Canada’s telecom regulator will create a mechanism that internet service providers will have to use to block malware-carrying botnets.
In a ruling released Thursday, the Canadian Radio-television and Telecommunications Commission said internet providers here will have to block these botnets at the network level — but that won’t start for months, until a blocking mechanism has been worked out.
A botnet is a network of malware-infected computers (bots) that are under the control of a server operated by a malicious actor. In its decision, the CRTC notes botnets enable spam, distributed denial-of-service attacks, malware deployment, and information theft, as well as giving attackers unfettered access to networks via infected systems.
The decision said a framework could include a centrally-managed blocklist of internet addresses overseen by the federal government’s Canadian Centre for Cyber Security, the Canadian Internet Registry Authority (CIRA), or a new independent agency.
CIRA, which oversees the .ca domain, already has a botnet blocking service called Canadian Shield that requires consumers to add a configuration file to their routers. It hasn’t seen wide adoption. But through a partnership with Mozilla, Canadian Shield works automatically with the Firefox browser to stop users from going to malicious websites. The government’s Canadian Security Establishment (CSE), which oversees the Cyber Centre, runs a network blocking service to protect federal networks.
After an 18-month consultation, the CRTC said that botnet traffic constitutes a significant issue for cyber security, both in terms of volume and severity of harm, and needs regulation.
However, acknowledging that network-level botnet blocking won’t be easy, the commission has given its network working group nine months to propose minimum technical standards for a blocking mechanism service providers can adopt. The group will suggest who decides what is blocked, what precisely is blocked, and other technical details related to the implementation.
The standards have to be based on the following principles set out in the CRTC decision:
• Necessity: Blocking must be done exclusively for the purpose of cyber security and not for any other purpose, including blocking otherwise illegal activity, or blocking for commercial, competitive, or political purposes;
• Accuracy: Any impact on legitimate services must be as minimal as possible, limited to that which is necessary in order to achieve the objective of blocking the malicious traffic. The public must have the opportunity to report and resolve false positives and over-blocking in an effective and timely manner;
• Transparency: Customers and prospective customers must be provided with clear information about the cyber security network-level blocking solutions applied by carriers. The information to be disclosed should provide sufficient information for Canadians to make informed decisions about which carriers they might wish to do business with, but should not be so detailed that it would undermine the effectiveness of the framework by providing actionable information to malicious actors on how to circumvent the blocking mechanism. In addition, carriers must maintain and file specific metrics with the commission to allow for public disclosure of statistics regarding the uptake and effectiveness of the blocking framework;
• Customer privacy: In addition to complying with their existing privacy obligations, carriers should implement practices that enhance those obligations to account for the specifics of a blocking framework to provide the highest level of consumer privacy protection;
• Accountability: Carriers should document and periodically review all their blocking systems used for cyber security purposes in order to verify that their blocking program works as intended.
The telecom industry and the public will be able to comment on the proposed minimum standards for a framework before they are confirmed.
In a statement CIRA head Byron Holland said, “we support the CRTC’s decision to develop a framework for botnet blocking in order to ensure Canadians can leverage a safe and trusted internet for their social, economic and cultural development.”
Regulation of the problem is not what most of the country’s internet carriers want. Among the 46 written submissions to the commission, the idea of a mandatory regime got thumbs down from the country’s big three telecom providers, independent internet providers, banks and an insurance company, and internet advocacy groups. Many providers say they already have measures in place to mitigate botnet traffic.
Instead, there were calls for the telecom industry to work more closely on cybersecurity, perhaps with a voluntary botnet-fighting framework.
However, the commission concluded that “regulatory measures are required to ensure that the network-level botnet blocking provided by Canadian carriers provides a baseline level of protection.”
Telecom service providers’ current botnet-fighting practices are “diverse and opaque and lack a practical and consistent mechanism for sharing botnet indicators of compromise,” the commission said. Different providers block different threats, using different methods and blocklists.
Among the advantages of a regulated regime with minimum standards providers have to follow, the commission argued, would be the creation of a centrally-managed blocklist.
Right now the sharing by providers of indicators of compromise is ad hoc, the commission added. “A certain level of centralization” would address this gap by ensuring that all telecom providers have a baseline level of information, which would in turn ensure a baseline level of protection for all customers, it said.
Service providers argued their blocking methods follow best practices, but the commission noted a number of inconsistencies. The most notable departure from the best practices is in how they track and categorize blocking events. Most who responded to a commission request for more information don’t track blocking events, the ruling noted.
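The decision leaves the technical design to the working group, so the following is an added illustration, not the CRTC's mechanism nor any carrier's code. It sketches how the pieces the ruling keeps returning to fit together: a centrally-managed blocklist of indicators (domains and IP ranges), an allowlist for false positives that subscribers have reported and had resolved (the accuracy principle), per-event tracking with a category for each block (the accountability gap noted above), and aggregate metrics that contain no subscriber identifiers (the privacy principle). All indicator values, feed names and subscriber ids are constructed for the example and are not real indicators of compromise.

```python
"""Added example: a minimal network-level botnet blocklist checker.

Everything here is constructed for illustration. The indicator values,
feed names and subscriber ids are placeholders, not real IoCs.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Indicator:
    value: str      # domain name, IP address or CIDR range
    category: str   # e.g. "c2" or "malware-distribution"
    source: str     # which feed contributed the indicator


@dataclass
class BlockEvent:
    timestamp: str
    subscriber_id: str
    destination: str
    indicator: str
    category: str
    action: str     # "blocked" or "allowed-override"


class BotnetBlocklist:
    def __init__(self):
        self.domains = {}     # normalised domain -> Indicator
        self.networks = []    # (ip_network, Indicator)
        self.allowlist = set()  # values cleared after a false-positive report
        self.events = []      # every blocking decision, for later review

    def load(self, indicators):
        """Load indicators from the (assumed) central blocklist."""
        for ind in indicators:
            try:
                self.networks.append((ip_network(ind.value, strict=False), ind))
            except ValueError:
                # Not an IP or CIDR, so treat it as a domain name.
                self.domains[ind.value.lower().rstrip(".")] = ind

    def report_false_positive(self, value):
        """Resolve a public over-blocking report by allowlisting the value."""
        self.allowlist.add(value.lower().rstrip("."))

    def _match(self, destination) -> Optional[Indicator]:
        dest = destination.lower().rstrip(".")
        try:
            addr = ip_address(dest)
        except ValueError:
            # Domain: match the name itself and every parent suffix, so a
            # listed "c2.evil.example" also catches "www.c2.evil.example".
            # Suffix matching is a classic source of over-blocking, which is
            # why the allowlist exists.
            labels = dest.split(".")
            for i in range(len(labels)):
                ind = self.domains.get(".".join(labels[i:]))
                if ind is not None:
                    return ind
            return None
        for net, ind in self.networks:
            if addr in net:
                return ind
        return None

    def check(self, subscriber_id, destination) -> bool:
        """Return True if the connection should be blocked; record the event."""
        ind = self._match(destination)
        if ind is None:
            return False
        dest = destination.lower().rstrip(".")
        overridden = dest in self.allowlist or ind.value.lower() in self.allowlist
        self.events.append(BlockEvent(
            timestamp=datetime.now(timezone.utc).isoformat(),
            subscriber_id=subscriber_id,
            destination=destination,
            indicator=ind.value,
            category=ind.category,
            action="allowed-override" if overridden else "blocked",
        ))
        return not overridden

    def metrics(self):
        """Aggregate counts only: nothing here identifies a subscriber."""
        blocked = Counter(e.category for e in self.events if e.action == "blocked")
        return {
            "blocked_by_category": dict(blocked),
            "overrides": sum(1 for e in self.events if e.action == "allowed-override"),
            "total_events": len(self.events),
        }


if __name__ == "__main__":
    bl = BotnetBlocklist()
    bl.load([Indicator("c2.evil.example", "c2", "feed-a"),
             Indicator("203.0.113.0/24", "c2", "feed-b"),
             Indicator("downloads.bad.example", "malware-distribution", "feed-a")])
    bl.check("sub-1", "www.c2.evil.example")
    bl.report_false_positive("downloads.bad.example")
    bl.check("sub-2", "downloads.bad.example")
    print(bl.metrics())
```

The per-subscriber event record stays inside the carrier for review and false-positive handling, while `metrics()` is the only view intended to leave it, which is the split the transparency and privacy principles together imply.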
The CRTC also believes that network-level blocking programs are effective and appropriate — and have been adopted by other countries.
In a submission to the commission, SaskTel and others estimated malicious bots account for 20 to 30 per cent of all Internet traffic. Nokia submitted that 5G wireless networks and the proliferation of Internet of Things (IoT) devices mean that botnet attacks are likely to be much larger and more powerful if left unchecked.
On the other hand, Telus, Rogers, Bell Canada, and Xplornet argued that because a very low percentage (0.0002 per cent) of Canadian network traffic comes from malicious botnets, regulatory intervention isn’t justified.
In its ruling, the commission recognized that malicious websites accessed by Canadians as a percentage of total websites visited may be low in absolute terms. “However,” it added, “since visiting a single malicious domain is sufficient to advance a device infection or result in credential theft, the commission considers that even the relatively small ratio detected by TSPs (telecom service providers) is significant.”
The commission acknowledged that no single entity in the cyber security landscape, including telecom service providers (TSPs), can resolve the botnet issue alone. So far, it added, most of the burden to secure devices against malware threats has fallen on end-users. “But while it is true that TSPs cannot address bot infections at their source, their position as Internet access providers means they are a critical control point for botnet communications,” the ruling says. “They have a much broader view of the issue and, therefore, have more opportunities to disrupt botnet communication channels at scale. Moreover, unlike many end-users, they have the skill, expertise, and capacity to understand the botnet threat and respond proportionately.”
A narrowly constrained blocking mechanism would have a minimal, or even nonexistent, net impact on net neutrality, the commission also said. “While some might characterize botnet blocking as inconsistent with net neutrality in that it blocks the delivery of telecommunications, it also has a role in preserving net neutrality. Not only does such a mechanism serve to protect Internet accessibility, a necessary condition for net neutrality, it also corrects the distortion created by botnets in the overall Internet bandwidth resulting from the significant and unfair advantage in favour of machine-generated traffic from cyber threat actors.”