The Canadian Radio-television and Telecommunications Commission (CRTC) has been working since 2021 to understand and address a growing issue of botnets and malicious software. The Commission believes that botnets are an issue, based in part on data indicating that 20 to 30 percent of all Internet traffic is botnet traffic and that users or devices in Canada attempt to access seven million malicious domains daily.
As part of the comment period in 2021, the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) provided recommendations and comments (more here, https://services.crtc.gc.ca/pub/instances-proceedings/Default-Defaut.aspx?lang=eng&YA=2021&S=C&PA=a&PT=nc&PST=a#2021-9). Forty-four other interested parties provided comments as well.
In early July 2022, the CRTC announced a decision (https://crtc.gc.ca/eng/archive/2022/2022-170.htm) to proceed with a technology-neutral blocking framework, based on the proven efficacy of the existing Canadian Shield and actions taken in other countries. The solution must be flexible so that service providers can adapt quickly to emerging threats.
The CRTC has established five guiding principles for Telecommunications Service Providers (TSPs) that choose to block botnets:
- Necessity: any blocking must be exclusively for cybersecurity
- Accuracy: limit impact on legitimate services; allow public to report and resolve false positives
- Transparency: carriers will provide information to consumers about how carriers are blocking but not provide bad actors with info that could be used to circumvent the solution; carriers must also maintain and file specific metrics with the Commission to allow for public disclosure of blocking statistics
- Customer privacy: support existing privacy regulations and enhance those obligations to be relevant to a blocking framework
- Accountability: carriers will document and review their blocking systems to ensure they work as intended
The CRTC has assigned a working group to propose technical parameters for who will determine what is blocked, what precisely will be blocked and other details. This group is expected to file a report within the next nine months.
In its 2021 comments (https://www.m3aawg.org/sites/default/files/m3aawg-response-to-crtc_march_15_2021.pdf), M3AAWG suggested that the framework support anti-spam, anti-phishing, scam defense and anti-malware efforts, and that it take a flexible approach that accounts for legitimate sites or pages that might house a malicious download, rather than brute-force blocking of the entire domain or IP address.
M3AAWG also suggested allowing users to opt out of filtering and blocking, providing a centralized industry-wide response and maintaining user privacy.
M3AAWG also made a number of common-sense security hygiene suggestions, rather than a single blocking technique, including maintenance of operating systems, patching, use of antivirus tools, strong passwords with multi-factor authentication, use of firewalls, blocking malicious advertising and using Internet service providers with a focus on security practices. Recommendations were also provided for handling false positives, automating blocking, and defending against techniques such as domain generation algorithms. Comments also suggested collaboration and sharing of blocking info among industry vendors, handling customer privacy issues, and how to handle data used for blocking to ensure legitimate sites and others are not blocked inadvertently.
Additional M3AAWG comments can be viewed here: https://www.m3aawg.org/sites/default/files/m3aawg-response-to-crtc_march_15_2021.pdf. M3AAWG will continue to monitor the CRTC and working group efforts.