Last week’s CRTC decision on botnet-blocking can be viewed as a step toward Canada asserting sovereignty over our piece of the internet, but it also raises questions of duplicated efforts by ISED and the Commission.
In Compliance and Enforcement and Telecom Decision CRTC 2022-170: Development of a network-level blocking framework to limit botnet traffic and strengthen Canadians’ online safety, the Commission determined “regulatory action is necessary to ensure that Canadian carriers that block botnets do so in a way that provides a baseline level of protection to Canadians.”
Last week’s decision establishes guiding principles for a future “network-level botnet-blocking framework” and sets in motion activities for the industry-wide CRTC Interconnection Steering Committee (CISC) to assist in developing technical parameters consistent with these principles within nine months. As an aside, don’t you love nested acronyms like CISC? When we created the technical and operational liaison committees 30 years ago, the first C stood for Canadian.
There had been disagreement over the need for regulatory involvement in addressing botnet traffic; the major ISPs, responsible for 80-90% of consumer connections in Canada, argued in favour of the flexibility enabled through existing channels of collaboration is more adaptable than regulation. The major ISPs are already sharing botnet and malware indicators through the Canadian Security Telecommunications Advisory Committee (CSTAC), under the auspices of ISED. It is noteworthy that “CSTAC” appears 23 times in the Decision.
Is cyber-security another area (like spectrum management) that requires an organizational realignment between the CRTC and ISED in order to rationalize responsibilities, avoid duplication of efforts, and regulatory overlap?
A year and a half ago, the CRTC launched this proceeding, “strengthen Canadians’ online safety.” The Commission concluded that botnet traffic “constitutes a significant issue for cyber security, both in terms of volume and severity of harm.” No surprise there. What is the right way to address the issue?
I question the basis for the type of regulatory intervention being prescribed, which the CRTC claims necessary because:
- Service providers’ current practices are diverse and opaque and lack a practical and consistent mechanism for sharing botnet IOCs;
- Service providers have a considerable role to play in botnet blocking, consistent with a defence-in-depth strategy toward cyber security;
- network-level blocking programs are effective and appropriate; and
- there is confusion among the parties regarding the regulatory basis for the existing botnet blocking conducted by service providers.
Is it notable that a network-level blocking framework may be required as part of Online Harms legislation? To what extent was this influential in the CRTC’s decision?
Some parties suggested the framework should permit consumers to choose whether or not to opt-in to network-level blocking. The CRTC said “CIRA Canadian Shield is used by just 1% of households. This very low figure suggests that opt-in models result in underuse.” I’m not convinced the CRTC’s made accurate use of that statistic. There is a big difference between opting in to protection endorsed by your service provider and having the technical competency to change DNS settings on every device in your home, let alone choosing CIRA’s DNS service. There are competing cyber-security services that offer protections, including protections from the major ISPs themselves.
I am concerned that the centralized model chosen by the CRTC may raise the level of protection afforded to customers of some smaller service providers but could lead to a degradation in responsiveness and security for the majority of Canadians who are served by companies already collaborating.
Security is a competitive service feature offered by service providers and third party firms. As CISC works through the dozen questions asked by the CRTC, it needs to ensure that customers aren’t ultimately losing choices in how their connectivity is safeguarded.
We’ll be hearing back from CISC in 9 months.