Canada’s telecom regulator may force internet service providers to adopt network-level botnet blocking to limit criminally-run automated systems’ ability to spread malware.
ISPs can use several techniques to fight botnets, including domain-based blocking, internet protocol (IP)-based blocking and protocol-based blocking. However, these and other strategies aren’t required by regulation or controlled for possible bias.
But on Wednesday, the Canadian Radio-television and Telecommunications Commission (CRTC) called for comments on a proposal to require ISPs to implement strategies to fight botnets at the network level by blocking suspicious email, texts and communications by malware to command and control servers.
It would do so by approving a mandatory or voluntary network-blocking framework that carriers would follow. To meet privacy concerns, the commission says any approved framework has to be done in ways that protect internet user privacy, enable subscribers to opt into or out of message blocking, provide a mechanism to correct possible false positives of messages, ensure blocking decisions are unbiased and made in the best interest of Canadians, and minimize subscriber information monitoring, collection, and usage.
Technically, the CRTC says, any filtering or blocking affects the principle of net neutrality — the concept that all internet traffic should be given equal treatment by ISPs, with little or no prioritization. But there are exceptions, the CRTC notes, such as blocking access to child exploitation material. If rules for network-based blocking are approved, “a limited exception to net neutrality may be warranted” to give Canadians protection from spyware, information theft and ransomware, the regulator says.
The commission also suggests that rather than leave decisions in the hands of ISPs, an independent body with expertise in cybersecurity might assess whether blocking a particular domain or IP address is justified. That body could also decide how message blocking decisions can be unbiased and accurate. The commission doesn’t suggest a body, but one possibility is the federal government’s Canadian Centre for Cyber Security.
The commission also acknowledges that any blocklist of forbidden IP addresses will need to change regularly to remain accurate. It wants to hear about worries of over-blocking and false positives and ways to take wrongly-blocked addresses off a list quickly.
“Malicious botnet attacks are a serious and recurring concern,” CRTC chair Ian Scott said in a statement. “Almost every week, we see another organization victimized by ransomware or hear of a fellow citizen lured in by a phishing scam. With the launch of this proceeding, we are aiming to better protect Canadian individuals, businesses and institutions against damaging botnet activity.”
ISPs, exchange carriers, web hosting companies, consumers, and others have until March 15th to file comments. Submissions are limited to 20 pages.
In an interview, telecommunications consultant Mark Goldberg said that by launching this consultation, the CRTC might be signaling that blocking and filtering measures ISPs already perform need formal approval of the commission under the Telecommunications Act. Section 36 of the act says a carrier shall not control content or purpose of communications it carries without permission.
In a statement, the Competitive Network Operators of Canada (CNOC), which represents many independent ISPs, said the consultation may raise end-user concerns with content interference and blocking and overreach. At the same time, it added, network integrity, public safety, and user safety are crucial. “We will study this new consultation, to identify any meaningful areas requiring comment in terms of independent ISPs and concerns about how this might affect our users, and our ability to compete fairly.”
Greg Young, vice-president of cybersecurity at Trend Micro, who used to work for the federal department of communications, applauded the proposal to create an anti-botnet framework. “Anything that blocks known bad traffic is a good thing,” he said in an interview.
The CRTC has the authority to fight spam by enforcing the Canadian Anti-Spam Legislation (CASL), which prevents Canadian-based companies from sending commercial email without the recipient’s consent, installing software on computers without consent, and making false or misleading representations to promote products or services online. The CRTC expects ISPs to take steps to limit such behaviour on their networks. Botnets, which are huge networks of interconnected PCs, servers and other internet-connected devices around the world that pump out spam, violate CASL.
However, most are controlled outside Canada and therefore out of the reach of the regulator. A framework would give ISPs a guide to implementing technologies to block messages from botnets to domains of their command and control (C2) servers, as well as meet privacy concerns.
No one-size-fits-all solution
The CRTC document notes that one strategy alone won’t accomplish its goals. Not all malware connects to C2 servers using domains, so domain-based blocking won’t work for these attacks. That’s why IP-based blocking (through firewalls that block communications to suspected C2 servers) and protocol-based blocking need to be used.
The commission says if it goes ahead with mandating botnet traffic blocking, it could do many things to protect privacy. Suggested ideas include prohibiting carriers from monitoring, collecting, or disclosing content or metadata that does not contribute to blocking botnet traffic; limiting monitoring and collection to the destination domain name or IP address requested and the number of times the malicious service is requested; and restricting disclosure of monitored data to parties participating in the blocking program.
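As an added illustration (not part of the CRTC document or the original story), the Python sketch below layers domain-based and IP-based checks, honours a subscriber opt-out, records only the blocked destination and a hit count, and supports delisting a false positive. The class and method names, the sample blocklist entries and the opt-out flag are assumptions made for the example; protocol-based blocking is not shown.

```python
import ipaddress
from collections import Counter

# Constructed sample blocklist entries (reserved documentation name and range).
BLOCKED_DOMAINS = {"c2.example.net"}
BLOCKED_NETS = [ipaddress.ip_network("203.0.113.0/24")]


class BotnetFilter:
    """Hypothetical network-level filter: domain list plus IP list."""

    def __init__(self, domains, nets):
        self.domains = {d.lower().rstrip(".") for d in domains}
        self.nets = list(nets)
        # Data minimization: destination -> count only, no subscriber identity.
        self.hits = Counter()

    def _domain_listed(self, name):
        # A listed domain also covers its subdomains.
        labels = name.split(".")
        return any(".".join(labels[i:]) in self.domains
                   for i in range(len(labels)))

    def check(self, dest, opted_out=False):
        """Return True if traffic to dest (domain or IP string) is blocked."""
        if opted_out:
            return False  # opted-out subscribers are neither filtered nor counted
        try:
            addr = ipaddress.ip_address(dest)
            key = str(addr)
            # Catches malware that contacts its C2 by raw IP, with no DNS lookup.
            listed = any(addr in net for net in self.nets)
        except ValueError:
            key = dest.lower().rstrip(".")
            listed = self._domain_listed(key)
        if listed:
            self.hits[key] += 1
        return listed

    def delist(self, entry):
        """False-positive correction: remove a domain or network from the list."""
        try:
            net = ipaddress.ip_network(entry)
            self.nets = [n for n in self.nets if n != net]
        except ValueError:
            self.domains.discard(entry.lower().rstrip("."))
```

Because `hits` is keyed on the destination alone, the counts show how often a listed service was requested without revealing which subscriber requested it.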
And while internet subscribers should know some information from ISPs to decide which provider to choose and whether to participate in a blocking program (such as whether a particular domain or IP address is blocked), the CRTC also says it may put limits on how much an ISP can publicly divulge about its blocking technology.
Carriers can use the consultation to list their preferred blocking techniques, listing pros and cons. If domain-based blocking is one, they can talk about which domain resolver technology they prefer. Domain resolvers translate domain names into IP addresses. Domain resolver providers include the Canadian Internet Registration Authority’s (CIRA) Canadian Shield, Quad9, OpenDNS, Comodo Secure DNS and CleanBrowsing.
(This story has been updated from the original to add statements from CNOC and Greg Young of Trend Micro)