Every hour of every day, a silent siege is underway. Countless malicious actors are weaselling their way through cyberspace, probing for openings to steal your money, your identity, to hold your organization ransom – or generally just ruin your day.
They mostly fail thanks to cybersecurity efforts churning behind the scenes, or your own precautions. But just often enough they succeed and wreak havoc.
The threats multiplied during the pandemic, with one-quarter of Canadian organizations reporting that they were targeted with a COVID-19 themed cyber-attack. This is an endless war, but one we must win.
Many cyberattacks are facilitated by botnets—networks of hacked devices run by bad actors. The role telcos play in defending against botnets has captured the attention of the Canadian Radio-television and Telecommunications Commission (CRTC).
The CRTC has proposed a new framework that would formalize what many internet service providers (ISPs) already do to help block botnet traffic suspected of “malicious cyber activity,” and has asked the public for input.
You may not have heard of this proceeding because it has been lightly reported. But anyone who uses the internet should be paying attention.
The CRTC is right to be concerned about how telcos do their part. Botnets can compromise users’ information and knock websites offline, and ISPs play a key role in the response.
But given Canada’s important commitment to net neutrality, and a telco sector dominated by big players who also sell content, our response must be measured. It must strike a delicate balance that defends us against bad actors while putting guardrails on large telcos’ power, all to preserve a free and open internet.
Those same telecom operators overwhelmingly oppose the CRTC’s proposal to oversee their filtering of malicious traffic. They insist that these matters are best left to the private sector and that regulation isn’t needed.
It’s not that they don’t want to filter bad traffic – they do it all the time. They just don’t want to be subjected to independent oversight by the CRTC.
Until now, their filtering has occurred in something of a regulatory “grey zone”—obscured from customers and the CRTC—and they are happy to keep it that way, basically saying, “leave us alone, we’re on it,” while the CRTC tries to create oversight for filtering all agree is necessary.
Clearly, we need new rules for the road. We should not accept a system that allows these giants to have the unfettered power to block content, akin to a “kill switch,” that could stray into censoring content or stifling free expression online.
Neither should we allow the CRTC to impose a heavy hand of regulation.
There is a middle ground, which would work better for all. It comes from the not-for-profit I lead, CIRA, which oversees the .CA domain and champions a trusted internet for Canadians. Promoting better cybersecurity is at the heart of our mission, which is why we offer our free Canadian Shield service to protect Canadians from cyber attacks.
We believe it is possible to enshrine protections against botnets, while placing safeguards against overreach by either regulators or telecoms; a system that would provide independent oversight while preserving free speech, and promoting greater telecom and cybersecurity choice for consumers.
In our comments to the CRTC, we outline a careful framework that would continue to let ISPs filter out malicious traffic, but add accountability to their activities, making it easier for smaller players to get in the game, and separating who decides what to block from who is allowed to block it. It is laser-focused, empowering ISPs to fend off cyberattacks, while protecting users’ freedom of expression.
The threats before us are tremendous. But technical measures to make the internet safer must not create a slippery slope that could lead to blocking content or free expression. As we say in our submission, safeguarding net neutrality and user privacy are two of the CRTC’s main jobs.
Just as we filter drinking water to keep it safe, the CRTC should ensure we have a framework that allows ISPs to stop cyberattacks, but with oversight that ensures they cannot turn off the taps at will.