The Canadian Radio-television and Telecommunications Commission (CRTC) says regulatory action is needed to ensure telecom providers that block botnets do it in a way that protects Canadians.
Cyber attackers use botnets to emit activities, including spam and information theft, that goes against Canada’s anti-spam legislation (CASL). Botnets impact everyone, from small businesses to hospitals.
The CRTC says communications from botnets flow through the networks telecom companies provide, putting them in a position to implement blocks of botnet activities.
In its decision, the regulatory body said it needs to take action as the current practices of service providers are “opaque” and aren’t consistent when sharing botnet indicators of compromise (IOCs). The CRTC further stated service providers are in a “unique position” to address activity, and blocking the issue at the network level is appropriate.
The CRTC’s Interconnection Steering Committee will examine the issue and create a report with its recommendations in the next nine months. A commenting period will follow, and the CRTC says it will “establish the minimum standards for botnet blocking” afterwards.
Several parties, including telecom companies, financial institutions, and advocacy groups, submitted comments last year when the CRTC launched its initial consultation. Bell, Eastlink, Telus and Rogers were part of the telecom companies who said intervention from the regulatory body was unnecessary.
The Big Three ultimately rejected the idea of mandatory blocking.
“The parties opposed to regulatory intervention argued that the existing flexibility afforded through collaboration is more adaptable than regulation, that a regulatory authority to block botnets already exists, that the current blocking efforts already follow industry best practices, and that other parties can contribute to botnet mitigation strategies more than can,” the CRTC said in its decision.