On June 23rd, the Canadian Internet Registration Authority (CIRA) hosted a virtual panel titled Battling botnets: A security balancing act.
In a discussion moderated by The Wire Report’s Hannah Daley, panel members Mark Buell of the Internet Society, Andy Kaplan-Myrth of TekSavvy, Leah Michalopulos of the Canadian Electricity Association and CIRA President and CEO Byron Holland weighed in on the creation of a framework for network-level botnet blocking.
In January of this year, the Canadian Radio-television and Telecommunications Commission (CRTC) proposed a framework to bring oversight to how internet service providers (ISPs) block malicious traffic on their networks. This proposal served as the background for the panel discussion about where responsibility lies for protecting Canadians from botnets and other malicious cyber threats. CIRA’s submission to the CRTC’s consultation argued that any framework to filter for network security needs to be laser-focused on actual threats to the network, with built-in accountability, transparency, non-discrimination and proportionality.
Since the panel discussion took place, the CRTC has requested additional information from the major ISPs about the traffic management practices they have in place.
The audience posed many questions during the panel discussion; unfortunately, not all of them could be answered live. So, we’ve compiled the top unanswered questions from the discussion with CIRA’s answers along with the full recording of the event:
Panel - Battling botnets: A security balancing act
1) My ISP has implemented spam blocking that sends a small percentage of my legitimate email to the spam folder. Should a person be able to opt out of spam blocking?
At CIRA, we believe that users should be empowered to control how they access information online. In our submission to the CRTC’s botnet consultation, we argued that users’ right to opt out of any blocking mechanism or framework should be protected. In line with the principle of transparency, a user of any subscription or service should have access to clear information about whether and when they have the ability to opt out of it. In the case of content blocking, what opting out means should be crystal clear to users and they should be able to do so without significant undue burden.
2) Should ISPs prioritize controlling botnets instead of copyright enforcement on behalf of others?
Any blocking framework should be laser-focused on the technical threats that weaponize the network. Blocking should not be used to police content or online speech, as there are more proportionate measures available for addressing illegal content online. In our view, there is a major difference between filtering unsafe traffic for the purposes of promoting network security and blocking content to protect specific business interests.
3) How can ISPs be encouraged to invest in protecting their customers without government intervention?
ISPs have disclosed that they already block and manage traffic of their own accord, without government intervention. They do so for a variety of reasons, including to protect their networks from security or technical threats. In a competitive landscape, ISPs could differentiate themselves based on the steps they take to protect users of their network. Unfortunately, Canada’s telecommunications sector is generally described as an ‘oligopoly,’ where internet access is only provided by one or maybe two companies in a given market. In a competitive environment, end-users will have the option to switch providers if they find their ISP doesn’t do enough to protect them. More competition between ISPs would incentivize these providers to offer more cybersecurity services as part of a value proposition to attract more customers away from their competitors.
4) Should the government focus on incentivizing vendors and operators of critical infrastructure to be secure like the U.S. is doing?
Canada has historically taken a broad-based approach to combatting cyber threats. Digital literacy, threat information exchange, anti-virus software, spam blockers, app and software partners and telcos are among those who have played key roles. As cyber threats multiply and increase in complexity, the need to invest in the infrastructure and technologies needed to keep us safe is more important than ever. In general, CIRA supports government efforts to increase the adoption of cybersecurity services, technologies and best practices. CIRA recently welcomed the federal government’s announcement of $80 million in new funding to support cybersecurity through the Cyber Security Innovation Network Program. We would also support programs that can help reimburse expenses associated with cybersecurity technology adoption in underserved sectors like the small and medium-sized business community.