OTTAWA – MARCH 16, 2021 – Last evening the Canadian Internet Registration Authority (CIRA) submitted an intervention to the Canadian Radio-television and Telecommunications Commission (CRTC)’s botnet consultation. The CRTC proceeding focuses on whether to establish rules that would permit internet service providers (ISPs) to filter malicious internet traffic that enables cyber attacks.
CIRA’s own DNS Firewall and Canadian Shield services help Canadians mitigate cyber attacks. However, CIRA sounded a note of caution to the CRTC. Technical measures to make the internet safer must not allow for a slippery slope towards blocking content or free speech – in fact, safeguarding net neutrality and user privacy are two of the CRTC’s main jobs. CIRA’s intervention offers several proposals for ensuring that any framework to filter for network security is narrowly-tailored, builds in accountability, and requires that all blocking decisions be the technical decisions of independent third parties, not telecommunications service providers.
Canada’s internet faces a greater number of cyber threats than ever before. To protect users, ensure the safety and stability of our internet infrastructure, and bring independent oversight to what many ISPs already do without review, CIRA supports the creation of a voluntary framework that lets ISPs filter cyber attacks on their networks in standards-based, accountable ways. Drawing on its decades of network operation and cyber security experience, CIRA offers several proposals for how such a framework can be structured to prevent cyber attacks, protect user privacy, and defend Canada’s internet infrastructure.
CIRA’s Submission to the CRTC
Several of CIRA’s proposals to the CRTC are summarized below:
- Adoption of a new network-level blocking framework by ISPs must be voluntary, not mandatory.
- There should be a simple mechanism for users to opt out of any filtering provided by an ISP.
- The decision to block a given cyber threat should not be made by just one actor. To prevent a single point of failure, the framework should provide for multiple certified parties to offer block lists, and use that certification as a key oversight mechanism.
- Parties providing block lists must be independent from any internet service provider or content provider.
- The rules for which types of harmful traffic can be blocked should be guided by principles of transparency, non-discrimination, necessity, and proportionality. Blocking should never be authorized when a more proportionate response is available.
- Any framework should hold internet service providers to the highest privacy standards to prevent overcollection, over-retention, or misuse of user data.
You can see CIRA’s full submission here.
“Just like we filter drinking water to keep it clean, we need to filter the internet to keep it safe from security threats. That’s why CIRA supports new regulations to protect Canada's internet infrastructure and its users through a narrowly-tailored blocking framework for network security purposes.
Of course, with any filtering, there are legitimate concerns about over-blocking, or censorship of legitimate expression online. We share these concerns. Any framework approved by the CRTC must be laser-focused on technical threats that weaponize the network itself–like botnets or malware–and must not be used to block other forms of content or speech.
There’s a big difference between filtering to protect the network itself, and blocking content for business interests. For example, in 2016, a massive botnet of internet-connected devices launched a cyber attack that knocked websites like Netflix and Amazon offline. Botnets can put the stability of the entire network at risk, and we believe that activities that include filtering for security can help reduce this type of abuse.
By comparison, censoring websites based on their content would not only be inappropriate under this framework, the framework would also render it impossible. There are already pre-existing legal tools designed to address the harms suffered by rightsholders, whereas there are few regulatory tools available for ISPs to mitigate technical abuse of the network.
We look forward to working with the CRTC and all other interested parties to develop the new framework.”
—Byron Holland, CIRA’s president and CEO
The following statistics are excerpted from CIRA’s 2020 Cybersecurity Report, which surveyed over 500 Canadian IT security decision-makers and found that:
- One-third of Canadian organizations have been targeted with a COVID-19 related cyber-attack since the pandemic began (e.g., fake contact tracing app, COVID-19 test results phish).
- One-quarter of organizations experienced a breach of customer and/or employee data in the last year. Another 38% don’t know if they did or not.
- About three in 10 organizations report a spike in cyber attacks since the start of the pandemic.
- Just over half of organizations have implemented new cybersecurity protections in response to COVID-19.
- Fewer organizations expect to increase human resources dedicated to cybersecurity in the next 12 months, with one-third planning to do so, down from 45% in 2019.
About CIRA Cybersecurity Services
Since 2015, CIRA has developed new cybersecurity services including CIRA Firewall and CIRA Canadian Shield, the latter of which protects over 100,000 Canadians from malware, phishing and ransomware attacks for free. CIRA holds considerable expertise in DNS-based filtering for cyber threats, and protects a wide range of organizations including municipalities, hospitals, universities, and other educational institutions. In the past year over 20 million malicious domains were blocked by CIRA Canadian Shield alone.
About the Canadian Internet Registration Authority
The Canadian Internet Registration Authority (CIRA) is the national not-for-profit best known for managing the .CA domain on behalf of all Canadians. CIRA also develops technologies and services—such as CIRA DNS Firewall and CIRA Canadian Shield—that help support its goal of building a trusted internet for Canadians. The CIRA team operates one of the fastest-growing country code top-level domains (ccTLD), a high-performance global DNS network, and one of the world’s most advanced back-end registry solutions.