Telecom - Commission Letter addressed to Various Parties

Ottawa, 29 June 2021

Our reference: 1011-NOC2021-0009

BY E-MAIL

To: Saskatchewan Telecommunications, Bragg Communications Inc., Shaw Communications Inc., TekSavvy Solutions Inc., Distributel Communications Limited, Xplornet Communications Inc., Rogers Communications Canada Inc., Bell Canada, Cogeco Connexion Inc., Québecor Média Inc., and TELUS Communications Inc.

Re: Compliance and Enforcement and Telecom Notice of Consultation CRTC 2021-9 – Request for information

Pursuant to the procedure set out in paragraph 5 of Call for comments – Development of a network-level blocking framework to limit botnet traffic and strengthen Canadians’ online safety – Changes to procedure, Compliance and Enforcement and Telecom Notice of Consultation CRTC 2021-9-1, 29 June 2021, attached is a request for information.

Responses must be filed with the Commission by 29 July 2021.

All parties may file final reply comments strictly limited to the new information provided in response to this RFI by 12 August 2021. These final reply comments are limited to 5 pages.

As set out in section 39 of the Telecommunications Act and in Broadcasting and Telecom Information Bulletin CRTC 2010-961, Procedures for filing confidential information and requesting its disclosure in Commission proceedings, persons may designate certain information as confidential. A person designating information as confidential must provide a detailed explanation on why the designated information is confidential and why its disclosure would not be in the public interest, including why the specific direct harm that would be likely to result from the disclosure would outweigh the public interest in disclosure. Furthermore, a person designating information as confidential must either file an abridged version of the document omitting only the information designated as confidential or provide reasons why an abridged version cannot be filed.

Sincerely,

Neil Barratt
Director – Electronic Commerce Enforcement
CRTC

cc: NOC 2021-9 Distribution List

Request for information:

A. Detection

  1. What percentage of your network’s total Internet traffic do you attribute to botnet traffic over the last 5 years? If this metric is unavailable, what percentage of your network’s total Internet traffic do you attribute to malware communication over the last 5 years? (before applying any filters, if applicable)

B. Remediation (Actions taken once detected)

Staff acknowledges the efforts by TSPs to protect customers from malicious botnet traffic, whether by way of ongoing network management practices or through various add-on service offerings. The questions that follow are not intended to request information already provided by TSPs on efforts that were already discussed in submissions. They are instead intended to quantify their use, efficacy and alignment with CSTAC Security Best Practices insofar as they relate to botnet traffic blocking activity. Given the specific nature of these questions, it is likely they are best addressed with assistance from members of respective TSP Network or Security Operations Centers.

  1. Do you filter or block detected botnet traffic? If so, provide the following:
    1. When did you start blocking botnet traffic?
    2. What is the percentage of blocked traffic compared to overall traffic over the last 5 years?
    3. Regarding the system used to block botnet traffic:
      A. Are you using (or have you used) a third-party’s block list? If so, please provide the date range during which you used this product, the legal name of this third-party, and the name of the product. If this is a paid service, provide the annual cost in $ CAD.
      B. Are you using (or have you used) a proprietary/internal blocking system? If so, specify whether it is used in addition to or in lieu of a third-party’s block list and also provide the date range during which you have used this system.
      C. Describe how your current blocking system works (A and/or B above, as applicable): is it domain-based, IP- and port-based, signature-based, etc.?
    4. Are details of this blocking or filtering activity disclosed to consumers (e.g. posted on your website)? If so, please provide the link.
    5. Do you collect personal information in the context of this blocking activity and if so, do you use or disclose this information for secondary purposes (e.g. marketing analysis)? Please specify the purpose and the recipients.
    6. Do you filter or block traffic, other than botnet traffic, for the purpose of internet traffic management against cyber threats? If so, to what extent?
    7. Are traffic blocking or filtering services offered by default to all your customers, or are they part of an enhanced or paid option?
  2. Do you notify customers whose accounts or devices have been compromised? If so, provide the following:
    1. When did you start this type of notification?
    2. Total number of notifications sent each year over the last 5 years.
    3. How is this notification done (e.g. by email, using the user-account app messaging, walled garden or over the phone)?
    4. Following notification, do you also assist end-users in remediating infections? If so, please provide how this assistance is done and the number of instances over the last 5 years.
  3. Do you report botnet indicators of compromise (IOCs) to law enforcement agencies (LEAs) for investigation or takedown, on your own initiative (i.e. other than responding to production orders or subpoenas)? If so, provide the following:
    1. Number of reports made each year over the last 5 years, grouped by LEA.
    2. Did you also assist LEAs by voluntarily providing technical assistance in investigations? If so, please provide the number of instances over the last 5 years.

C. Education and outreach

  1. Do you provide customer education or awareness information or campaigns about botnets? If so, please provide the following:
    1. Copy of materials from these awareness campaigns.
    2. Description of the campaign, including active dates, and the manner in which the information was conveyed to your client (e.g. pamphlet by email, user-account app messaging, alert on your website, or communications in traditional media).
  2. Do you share specific information related to botnet IOCs with third-parties (other than victimized clients and LEAs) in order to contribute to global security? If so, provide the following:
    1. With whom (e.g. other TSPs, Canadian Centre for Cyber Security (CCCS), domain registrars, etc.)?
    2. How (e.g. automatically or manually)?
    3. How often? Provide an example of IOCs shared over the last year with each third-party.
  3. Do you participate in working groups or outreach activities on botnet topics? If so, please provide the following:
    1. The names, composition, meeting frequency, and other relevant information on mandate and scope for these groups.
    2. Have you implemented new safeguards over the last 5 years, based on recommendations made in these working groups? If so, please provide the following:
      • A list of these safeguards and where they were recommended; and
      • Metrics related to the decrease of botnet traffic achieved through their implementation.