The Canadian Radio-television and Telecommunications Commission (CRTC) took action[1] to establish a framework to limit botnet traffic before it reaches consumers’ devices.
The CRTC plays a limited role in regulating telecommunications service providers (TSPs) under the Telecommunications Act and protects Canadians from online harms under the Canadian Anti-Spam Legislation (CASL).
Botnets are networks of computers, cellular phones, and other devices that have been infected with malware, allowing third parties to control the devices without the knowledge or consent of the owners.
After consulting with various organizations, the CRTC gathered input on blocking techniques and on which activities to block, in order to establish a framework that sets out the terms and conditions under which Canadian carriers may block botnets and other harmful activities before they reach Canadians’ devices.
For the framework, the CRTC defined an “indicator of compromise” (IOC) as follows:
An IOC is an identifier used by carriers to block network traffic for cyber security purposes that indicates, with a high degree of confidence, intrusion on a system and that malicious activity is occurring. In other words, an IOC is a technical characteristic of a particular cyber attack. In the context of a blocklist, an IOC may consist of, for example (i) a domain name, or (ii) an IP address and port number
The CRTC considers that “a framework that focuses on all IOCs rather than just those that only identify botnet traffic would maximize its effectiveness in protecting Canadians, be technically feasible, and be appropriate as a matter of policy.”
The CRTC was not able to identify a party to manage a centralized blocklist, so it deferred a decision on that issue.
The CRTC decided that carriers would be responsible for ensuring that the blocklist that they use meets minimum criteria under that framework, and each carrier would work to resolve false-positive complaints within two business days of receipt of the complaint.
The CRTC decided that since some carriers are already using in-house blocklists, the framework would permit the use of in-house blocklists.
The CRTC determined that the blocking methods would not be limited to IP-based blocking. All blocking methods would be authorized under the framework.
The CRTC considered that customers would not be permitted to opt in or opt out of blocking; rather, blocking would be done by default.
The CRTC determined that a mix of manual review and automated IOC delisting would help minimize false positives and ensure that blocklists are up to date and accurate.
The CRTC determined that information about blocking under the framework should be made available so that consumers can make informed decisions, but that sensitive information, such as the list of IOCs blocked, should not be made public, to avoid disclosure to malicious actors.
The CRTC determined the information that carriers should report annually on their cybersecurity blocking.
The framework went into effect on August 12, 2025.
Time will tell whether the framework has the desired effect of reducing botnet traffic.
_________________
[1] See Compliance and Enforcement and Telecom Decision, CRTC 2025-142.
The post CASL: A Framework to Stop Botnet Traffic appeared first on Slaw.
