Steven Harroun to the panel on “Cybersecurity Risks and Realities” at the Telecommunications Media Forum


Steven Harroun, Chief Compliance and Enforcement Officer
Canadian Radio-television and Telecommunications Commission

Washington, D.C.
December 11, 2019

(Check against delivery)

I welcome this opportunity to compare notes with public and private sector partners about our diverse efforts to protect our countries’ increasingly digital economies and societies.

More than ever, bad actors are using technology and preying on human psychology to take advantage of our citizens. Technology can contribute to solutions, but it’s not enough by itself. Education, enforcement, and international cooperation and collaboration are equally crucial to our efforts to combat these bad actors.

We each have distinct roles and responsibilities, and I will briefly explain the CRTC’s contributions.

The CRTC is an administrative tribunal operating at arm’s length from government that oversees Canada’s communication system in the public interest. Our mandate includes acting to counter constantly evolving telecommunications and cyber threats. These threats can adversely impact not only individuals’ personal information and finances, but potentially our national security or critical infrastructure.

Navigating today’s complex communications marketplace can be challenging. Our job at the CRTC is to help protect Canadians from abusive communications in the form of unwanted phone calls or online threats.

To do that, we are responsible for enforcing Canada’s anti-spam legislation, known as CASL, the Unsolicited Telecommunications Rules and the National Do Not Call List.

CASL prohibits companies from sending commercial electronic messages – through emails, social media platforms or text messages – without recipients’ consent. While that may seem harmless enough, we know that spam can be a vehicle to install malware or other malicious online threats.

The government has given the CRTC the necessary tools to enforce CASL. Among them, we can impose penalties of up to $1 million per violation for individuals and up to $10 million per violation for businesses.

Working with domestic and international enforcement and regulatory agencies is critical to our success. We have conducted parallel investigations with other agencies.

For instance, in March of this year, we executed warrants alongside our federal police force to search the residence of a suspected malware distributor. As we take cases forward or conduct enforcement actions, we have to be mindful that we not impede or disrupt potential criminal cases that may be running in parallel.

At the CRTC, we understand that no country can do it alone. Protecting Canadians isn’t a matter of zeroing in on email marketers or Web hosting providers. These companies are part of a much larger group of global actors that includes technology, infrastructure and service providers. Everything and everyone is interconnected and interdependent.

The IIC understands this. Today’s panel discussion is the continuation of conversations that began at an Abusive Communications Workshop we co-hosted in Thailand during the 2016 Communications Policy and Regulation Week. The workshop, with participants from all regions, demonstrated the global commitment to combat spam and nuisance communications.

We work with international industry groups, too, on best common practices for compliance and collaboration. Groups like the Messaging Malware Mobile Anti-Abuse Working Group (M3AAWG), the Internet Corporation for Assigned Names and Numbers, national computer emergency response teams, and Internet registries and registrars are an essential part of the landscape.

It’s important, too, that as a government agency, we make efforts to understand business models of online industries so that we can more effectively mitigate online abuse.

As an example, in October we participated in discussions at the Mobile Messaging Malware Anti-Abuse Group meetings supporting the development of common best practices for industry players on the removal of abusive and objectionable content online. This is a great example of the private sector taking the lead on an important issue and seeking input from government and regulators.

Building awareness and engaging stakeholders is critical, but it isn’t always sufficient.

Yesterday CRTC staff issued penalties of $100,000 to two partners operating as Orcus Technologies for allegedly developing, selling and promoting malware.

One of the two was issued an additional penalty for allegedly operating a secure service used by hackers to communicate with a variety of infected machines.

The parties have 30 days to file representations to the Commission to contest the violations or pay the penalties.

Our investigation found that Orcus Technologies marketed and sold a remote administration tool under the name Orcus RAT. This tool was in fact malware – a Remote Access Trojan – that enabled hackers to install the program and take full control of a victim’s computer without their knowledge, let alone consent.

The CRTC’s work on this file involved domestic and international cooperation with the Royal Canadian Mounted Police, the Federal Bureau of Investigation and the Australian Federal Police. The network of bad actors included individuals in Australia, the United States, Germany, Canada and Belgium, among others.

But our citizens are not only targeted by sophisticated malware and technical threats. The CRTC is now receiving complaints about SIM swapping, which relies more on the exploitation of human psychology than any computer expertise. It’s nonetheless an area that regulators will need to explore as the marketplace evolves.

And telephony still matters! Beyond the importance of cellphones to everyday life, telephony can be an inroad for scams and fraud that target our citizens. Although we don’t have the same scale of robocalls in Canada as in other jurisdictions, we do see telemarketing used to target Canadians.

Two days ago, the heads of the FCC and CRTC conducted a test of the STIR/SHAKEN framework, completing one of the first international authenticated phone calls. STIR/SHAKEN will enable service providers to certify whether a caller’s identity can be trusted by authenticating and verifying the caller ID information for Internet Protocol-based voice calls.

This new framework will reduce the impact of caller ID spoofing so we can better protect Canadians and instill trust in our communications system. This is another great example of how partnerships with our network operators, and collaboration with the FCC and the FTC to understand the threat landscape, have been critical.

Given the complexity of today’s cybersecurity ecosystem, our greatest asset in countering the threats posed by bad actors is strong partnerships that enable us to build on each other’s knowledge and areas of expertise.

This needs to be an ongoing commitment that we all contribute to. Today’s discussion is an important step in moving this work forward.

Thank you.


Media Relations
(819) 997-9403

General Inquiries
(819) 997-0313
Toll-free: 1 (877) 249-CRTC (2782)
TTY: (819) 994-0423