Canada’s key federal agencies have “neither the capacity nor the tools” to protect Canadians from cyberattacks, the auditor general has found in a recent report tabled on Tuesday.
In the report, Auditor General Karen Hogan describes breakdowns in response, co-ordination, enforcement, tracking, and analysis between and across the organizations.
Hogan’s review looked at the RCMP, the Communications Security Establishment cyberspy agency and the Canadian Radio-television and Telecommunications Commission.
“We found that these organizations have neither the capacity nor the tools to effectively fight cybercrime. As cyberattacks grow in number and sophistication, part of the issue is the federal government’s siloed and disconnected approach,” Hogan said while tabling the report.
She said her office found “breakdowns in response coordination, tracking and information sharing between and across federal organizations.”
Hogan added that addressing cyber crimes depended on incident reports made to the organizations responsible for tackling them. She said the current system for reporting cyber crimes was “confusing and it does not meet the needs of individuals reporting these crimes.”
She found people were left to figure out where to make a cybercrime report, and might even have been asked to report the same incident to another organization.
For instance, after learning of an offer to sell child sexual exploitation material, the CRTC did not refer the matter to law enforcement but rather told the complainant to contact police directly.
Public Safety Minister Dominic LeBlanc said he welcomes the AG’s report, adding that the threat of cyberattacks has grown in the last decade.
“In the last decade, our reliance on the Internet to take care of everyday things has obviously drastically increased. That comes, of course, with increased convenience, but it also comes with increased risks. That’s why over the last number of years we have increased law enforcement’s capacity to investigate and combat cyber crime. In 2020, we invested $137.5 million to establish the National Cyber Crime Coordination Centre,” he said during a press conference Tuesday.
The agency, LeBlanc said, works closely with international investigative agencies like Europol, Interpol and the FBI.
“It also works closely with companies to warn them that they are under cyber attack so they can take the appropriate actions and limit data leaks, business interruptions and have to pay ransom,” he said.
The auditor also says the RCMP has struggled to staff its cybercrime investigative teams, with almost one-third of positions vacant as of January.
In 2022, victims of fraud reported a total of $531 million in financial losses to the RCMP’s Canadian Anti-Fraud Centre, the report notes. Three quarters of these reports involved cybercrime.
However, only five to 10 per cent of cybercrimes are reported. “Without prompt action, financial and personal information losses will only grow as the volume of cybercrime and attacks continues to increase.”
The report says effectively addressing cybercrime depends on reports going to the organizations best equipped to receive them. While the RCMP, the CSE and Public Safety Canada have pondered a single point for Canadians to report cybercrime, “this has yet to be implemented.”
Between 2021 and 2023, the CSE deemed that almost half of the 10,850 reports it received were out of its mandate because they related to individual Canadians and not to organizations, Hogan found. “However, it did not respond to many of these individuals to inform them to report their situation to another authority.”
The report says the RCMP and CSE were often well co-ordinated in their responses to potential high-priority cases, such as attacks on government systems or critical infrastructure.
In addition, the RCMP, through its National Cybercrime Co-ordination Centre, forged partnerships with Canadian and international enforcement agencies to understand the needs of these agencies and align efforts.
“However, it did not always forward to domestic police agencies requests for information it received from international partners.”
The auditor also found poor case management limited the ability of the Mounties to respond to cybercrime incidents, as well as a lack of RCMP procedures and service standards to manage victim notifications.
The CRTC “does little to protect Canadians against online threats,” the report says.
In one instance, the CRTC deleted evidence and returned electronic devices on an accelerated time frame to a person being investigated for violating anti-spam legislation, to avoid being served with a search warrant by a law enforcement agency.
In addition, the National Cyber Security Strategy developed by Public Safety Canada had critical gaps, such as the absence of the CRTC as a key player, despite its mandate to enforce anti-spam legislation.
–With files from Canadian Press