With Canadians reporting millions in financial losses due to cybercrime, the auditor general is warning that the federal government "does not have" the capacity or tools to fight cybercrime effectively, citing a series of alarming examples where agencies fell short.

Auditor general Karen Hogan examined federal departments and agencies' ability to enforce laws against increasingly sophisticated cybercrimes "to ensure the safety and security of Canadians."

She found a series of breakdowns in coordination, information sharing, tracking, and response between those tasked with protecting people from cybercrimes such as romance scams, phishing attempts, ransomware deployment, and identity theft. This resulted in many reported incidents not being directed to the organization best placed to address them.

"Effectively addressing cybercrime depends on reports going to the organizations best equipped to receive them. Those organizations need to act on the reports they receive to help protect Canadians against the risk of financial loss and other harms," reads the 35-page report.

The departments and agencies that came under the microscope for this review were the Royal Canadian Mounted Police (RCMP), the Communications Security Establishment Canada (CSE), the Canadian Radio-television and Telecommunications Commission (CRTC), and Public Safety Canada.

CSE failed to pass on reports

Hogan found that the CSE – which centrally focuses on IT security and foreign signals intelligence – determined that close to half of the 10,850 cybercrime reports it received between 2021 and 2023 were out of its mandate as they related to individuals and not organizations.

It appears that the agency's efforts to further assist these Canadians stopped there, with Hogan's report noting CSE did not advise any of these individuals to report their situations to another authority.

The agency, which hosts the Canadian Centre for Cyber Security, is now facing calls to make sure that cybercrimes reported to it are routed to the organization with the mandate to address them.

During a press conference on Parliament Hill, Hogan was asked what reasons the agency gave for not passing on reports about cybercrime.

"It was a few things, usually either that they just didn't have the resources to respond, or that there were privacy reasons for which they didn't forward along the information," she said. 

CRTC deleted evidence

In looking at the role the CRTC plays in relation to its responsibility to enforce Canada's anti-spam legislation, Hogan's audit team found that in one instance related to a report "involving an offer to sell child sexual exploitation material," the telecommunications agency did not refer the matter to law enforcement.

Instead, they told the complainant to contact law enforcement directly.

In another example, the report flags that, to avoid being served with a search warrant by law enforcement, the CRTC "deleted evidence and returned electronic devices on an accelerated time frame to a person being investigated for violating the anti-spam legislation."

Hogan wants to see the CRTC set clear policies and procedures outlining "when and under what circumstances information it acquires will be shared with law enforcement."

RCMP staffing impacting response

And, while the RCMP is planning to enact a new "National Cybercrime Solution" meant to make it easier for victims to report cybercrimes by creating a shared database for law enforcement agencies, that effort has been delayed as the national police force struggles to staff its cybercrime investigative teams.

As of January 2024, 30 per cent of positions across the RCMP's cyber-related teams were vacant, according to the audit.

Hogan's report did note that when it came to the RCMP's National Cybercrime Coordination Centre, it was largely effective in issuing the majority of its victim notifications within one day, but its processes could be bolstered by instilling a triage procedure based on the urgency of the alleged crime.

The RCMP is now being asked to improve its documentation and tracking processes for cybercrime reports and investigations, and analyze what's behind the struggles in recruiting and retaining specialized cybercrime staff.

Cybercrime reporting 'confusing'

Broadening this out to the bigger picture, the audit notes that in 2022, victims of fraud reported $531 million in financial losses to the RCMP's Canadian Anti-Fraud Centre – more than triple the amount reported in 2020 – the majority of which were cybercrime related.

Hogan cautions that Canada won't be able to sufficiently combat cybercrime until Canadians are able to more easily report it. With estimates that just five to 10 per cent of cybercrimes are reported in this country, an inadequate national system may be contributing to those stats.

"The current system for reporting cybercrime incidents is confusing, and it does not meet the needs of individuals reporting these crimes," she said in a statement accompanying the audit.

Hogan called out the government for not yet enacting a "much needed single point for Canadians to report cybercrime," while being "well coordinated" in their responses to high-priority cases, such as attacks on Government of Canada systems.

In responses given to Hogan's office in advance of the report's tabling, the implicated organizations have agreed with her findings.

Feds vow new strategy

"Because of the increasing sophistication of cybercrime attempts, the low rate of reporting, and the fact that cybercrime does not respect domestic and international borders, collaboration and a strategic response are needed more than ever," the report states.

These findings come just a day after Public Safety, Democratic Institutions and Intergovernmental Affairs Minister Dominic LeBlanc, Foreign Affairs Minister Melanie Joly and Defence Minister Bill Blair issued a blunt warning about the threat malicious foreign cyber activity poses to Canadians.

"State-sponsored actors have demonstrated their desire to target all aspects of our society, including each level of government, the private sector, and even individuals," the statement said. "These states obtain information that can be used to interfere with our political systems and our critical infrastructure, and can be used to threaten or harm people in Canada."

Responding to the audit's findings in the House of Commons foyer, LeBlanc pointed to a series of efforts already underway aimed at further shoring up Canada's cybersecurity capabilities, including a forthcoming national cybersecurity strategy that will outline a "strengthened approach."

"In the last decade our reliance on the internet to take care of everyday things has obviously drastically increased. That comes of course with increased convenience, but it also comes with increased risks," LeBlanc said.