Three key agencies lacked the “capacity and tools” to effectively protect Canadians from cyberattacks and tackle the growing threat of online crime, the federal spending watchdog has found.
In a report released on June 4, Auditor General Karen Hogan describes breakdowns in response, co-ordination, enforcement, tracking, and analysis between and across the organizations.
Ms. Hogan’s review looked at the RCMP, the Communications Security Establishment cyberspy agency and the Canadian Radio-television and Telecommunications Commission.
She found people were left to figure out where to make a cybercrime report, or may have been asked to report the same incident to another organization.
For instance, after learning of an offer to sell child sexual exploitation material, the CRTC did not refer the matter to law enforcement but rather told the complainant to contact police directly.
The auditor also says the RCMP has struggled to staff its cybercrime investigative teams, with almost one-third of positions vacant as of January.
In 2022, victims of fraud reported a total of $531 million in financial losses to the RCMP’s Canadian Anti-Fraud Centre, the report notes. Three quarters of these reports involved cybercrime.
However, the centre estimates only five to 10 per cent of cybercrimes are reported. “Without prompt action, financial and personal information losses will only grow as the volume of cybercrime and attacks continues to increase.”
Public Safety Minister Dominic LeBlanc welcomed the report and underscored the seriousness of the threat.
“In the last decade, our reliance on the internet to take care of everyday things has obviously drastically increased,” he told reporters. “That comes of course with increased convenience, but it also comes with increased risks.”
The report says effectively addressing cybercrime depends on reports going to the organizations best equipped to receive them. While the RCMP, the CSE and Public Safety Canada have pondered a single point for Canadians to report cybercrime, “this has yet to be implemented.”
Between 2021 and 2023, the CSE deemed that almost half of the 10,850 reports it received were out of its mandate because they related to individual Canadians and not to organizations, Ms. Hogan found. “However, it did not respond to many of these individuals to inform them to report their situation to another authority.”
The report says the RCMP and CSE were often well co-ordinated in their responses to potential high-priority cases, such as attacks on government systems or critical infrastructure.
In addition, the RCMP, through its National Cybercrime Co-ordination Centre, forged partnerships with Canadian and international enforcement agencies to understand the needs of these agencies and align efforts.
“However, it did not always forward to domestic police agencies requests for information it received from international partners.”
The auditor also found poor case management limited the ability of the Mounties to respond to cybercrime incidents, as well as a lack of RCMP procedures and service standards to manage victim notifications.
The CRTC “does little to protect Canadians against online threats,” the report says.
In one instance, the CRTC deleted evidence and returned electronic devices on an accelerated time-frame to a person being investigated for violating anti-spam legislation, to avoid being served with a search warrant by a law enforcement agency.
In addition, the national cybersecurity strategy developed by Public Safety Canada had critical gaps, such as the absence of the CRTC as a key player, despite its mandate to enforce anti-spam legislation.
Among the auditor’s recommendations:
— Agencies should work together to ensure that cybercrimes reported by Canadians are routed to the organization with the mandate to address them;
— the National Cybercrime Co-ordination Centre should establish procedures to identify the most urgent victim notifications and ensure that they are sent first;
— the co-ordination centre should ensure all requests for assistance received from domestic and international partners are fully documented and completed so that all necessary information is provided as part of the response;
— and the CRTC should ensure that roles and responsibilities of officials responsible for enforcement comply with the requirements of the legislation.
In the report, various agencies spelled out steps being taken to address the recommendations.
Mr. LeBlanc also pointed to the government’s forthcoming revised cybersecurity strategy, saying it would “outline a strengthened approach” to protecting Canada’s economic interests and critical infrastructure.