Auditor General of Canada Karen Hogan speaks during a press conference at the National Press Theatre in Ottawa, on Tuesday, March 19, 2024. THE CANADIAN PRESS/Spencer Colby

Auditor General of Canada Karen Hogan speaks during a press conference at the National Press Theatre in Ottawa, on Tuesday, March 19, 2024. THE CANADIAN PRESS/Spencer Colby

Audit finds Canada not prepared to protect citizens from cybercrime

Probe finds RCMP, CRTC, and cyberspy security agency lack capacity and tools

Three key agencies lacked the “capacity and tools” to effectively protect Canadians from cyberattacks and tackle the growing threat of online crime, the federal spending watchdog has found.

In a report Tuesday, Auditor General Karen Hogan describes breakdowns in response, co-ordination, enforcement, tracking, and analysis between and across the organizations.

Hogan’s review looked at the RCMP, the Communications Security Establishment cyberspy agency and the Canadian Radio-television and Telecommunications Commission.

She found people were left to figure out where to make a cybercrime report, and might even have been asked to report the same incident to another organization.

For instance, after learning of an offer to sell child sexual exploitation material, the CRTC did not refer the matter to law enforcement but rather told the complainant to contact police directly.

The auditor also says the RCMP has struggled to staff its cybercrime investigative teams, with almost one-third of positions vacant as of January.

In 2022, victims of fraud reported a total of $531 million in financial losses to the RCMP’s Canadian Anti-Fraud Centre, the report notes. Three quarters of these reports involved cybercrime.

However, only five to 10 per cent of cybercrimes are reported. “Without prompt action, financial and personal information losses will only grow as the volume of cybercrime and attacks continues to increase.”

The report says effectively addressing cybercrime depends on reports going to the organizations best equipped to receive them. While the RCMP, the CSE and Public Safety Canada have pondered a single point for Canadians to report cybercrime, “this has yet to be implemented.”

Between 2021 and 2023, the CSE deemed that almost half of the 10,850 reports it received were out of its mandate because they related to individual Canadians and not to organizations, Hogan found. “However, it did not respond to many of these individuals to inform them to report their situation to another authority.”

The report says the RCMP and CSE were often well co-ordinated in their responses to potential high-priority cases, such as attacks on government systems or critical infrastructure.

In addition, the RCMP, through its National Cybercrime Co-ordination Centre, forged partnerships with Canadian and international enforcement agencies to understand the needs of these agencies and align efforts.

“However, it did not always forward to domestic police agencies requests for information it received from international partners.”

The auditor also found poor case management limited the ability of the Mounties to respond to cybercrime incidents, as well as a lack of RCMP procedures and service standards to manage victim notifications.

The CRTC “does little to protect Canadians against online threats,” the report says.

In one instance, the CRTC deleted evidence and returned electronic devices on an accelerated time frame to a person being investigated for violating anti-spam legislation, to avoid being served with a search warrant by a law enforcement agency.

In addition, the National Cyber Security Strategy developed by Public Safety Canada had critical gaps, such as the absence of the CRTC as a key player, despite its mandate to enforce anti-spam legislation.

READ ALSO: ‘Sophisticated cybersecurity incidents’ hit B.C. government networks

READ ALSO: British Columbia government lax on cybersecurity practices, auditor reports

cybersecurity