OTTAWA — Canada’s efforts to stop cybercriminals are scattered and under-resourced, and victims who report crimes to the wrong authorities stand a good chance of having their complaints just thrown away, the federal auditor general reported Tuesday.
OTTAWA — Canada’s efforts to stop cybercriminals are scattered and under-resourced, and victims who report crimes to the wrong authorities stand a good chance of having their complaints just thrown away, the federal auditor general reported Tuesday.
OTTAWA — Canada’s efforts to stop cybercriminals are scattered and under-resourced, and victims who report crimes to the wrong authorities stand a good chance of having their complaints just thrown away, the federal auditor general reported Tuesday.
“We found breakdowns in response, coordination, enforcement, tracking and analysis between and across the organizations responsible for protecting Canadians from cybercrime,” auditor Karen Hogan’s report said.
Talking Points
Online crimes are already known to be a $531-million-a-year problem, based on limited 2022 figures, and “without prompt action, financial and personal information losses will only grow as the volume of cybercrime and attacks continues to increase,” the auditors found.
Responsibility for cybercrime is shared among different parts of the Royal Canadian Mounted Police, the Communications Security Establishment (CSE) defence agency, the Public Safety Department and the Canadian Radio-television and Telecommunications Commission (CRTC).
“We found that these organizations have neither the capacity nor the tools to effectively fight cybercrime as cyberattacks grow in number and sophistication,” Hogan said in a news conference about her reports.
The public would be better served if there were a single place to go to report cybercrimes and attacks, she said. The various authorities have talked about creating one but have not.
Even so, Hogan said, the various agencies should be doing better: “You don’t need [a single report-taking window] to agree that if a report that comes to you now is not within your mandate, you should do something about it.”
The Mounties are missing about 30 per cent of the staff they’re supposed to have to investigate cybercrime, the auditors found, and they aren’t even sure why: “The RCMP had not done an internal labour market analysis of its existing workforce, its workforce needs, and how employees advance within it,” the report said.
(The RCMP did tell the auditors that cyber experts can make more money in the private sector for similar work.)
Though the RCMP are the key investigators and enforcers, they aren’t the only ones with responsibility when it comes to cybercrime. Often, regular people don’t know where to turn, and they suffer for it, the audit report said.
The way the CSE-run Canadian Centre for Cyber Security handles reports of cyber incidents is symbolic of the confusion. More than a third of the reports it gets from individuals who believe they’ve been victims of cybercrime, it simply deletes, the auditors found.
The centre does a great job responding to high-priority cases, the auditors said, particularly ones involving the government or critical infrastructure. It moves fast, informs victims if they’re unaware they’ve been targeted, alerts enforcement partners like the Mounties and checks in with victims afterward.
But the cybersecurity centre isn’t a law-enforcement agency itself. Its mandate is to work with governments and private enterprises to keep them secure. Despite the extensive information it has for individuals worried about cybercrime and cyberattacks, helping cybercrime victims one-on-one isn’t its job.
The CSE would explain as much if you were a private citizen reporting a possible cybercrime to the agency in the two years the auditors examined, but only if you made your report by phone or email. If you filed one of the 1,870 such reports the agency got via its web reporting form in that period, you were out of luck.
Instead of being advised to take your report to the police, you’d hear nothing. The CSE would determine that your individual report was not its responsibility, and would neither reply nor forward your report anywhere, the auditors found.
The centre might not even have assessed your concern correctly, says the report: “The establishment’s Canadian Centre for Cyber Security deleted information from all out-of-mandate reports almost immediately. However, we found that the establishment did not have controls to ensure that reports were accurately assessed as being out of mandate before deletion.”
Hogan said often when agencies didn’t respond to reports, it was due to lack of resources or proper authority. This particular practice was “unique,” she said. She didn’t have an explanation.
“Canadians are going to find it confusing and probably frustrating that they don’t know what’s happened to a report,” Hogan said.
The CSE’s spokesperson Janny Bender Asselin told The Logic in an email that the agency can’t forward reports that are out of its bailiwick to other authorities because of privacy rules, but recognizes the concern.
“We are working with our federal partners to establish a single-window solution for reporting cyber incidents with the ultimate goal to ensure Canadians can always find the help they need,” she wrote.
A federal cyber-incident reporting portal now directs individuals to numerous other agencies, depending on the type of incident.
Elsewhere, the CRTC is responsible for efforts to fight email spam, because it oversees internet providers. Spam messages are often the beginnings of cybercrimes—attempts to rip recipients off or steal their personal information—but the commission doesn’t do very much with cybercrime-related reports, the auditors found.
They estimated the CRTC got about 75,000 cybercrime-linked spam reports in 2022–23 alone. Over three years, the auditors said, it initiated just six investigations. Three of those have led to “enforcement actions” such as monetary penalties, which is as much as the CRTC is permitted by law to impose.
But in one of those cases, the commission acted bizarrely, the audit report says. It had used its spam-investigating authority to seize “electronic devices” from someone it subsequently learned was also under criminal investigation. CRTC investigators told police that they had taken the electronics, but when the police said they’d be getting a search warrant for the devices, the CRTC got permission from the owner to wipe the devices to avoid being served with the warrant.
The report does not say what possible crime was being probed or what happened to the investigation.
Even within the CRTC, the enforcement arm and the legal department don’t get along in ways that affect the commission’s effectiveness, the audit found. “We observed that there was a marked lack of trust and civility between these two teams,” the auditors reported.
Public Safety Minister Dominic LeBlanc said in a statement that he welcomes the audit and its recommendations. Cybercrime is inherently complex and multijurisdictional, all the authorities need to work together, and Bill C-26—the cybersecurity law that has been plodding through Parliament for nearly two years—will help, he said.
“I have every confidence in our law enforcement and intelligence agencies’ ability to continue to keep Canadians safe online,” LeBlanc’s statement said.
Loading...
You have shared 5 articles this month and reached the maximum amount of shares available.
CloseIf you would like to purchase a sharing license please contact The Logic support at [email protected].
CloseYou have gifted 0 article(s) this month and have 5 remaining.
Recipients will be able to read the full text of the article after submitting their email address. They will not have access to other articles or subscriber benefits.
Get up to speed in minutes with insights and analysis on the most important stories of the day, every weekday.
See the bigger picture with reporters and industry experts in subscriber-exclusive events.
Membership provides access to our popular Slack channel, participation in subscriber surveys and invitations to exclusive events with our journalists and special guests.