From deleting evidence to dismissing reports, audit finds Canadian agencies fall short on fighting cybercrime

With Canadians reporting millions in financial losses due to cybercrime, the auditor general is warning that the federal government “does not have” the capacity or tools to fight cybercrime effectively, citing a series of alarming examples where agencies fell short.

In a new report presented Tuesday, auditor general Karen Hogan examined federal departments and agencies’ ability to enforce laws against increasingly sophisticated cybercrimes “to ensure the safety and security of Canadians.”

She found a series of breakdowns in coordination, information sharing, tracking, and response between those tasked with protecting people from cybercrimes such as romance scams, phishing attempts, deploying ransomware, and identity theft. This resulted in many reported incidents not being directed to the organization best placed to address them.

“Effectively addressing cybercrime depends on reports going to the organizations best equipped to receive them. Those organizations need to act on the reports they receive to help protect Canadians against the risk of financial loss and other harms,” reads the 35-page report.

The departments and agencies that came under the microscope for this review were the Royal Canadian Mounted Police (RCMP), the Communications Security Establishment Canada (CSE), the Canadian Radio-television and Telecommunications Commission (CRTC), and Public Safety Canada.

CSE failed to pass on reports

Hogan found that the CSE – which centrally focuses on IT security and foreign signals intelligence – determined that close to half of the 10,850 cybercrime reports it received between 2021 and 2023 were out of its mandate as they related to individuals and not organizations.

It appears that the agency’s efforts to further assist these Canadians stopped there, with Hogan’s report noting CSE did not inform any of these individuals to report their situations to another authority.

The agency, which hosts the Canadian Centre for Cyber Security, is now facing calls to make sure that cybercrimes reported to them are routed to the organization with the mandate to address them.

CRTC deleted evidence

In looking at the role the CRTC plays in relation to its responsibility to enforce Canada’s anti-spam legislation, Hogan’s audit team found that in one instance related to a report “involving an offer to sell child sexual exploitation material,” the telecommunications agency did not refer the matter to law enforcement.

Instead, they told the complainant to contact law enforcement directly.

In another example, the report flags that to avoid being served with a search warrant by law enforcement; the CRTC “deleted evidence and returned electronic devices on an accelerated time frame to a person being investigated for violating the anti-spam legislation.”

Hogan wants to see the CRTC set clear policies and procedures outlining “when and under what circumstances information it acquires will be shared with law enforcement.”

RCMP staffing impacting response

And, while the RCMP is planning to enact a new “National Cybercrime Solution” meant to make it easier for victims to report cybercrimes by creating a shared database for law enforcement agencies, that effort has been delayed as the national police force struggles to staff its cybercrime investigative teams.

As of January 2024, 30 per cent of positions across the RCMP’s cyber-related teams were vacant, according to the audit.

Hogan’s report did note that when it came to the RCMP’s National Cybercrime Coordination Centre, it was largely effective in issuing the majority of its victim notifications within one day, but its processes could be bolstered by instilling a triage procedure based on the urgency of the alleged crime.

The RCMP is now being asked to improve its documentation and tracking processes for cybercrime reports and investigations, and analyze what’s behind the struggles in recruiting and retaining specialized cybercrime staff.

Cybercrime reporting ‘confusing’

Broadening this out to the bigger picture, the audit notes that in 2022, victims of fraud reported $531 million in financial losses to the RCMP’s Canadian Anti-Fraud Centre – more than triple the amount reported in 2020 – the majority of which were cybercrime related.

Hogan cautions that Canada won’t be able to sufficiently combat cybercrime until Canadians are able to more easily report it, and with estimates being that between just five and 10 per cent of cybercrimes are reported in this country, a lacking national system may be contributing to those stats.

“The current system for reporting cybercrime incidents is confusing, and it does not meet the needs of individuals reporting these crimes,” she said in a statement accompanying the audit.

Hogan called out the government for not yet enacting a “much needed single point for Canadians to report cybercrime,” while being “well coordinated” in their responses to high-priority cases, such as attacks on Government of Canada systems.

In responses given to Hogan’s office in advance of the report’s tabling, the implicated organizations have agreed with her findings.

Federal response coming

“Because of the increasing sophistication of cybercrime attempts, the low rate of reporting, and the fact that cybercrime does not respect domestic and international borders, collaboration and a strategic response are needed more than ever,” the report states.

Hogan is holding a press conference to further discuss her latest reports at 1 p.m. ET on Parliament Hill.

These findings come just a day after Public Safety, Democratic Institutions and Intergovernmental Affairs Minister Dominic LeBlanc, Foreign Affairs Minister Melanie Joly and Defence Minister Bill Blair issued a blunt warning about the threat malicious foreign cyber activity poses to Canadians.

“State-sponsored actors have demonstrated their desire to target all aspects of our society, including each level of government, the private sector, and even individuals,” the statement said. “These states obtain information that can be used to interfere with our political systems and our critical infrastructure, and can be used to threaten or harm people in Canada.”

Minister LeBlanc and other members of cabinet will respond to the audit’s findings in the House of Commons foyer at 2 p.m. ET.

This is a breaking news story, check back for updates…