There are “significant gaps” in the way the federal government responds to the increasing number of dangerous cyberattacks, a new report from the federal auditor general revealed.
The report, tabled in the House of Commons on Tuesday morning, found co-ordination among the agencies tasked with protecting the federal government’s IT systems and operations was insufficient during active attacks and that not all departments use the recommended protections.
In at least one case, those delays allowed “the attacker prolonged access to personal information.”
“Gaps in cybersecurity defences undermine the government’s ability to protect critical information and manage cybersecurity risks,” said the report.
The audit found the three agencies responsible for cyber defence — the Treasury Board of Canada Secretariat, Communications Security Establishment Canada (CSE) and Shared Services Canada — had the tools in place to protect and defend government networks and systems from cyberattacks.
However, Auditor General Karen Hogan said not all departments, agencies and Crown corporations were using the cybersecurity services on offer, pointing to gaps in co-ordination and information sharing during attacks.
The audit showed the government’s cyber fortresses are under constant attack.
From April 2023 to March 2024, CSE’s sensors blocked about 2.4 trillion suspicious cybersecurity events, from simple network scans to sophisticated cyberattacks, the audit found, while Shared Services Canada blocked about 6.6 trillion suspicious cybersecurity events from October 2023 through September 2024.
Auditor General Karen Hogan speaks during a news conference on Dec. 2, 2024. (Adrian Wyld/The Canadian Press)There have also been major successful hits.
For example, in 2014, a breach at the National Research Council Canada resulted in the loss of intellectual property, cost the government an estimated $100 million to fix and resulted in a years-long project to rebuild the organization’s network, the audit found.
In January 2024, Global Affairs Canada was subject to a month-long cyberattack that compromised its network and resulted in the theft of personal information. A few weeks later, the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) had to take some of its corporate systems offline during an attack, the report said.
Not all departments using cyber screens: AGDespite the increasing number of sophisticated attacks, the report flagged inconsistent use of cyber tools.
CSE uses cybersecurity defence sensors to detect and mitigate cybersecurity events, while Shared Services Canada offers what’s called its “enterprise internet service,” which provides secure connectivity for federal government users to access the internet and for Canadians to access government websites.
Across all the 204 federal organizations, 85, including most large departments, are required to use both programs. While all 85 deployed CSE’s sensors, 26 per cent were not using the enterprise internet service.
The remaining 119 federal organizations are not subject to the same policies and not required to use CSE and Shared Services’ cybersecurity services — but they are strongly encouraged to do so.
While the majority did deploy CSE’s sensors, most did not use Shared Service’s secure connection.
“The inconsistent use of these cybersecurity services has impacted the government’s awareness of cybersecurity events across the federal public service and its ability to defend its networks and systems from cyberattacks and from threat actors seeking to disrupt government operations,” the report said.
The auditors heard from organizations not using the services who suggested maintenance could be improved. And Crown corporations offered that using these cybersecurity services could be perceived as a threat to independence.
In both 2022 and 2023, the National Security and Intelligence Committee of Parliamentarians (NSICOP), one of the country’s independent watchdogs, also found that because policies intended to secure government systems were not uniformly applied across the federal family, the whole system is at risk.
In one report, NSICOP argued these gaps leave government agencies holding vast amounts of data on Canadians and businesses susceptible to state-sponsored hackers from countries like China and Russia.
Co-ordination was 'insufficient' during attacksHogan's audit found delays in how Ottawa monitored security breaches, increasing the likelihood that cyberattackers will make off with personal or sensitive information.
Co-ordination between the three main cyber organizations was “insufficient” during active cyberattacks, the report said.
“In a recent major attack on a federal department, slow co-ordination and limited information-sharing delayed the government’s response by seven days, extending the time during which the attacker had access to public servants’ personal information,” it said.
When responding to the attack, CSE had an urgent need to access key, sensitive information from Shared Services Canada to evaluate the significance and source of the ongoing cyberattack, said the report.
“However, because of incomplete procedures and protocols for sharing that information, it took seven days to request and transmit the information, which delayed the response to the cyberattack,” it said.
The report said on more than one occasion during a cyberattack, the federal organization under attack had difficulty reaching subject experts at Shared Services Canada to get urgent technical support to assist.
WATCH | Is Canada ready to combat cyber threats? (From Oct. 2024):A new report from Canada’s cyber spy agency warned cybercrime is persistent and widespread across all levels of government. The head of the Canadian Centre for Cyber Security Rajiv Gupta breaks down the threats facing Canada and what is being done to combat them.The audit recommended the three main departments re-evaluate their cybersecurity incident management practices, which they agreed to do.
The audit further found Shared Services Canada and the CSE did not have complete, up-to-date inventories of government IT devices, like laptops and smartphones, by the federal organizations they serviced.
The report pointed out that Shared Services Canada began work to address this gap in 2017, but the project has not yet been completed and is now expected to continue until at least 2027.
“The incomplete inventory also made it difficult for the department and the agency to obtain a complete understanding of the IT assets that federal organizations were using and their inherent vulnerabilities that could be exploited in a cyberattack,” it said.
In a joint statement, Joël Lightbound, the minister responsible for Shared Services Canada, and Treasury Board President Shafqat Ali said they are investing in enhanced monitoring and real-time threat detection.
"Canadians expect their government to keep their personal information and the systems they rely on secure," said the statement.
"In an increasingly complex and hostile digital environment, cybersecurity is not only a technical responsibility — it is a national priority and a key pillar of public trust in government institutions.
CSE has repeatedly warned that China poses the most sophisticated and active cyberthreat to Canada. In its most recent annual report, it also said Canada faces cyberthreats from Russia, Iran, North Korea and India.