Canadian agencies do not have the capacity or capability to police cybercrime: AG

The auditor general looked at how Canadian agencies handle hacks on businesses, organizations and individuals.   (RedPixel/ - image credit)
The auditor general looked at how Canadian agencies handle hacks on businesses, organizations and individuals. (RedPixel/ - image credit)

The RCMP and other Canadian security agencies do not have the capacity or capability to effectively police cybercrime, says a new report from Canada's auditor general.

"Without prompt action, financial and personal information losses will only grow as the volume of cybercrime and attacks continues to increase," said Auditor General Karen Hogan's report, made public Tuesday.

The report looked at how the RCMP, the Communications Security Establishment (CSE) — which hosts the Canadian Centre for Cyber Security — and the Canadian Radio-television and Telecommunications Commission (CRTC) handle hacks on businesses, organizations and individuals.

"We found breakdowns in response, co-ordination, enforcement, tracking, and analysis between and across the organizations responsible for protecting Canadians from cybercrime."

One of the main flaws in the system, says the auditor general, has to do with reporting.

"Under the current system, people are left to figure out where to make a report or may be asked to report the same incident to another organization," said the report.

Between 2021 and 2023, for example, CSE deemed that almost half of the 10,850 reports it received were outside its mandate because they related to individual Canadians and not to organizations.

But the auditor general's office said that in many cases, CSE did not tell people to report their situations to another authority.

While the RCMP, the CSE and Public Safety Canada have considered establishing a single point for Canadians to report acts of cybercrime, "this has yet to be implemented," the report notes.

RCMP could not accurately track cases: report

When cases do make it to the RCMP, which is responsible for investigating criminal offences, they face another set of challenges, according to the report.

The auditor general's report said that the RCMP hasn't been tracking cases properly.

"This impaired the federal policing branch's ability to understand the full picture of cybercrime cases reported to its cybercrime unit and to keep track of specific cases assigned to the unit for investigation," said the report.

"As a result, the federal policing branch was unable to produce an accurate count of all the potential cybercrimes reported to it and could not accurately track the cases assigned to the cybercrime unit."

WATCH | System for reporting cybercrime confusing, lacks co-ordination, auditor general says

The RCMP also doesn't have the people.

The report said the RCMP has struggled to staff its cybercrime investigative teams. As of January 2024, almost one-third of positions in the cybercrime unit was were vacant, it said.

In 2022, victims of fraud reported $531 million in financial losses to the RCMP's Canadian Anti-Fraud Centre. Three quarters of these reports involved cybercrime, the report said.

But only five to 10 per cent of cybercrimes are reported, said the report.

The RCMP, through its National Cybercrime Co-ordination Centre, has cultivated relationships with Canadian and international enforcement agencies.

"However, it did not always forward to domestic police agencies requests for information it received from international partners," said the report.

Child porn tip not passed on to RCMP: report 

The audit said the CRTC receives reports through its anti-spam reporting centre, which was set up to protect Canadians from phishing attempts, malware, identity theft and online scams. The report says that thousands of those reports were actually cybercrime-linked incidents that were not investigated.

The CRTC told the auditor general's office that's because it has limited authority to share information with law enforcement agencies because the anti-spam law is a civil law, and disclosing information to criminal law enforcement agencies could lead to breaches of Canadians' privacy rights.

Darryl Dyck/The Canadian Press
Darryl Dyck/The Canadian Press

In one troubling case cited in the auditor general's report, the CRTC received a report through the spam reporting centre from an individual about an offer to purchase child sexual exploitation material. Rather than forwarding the report to law enforcement, the CRTC contacted the individual and asked them to report the incident to law enforcement. It is not known whether the individual did so.

"We raised our concerns with the CRTC that it did not forward this report to a law enforcement agency, as required by its operating procedures. The CRTC disagreed and took the position that its operating procedures do not require it to inform law enforcement because the person who made the report to the online spam reporting centre was not the potential victim or at immediate risk of harm," wrote the auditors office.

"As a result, we informed the RCMP of the incident in April 2024."

In another case cited in the report, the CRTC deleted evidence and returned electronic devices to a person being investigated for violating anti-spam legislation, to avoid being served with a search warrant by a law enforcement agency.

The report did contain some praise.

The report said the RCMP and CSE were often well co-ordinated in their responses to high-priority cases, such as attacks on government systems or critical infrastructure.

The report made multiple recommendations aimed at the three agencies and the federal government. All the relevant agencies and departments accepted the auditor general's recommendations.

Public Safety Minister Dominic LeBlanc said the government is launching a cyber security strategy "in the coming months."

"This strategy will outline a strengthened, whole-of-society approach to protecting Canada's economic interests from cyber threats," he said in a media statement.

"I have every confidence in our law enforcement and intelligence agencies' ability to continue to keep Canadians safe online."