Canada’s Cybersecurity Agencies Struggle with Case Tracking

OTTAWA – Canada’s security agencies, including the Royal Canadian Mounted Police (RCMP), lack the capacity and capability to effectively police cybercrime, according to a new report from Auditor General Karen Hogan. Released on Tuesday, the report underscores the urgent need for improved cybercrime management to protect Canadians’ financial and personal information.

“Without prompt action, financial and personal information losses will only grow as the volume of cybercrime and attacks continues to increase,” warned Hogan.

The comprehensive audit reviewed the cybercrime management practices of the RCMP, the Communications Security Establishment (CSE)—which houses the Canadian Centre for Cyber Security—and the Canadian Radio-television and Telecommunications Commission (CRTC). The report highlights significant issues in response, coordination, enforcement, tracking, and analysis among these organizations.

“We found breakdowns in response, coordination, enforcement, tracking, and analysis between and across the organizations responsible for protecting Canadians from cybercrime,” the report states.

A critical flaw identified in the current system is the fragmented reporting process. “Under the current system, people are left to figure out where to make a report or may be asked to report the same incident to another organization,” said Hogan’s report.

From 2021 to 2023, nearly half of the 10,850 reports received by the CSE were deemed outside its mandate as they pertained to individual Canadians rather than organizations. Furthermore, in many instances, the CSE failed to redirect individuals to the appropriate authorities.

The report highlights significant challenges faced by the RCMP, including inadequate case tracking and staffing shortages. “This impaired the federal policing branch’s ability to understand the full picture of cybercrime cases reported to its cybercrime unit and to keep track of specific cases assigned to the unit for investigation,” noted the report. As of January 2024, almost one-third of positions in the RCMP’s cybercrime unit were vacant.

In 2022, victims of fraud reported $531 million in financial losses to the RCMP’s Canadian Anti-Fraud Centre, with three-quarters of these reports involving cybercrime. However, only five to ten percent of cybercrimes are reported, according to the report.

The RCMP’s National Cybercrime Coordination Centre has established relationships with Canadian and international enforcement agencies. However, the report indicates that the RCMP did not always forward information requests from international partners to domestic police agencies.

The CRTC, through its anti-spam reporting center, receives numerous reports of phishing, malware, identity theft, and online scams. Yet, many cybercrime-linked incidents reported to the CRTC were not investigated due to its limited authority to share information with law enforcement, constrained by the civil nature of the anti-spam law and potential privacy breaches.

The report concludes with a call for immediate action to address these systemic issues. While there have been discussions about creating a single reporting point for cybercrime, this has not yet been implemented.

As cybercrime continues to escalate, the need for a coordinated, efficient, and well-resourced response mechanism is critical to safeguarding Canadians from the growing threat of cyber attacks.