The federal government is facing significant challenges in its response to increasing cyberattacks, according to a report released by the Auditor General. The report, presented in the House of Commons, highlights serious deficiencies in coordination among agencies responsible for protecting government information technology systems.
Auditor General Karen Hogan stated that the government’s cybersecurity defenses are inadequate, particularly during active attacks. The report indicates that not all federal departments are utilizing recommended cybersecurity protections, which has led to delays that allowed attackers prolonged access to sensitive personal information.
"Gaps in cybersecurity defenses undermine the government’s ability to protect critical information and manage cybersecurity risks," Hogan said. The audit focused on three key agencies: the Treasury Board of Canada Secretariat, Communications Security Establishment Canada (CSE), and Shared Services Canada. While these agencies have the necessary tools to defend against cyber threats, the report found that many departments are not fully utilizing these resources.
From April 2023 to March 2024, CSE blocked approximately 2.4 trillion suspicious cybersecurity events, while Shared Services Canada blocked around 6.6 trillion events from October 2023 to September 2024. Despite these efforts, the report noted that there have been significant breaches, including a 2014 incident at the National Research Council Canada that resulted in a loss of intellectual property and cost the government an estimated $100 million to rectify.
In January 2024, Global Affairs Canada experienced a month-long cyberattack that compromised its network and led to the theft of personal information. Shortly after, the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) had to take some systems offline due to an attack.
The report also pointed out that not all federal organizations are required to use the cybersecurity services provided by CSE and Shared Services Canada. Of the 204 federal organizations, 85 are mandated to use both CSE’s cybersecurity sensors and Shared Services’ secure internet service. However, 26% of these organizations did not utilize the secure internet service, and many of the remaining 119 organizations are not required to use these services, although they are encouraged to do so.
Hogan emphasized that the inconsistent use of cybersecurity services has hindered the government’s ability to monitor and respond to cyber threats effectively. The audit revealed that during a recent major cyberattack, slow coordination and limited information sharing delayed the government’s response by seven days, allowing attackers extended access to sensitive information.
The report also highlighted that Shared Services Canada and CSE do not maintain a complete inventory of government IT devices, which complicates their ability to monitor cybersecurity events. Shared Services Canada has been working on this inventory since 2017, but the project remains incomplete and is not expected to finish until at least 2027.
Hogan concluded that without a comprehensive understanding of the IT assets used by federal organizations, the government is at risk of being unprepared for evolving cybersecurity threats. The report calls on the three main departments to reevaluate their cybersecurity incident management practices, which they have agreed to do. The audit also noted that CSE has identified China as a significant cyber threat to Canada, alongside threats from Russia, Iran, North Korea, and India.