The RCMP and other Canadian security agencies do not have the capacity or capability to effectively police cybercrime, according to a new report from Canada’s auditor general — a concerning problem, it says, in the face of increasingly frequent and devastating blows.
“Without prompt action, financial and personal information losses will only grow as the volume of cybercrime and attacks continues to increase,” said the report, made public Tuesday.
The report looked at how the Mounties, Communications Security Establishment (CSE) — which hosts the Canadian Centre for Cyber Security — and the Canadian Radio-television and Telecommunications Commission (CRTC) handle hacks on businesses, organizations and individuals.
“We found breakdowns in response, coordination, enforcement, tracking, and analysis between and across the organizations responsible for protecting Canadians from cybercrime.”
One of the main gaps in the system, according to the auditor general, is around reporting.
“Under the current system, people are left to figure out where to make a report or may be asked to report the same incident to another organization,” said their report.
For example, between 2021 and 2023, CSE deemed that almost half of the 10,850 reports it received were out of its mandate because they related to individual Canadians and not to organizations.
However, the auditor general’s office said in many cases, CSE did not tell people to report their situation to another authority.
When cases do make it to the RCMP, which is responsible for investigating criminal offences, they face another set of challenges, according to the report.
When the auditor general peeked under the RCMP’s hood it found the Mounties weren’t tracking cases properly.
“This impaired the federal policing branch’s ability to understand the full picture of cybercrime cases reported to its cybercrime unit and to keep track of specific cases assigned to the unit for investigation,” said the report.
“As a result, the federal policing branch was unable to produce an accurate count of all the potential cybercrimes reported to it and could not accurately track the cases assigned to the cybercrime unit.”
It also doesn’t have the people.
The report said the RCMP has struggled to staff its cybercrime investigative teams. As of January 2024, almost one-third of positions across the force were vacant, it said.
Child porn tip not passed on to RCMP: report
The audit said the CRTC received thousands of reports to its anti-spam reporting centre — which was set up to protect Canadians against phishing attempts, malware, identity theft and online scams — that were actually cybercrime-linked incidents but not investigated.
The CRTC told auditors that’s because they are limited in sharing information with law enforcement agencies because the anti-spam legislation is a civil administrative regime, and disclosing information to criminal law enforcement agencies could lead to breaches of Canadians’ privacy rights.
In one troubling case highlighted in the report, the CRTC received a report through the spam reporting centre from an individual about an offer to purchase child sexual exploitation material. Rather than forwarding the report to law enforcement, the CRTC contacted the individual and asked them to report the incident to law enforcement. It is unknown whether the individual did so.
“We raised our concerns with the CRTC that it did not forward this report to a law enforcement agency, as required by its operating procedures. The CRTC disagreed and took the position that its operating procedures do not require it to inform law enforcement because the person who made the report to the online spam reporting centre was not the potential victim or at immediate risk of harm,” wrote the auditors office.
“As a result, we informed the RCMP of the incident in April 2024.”
The report made multiple recommendations aimed at the three agencies and the federal government, which were all accepted.