Canada’s cybercrime teams massively understaffed, says auditor general

OTTAWA — Canada’s auditor general has found the RCMP and other agencies tasked with dealing with cybercrime are under equipped and under-resourced to deal with crimes that are generating millions in profits to criminal gangs.

“We found breakdowns in response, coordination, enforcement, tracking, and analysis between and across the organizations responsible for protecting Canadians from cybercrime,” reads Auditor General Karen Hogan’s report tabled in Parliament Tuesday morning.

Article content

The auditor looked closely at the RCMP, Communications Security Establishment Canada, CRTC and Public Safety to see how they were handling the issue.

It found the RCMP were significantly understaffed and that there were issues of communication between all these different agencies.

“We estimated that almost one third of positions across all teams were vacant. In our view, having a plan to reduce human resource gaps across all responsible organizations is an important component of an updated National Cyber Security Strategy,” reads the report.

Hogan said the RCMP isn’t doing enough to figure out why people are leaving and why they are failing to attract new talent, though money does seem to be a central issue.

“RCMP officials told us that compensation was the main reason for these staffing challenges. The officials also told us that individuals doing the same cybercrime technical work in the private sector were typically paid more.”

Public Safety Minister Dominic Leblanc said the government knows the issue is only growing and the RCMP will have the resources they need.

Article content

Article content

“Their work will only grow in importance over the coming years and that’s why we intend to ensure they have the resources they need to prevent cyber attacks and dismantle cyber criminal networks,” he said. 

Leblanc said the government will have a comprehensive approach to the problem to release soon.

“Our new National Cyber Security Strategy will outline a strengthened approach to protecting Canada’s economic interests and critical infrastructure from cyber threats and I look forward to releasing that very soon.”

Hogan took data from the Canadian Anti-Fraud Centre, a joint project of the RCMP, Competition Bureau and Ontario Provincial Police, which received reports of more than $500 million in fraud last year, a number that is only predicted to grow. She said it’s likely only about five to 10 per cent of crime is actually reported.

Hogan described a complex process where cybercrimes are currently reported to multiple different departments that often don’t communicate well together. She pointed to the Communications Security Establishment Canada (CSEC), which took in about 10,000 reports last year.

Article content

CSEC, Canada’s digital spy agency, is tasked with securing the networks of large federal government departments, critical infrastructure and can help private firms with cyber attacks, but they are not meant to investigate Canadians’ personal cyber crime issues.

She said roughly half of those 10,000 cases were found not to be within CSEC’s mandate, but the department didn’t follow up with many of those reports and redirect them to the right agency.

“We would have expected that they would have told those folks, you need to report this to a different place or pass it along to the organization that could have helped deal with their issue, but what we found is in 2,000 cases an individual never heard back,” Hogan said to MPs after the report was released.

She said that silence is unfair to Canadians who just want their issues properly addressed.

“Canadians are going to find it confusing and probably frustrating that they don’t know what’s happened to a report that they’ve made,” she said.

Hogan found that the CRTC also seemed to lack a good system for dealing with criminal cases that might come through their anti-spam line.

Article content

The agency has had the responsibility of dealing with spam calls and complaints about them since 2014. The auditor general found in rare cases this has led to the agency coming across cybercrime cases that it has not always handed off to the proper authorities.

“We found that most of the cybercrime-linked reports were not investigated by the CRTC. We found that during the three years in our audit period, the CRTC conducted only six investigations into anti-spam violations with links to cybercrime-linked incidents.”

It also found that in one case the CRTC essentially interfered in another investigation after failing to hold on to information that a police agency wanted.

“In one instance, to avoid being served with a search warrant by a law enforcement agency, the CRTC deleted evidence and returned electronic devices on an accelerated time frame to a person being investigated for violating the anti-spam legislation,” reads the report.

Hogan said there needs to be a one-stop shop for Canadians looking to report cybercrime.

“It shouldn’t be this confusing. Canadians should report (to) their federal government, and then the government should figure out who should get the report and act on it promptly.”

National Post
rtumilty@postmedia.com

Our website is the place for the latest breaking news, exclusive scoops, longreads and provocative commentary. Please bookmark nationalpost.com and sign up for our daily newsletter, Posted, here.

Article content