Communication Security Establishment Canada headquarters in Ottawa in 2022. CSE is one of three agencies that protect federal information technology systems and operations.Spencer Colby/The Globe and Mail
The federal auditor found “significant gaps” in the government’s cybersecurity services, monitoring efforts and responses to active attacks on information systems.
In a report released on Tuesday, Auditor-General Karen Hogan said the federal government must continually bolster its defences as cyberattacks become more sophisticated, pervasive and harmful.
The Treasury Board of Canada Secretariat, the Communications Security Establishment and Shared Services Canada share responsibility for protecting federal information technology systems and operations.
Hogan said the organizations work together and with departments and agencies to prevent data theft and limit disruptions to systems that deliver programs and services to Canadians.
Auditor-General Karen Hogan appears before the Standing Committee on Government Operations and Estimates in Ottawa on Sept. 23.Spencer Colby/The Canadian Press
She found not all federal organizations were subject to the same security policies, resulting in the inconsistent use of available protection services.
The report said CSE officials told Hogan the inconsistent deployment of its cybersecurity defence sensors across all federal organizations created security gaps, affecting the agency’s ability to defend government networks, systems and devices.
Cyberattack targeting federal government gains access to individuals’ contact information
Shared Services and the CSE also lacked a comprehensive, current inventory of government devices and assets such as laptop computers, smartphones and servers, Hogan reported.
Shared Services Canada began working on a complete list of government devices in 2017, but the project was not completed.
“Without up-to-date IT information across all departments and agencies, the federal government risks not being aware of – let alone being able to quickly respond to – changing cybersecurity challenges,” the report says.
Hogan concluded a lack of information sharing delayed the government’s response to a significant cyberattack in January 2024, allowing the attacker “prolonged access” to personal information.
She said an initiative to set up a cybersecurity collaboration platform and incident case management tool had not received funding at the time of her audit.