Canada is lagging behind the U.S., Britain and other countries in defending citizens and businesses against malicious hackers and cyber-criminals, say numerous groups involved in trying to police the internet.
"We're failing, we're falling behind," warns Katherine Thompson of the Canadian Advanced Technology Alliance, one of Canada's largest private-sector high-tech advocacy groups.
"We cannot continue down the path that we're on right now," she told CBC News. "We just went through a very long federal election where not one of the major party leaders discussed cyber-security."
- Cyberattacks on infrastructure a 'major threat,' says CSIS chief
- Ransomware, bogus emails from 'boss' mark growing skill of cyber-criminals
Since 2010, Public Safety Canada has spent $245 million on defending government computer networks, safeguarding critical infrastructure and educating the public.
It has also earmarked $142 million over the next five years to tackle cyber-threats — particularly against critical infrastructure. But leaders in Canada's policing, IT and cyber-security sectors say the federal strategy is focused primarily on national security threats and does little to combat the dramatic growth in email scams, online extortion and breaches at corporate computer networks.
Canadians are also largely in the dark about the scope of cybercrimes given the country has no central agency to track online scams and malicious electronic attacks.
What's more, there are no federal laws to force companies to disclose hacks, security breaches, thefts of data or money so the general public has incomplete knowledge of which companies have been compromised.
"People having their identity threatened, or having their computers infected, files locked down for ransom, those types of things, the average police station doesn't know how to respond to that," says Norm Taylor who leads an executive training program for the Canadian Association of Chiefs of Police.
"The result is, it's not being documented. And the public is neither reporting, nor are the police really doing much in the way of outreach to quantify those types of incidents," he says.
Exploding array of scams
Canada does have a Spam Reporting Centre and a government run Canadian Anti-Fraud Centre, but Taylor says neither is equipped to handle the exploding array of cyber-scams and malware that are targeting home and business computers.
This spring, the CACP sent 17 police executives on an international study mission to learn how governments in the U.S., Europe, India, Singapore, Australia and New Zealand are grappling with cybercrime.
The group identified "the urgent need to increase reporting of cybercrimes to police," and pointed to Australia's ACORN program (Australian Cybercrime Online Reporting Network) as a model for collecting citizen complaints so that police and industry can monitor trends, thwart organized criminal groups and arrange incidents for further investigation.
The FBI in the U.S. runs a similar program called "IC3", referring to its Internet Crime Complaint Centre, which last year alone received 269,000 complaints about frauds, email scams and online extortion. That included some 4,000 complaints from Canada.
But in Canada, "most of the reporting, and almost all of the resolution is happening behind the closed doors of the private sector," says Taylor.
"So if my credit card is compromised, I'm going to call my bank. My bank is going to take the report, they are going to resolve the issue, and they are going to reimburse me.
"At no point does the criminal justice system even know that this happened. Whereas now in Australia, you can't get the bank to reimburse you unless you have an ACORN filing number."
Police demand "paradigm shift"
Those Canadian police chiefs involved in the 2015 CACP global cyber-study made six recommendations are calling for a "paradigm shift" in how police and the public treat cybercrime.
"Right now, if you ask most people 'Why didn't you call police?' they'd say, 'Well, why would we? What will the police do about it?'" Calgary Police Chief Roger Chaffin told CBC News.
Chaffin helped write the CACP report, which calls for more coordination and information sharing between police and industry.
Right now, Public Safety Canada advises the public to contact local police if they are a victim of cybercrime. But "Canadian policing in its current format is ill-suited to address crime on a global basis," Chaffin concedes, acknowledging that Canada's police system is fragmented between between federal, provincial and local authorities.
"Nothing really brings it to light more than cybercrime, because your threat actor could be next door to you, or across the world from you. And the ability and the agility to respond to that is going to challenge our model," he says.
Chaffin would like to see a national cyber-security centre set up by government, industry and all major police forces to help investigate and warn the public about new and emerging cyber-threats.
The RCMP has been provided funding to set up a dedicated cybercrime unit. However, it is unclear whether that will help local forces given the RCMP's mandate to probe crimes that are national in scope.
Cyber-threats not being shared
CBC News has learned the Canadian government is trying to work with industry leaders to develop a new "threat-sharing" network to try to help spread intelligence about emerging cyber-threats.
Currently, much of the IT security industry operates in silos. The federal government protects its own networks, while large industries protect theirs.
John Proctor, vice-president of CGI, a global cyber-security firm based in Ottawa, says that, unlike the U.S. and Europe, Canada lacks co-operation within the private sector.
His firm employs 1,400 cyber-security specialists around the globe, monitoring cyber-networks for clients in the financial, manufacturing, retail, and oil and gas industries, as well as governments.
"We're not sharing the threats we see on a daily basis, and that includes us," Proctor told CBC News during a recent tour of CGI's 24/7 security operations centre.
He says Canada desperately needs a "threat-sharing" hub where companies can overcome proprietary and competitive concerns to help defend one another`s collective security.
"So think of the banks in Toronto. They're all doing their own security, they're all very, very capable. So how do we make sure that continues? How do we make sure that a small credit union in Manitoba can benefit from the knowledge that's being gained by one of the big five banks in Toronto?"