Lack of funding, direction putting Canadians' info at risk of cyberattacks: AG report

Information stored in the cloud and managed by the federal government — including Canadians' personal information — faces an increased risk of being hacked because government departments were not given the funding they needed or adequate direction on how to securely manage the data, says Canada's auditor general.

Ottawa is putting First Nations at risk by failing to provide resources to manage climate events: AG

An analyst looks at code in a cybersecurity lab. The federal government must take immediate action to strengthen how it prevents, detects and responds to cyberattacks, according to a newly released report from the auditor general's office. (Jim Urquhart/Reuters)

Information stored in the cloud and managed by the federal government — including Canadians' personal information — faces an increased risk of being hacked because government departments were not given adequate funding or direction to securely manage the data, says Canada's auditor general.

In a report released Tuesday, Karen Hogan also said the federal government must take immediate action to improve how it prevents, detects and responds to cyberattacks.

"When federal organizations decide to store Canadians' personal information in the cloud, they are responsible for securing and protecting that information," said Hogan in a media statement.

"The government needs to act now — while departments are in the early stages of transitioning to the cloud — to strengthen the use of controls to prevent, detect and respond to cyberattacks."

Hogan's audit looked at whether federal departments had adequate and effective governance tools to manage data and prevent, detect and respond to cybersecurity events that could compromise Canadians' personal information stored in the cloud.

"The requirements the federal government put in place to reduce the security risks of storing information in the cloud were not always clear and that departments did not effectively implement them," the auditor general's office said. 

The report found that, four years after the Treasury Board of Canada Secretariat first directed government departments to consider moving information to the cloud, there were still gaps in the controls used to prevent cybersecurity breaches. 

"These findings relate to security inspections and some aspects of cloud guardrails, a type of security control," Hogan's report said. 

The audit also found that the Treasury Board ran few simulations to test and improve the way the federal government responds to cybersecurity breaches at multiple government departments.

Funding and tools needed: report

The report defines "the cloud" as computer servers in Canada or in other countries that may be owned by third parties, which are used to store information over the Internet.

The audit also said adequate long-term funding was not provided to government departments that are now beginning to migrate information over to the cloud.

Government departments also were not given the tools they needed to calculate the cost of moving data online, or of managing that data once it was in the cloud, the audit said. 

"Without these tools or a funding plan, departments cannot ensure that they will have the people, expertise and resources they need to not only secure cloud-based information, but also prevent and address security threats," the report said. 

Watch: Measures to secure personal info in cloud were 'applied and monitored inconsistently': AG:

Auditor General Karen Hogan says federal authorities were not given enough funding or resources to securely manage Canadians' personal information through cloud services.

The report said that it saw evidence the federal government was working to address gaps in security inspections, monitoring, direction and cybersecurity management.

President of the Treasury Board Mona Fortier said she welcomed the report and accepted the recommendations. She said her government has put safeguards in place and described the auditor general's report as a push for "additional diligences."

"We are still in the early stages of our adoption with the cloud and these recommendations are part of maturing our processes," she said.

Climate disasters and First Nations

The report also found that Indigenous Services Canada did not provide First Nations communities with the support they needed to "prevent, prepare for and respond to emergencies such as floods and wildfires."

"Over the last four fiscal years, Indigenous Services Canada has spent about $828 million on emergency management," Hogan said in a media statement.

"Funding and building approved infrastructure projects, such as culverts and dikes to prevent seasonal floods, would help minimize the impact on people and the cost of responding to and recovering from emergencies."

The report looked at the department's actions in response to floods, wildfires, landslides and severe weather events in the provinces but did not consider the federal government's role in the territories.

B.C. Minister of Transportation and Infrastructure Rob Fleming, right, views work that was done to rebuild a portion of Highway 8 washed away by flooding in November, on the Nicola River near the Shackan Indian Band west of Merritt, B.C., on March 24, 2022. (Darryl Dyck/The Canadian Press)

The audit found that the federal government was "more reactive than preventative," despite numerous proposals from First Nations communities on how to mitigate the impacts of dramatic climate events.

"The department had a backlog of 112 of these infrastructure projects that it had determined were eligible but that it had not funded," the report said.

"The department is also spending 3.5 times more money on responding to and recovering from emergencies than on supporting the communities to prevent or prepare for them."

The audit also looked at the federal government's management of the Arctic and found that the federal organizations responsible for safety and security in the region do not have a full picture of ocean traffic in the area. 

Minister of Indigenous Services Patty Hajdu thanked Hogan for her report and said her department would work to implement the recommendations.

"What it says to the Government of Canada is that this work has to happen more quickly," she said. "We are seeing unprecedented climate change affect particular First Nations communities around the country and we need to get ahead of that curve."

Protecting the Arctic

The audit also found that Canada is not able to adequately respond to the need for increased surveillance in the region as marine traffic in the Arctic increases with rising global temperatures.

"The government urgently needs to address the long-standing issues noted in our audit to put equipment renewal on a sustainable path and protect Canada's interests in the Arctic, including an improved capability to respond to threats and incidents," Hogan said in a media statement.

The report said that renewal of the ships, aircraft, satellites and other equipment used to monitor marine traffic has fallen so far behind that some of this equipment may have to be retired before it can be replaced.

Replacement delays, combined with the lack of contingency planning, could significantly compromise the presence of the Canadian Coast Guard and Transport Canada in Arctic waters, the report said.

"Action is needed to close gaps and put equipment renewal on a sustainable path to provide a full picture of what happens in the Arctic," the audit said.

Transport Minister Omar Alghabra said the federal government is committed to providing government agencies with the support they need to ensure security in the Arctic.

Alghabra said replacements for Canada's icebreakers are on order and a new commercial drone will arrive next year that will help track waterways and airport infrastructure in Iqaluit. 

"A lot of work has taken place. More is ongoing," Alghabra said. "We are in a totally different world today than we were before and the safety of our Arctic water is a priority for us."

The country's top military commander warned a parliamentary committee last month that Canada's hold on the outer reaches of its Arctic territory is "tenuous" and will face significant challenges from both Russia and China in the future.

Gen. Wayne Eyre, the chief of the defence staff, told the House of Commons defence committee — which has embarked on a study of the country's security posture in the region — that the Far North does not face an immediate threat.

"Right now, today, we don't see a clear and present threat to our sovereignty, not today, not this week, not next week, not next year," Eyre said.

"However, in the decades to come, that threat, that tenuous hold that we have on our sovereignty, at the extremities of this nation, is going to come under increasing challenge."


Peter Zimonjic

Senior writer

Peter Zimonjic is a senior writer for CBC News. He has worked as a reporter and columnist in London, England, for the Daily Mail, Sunday Times and Daily Telegraph and in Canada for Sun Media and the Ottawa Citizen. He is the author of Into The Darkness: An Account of 7/7, published by Random House.

