The federal auditor general found “significant gaps” in the government’s cybersecurity services, monitoring efforts and responses to active attacks on information systems.
In a report released on Tuesday, Auditor General Karen Hogan said the federal government must continually bolster its defences as cyberattacks become more sophisticated, pervasive and harmful.
The Treasury Board of Canada Secretariat, the Communications Security Establishment and Shared Services Canada share responsibility for protecting federal information technology systems and operations.
Hogan said the organizations work together and with departments and agencies to prevent data theft and limit disruptions to systems that deliver programs and services to Canadians.
She found not all federal organizations were subject to the same security policies, resulting in the inconsistent use of available protection services.
The report said CSE officials told Hogan the inconsistent deployment of its cybersecurity defence sensors across all federal organizations created security gaps, affecting the agency’s ability to defend government networks, systems and devices.
Shared Services and the CSE also lacked a comprehensive, current inventory of government devices and assets such as laptop computers, smartphones and servers, Hogan reported.
Get daily National news
Get the day’s top news, political, economic, and current affairs headlines, delivered to your inbox once a day.
Shared Services Canada began working on a complete list of government devices in 2017, but the project was not completed.
“Without up-to-date IT information across all departments and agencies, the federal government risks not being aware of — let alone being able to quickly respond to — changing cybersecurity challenges,” the report says.
Hogan concluded a lack of information sharing delayed the government’s response to a significant cyberattack in January 2024, allowing the attacker “prolonged access” to personal information.
She said an initiative to set up a cybersecurity collaboration platform and incident case management tool had not received funding at the time of her audit.
The agencies agreed to various recommendations to remedy the cybersecurity shortcomings.
Treasury Board President Shafqat Ali and Joël Lightbound, minister responsible for Shared Services Canada, said Canadians expect their government to keep their personal information and the systems they rely on secure.
“We continue to invest in advanced technologies, enhanced monitoring and real-time threat detection to strengthen the federal government’s ability to anticipate, defend against and respond to cyberincidents,” they said in a joint statement.
© 2025 The Canadian Press
‘Significant gaps’ in government’s cybersecurity services: auditor general
