federal auditor general found “significant gaps” in government cybersecurity services, monitoring efforts and responding to active attacks on information systems.
In a report released on Tuesday, the Auditor General Karen Hogan said the federal government must continually strengthen its defenses as cyberattacks become more sophisticated, pervasive and harmful.
Treasury Canada, the Communications Security Authority and General Services Canada share responsibility for protecting federal information technology systems and operations.
Hogan said the organizations are working together, and with departments and agencies, to prevent data theft and limit disruption to systems that provide programs and services to Canadians.
She found that not all federal organizations were subject to the same security policies, resulting in inconsistent use of available security services.
The report said CSE officials told Hogan that inconsistent deployment of cybersecurity sensors across federal organizations created security gaps, impacting the agency's ability to protect government networks, systems and devices.
Shared Services and CSE also did not have a complete and up-to-date inventory of government devices and assets such as laptops, smartphones and servers, Hogan said.
Get the latest national news
To stay on top of news affecting Canada and around the world, sign up for breaking news alerts delivered directly to you as they happen.
Shared Services Canada began work on a comprehensive list of government devices in 2017, but the project was not completed.
“Without up-to-date IT information across all departments and agencies, the federal government risks not being aware of—let alone being able to quickly respond to—evolving cybersecurity challenges,” the report states.
Hogan concluded that a lack of information sharing delayed the government's response to a major cyberattack in January 2024, allowing the attacker “prolonged access” to personal information.
She said an initiative to create a cybersecurity collaboration platform and incident management tool had not received funding at the time of her audit.
The agencies agreed to various recommendations to address cybersecurity deficiencies.
Treasury Board President Shafqat Ali and Joel Lightbound, the minister responsible for General Services Canada, said Canadians expect their government to keep their personal information and the systems they rely on secure.
“We continue to invest in advanced technologies, improved monitoring and real-time threat detection to strengthen the federal government's ability to anticipate, defend against and respond to cyber incidents,” they said in a joint statement.
© 2025 The Canadian Press
