Public Accounts Committee on June 4th, 2024

That would be a question to ask the foundation. At times, they did reduce the funding received, but this is really a lapse in the board oversight on managing prudent funds.

I will see if Sami wants to jump in.

We were looking at whether or not they had the ability to respond to the quantity of potential reports of cybercrime. There are many parties involved in cybercrime at the federal government level, and then add in that there are other layers of governments, law enforcement and the private sector. There are many people involved in this space.

We were looking at whether they had enough people to respond to the reports that were received. What we found, in many cases, is that thousands of them were not acted on. For example, at Communications Security Establishment, they received almost 11,000—10,600 cases—reports to them of potential cybercrimes. They're an organization that really deals with businesses and critical infrastructure.

When about half of those were from individuals or related to individuals, we would have expected that they would have told those folks that they needed to report this to a different place or pass it along to the organization that could have helped deal with their report. What we found, in almost 2,000 cases, was that the individual never heard back. I would imagine that Canadians are somewhat frustrated and wondering what happened to their potential report.

When it came to capacity, we looked at whether they had enough people. Often what we heard was that they didn't have enough people to deal with all of these claims. In the case of the RCMP, about 30% of their cybercrime investigation team positions are vacant. This is a similar concern that we flagged in previous audits when it comes to the RCMP's staffing and vacant positions.

It's a tough one to tackle. As I mentioned, there are other layers of government, other layers of law enforcement that are not federal and the private sector that also fill in and have responsibilities to monitor and fight cybercrime.

One of the gaps we did see was that the Canadian Radio-television and Telecommunication Commission, which has the responsibility for enforcing Canada's anti-spam legislation, is not included in the national cybercrime strategy. Spam is often the gateway to a cybercrime, so it would be important that they be part of that strategy.

We then saw that there was a lack of sharing of information between organizations. I mentioned to you before how some reports ended up in the wrong place and were then not forwarded on. Often we hear two reasons behind that. It could be lack of capacity and personnel to tackle the volume that's coming in, and they also cite privacy reasons.

It really is time for the government to clarify how this should happen federally and put in place one point of single reporting for Canadians. It shouldn't be this confusing. Canadians should report to their federal government, and the government should figure out who should get the report and act on it promptly.

The original strategy dates back to 2018. I am happy to see that they're working on completing it. I think they're expecting to have it done in 2024.

We continue to note in the report that the CRTC is not yet included in that strategy.

We believe that the strategy should have a much more comprehensive look at resources needed across the federal government to fight cybercrime. It's not just the RCMP that need more individuals. All of the organizations that are fighting cybercrime need individuals with these specialized skills that are sought after, not just by our government but by other layers of government and the private sector.

I think it's important to note that we didn't look at the actual responses or investigations of crimes. We didn't investigate the RCMP's hiring practices.

What they did cite for us was that, oftentimes when it comes to cybercrime, specialized skill is in limited supply in the country. Many are looking for it. It's also that they needed to remain competitive with the private sector. That was one of the reasons they couldn't fill the 30% of positions that were vacant.

As I mentioned earlier, I think a place to start would be to make it easier for Canadians to report potential cybercrime with that one single portal or funnel. Then we could allow the public service to have the tools and the skills that it needs to forward those to the department best equipped to address the crime. This really works when your report goes to the organization that is best equipped to deal with it. Right now, what we're seeing is that's not always the case, and thousands of reports go unaddressed or are not redirected.

Paragraph 47 refers to an investigation that was conducted by the CRTC to determine whether anyone had violated Canada's anti-spam legislation. The CRTC seized cellphones and information. During the course of the investigation, it learned that a police force was conducting a criminal investigation.

Yes, it's Granby Police. The CRTC contacted it and provided it with electronic information. Then the police service informed the CRTC that it would be subject to a search warrant. The CRTC then informed the police service that it had quickly erased the information on the cellphones and that they had been returned to their owners.

However, it was found that this statement was incorrect, as the cellphone information had not yet been erased at the time of the statement. The timeline was difficult to follow.

I think it was a few weeks.

We have evidence that decisions were made more quickly than usual.