Opening statement before the Standing Committee on Public Accounts

Cyber security of government networks and systems

Andrew Hayes, Deputy Auditor General

Office of the Auditor General of Canada

January 26, 2026

Good morning, Mr. Chair, and thank you for the opportunity to appear before the committee today to discuss our report on cyber security of government networks and systems, which was tabled on October 21, 2025. I’d like to begin by recognizing that we are meeting on the traditional, unceded territory of the Algonquin Anishinaabe people. With me today is Jean Goulet, the principal who was responsible for the audit.

The central responsibility for protecting government information technology systems and operations is shared by the Treasury Board of Canada Secretariat, Communications Security Establishment Canada, and Shared Services Canada. These organizations work together and with departments and agencies to prevent data theft and limit disruptions to systems that deliver programs and services to Canadians.

We found that while the government had tools in place to protect and defend its networks and systems against cyber threats, there were gaps in cyber security defence services, monitoring, and response during active attacks.

Only 42% of federal organizations are required by Treasury Board policy to use the cyber security defence services offered by Shared Services and the Communications Security Establishment. Others have opted in, but this inconsistent use of services undermines the federal government’s ability to protect critical information and manage risks.

We also found that coordination among the 3 organizations was too slow during active cyber attacks. For example, poor coordination delayed the government’s response during a major attack 2 years ago. This extended the time during which the attacker had access to public servants’ personal information.

Protecting federal networks and systems also requires analyzing the potential vulnerabilities of all government IT devices, including laptops, smartphones, and servers. We found that Shared Services and the Communications Security Establishment did not have a comprehensive inventory of all government devices. Without up-to-date information, the federal government risks being unable to quickly respond to a changing cyber security landscape.

Malicious actions, external events, and attacks targeting the Canadian government’s digital systems are frequent and more sophisticated. A coordinated and comprehensive approach to the government’s cyber security posture, better collaboration, and a current inventory of IT devices are key to safeguarding Canadians’ information.

Chair, this concludes my opening remarks. We would be pleased to answer any questions the committee may have. Thank you.

Article type: Opening statement

Page details: 2026-01-27