Ottawa, October 21, 2025—A report from Auditor General Karen Hogan tabled today in the House of Commons concludes that the Government of Canada had tools in place to protect its networks and systems from cyber threats, but important gaps remain in cyber security defence services, monitoring and response during active cyber attacks.
Responsibility for protecting government IT systems and operations is shared by the Treasury Board of Canada Secretariat, the Communications Security Establishment Canada, and Shared Services Canada, working with departments and agencies across the federal government to prevent information theft and damage to systems that deliver programs and services to Canadians. However, 119 out of 204 federal organizations are not required to use the cyber security services offered by Shared Services Canada and Communications Security Establishment Canada. While some of these organizations have voluntarily opted in, this inconsistent use of services has resulted in a fragmented cyber security landscape across the federal government that could undermine its ability to protect critical information and manage cyber security risks.
The audit found that coordination between the 3 organizations was insufficient during active cyber attacks. In a recent major attack on a federal department, slow coordination and limited information sharing delayed the government’s response by 7 days, extending the time during which the attacker had access to public servants’ personal information. Initiatives to improve collaboration and incident case management have yet to receive funding at the time of this audit.
Shared Services Canada and Communications Security Establishment Canada also did not have a comprehensive, up‑to‑date inventory of all government IT devices, such as laptops, smartphones, and servers. While Shared Services Canada began work to address this gap in 2017, the project has not yet been completed and is now expected to continue until at least 2027.
“Malicious actions, external events, and attacks involving the Canadian government’s digital systems are becoming more sophisticated and frequent,” said Ms. Hogan. “A coordinated and comprehensive approach to the government’s cyber security posture, better collaboration and a current inventory of IT assets are key to safeguarding Canadians’ information and maintaining their trust in government IT systems.”
- 30 -
The 2025 Report of the Auditor General of Canada, Cyber Security of Government Networks and Systems, is available on the Office of the Auditor General of Canada website.
Please visit our Media Room for more information.