Canada Revenue Agency Faces Ongoing Cybersecurity Challenges: Internal Audit

A computer keyboard lit by a displayed cyber code is seen in this illustration picture taken on March 1, 2017. (Kacper Pempel/Reuters)
Andrew Chen
10/11/2023
Updated: 10/11/2023

A recent internal Canada Revenue Agency (CRA) audit reveals that computer security at the agency continues to be poorly monitored, despite growing cyber threats that auditors say pose risks to taxpayers’ information.

In a report titled “Security Assessment and Authorization,” the audit concluded that the CRA, tasked with managing electronic data for more than 27 million individual and corporate tax filers, continues to face challenges in safeguarding sensitive data, as first reported by Blacklock’s Reporter.

“There was a lack of monitoring,” the report said, with auditors highlighting “a lack of management oversight.”

CRA managers “were not always aware of or did not clearly understand the security assessment and authorization process, more specifically for monitoring,” the report said.

The auditors emphasized the need to enhance security across multiple domains. This includes strengthening corporate policy instruments, defining roles and responsibilities more clearly, refining authorization procedures, improving the monitoring of performance indicators, and implementing formal procedures and tools.

According to the audit, the CRA has one of the most extensive IT environments and repositories of personal and financial information within the government of Canada. During the fiscal year 2020 to 2021, a substantial 90.2 percent of income tax and benefit returns, as well as 94.2 percent of corporate income tax returns, were submitted digitally.

“It is essential for the CRA to meet Canadians’ expectations for delivering client service while maintaining trust that their information will be protected from potential data breaches and identity theft,” the report said.

In 2014, a cyberattack compelled the CRA to shut down its website for six days during the tax season. Managers at the time confirmed that hundreds of Social Insurance Numbers were compromised as the agency’s databases fell victim to a vulnerability known as the Heartbleed Bug, which circumvented encryption systems. Investigations revealed that the cyberattack went unnoticed for six hours before the systems were eventually shut down.

A similar breach occurred in 2020, when more than 5,000 CRA accounts were compromised.

Marc Brouillard, the government’s chief technology officer at the time, defended the CRA’s response, asserting that the system worked efficiently, enabling the identification of fraudulent transactions.

“We have thousands of transactions every day,” Mr. Brouillard said in 2020, according to Blacklock’s Reporter. When asked about whether the cyberattacks indicated a “total failure” in security, he responded, “I would argue no, quite the opposite.”

The audit made a series of recommendations, among them that the Security Branch should establish a centralized monitoring strategy for system authorization across the CRA, so that security decisions are documented on the basis of risk.

“Addressing security in the early stages of information technology projects and throughout the information system’s life cycle is vital to ensuring security is integrated into the design, that security objectives are met and that planning and resources are optimized,” said the report.