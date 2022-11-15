Information stored in the cloud and managed by the federal government — including Canadians' personal information — is at an increased risk of being hacked because government departments were not given funding or adequate direction on how to securely manage the data, according to Canada's auditor general.

In a report released Tuesday, Karen Hogan also said the federal government must take immediate action to strengthen how it prevents, detects and responds to cyberattacks.

When federal organizations decide to store Canadians' personal information in the cloud, they are responsible for securing and protecting that information, said Hogan in a statement.

The government needs to act now — while departments are in the early stages of transitioning to the cloud — to strengthen the use of controls to prevent, detect, and respond to cyberattacks.

The audit looked at whether federal departments had adequate and effective governance tools to manage data, as well as the tools needed to prevent, detect and respond to cybersecurity events that could compromise Canadians' personal information stored in the cloud.

The requirements the federal government put in place to reduce the security risks of storing information in the cloud were not always clear and that departments did not effectively implement them, the auditor general's office said.

The report found that four years after the Treasury Board of Canada Secretariat first directed government departments to consider moving information to the cloud, there were still gaps in the controls used to prevent cybersecurity breaches.

These findings relate to security inspections and some aspects of cloud guardrails, a type of security control, the report said.

The audit also found that the Treasury Board had run few simulations designed to test and improve the way the federal government responds to cybersecurity breaches at multiple government departments.

Funding and tools needed: report

The report defines the cloud as computer servers in Canada or in other countries that may be owned by third parties, which are used to store information over the Internet.

The audit also said inadequate long-term funding had not been provided to government departments that are now beginning to migrate information over to the cloud.

Government departments had also not been given the tools necessary to calculate the cost of moving data online, or of managing that data once it was in the cloud, it said.

Without these tools or a funding plan, departments cannot ensure that they will have the people, expertise and resources they need to not only secure cloud-based information, but also prevent and address security threats, the report said.

Peter Zimonjic (new window) · CBC News