We're highly critical of most government cybersecurity efforts for a number of reasons. One is that they are often pushed with totally overblown rhetoric about power grids going down and planes falling from the sky. That said, it's not as though we want our governments to be completely ignorant about security issues online - more realistic threats like data breaches are something we expect them to be protected against, especially as they struggle to bring more and more government services online.

Which brings us to another big reason we are critical of new cybersecurity powers for the government: they usually aren't very good at it, and fail to make smart use of the powers and resources they already have. In the US, federal agencies are demanding more information sharing powers without identifying the obstacles they claim to face. In Canada, a public audit reveals that they have made little effort to start sharing security information at all:

Seven years after the Canadian Cyber Incident Response Centre was created to collect, analyse and share information about threats among various levels of government and the private sector, many were "still unclear" about the centre's role and mandate, says the report.

"Some private sector critical infrastructure owners and operators that we interviewed told us they were not sure whether cyber events should be reported to the Government of Canada and, if so, to which agency."

As a result, the centre "cannot fully monitor" Canada's cyber-threat environment, hampering its ability to provide timely advice.

An ineffectual bureaucracy is nothing new, and it can often be fixed by finding the right people to whip it into shape. But you face a much bigger problem when the core culture of your government still fails to comprehend how the internet works or what cybersecurity means - which is where this tidbit comes in:

Further, the centre was still not operating on a 24-hour-a-day, 7-day-a-week basis, as originally intended, shutting down weekdays at 4 p.m. Ottawa time and closing for the weekend.

Yes, that's right - the response center for monitoring cyber threats isn't even open around the clock. It has shorter hours than the brunch menus at most restaurants. Recognizing that this could be a problem, but still completely failing to understand the fundamental stupidity of being "closed for the night" online, the government has plans to extend the hours to 9pm, seven days a week.

How did they get to this ridiculous place, and where are they going? Five years ago the government allocated some money for cybersecurity. Nobody really checked to see if it was accomplishing anything until now, with the Auditor General's report. The audit revealed all these flaws and criticized "limited progress", so as the report came out... the government allocated some more money. Hurray! But not.

Because what they still lack is an actual road map - a clear identification of the real cybersecurity threats that exist, a strategy to combat them, some evidence that it will actually work, and a way to check and see if it does. Then they can figure out how much money it will cost, and they can figure out if there are any acceptable new laws that are actually necessary to make it happen. If governments in Canada, the US or anywhere else can't get the basics of cybersecurity right with their existing resources, and can't communicate intelligently about the problems, then neither more money nor more laws will fix anything.