The Cyber Bill That Covers Banks but Not Hospitals: Inside the Senate Hearing on C-8
Bill C-8 would set Canada’s first cybersecurity standards for finance, telecom, energy and transport. Hospitals and municipal water, where a breach can cost lives, sit entirely outside the bill.
David Shipley wanted the senators to think about plane crashes.
When an aircraft goes down, he told the Standing Senate Committee on National Security, Defence and Veterans Affairs as it studied Canada’s new cybersecurity bill, investigators learn everything they can, as fast as they can, so the next one never happens. Shipley, of Beauceron Security Inc., wanted that same instinct applied to a hospital the moment its systems are taken hostage. The problem, as he put it, is that the country can’t even get to that conversation.
“That is a conversation we can’t get to,” he said, “if we can’t even pass this bill.”
The bill was Bill C-8, Canada’s first attempt to make cybersecurity standards mandatory across its critical infrastructure rather than something companies opt into. And the uncomfortable fact underneath Shipley’s analogy was this: the legislation in front of the committee on the afternoon of May 25, 2026, does not cover hospitals at all.
What the bill reaches, and what it doesn’t
Bill C-8 would do something Canada has never done. It would make cyber incident reporting mandatory and build a single regulatory framework over four federally regulated sectors: finance, telecommunications, energy and transportation. Those four made the list because Ottawa regulates them directly.
Hospitals and municipal water systems did not make the list. They answer to provinces and municipalities, so they sit outside the bill’s reach entirely. The committee heard that this jurisdictional line leaves the country’s life-and-limb infrastructure, the systems whose failure is counted in patients rather than dollars, at extreme risk.
The danger is not hypothetical. Peer-reviewed research before the committee has documented more than 150 ransomware attacks on healthcare facilities in the United States since 2016, and tied those attacks to somewhere between 42 and 67 deaths among Medicare patients. Care delayed. Systems locked. People who did not survive the gap. The bill on the table would extend none of its new requirements to the hospitals where the same kind of attack could land.
Today’s guns are made of code
Christian Leuprecht told the committee that Canada has fallen behind its G7 peers on the most basic cybersecurity standards, and that the gap is an open door. The threat he described is patient and deliberate. Security professionals call it pre-positioning, when a state-sponsored actor quietly embeds access inside a system and waits, sometimes for years, for the moment to use it. He pointed to campaigns known as Salt Typhoon and Volt Typhoon.
Leuprecht did not reach for understatement. “I always say that if you want to destroy Western civilization, take out Microsoft,” he told the senators. “We have, sometimes by design, sometimes inadvertently, created significant vulnerabilities.”
He reframed the old language of national power for an age of hybrid conflict. “Guns and butter aren’t what they used to be,” he said. “Technology, hybrid threats, total defence, conventional capabilities, state-of-the-art modern warfare technology, dual-use technology, cyber disruptions and airspace incursions are today’s guns. The butter is the freedom to have access to reliable and stable transport and energy.” Meanwhile, the average cost of a single data breach in Canada has climbed to US$4.82 million.
A fungus that grows in the dark
Not everyone in the room wanted the bill passed as written. Privacy advocates, among them Citizen Lab and OpenMedia, argued that the legislation sets its administrative thresholds low enough to be dangerous. As they characterized it, the bill would let the government issue secret orders, collect data without a warrant, and share what it gathers broadly with foreign intelligence agencies. Those are the advocates’ warnings about what the bill enables, not findings the committee has made.
Matthew Hatfield of OpenMedia put the concern in a single image. “Surveillance routines are a fungus,” he said. “They spread and go crazy in darkness, and they are kept limited in strong light.”
Their proposed fixes were specific. Require a judge to authorize data gathering before it happens. Restrict any data collected to cybersecurity purposes alone, and bar its use for foreign intelligence. And write explicit protection for every layer of telecommunications encryption into the bill.
What the senators were left holding
Two camps, both serious, pulled the same bill in opposite directions. The security experts wanted it passed quickly and then widened to cover the hospitals it ignores. The privacy advocates wanted it slowed until the guardrails were built in. Neither side was arguing that the status quo was fine.
And between the two arguments sat the gap that started the afternoon. The plane-crash conversation Shipley wanted, the one where a hospital learns everything it can from an attack so the next hospital is spared, still can’t happen, because the bill that might make it possible does not reach hospitals. The committee’s study put both arguments on the record. The hospitals and the water systems were not in the bill when the senators arrived, and they were not in it when they left.
Source Documents
Standing Senate Committee on National Security, Defence and Veterans Affairs. (2026, May 25). Evidence on Bill C-8, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts. (20ev-57709.pdf)





