Cybersecurity regulations face ‘uphill battle’ after Chevron ruling
President Joe Biden’s executive branch has distinguished itself on cybersecurity policy from previous administrations with its willingness to embrace regulations — often with a bit of creative lawyering involved.
But a landmark ruling by the Supreme Court last week that overturned the so-called Chevron doctrine — which holds that courts should defer to federal agencies when interpreting parts of federal law not specified by Congress — threatens to make it much more difficult for the Biden administration to put in place more stringent cybersecurity rules.
A series of damaging supply chain hacks, breaches and an epidemic of ransomware has spurred an effort in the White House to raise the cybersecurity bar across the public and private sector.
Much of that work has come in the form of new or expanded federal regulations, particularly within sectors of critical infrastructure where the government’s rulemaking authorities are often strongest.
The Supreme Court’s gutting of the Chevron doctrine threatens to compromise the legal foundation upon which that work is built.
Harley Geiger, an attorney at the law firm Venable and counsel at the Center for Cybersecurity Policy and Law, told CyberScoop that the Supreme Court’s ruling means that existing cybersecurity regulations may now be more vulnerable to court challenges, particularly ones that rely on reinterpretation of older statutes or ambiguous statutes used to write cybersecurity rules.
Because much of the foundation for the U.S. legal and regulatory system was passed into law decades ago — before the use of digital technologies were ubiquitous in society — agencies have often had to tap laws with more general purposes and argue that they can also address cybersecurity considerations.
“Congress has actually legislated relatively little when it comes to cybersecurity, including problems that are widely recognized, such as critical infrastructure cybersecurity,” Geiger said, “and this has understandably led the executive to revisit existing statutes to see where cybersecurity can fit into established missions for consumer protection, physical safety and sector oversight.”
The Biden administration’s regulatory approach has been particularly reliant on the practice of reinterpreting existing laws and regulations to include heightened requirements around cybersecurity. Even prior to the Supreme Court’s decision to overturn Chevron deference, this approach caused the administration problems.
Last year the Environmental Protection Agency attempted to reinterpret a 50-year-old law, the Safe Drinking Water Act, to require water utilities to consider cybersecurity during their regular audits of water systems. That prompted legal challenges from states and business groups, who succeeded in convincing a federal court to temporarily block the new rule.
Relying on the EPA — an agency whose primary remit is environmental issues — to address cybersecurity issues represents the foremost example of the Biden administration’s creative lawyering to implement more stringent cybersecurity rules. Courts’ skepticism of the move prompted theEPA to eventually withdraw the proposal, and last week’s ruling only increases the obstacles facing White House lawyers looking to find ways to raise the bar on cybersecurity.
Administration officials are now evaluating how to proceed, with White House spokesperson Karine Jean-Pierre saying last week that the “administration is doing everything we can to continue to deploy the extraordinary expertise of the federal workers to keep Americans safe and ensure our communities thrive and prosper.”
Geiger believes other Biden-era cyber regulations could also be under threat in the wake of the Supreme Court’s ruling and that opponents of more stringent rules will be emboldened by the ruling to file lawsuits testing the limits of agencies’ regulatory authorities.
For example, while Congress passed new cyber incident reporting rules for critical infrastructure, the Cybersecurity and Infrastructure Security Agency was given responsibility for a laborious rulemaking process to scope out and define the law and fill in numerous interpretative gaps, such as what constitutes a “covered incident” that companies will have to report to the government.
The agency ultimately opted to use the same language that is used for “significant incidents,” which is defined in the law. A future court could determine that Congress intended for CISA to define a smaller subset of incidents covered under the law. On the other hand, a more prescriptive definition of a covered incident might open the agency to legal challenges for interpreting the law beyond what Congress specified.
Geiger said the agency may need to revise the pending regulation because there are parts of CIRCIA “where CISA is clearly interpreting ambiguous and unclear or open-ended parts of the statute.”
Other cybersecurity actions by federal agencies may also come under attack in the courts. When the Securities and Exchange Commission last year cited the 1934 Securities Exchange Act in an enforcement action against SolarWinds and its CISO for alleged deficiencies in cybersecurity controls that left the company vulnerable to being hacked by Russian intelligence, the U.S. Chamber of Commerce filed a friend of the court brief arguing that the agency had overstepped its legal authority.
“Congress has never granted the SEC authority to regulate other aspects of a public company’s larger internal-control framework,” the chamber wrote.
The ruling could also impact a yearslong effort by the Federal Trade Commission to finalize new regulations on commercial surveillance and data security. Duane Pozza, a partner and co-chair of the privacy, cyber and data governance practice at the law firm Wiley Rein, said much of that process relies on the FTC’s existing statutory authority to regulate unfair or deceptive practices.
The FTC has historically interpreted that authority to include the imposition of “reasonable” cyber and data security requirements, but Pozza said “that is not something that derives directly from a statute.”
“I think to the extent that [the agency] relies on the need to be given deference in trying to do a rule around privacy and data security, I think it’s really going to be an uphill battle,” he added.