
Experts warn of cyber regulatory chaos after Chevron takedown

Critical Infrastructure Security, Standards, Regulations and Compliance

Supreme Court’s Chevron Ruling Creates Uncertainty in Cyber and AI Policy

Chris Riotta (@chrisriotta) • July 2, 2024

The Center for Cybersecurity Policy and Law called the U.S. Supreme Court’s ruling in the Chevron case the “nail in the coffin” for the Biden administration’s cyber policy agenda.

The decision by the U.S. Supreme Court to overturn the long-standing judicial doctrine of reliance on government agencies’ interpretation of statutes raises uncertainty in the areas of cybersecurity and artificial intelligence.

Chevron deference—an early 1980s Supreme Court precedent that allowed federal agencies to interpret ambiguous statutes sensibly and enforce standards—has played a key role in shaping and regulating cybersecurity policy for the public and private sectors. Agencies like the Federal Communications Commission and the Federal Trade Commission have cited the ruling to interpret their authorizing statutes and enforce cybersecurity measures against companies that fail to adequately protect consumer data.


The court’s 6-3 decision to invalidate the doctrine all but guarantees inconsistent regulatory standards across district courts and heightened legal battles, said Michael Drysdale, a leading environmental law expert who has worked on cases involving the Environmental Protection Agency and the Clean Water Act. The decision will complicate federal rulemaking for generations, he said, as agency regulations are likely to become much more cautious and increasingly challenged — and outlawed — in courts across the country.

“Chevron was one of the most cited and influential decisions of the last half-century. Not anymore,” Drysdale told Information Security Media Group. The Supreme Court’s 35-page ruling in Loper Bright Enterprises v. Raimondo, which struck down Chevron, is “a potential earthquake,” he said.

“This decision will make the agency’s already difficult task of developing and administering regulations even more difficult.”


The case, brought by a group of New Jersey herring fishermen, involved a technical dispute over whether the National Marine Fisheries Service could require fishermen to pay for observers on their vessels. The agency argued that its authority was derived from general enforcement powers, even though the regulations did not expressly grant that authority.


In a majority decision authored by Chief Justice John Roberts, the court found that the Chevron case was wrongly decided from the outset and had become unenforceable over time because of its numerous exceptions and inconsistent applications.


The reversal will likely have a “seismic impact” on cybersecurity regulations, the Center for Cybersecurity Policy and Law said. The rulemakers are relying on interpretations of decades-old regulations that were developed long before today’s cybersecurity threat landscape emerged.


“The judiciary now has more independence to challenge security laws, but cybersecurity is a highly technical discipline,” the center said in a blog post Monday. Data security requirements under ambiguous laws could now be immediately at risk.


These could potentially include cybersecurity disclosure requirements approved in 2023 by the Securities and Exchange Commission, cybersecurity incident reporting requirements for financial institutions developed in 2022 under the Gramm-Leach-Bliley Act, and a variety of cybersecurity rules established the same year by the Transportation Security Administration.


The Cybersecurity and Infrastructure Security Agency’s proposed regulations implementing the Critical Infrastructure Cybersecurity Incident Reporting Act of 2022 could also be at risk, according to the center, due to a broad interpretation of the act’s provisions.


“Narrowly focused regulation with strong statutory support will help ensure that this work is not upended by newly empowered litigants,” the researchers said, adding that voluntary cyber risk management programs across the private sector may be needed now more than ever “to strengthen the resilience of consumers, businesses, and society.”


CISA, TSA and EPA did not immediately respond to requests for comment on the ruling, which the Center for Cybersecurity Policy and Law called the “nail in the coffin” of the Biden administration’s cyber policy agenda. The White House has taken a self-described “creative approach” to regulating critical infrastructure cybersecurity in recent years, interpreting older statutory orders to create rules on ransomware, incident reporting and more.