Cybersecurity law faces ‘uphill battle’ after Chevron ruling

President Joe Biden’s executive branch has distinguished itself on cybersecurity policy from previous administrations by its willingness to regulate — often with a dash of creative legislation.

But last week’s landmark Supreme Court ruling that invalidated the so-called Chevron doctrine — which holds that courts should defer to federal agency decisions when interpreting parts of federal law not specifically defined by Congress — threatens to make it much harder for the Biden administration to enact more stringent cybersecurity rules.

A series of malicious supply chain attacks, security breaches and a ransomware outbreak have prompted the White House to take action to raise the bar on cybersecurity across the public and private sectors.

Much of this work has involved introducing new or expanding federal regulations, especially in critical infrastructure sectors where the government’s rulemaking powers are often strongest.

The Supreme Court’s rejection of the Chevron doctrine threatens to undermine the legal foundations on which this work was built.

Harley Geiger, an attorney at the Venable Law Firm and an advisor to the Center for Cybersecurity Policy and Law, told CyberScoop that the Supreme Court’s ruling means that existing cybersecurity laws may now be more susceptible to judicial challenges, particularly those that rely on reinterpretations of older or unclear statutes that were used to create cybersecurity rules.

Because much of the foundation of the U.S. legal and regulatory system was enacted decades ago—before digital technologies became widespread in society—agencies often had to refer to laws with more general purposes and argue that they could also address cybersecurity concerns.

“Congress has actually passed relatively little legislation that addresses cybersecurity, including issues that are widely recognized, such as critical infrastructure cybersecurity,” Geiger said, “and understandably this has led the executive branch to revisit existing statutes to see where cybersecurity might fit into established missions of consumer protection, physical security, and sector oversight.”

The Biden administration’s regulatory approach has relied heavily on the practice of reinterpreting existing laws and regulations to address heightened cybersecurity requirements. Even before the Supreme Court’s decision to overturn the Chevron deference, that approach had caused problems for the administration.

Last year, the Environmental Protection Agency tried to interpret a 50-year-old law, the Safe Drinking Water Act, to require water utilities to consider cybersecurity during regular audits of water systems. That prompted legal challenges from states and business groups that managed to persuade a federal court to temporarily block the new rule.

Relying on the EPA — an agency primarily tasked with environmental issues — to address cybersecurity concerns is a key example of the Biden administration’s creative approach to implementing tougher cybersecurity rules. Court skepticism about the move prompted the EPA to ultimately withdraw its application, and last week’s ruling only adds to the hurdles White House lawyers face as they seek to raise the bar on cybersecurity.

Administration officials are currently evaluating how to proceed, with White House spokeswoman Karine Jean-Pierre saying last week that “the administration is doing everything we can to continue to leverage the extraordinary experience of the federal workforce to keep Americans safe and ensure that our communities thrive and prosper.”

Geiger believes other Biden-era cyber regulations could also be threatened by the Supreme Court ruling, and that opponents of stricter rules would be emboldened by it to file lawsuits testing the limits of each agency’s regulatory authority.

For example, while Congress enacted new rules for reporting cybersecurity incidents involving critical infrastructure, the Cybersecurity and Infrastructure Security Agency was given responsibility for the arduous rulemaking process to scope and define the law and fill numerous interpretive gaps, such as what constitutes a “covered incident” that companies will be required to report to the government.

The agency ultimately opted to use the same language used for “significant incidents,” which are defined in the statute. A future court could find that Congress intended CISA to define a smaller subset of the incidents covered by the statute. On the other hand, a more prescriptive definition of a covered incident could expose the agency to legal challenges for interpreting the law beyond what Congress has defined.

Geiger said the agency may need to revise the pending regulation because there are portions of CIRCIA “where CISA clearly interprets ambiguous, unclear, or open-ended portions of the statute.”

Other federal cybersecurity efforts could also face attack in the courts. When the Securities and Exchange Commission invoked the Securities Exchange Act of 1934 last year in an enforcement action against SolarWinds and its CISO for alleged cybersecurity deficiencies that exposed the company to attacks by Russian intelligence, the U.S. Chamber of Commerce filed a friend-of-the-court brief arguing that the agency had overstepped its legal authority.

“Congress has never granted the SEC the authority to regulate other aspects of a public company’s broader internal control framework,” the chamber wrote.

The ruling could also affect the Federal Trade Commission’s years-long effort to finalize new rules on commercial surveillance and data security. Duane Pozza, partner and co-chair of the privacy, cybersecurity and data governance practice at law firm Wiley Rein, said much of that process relies on the FTC’s existing statutory authority to regulate unfair or deceptive practices.

The FTC has traditionally interpreted this authority to include imposing “reasonable” cybersecurity and data security requirements, but Pozza said that “is not directly implied in the statute.”

“I think to the extent that (the agency) relies on the need for respect in trying to legislate privacy and data security, I think it’s going to be a really tough fight,” he added.


Written by Derek B. Johnson

Derek B. Johnson is a reporter at CyberScoop, where he covers cybersecurity, elections, and the federal government. Previously, he provided award-winning coverage of public and private sector cybersecurity news for various publications since 2017. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.