How the Supreme Court Chevron ruling could affect cybersecurity regulations

"The door is open now for any time there's an enforcement action for those businesses who were slapped by the agency to run to court," Brian Arnold said.

When the Supreme Court earlier this summer overturned its 40-year-old Chevron doctrine, it threw into question how far agencies can go in writing new regulations. Several cybersecurity regulations now in the development stage are now in question, according to my next guest. The director of legal affairs at Huntress, Brian Arnold, joined the Federal Drive with Tom Temin to discuss this topic.

Interview transcript: 

Tom Temin
You, like many lawyers, are really examining this whole Chevron reduction, reversal of that 40-year-old doctrine which seems to limit agency’s ability to write detailed regulations, maybe review for us the panoply of regulations now underway in cybersecurity. It’s quite a broad range.

Brian Arnold
That’s right, there are a number of cybersecurity regulations in the hopper. There’s not an overarching cybersecurity act within our country, and so there are various agencies promulgating different rules under their various authorities to protect their different areas they’re in charge of. One of them that is currently being proposed and in discussion right now is one put out by the Cybersecurity and Infrastructure Security Agency (CISA). They have proposed rules given their authority under the Cyber Incident Reporting and Critical Infrastructure Act that Congress passed in 2022, they empowered CISA to fill in the gaps in the rules and create a bunch of framework around this new proposed rule, and effectively, this rule is aimed to compile data, require operators in the critical infrastructure segment of our country — which is transportation, utilities, telecoms, finance, that kind of thing — to report threat actors and breaches to the federal government so that we can compile data and more quickly act on that data, [and] hopefully help us handle threats a little bit faster,

Tom Temin
Sure, but given the specificity of that particular statute, that would seem like the agency rulemaking is well within the bounds of a post-Chevron world.

Brian Arnold
It is; the authority to do so certainly is. But with every agency enacting rules under any act, they do necessarily fill in gaps where previously, with the Chevron deference, which is a 40-year-old Supreme Court deference to an agency, that courts really wouldn’t touch. So businesses really wouldn’t challenge an agency’s enforcement action. The door is open now for any time there’s an enforcement action for those businesses who were slapped by the agency to run to court just to challenge and delay the enforcement of the decision of the agency. There may not be any overturning in this instance, but it could cause substantial delays. And then there’s the risk that you have different courts interpreting differently what CISA did in this case, so it’s not an authority issue. It is more, I think, a delay-type issue in getting any final resolution enforcement actions and guidance to the rest of the industry.

Tom Temin
And then there is the Cybersecurity Maturity Model Certification program — lots of rules surrounding that coming from the Defense Department, and that doesn’t seem to have as much statutory, specific basis. Defense Department wants cybersecurity for people holding federal data in their systems and working with the government, the DoD. And that’s an expensive one; that’s untold hundreds of millions of dollars, maybe billions, in cost to industry to have the certifications and hire these people. What about that one?

Brian Arnold
Certainly, that’s an example of one where there’s not as clear of a delegation of authority. So the challenges could be even broader. The challenges wouldn’t be down in the weeds. It could be higher level. Is there even the authority in the first place? So every layer of the framework under those types of rules in theory could be challenged, and likely would be challenged, and it could take some time to flush out, and there’s a lot of rules that are crafted around decades old legislation. The [Federal Trade Commission (FTC) and Securities and Exchange Commission (SEC)] in particular have enacted and proposed rules in the cybersecurity area that don’t really have a clear hook in their statutory authority. But they had to get creative, because they felt that they needed cybersecurity, and Congress is too slow to act, really, for the speed with which threat actors pop up. So those types of decisions too, and those regulations are all likely going to be subject to more court attacks.

Tom Temin
We’re speaking with Brian Arnold. He’s director of legal affairs at Huntress, and you’ve also postulated that other countries dealing with the United States, maybe selling into the United States, if that’s the case, could be affected by this. What do you mean there?

Brian Arnold
Well, the U.S. is generally considered a leader in a lot of areas, in the tech area and to promote international trade and make sure that businesses that have international presences can operate effectively in all their markets, there usually is a standard set for how they do business. And if the U.S. is in flux in their cybersecurity regime, businesses are not really going to know how they’re going to need to operate. The U.S. can’t really be a leader if we can’t really decide what our own regulations look like.

Tom Temin
In the larger sense of the federal government itself, it wants security in its systems. It wants its suppliers to be secure because they’re handling federal information. Might even hold federal data in their systems. So what’s a way through this that industry and government can agree on, because nobody disagrees with the goals of a secure supply base and a secure government?

Brian Arnold
It’s really a bipartisan issue. It’s not something that should be contentious. I think everybody really does agree that we need to secure our infrastructure. The devil’s really in the details. I think going forward, industry, in order to have short term fixes, is going to have to coalesce around what are the industry standards for contracting with your suppliers. And try to help self-regulate, I think, could be a good first step, but also the Loper decision from the Supreme Court, I think, highlights the importance of organizations and industry and working with the government to craft the regulations in the first place. I think they need to work with Congress and push for bipartisan legislation specifically geared towards cybersecurity, because we don’t have any — very little pockets of it. I think it behooves industry then to start at Congress, and then when there are rules being proposed by various agencies, get involved, try to shore up those rules and regulations before they come out. And there is a process when you propose rules by federal agencies, they propose these rules, they take comments, and then they gather and discuss all the comments and then put out final rules. I think more industries, organizations, businesses, need to get involved in this process to make sure that there’s input and all the cracks are identified before rules come out. But again, this all takes time.

Tom Temin
In your experience watching this, how much does the government tend to take in industry comments when it issues rules. We’ve seen cases where, thank you for commenting, we’re going to go ahead with what we were going to do anyway. And sometimes the rules do get modified as a result of commenting. And in the administrative tradition, they point out that comments, it’s not a plebiscite, it’s not a vote by the commenters.

Brian Arnold
Yeah, it’s really hit or miss; it depends on the agency, depends on the administration as to how much the final rules actually do take in the proposed comments, the depth, and who the comments come from will matter. I think, though, that in this world, the Loper decision, I think, will motivate, or should motivate, the agencies to maybe take more seriously the comments and really take them to heart. If there are threats identified to their proposed rules. I think they need to shore them up, because they’re going to be embroiled in litigation after that, and that doesn’t do anybody any good in the cybersecurity space, critical infrastructure, or really, the world.

Tom Temin
It strikes me that the CMMC rule in particular is kind of close to the original case that prompted this, which, as you mentioned, is Loper. Loper and some of the others were complaining about the fact that they had to pay for fishery inspectors, federal inspectors to be on their fishing boats, and that was an imposition to them. In CMMC, you’re not paying for a federal agent to be in your company, looking at how cyber secure you are, but you must pay for some third party that is certified by the government to come in. And so I see a little bit of a parallel with Loper and companies under CMMC.

Brian Arnold
For sure, you’re going to have people that are not going to want to do it at all, or challenge the types of people, the credentials of the person, the robustness of their review. There are all sorts of areas that can be poked at, and likely will be poked at, but now, whether it makes for good law at the end of the day, it’s still TBD. But what’s clear is it is years down the road when you’re going to get things settled in this area.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Related Stories

    Stacy Bostjanick and Jennifer Henderson

    Risk and Compliance Exchange 2024: DoD’ Stacy Bostjanick, DCMA’s Jennifer Henderson on finding ‘any means possible’ to help small biz with CMMC

    Read more
    Amelia Brust/Federal News Networkcybersecurity

    How should software producers be held accountable for shoddy cybersecurity products?

    Read more