Experts Warn of Cyber Regulatory Chaos Post-Chevron Overturn
The Supreme Court's Chevron Ruling Brings Uncertainty for Cyber and AI Policy
The U.S. Supreme Court's overturning of a long-standing judicial doctrine of deferring to government agencies' interpretation of statutes brings uncertainty for cybersecurity and artificial intelligence.
The Chevron deference - a Supreme Court precedent from the early 1980s that allowed federal agencies to reasonably interpret ambiguous statutes and enforce standards - played a pivotal role in shaping and regulating cyber policy for the public and private sectors. Agencies such as the Federal Communications Commission and the Federal Trade Commission have relied on the ruling to interpret their authorizing statutes and enforce cybersecurity measures against companies that fail to adequately protect consumer data.
The court's 6-3 decision to strike down the doctrine all but ensures inconsistent regulatory standards across circuit court districts and heightened legal battles, said Michael Drysdale, a leading environmental law expert who has worked on cases involving the Environmental Protection Agency and the Clean Water Act. The decision will hinder federal rule-making for generations, he said, as agency regulations will likely become far more cautious and increasingly challenged - and enjoined - in courts across the country.
"Chevron has been one of the most-cited and influential decisions in the last half-century. No longer," Drysdale told Information Security Media Group. The Supreme Court's 35-page ruling in Loper Bright Enterprises v. Raimondo, which struck down Chevron, is "a prospective earthquake," he said.
"The decision will make the already difficult task of agencies to develop and apply rules all the harder."
Brought by a group of New Jersey herring fishermen, the case involved a technical dispute over whether the National Marine Fisheries Service could require the fishermen to pay for on-vessel observers. The agency argued its authority was implied through general enforcement powers, even though the legislation does not explicitly grant those powers.
In a majority decision authored by Chief Justice John Roberts, the court said Chevron had been wrongly decided from the start and had become unworkable over time due to the variety of exceptions and inconsistent applications.
The reversal will likely have a "seismic effect" on digital security regulations, said the Center for Cybersecurity Policy and Law. Regulation writers rely on interpretations of decades-old laws, drafted long before today's cybersecurity threat landscape emerged.
"The judiciary now has greater independence to second-guess security regulations, yet cybersecurity is a highly technical discipline," the center said in a Monday blog post. Data security requirements derived from ambiguous statutes could now be immediately in jeopardy.
Those could potentially include cybersecurity disclosure requirements the Securities and Exchange Commission approved in 2023, cyber incident reporting requirements for financial institutions developed in 2022 under the Gramm-Leach-Bliley Act and a variety of cyber regulations the Transportation Security Administration established that same year.
The Cybersecurity and Infrastructure Security Agency's proposed rule to implement the Cyber Incident Reporting for Critical Infrastructure Act of 2022 could also be in jeopardy, according to the center, due to its broad interpretations of the bill's statutory language.
"Narrowly targeted rules with sound statutory backing will help ensure this work is not upended by newly empowered litigants," the researchers said, adding that voluntary cyber risk management programs across the private sector might be needed now more than ever "to strengthen the resilience of consumers, enterprises, and society."
CISA, TSA and the EPA did not immediately respond to requests for comment on the ruling, which the Center for Cybersecurity Policy and Law described as a "nail in the coffin" for the Biden administration's cyber policy agenda. The White House has taken a self-proclaimed "creative approach" in recent years to regulating critical infrastructure cybersecurity, interpreting older statutory mandates to create rule-making around ransomware, incident reporting and more.