A recent US Supreme Court (SCOTUS) ruling has shifted regulatory enforcement from the federal agencies to the judicial system. On 28 June 2024, the Supreme Court struck down a legal principle known as the Chevron Doctrine (or Deference). This doctrine dates to a 1984 Supreme Court ruling (Chevron v Natural Resources Defense Council) that allows federal agencies to use their own expertise to interpret ambiguities in the law. It became the foundation for the federal system of regulation through federal agencies: agency rules, intended to clarify and implement statutory intentions, could be enforced by the agencies themselves. This applied technical expertise and relative speed to the application of law. But the latest SCOTUS ruling abandons the need for courts to show deference to agency expertise, overruling the forty-years-old practice. From SCOTUS,
Held: The Administrative Procedure Act requires courts to exercise their independent judgment in deciding whether an agency has acted within its statutory authority, and courts may not defer to an agency interpretation of the law simply because a statute is ambiguous; Chevron is overruled.[1]
The courts need no longer defer to the Chevron Doctrine in cases that involve agency rulings on agencies’ own rules. Since much US cybersecurity regulation is delivered through different federal agencies (such as the FDA, the SEC, and the DHS) rather than directly from acts of Congress, this will have a major effect on the determination and enforcement of cyber regulation in the US. “This landmark decision from the US Supreme Court will likely have tectonic and long-lasting consequences for administrative rulemaking in the US,” comments Ilia Kolochenko, attorney-at-law with Platt Law LLP and CEO at Immuniweb. “By overruling the 40-year-old Chevron doctrine, the Supreme Court gave significantly more judicial power and leeway to courts in the interpretation of federal law that may be (and often is) vague, unclear or just silent on certain elements, such as cybersecurity, privacy or data breach disclosure.”
Bottomline is that if a business appeals an agency decision, the courts need no longer defer to the agency’s opinion on the matter. This could lead more companies to appeal agency decisions, and well-funded companies to treat US regulations in the same way they treat EU regulations: masses of paperwork, dozens of lawyers, and appeal after appeal. “Many are now projecting a tsunami of litigation for federal agencies and/or officials, who will now be able to be sued in perpetuity for decisions made,” comments Ken Dunham, director of cyber threat at Qualys TRU.
Harvard Law School professor Jody Freeman recently added, “It’s a massive power shift back to the courts and away from agencies. And to put this in context, this is part of a series of cases in which the Supreme Court has made it harder for agencies to do their job.”
Kolochenko provided further, “If a court believes that an administrative rule is inconsistent with an implied purpose of the statute… the court may now simply invalidate the rule. SEC rules on cybersecurity and breach disclosure, or the proposed CISA’s rules relating to critical national infrastructure drafted under CIRCIA, and many other rules and regulations, may possibly be invalidated by court.”
CISA’s CIRCIA implementation may be under particular threat. As recently as 4 April 2024, CISA published a Notice of Proposed Rulemaking (NPRM). The Center for Cybersecurity Policy and Law says, “The proposed rule makes several broad interpretations of CIRCIA’s statutory language, requiring extensive reporting of cyber incidents from a large number of entities in critical infrastructure sectors.” On any appeal, the courts no longer need to defer to agencies’ ‘broad interpretations.’ “This change will likely result in more regulatory actions being challenged and ultimately overturned, leading to legal uncertainty for regulatory bodies and the industries they oversee,” adds Jason Porter, VP and CTO at Optiv + ClearShark.
These thoughts are of course pessimistic. One must see how the SCOTUS ruling will play out over time, and there are potentially some more optimistic outcomes. “I see both pros and cons to the recent Supreme Court ruling overturning Chevron deference,” comments Aaron Rose, office of the CTO at Check Point Software. The primary benefit is that it could force Congress to draft more detailed and better defined legislation and ensure that the agencies base their regulations on the letter of the law rather than their own (albeit it more expert) wishlist. “Additionally,” he adds, “increased judicial oversight means that courts will interpret laws rather than agencies, potentially resulting in more consistent and fair rulings based on established legal principles.”
The cons he sees are similar to other people’s concerns. “With the rapid evolution of technology, particularly in cybersecurity, timely adaptation is critical. The Supreme Court’s decision could slow down the implementation of necessary measures, leaving gaps for hackers and bad actors to exploit. While agencies can still create their own rules and regulations to adapt to emerging threats, there is legal uncertainty as to whether these rules will be upheld in courts.” He concludes, “The need for detailed laws could make regulations clearer and more specific to avoid legal challenges, but it might slow down the response to emerging threats and create legal uncertainties.”
Laws are written by politicians who are not technology experts. They are interpreted and enforced by judges who are not technology experts. The only experts in the field are the agencies, but there has been a shift placed in action by SCOTUS. It is difficult to see who benefits from this development in the realm of Cyber Security. Some believe this is akin to the blind leading the blind, while neutering the guide dog.
This article is shared at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5378972949933166424
[1] https://www.securityweek.com/supreme-court-ruling-threatens-the-framework-of-cybersecurity-regulation/
Comments