Cover Image: belchonock
Introduction
On June 28th, the US Supreme Court issued a decision that could significantly alter the regulatory landscape, including cybersecurity regulations. In the Loper Bright / Raimondo and Relentless / Department of Commerce cases, the Court overturned the “Chevron Deference Doctrine,” a key piece of administrative law for nearly four decades.
Media reactions have been predictably dramatic, with headlines proclaiming, “A stunning reversal of 40 years of administrative law” and “Supreme Court paves way for a ‘legal earthquake’.” Even the official dissent got in on the colorful language, calling the decision “judicial hubris” in which the court “gives itself exclusive power over every open issue… involving the meaning of regulatory law” (Dissenting Opinion, Kagan, P.3).
But as with many things, the reality is neither as groundbreaking as it’s made out to be, nor will it cause rapid chaos or unwinding of established norms. New legal challenges, where possible, will take months or years and aren’t guaranteed to succeed.
While we’ve seen some significant legal and regulatory moves in our space over the last 5 – 10 years, I don’t think this is going to be one of them, at least for cybersecurity. Let’s dig into the details and see what this decision really means in our space.
Standard disclaimer: I am not a lawyer, and nothing I say should be construed as legal advice.
Example news coverage in the security community: CSO Online, centerforcybersecuritypolicy.org

TL / DR:
- The decision overturned the 1984 “Chevron Deference Doctrine”, used as the basis for interpreting the limits of federal agency authority since then.
- Under Chevron, if an agency’s authority wasn’t clear in the law, courts would generally defer to the agency’s own interpretation of their authority.
- With Chevron gone, such legal ambiguity is once more subject to judicial review (as it was prior to the 1984 decision).
- This restricts the power of federal regulatory agencies in the US and puts more onus on Congress to clearly delegate authority.
- There is no immediate impact on standing regulations, but the decision does open them to new legal challenges – which may or may not succeed in court.
- For security professionals, this means a possible trend of partial deregulation over the next several years as new cases work through the judiciary.
- Expect regulatory movement, if it does happen, to be most likely around regulations from agencies with tenuous links to information or security – core regulations will likely be unchanged.
Details, including a dive into the legal aspects of the decision, the reasoning for it and the arguments against, follow.
If you’re either a legal addict or a masochist, the 114-page decision and dissent can be found here.
For those interested, a breakout at the end of this article gives a detailed rundown of core arguments / points made in the case itself.
Historical Context – Whence and why this administrative state?
Because Congress is messy, sometimes cowardly, and (also) can’t see the future
The Rise of Federal Agencies
To understand the significance of this decision, we need to look at the historical context of federal agencies and their authority.
Federal agencies have existed since the founding of the United States, with the Departments of State, Treasury, and War (now Defense) created by Congress in 1789. New agencies were added periodically, with a large expansion in the late 19th and early 20th centuries, peaking around the 1930s – 1940s with FDR’s New Deal and its aftermath.
Most federal agencies were established by acts of Congress, with their mandates, scopes, and delegated powers outlined in law with varying degrees of specificity. Many agencies were granted statutory and regulatory authority – the ability to create binding regulations in their area of influence.

The problem with ambiguity
The challenge, of course, is that laws, including those establishing agencies, often contain ambiguities. Sometimes these are unintentional results of the legislative process. Other times, they reflect congressional reluctance to make hard choices. Often, they’re simply a reflection of changing times – Congress can no more foresee the specific concerns of 100 years from now than the founders could have anticipated the intricacies of internet regulation.
For most of U.S. history, these ambiguities were resolved through judicial review. Courts would interpret the law given its historical context, consider precedent, weigh arguments, and render binding decisions. This power was based in the Constitution, hardened in the landmark Marbury v. Madison Supreme Court case, and was the process for disambiguating the limits of administrative power in the United States.
This process and its relation to federal agencies was further codified and clarified in the Administrative Procedure Act (APA) of 1946, which was drafted to ensure that newly minted regulatory bodies’ power, and the zeal of their leaders, were checked. The APA reaffirmed the courts’ duty to independently interpret the law in cases of ambiguity regarding agency authority, definition of terms, etc.
Understanding Judicial Review
- Definition: Judicial review is the power of courts to review actions of the legislative and executive branches and determine whether they comply with the Constitution and other applicable laws.
- Legal Basis:
  - Constitution: Article III of the U.S. Constitution establishes the judicial branch and provides the foundation for judicial review by vesting judicial power – especially interpretation of law – in the Supreme Court and other federal courts.
  - Marbury v. Madison (1803): This landmark Supreme Court case, decided by Chief Justice John Marshall, firmly enshrined the principle of judicial review and in particular the ability to carry interpretation of law all the way to the Constitutional level.
- Key Facts: Judicial Review…
  - … Ensures no law or government action can supersede the Constitution.
  - … Is a crucial check on the powers of the other branches of US government.
  - … Allows courts to protect individual rights by striking down unconstitutional laws or executive actions.

The Chevron Decision: A Shift in Judicial Approach
The case
In 1984, the Supreme Court’s decision in Chevron U.S.A., Inc. v. Natural Resources Defense Council, Inc. introduced a new framework for dealing with questions of agency authority. The case revolved around the interpretation of “stationary source” in the Clean Air Act, and, absent a specific definition in written law, whether the EPA’s mandate allowed it to set a specific definition.
In addition to ruling on the case specifics (siding with the EPA’s definition and authority to make it), the court established a guiding principle for future questions around ambiguous definitions of regulatory power.
This framework became known as the Chevron Deference Doctrine and had two steps:
- Step 1: Does existing law explicitly spell out the specific case at hand? If so, follow the law as written.
- Step 2: If not, and the agency has proposed an interpretation that is not “arbitrary, capricious, or manifestly contrary to the statute,” defer to the agency.
  - Of note: The agency doesn’t require the best interpretation, or even a correct one, just one not abjectly in contradiction to written law or “crazy” in the vernacular.
  - i.e. the fundamental test is – “is this at least somewhat reasonable?”
The New Standard (and was it really so new?)
This doctrine effectively told courts to defer to agencies’ interpretations of ambiguous statutes unless those interpretations were patently unreasonable or clearly contrary to the law.

The previous baseline had been to assess questions about proposed rules without assuming the agency was “in the right” and to apply some standards of due diligence and logical consistency to determine the correct course.
This was captured in what was known as Skidmore Deference, based on the 1944 decision in Skidmore v. Swift & Co. It codified the standard in use at the time, that courts should defer to agencies based upon:
- The validity of the agency’s reasoning – e.g. is it logically consistent at a basic level.
- The consistency of the agency’s interpretation with prior pronouncements / regulations.
- The formality of the agency’s process (e.g., whether the interpretation was issued in a formal adjudication or rulemaking versus an informal letter or guidance).
- The expertise of the agency in the relevant subject.
Under Chevron, we moved to a model of “defer to the involved agency’s interpretation (even if suboptimal), provided it is not outright unworkable.”
If these sound like variations on a theme, it’s because they are.
Portions of the court (notably the textualist / originalist side of it) have pushed back on the need for Chevron, and what value it was adding over the APA, periodically over the last few decades, culminating in the recent decision.
With Chevron overturned, it seems a lot may be up in the air again. Or is it?
Implications for Cybersecurity Regulation
General Implications
So, with all of that said, what does this new standard mean practically for a security professional?
Here are the key implications.
- No Immediate Changes: Existing regulations remain in effect. Your current compliance requirements haven’t changed overnight.
- Potential for Future Challenges: The decision opens the door for new legal challenges to existing regulations. However, these will need to originate in new damage-based lawsuits, which will take time to work through the courts.
- Agency-Specific Impact: Regulations from agencies with broad, clearly defined mandates related to information, technology, or security are less likely to be successfully challenged.
- More Specific Laws: If congressional leaders want to assure consistent future regulatory outcomes, they will need to ensure adequate specificity when delegating authority to agencies in future laws.

Impact on Specific, Recent Regulations
Adding this all up – while changes may come down the pike, we should expect them to be limited in scope, and come on a slow burn.
Other articles have raised alarm bells around a variety of existing and pending cyber-related regulations, but haven’t analyzed those rules against the regulatory backdrop sans Chevron and so are effectively only wildly speculating about risk. (I’m looking at you CSOOnline and centerforcybersecuritypolicy …)
Given that’s obviously less helpful, I’ve selected a few of interest from their lists and examined them:
- SEC Breach Notifications – Likely to survive any challenges
  - The Securities and Exchange Act mandates “Anti-Fraud” practices, which prohibit omissions or deception that could impact the sale of a security.
  - A breach would impact perception of risk / value, and therefore a notification mandate is fully in line with that clause.
  - Other provisions require accurate books and records and internal accounting controls, which further imply a minimum bar of security is required.
- FCC Breach Notifications (including the recent 2023 expansion) – Also probably safe
  - The FCC is granted (by the 1934 Communications and 1996 Telecommunications Acts) broad powers to regulate all forms of communications, explicitly including computer systems and networks.
  - They are explicitly granted powers to establish rules to ensure their availability, efficiency, and the security of customer information.
  - The FCC also has ample precedent in this space, with many previous telco disclosure rules on the books establishing a pre-Chevron frame of reference.
- TSA Cybersecurity Regulations – Expect no changes here
  - Existing rules here are broad, including disclosure and minimum technology security standards covering gas pipelines, aircraft and airports, passenger and freight railroad carriers, and surface transportation networks.
  - TSA was incorporated and granted very broad powers to create regulations in support of travel safety by the Aviation and Transportation Security Act of 2001. These were further greatly expanded in the Homeland Security Act of 2002 (which also brought the TSA under DHS) and the Pipeline Safety Improvement Act of 2002, and should easily cover all provisions of current and recent regulations.
- Gramm-Leach-Bliley Act (GLBA) FDIC reporting rules – Will likely remain
  - Another set of breach notification requirements, similar to the others above.
  - The GLBA specifically mandates institutions to “establish … appropriate standards for … administrative, technical, and physical safeguards …” for protecting the security and confidentiality of customer information.
  - Reporting rules are common in most frameworks in this space and easily pass muster for being “appropriate.”

What about pending rules?
We can apply similar scrutiny to pending rules, and the same basic comments apply.
So, for example, the FCC’s proposed rule around Border Gateway Protocol security likely has nothing to worry about, given that agency’s broad mandate and powers.
Similarly, proposed Executive Orders by the Biden administration (e.g. for hospitals) will largely depend on which agency they are claimed under and how they’re framed, but shouldn’t be materially more or less “safe” after this decision.
The common thread? Agencies with clear, congressionally granted authority in a given area are on firmer ground. Regulations stemming from more tenuous or broadly interpreted authority may face greater scrutiny (and risk).
Conclusion: Measured Attention and Concern, Not Panic
I may be the minority opinion here, based on news headlines, but I don’t see the Loper Bright / Raimondo decision as materially impacting cybersecurity as a profession in any short-term measurable way. I’m also skeptical of whether the broader impact will be as great as many attribute it to be – though I’m admittedly less versed in other regulatory areas.
That said, it does warrant ongoing attention – the regulatory landscape may shift over the next few years, but it won’t happen overnight. Of course, that was also true before this latest ruling…
Instead of worrying about potential deregulation from this decision, I would continue to focus on:
- Maintaining solid fundamentals – lack of MFA and falling to phishing are far more likely to sink your business than a sudden regulatory change coming out of this decision.
- Staying informed about emerging technologies and threats – the “still not quite here AI revolution”, the broadening of ransomware targets, and the potential risk of increased nation-state activity in the current political landscape all deserve at least as much concern and attention as this ruling.
- Keeping general attention on the regulatory landscape – without letting it distract from other core security responsibilities. If you’re doing security right, you should already be doing this.

This decision is a significant development in administrative law, but it’s neither likely to cause rapid sweeping changes nor is it a cybersecurity apocalypse.
Stay informed, adapt as necessary, and keep your focus on the fundamentals of good security.
The threat landscape isn’t waiting for the legal dust to settle, and neither should you.
Breakout: The case to overturn Chevron: Reasoning and Objections
The recent decision to overturn Chevron has sparked intense debate in legal and regulatory circles. For those curious about the decision itself, I offer a summary of key points raised in the decision and the dissenting opinion.
Below is my own summary, having read the full opinion, dissent, and relevant amicus brief content. Points and counterpoints are aligned horizontally with each other, such that content on a single row represents views on a single topic, from each perspective. The “defending” side is italicized and the side making the base argument is in standard font.
| Majority Opinion Points | Dissent Points |
|---|---|
| **APA Incompatibility:** Chevron, by defaulting to agency interpretation of ambiguity, contradicts the APA’s mandate for courts to decide “all” questions of regulatory ambiguity. | **Deference is Decision:** By adopting a default stance, courts are still effectively “deciding” – they are just doing it in bulk. |
| **Inconsistent Application and Complex Exceptions:** Chevron was applied inconsistently since its inception, not being applied at all in some cases, and spawning half a dozen exception rules over the years. | **Manageable Exceptions:** The handful of exceptions can easily be defined in plain English, and are no more complex than the framework(s) courts used to directly adjudicate ambiguity under the APA. |
| **Historical Inconsistency:** Chevron broke from a 180-year pattern of the courts directly adjudicating ambiguity in regulatory agency definitions on a case-by-case basis, including the 40 or so years after the APA. | **Stare Decisis:** Overturning a decision in place for 40 years violates the principle of respecting legal precedent. |
| **Legal, Not Policy Questions:** Resolving ambiguity under the APA is about legal interpretation of congressional law defining agencies and terms pertaining to them, informed by expert input from agencies, involved parties, and briefs. | **Expertise Gap:** Courts and judges lack the expertise to rule on complex or technical regulatory matters, such as when scientific or engineering terms are nebulously referenced in law. |
| **No Assumed Delegation:** Ambiguity doesn’t necessarily imply intent to delegate and can arise for many reasons, including error. The APA’s selective mention of deference in policy and fact-finding clauses, but not in legal interpretation clauses, shows where deference was intended. Congress did not need to pass a law codifying disagreement with Chevron; the APA already covered it. | **Implied Delegation:** Congress creates agencies with the purpose of delegating authority, and has a long history of deferring to the Executive and its agencies. It’s reasonable to assume Congress’ intent therefore is that ambiguity should be resolved by agencies, not courts. If Congress had disagreed with this interpretation, they had 40 years to pass a law overriding Chevron. |
So, what are we left with? Two groups of lawyers, arguing about what is reasonable to assume Congress wants, both in the past and present, when Congress doesn’t explicitly specify it.
With valid logical and legal justifications for either side, this is mostly a recipe for circular arguments and accusations of partisan political bias.