No less than three months ago, the Supreme Court struck down the Chevron Doctrine, a legal principle dating back to the 1984 Chevron v Natural Resources Defense Council case. For 40 years, this principle has been the bedrock of federal agency regulations, which means that it has also been the bedrock of cybersecurity regulations. The guiding principle here is that, when there is an ambiguous law governing regulations, the courts have deferred to the knowledgeof government experts (who presumably have a better or more-informed grasp of the intent of the law in question). However, now if an organization appeals a federal agency’s decision on cybersecurity, the courts no longer need to defer to the agency.
As some have noted, this decision devalues the experience of experts and reinforces the power of lawmakers and law officers—neither of whom have a deep understanding of technology. Furthermore, in an area of technology that moves as rapidly of cybersecurity, this could limit the ability of agencies to respond to growing or changing cyber threats. This ruling also has a complicated, and largely negative, effect on federal cybersecurity protection and enforcement, specifically. As noted, if a business wanted to protest an agency’s determination with respect to cybersecurity enforcement, only an appeal is required. This means that well-funded companies can respond to U.S. regulations the way they do to the E.U.’s strict cybersecurity regulations: with appeal after appeal after appeal. Not only does this threaten to bottle up the courts, but it means that companies will be able to continue breaking regulations until a ruling is handed down.
What does this mean for the future of cybersecurity? At the moment, it is impossible to say. With Congress retaining the ability to delegate authority to federal agencies, we can reasonably expect that current cybersecurity efforts will continue; however, this will affect any future attempt at a federal cybersecurity bill by increasing the importance of the drafted language of the text. This could also affect the ability of representatives to find common ground. Additionally, this is expected to add to the pushback of organizations reporting cyberattacks to relevant federal agencies. And as the saying goes, the more ambiguity there is in the reporting process, the more room there is overall for lawsuits.
