Chevron decision crushes Washington's approach to cyber regulations

Illustration: Aïda Amer/Axios
The U.S. Supreme Court has turned the Biden administration's plans to clean up critical infrastructure's cyber hygiene inside out.
Why it matters: Critical infrastructure organizations have failed to implement basic security practices like multifactor authentication on their own — leaving them easy targets for attacks without new regulations.
Driving the news: The Supreme Court on Friday overturned the 40-year-old "Chevron deference" doctrine, which gave legal preference to executive agencies to interpret the laws they're tasked with enforcing.
- Now Congress and the courts are in charge of deciding how agencies interpret and enforce both existing and future statutes.
Between the lines: It's a nail in the coffin for an executive branch-led strategy that attempted to require many organizations to practice basic cybersecurity via new interpretations of existing law.
- The Biden administration had spent the last three years creatively interpreting existing agencies' rules and applying them to security — rather than waiting for Congress to give agencies direct power to mandate basic cybersecurity practices.
- And it's not just about the current administration: Past security regulations have also hinged on open interpretations of existing laws, cyber policy experts at law firm Venable said in a blog post for the Center for Cybersecurity Policy and Law on Monday.
Yes, but: This regulatory approach had already faced court pushback in the last year.
- An attempt by the Environmental Protection Agency to add questions about cybersecurity to required sanitation surveys by reinterpreting the Safe Drinking Water Act was challenged in a GOP-led lawsuit — and the EPA ultimately rescinded the rule.
What they're saying: "The system was broken before this repeal of the Chevron ruling," Mark Montgomery, director of the Cyberspace Solarium Commission 2.0 at the Foundation for Defense of Democracies, told Axios.
- "But this will make it harder: It will make it harder because Congress is ill-equipped to write regulatory language," said Montgomery, who also is a former White House and Senate staffer.
The big picture: Several critical infrastructure sectors don't have legal requirements to institute basic cybersecurity.
- This is partly because some agencies haven't taken their responsibilities as cyber regulators as seriously as they should, Montgomery added.
- Many offices, like the departments of Education and Agriculture, haven't been requesting nearly enough money to hire more cyber personnel or set up grant programs for schools, food suppliers and more, Montgomery said.
Zoom in: The end of Chevron deference also means more agency legislative affairs staffers, lobbyists and advocates will be on Capitol Hill to build a robust Congressional Record that courts and agencies can rely on, Nicole Tisdale, a former House Homeland Security Committee staffer and White House official, told Axios.
- "You're going to have to include more reports, more evidence into the Congressional Record," Tisdale said. "It's sending letters, it's actively being involved in the markup process, which is not something that the federal government or the private sector fully engages in all the time."
A handful of ongoing cyber regulatory efforts could be immediately affected by the ruling, according to Venable.
- The Cybersecurity and Infrastructure Security Agency's proposed rule mandating critical infrastructure organizations report cyber incidents within 72 hours includes some broad interpretations of the new law it's enforcing that may now need to be rolled back.
- The White House has been hinting at implementing new baseline cybersecurity requirements for hospitals that could need to be revisited.
The intrigue: A lot of the practices Washington will have to follow aren't new, said Tisdale, who now runs her own advocacy firm, Advocacy Blueprints.
- "Congress has always shaped the legislation, and the courts have always used the record to look at congressional intent," Tisdale said. "It's always been this connected circle; overturning Chevron just requires a lot more effort on Congress' part."
