Axios Codebook

July 02, 2024
Happy Tuesday! Welcome back to Codebook.
- 🎉 Join Axios' Mike Allen and Colin Demarest on July 11 in D.C. for an event celebrating the launch of our new weekly Future of Defense newsletter!
- The event will feature conversations with Anne Neuberger, deputy national security adviser for cyber and emerging technology at the White House, as well as Rep. Michael McCaul (R-Texas) and Sen. Deb Fischer (R-Neb.). Register here.
📬 Have thoughts, feedback or scoops to share? [email protected].
Today's newsletter is 1,343 words, a 5-minute read.
1 big thing: The end of cyber regulations as Washington knows them
The U.S. Supreme Court has turned the Biden administration's plans to clean up critical infrastructure's cyber hygiene inside out.
Why it matters: Critical infrastructure organizations have failed to implement basic security practices like multifactor authentication on their own — leaving them easy targets for attacks without new regulations.
Driving the news: The Supreme Court on Friday overturned the 40-year-old "Chevron deference" doctrine, which gave legal preference to executive agencies to interpret the laws they're tasked with enforcing.
- Now Congress and the courts are in charge of deciding how agencies interpret and enforce both existing and future statutes.
Between the lines: It's a nail in the coffin for an executive branch-led strategy that attempted to require many organizations to practice basic cybersecurity via new interpretations of existing law.
- The Biden administration had spent the last three years creatively interpreting existing agencies' rules and applying them to security — rather than waiting for Congress to give agencies direct power to mandate basic cybersecurity practices.
- And it's not just about the current administration: Past security regulations have also hinged on open interpretations of existing laws, cyber policy experts at law firm Venable said in a blog post for the Center for Cybersecurity Policy and Law yesterday.
Yes, but: This regulatory approach had already faced court pushback in the last year.
- An attempt by the Environmental Protection Agency to add questions about cybersecurity to required sanitation surveys by reinterpreting the Safe Drinking Water Act was challenged in a GOP-led lawsuit — and the EPA ultimately rescinded the rule.
What they're saying: "The system was broken before this repeal of the Chevron ruling," Mark Montgomery, director of the Cyberspace Solarium Commission 2.0 at the Foundation for Defense of Democracies, told Axios.
- "But this will make it harder: It will make it harder because Congress is ill-equipped to write regulatory language," said Montgomery, who also is a former White House and Senate staffer.
The big picture: Several critical infrastructure sectors don't have legal requirements to institute basic cybersecurity.
- This is partly because some agencies haven't taken their responsibilities as cyber regulators as seriously as they should, Montgomery added.
- Many offices, like the departments of Education and Agriculture, haven't been requesting nearly enough money to hire more cyber personnel or set up grant programs for schools, food suppliers and more, Montgomery said.
Zoom in: The end of Chevron deference also means more agency legislative affairs staffers, lobbyists and advocates will be on Capitol Hill to build a robust Congressional Record that courts and agencies can rely on, Nicole Tisdale, a former House Homeland Security Committee staffer and White House official, told Axios.
- "You're going to have to include more reports, more evidence into the Congressional Record," Tisdale said. "It's sending letters, it's actively being involved in the markup process, which is not something that the federal government or the private sector fully engages in all the time."
A handful of ongoing cyber regulatory efforts could be immediately affected by the ruling, according to Venable.
- The Cybersecurity and Infrastructure Security Agency's proposed rule mandating critical infrastructure organizations report cyber incidents within 72 hours includes some broad interpretations of the new law it's enforcing that may now need to be rolled back.
- The White House has been hinting at implementing new baseline cybersecurity requirements for hospitals that could need to be revisited.
The intrigue: A lot of the practices Washington will have to follow aren't new, said Tisdale, who now runs her own advocacy firm, Advocacy Blueprints.
- "Congress has always shaped the legislation, and the courts have always used the record to look at congressional intent," Tisdale said. "It's always been this connected circle; overturning Chevron just requires a lot more effort on Congress' part."
2. New security bug could mirror Heartbleed
A newly discovered open-source vulnerability could be as widespread as Heartbleed or Log4j, researchers warned yesterday.
Why it matters: Many companies are short-staffed during the Fourth of July week, meaning vulnerable systems may not get patched quickly enough to prevent all possible attacks.
Zoom in: Researchers at Qualys discovered a bug in OpenSSH, the widely used server software that many organizations rely on to secure communications and manage remote access, that would allow attackers to gain complete control of the system running it.
- The flaw — dubbed "regreSSHion" — affects how systems authenticate a user's identity and has a severity score of 8.1 out of 10.
- OpenSSH has fixed the issue, but it requires users to update to the latest version as soon as possible.
Threat level: More than 14 million instances of the vulnerable OpenSSH tool were running online as of yesterday.
- Once they exploit the flaw, hackers could install malware, manipulate data, and create backdoors to keep accessing corporate networks.
- Exploiting the bug is challenging, Qualys noted, because it takes multiple attempts to get right, though advances in deep learning could speed up exploitation.
What we're watching: Some experts have already warned this issue could be as widespread as Heartbleed — a 2014 vulnerability believed to have affected roughly 500,000 websites running an open-source encryption tool.
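The practical takeaway from this item is inventory and patch triage: find the exposed OpenSSH instances and update the ones still on a vulnerable version. The script below is an added example, not part of the Axios newsletter or Qualys' research. It parses SSH server banners (the `SSH-2.0-OpenSSH_x.yPz` string a client sees on connect) from a constructed sample inventory and flags hosts whose version falls inside an affected range. The newsletter gives no version numbers, so the range bounds `AFFECTED_MIN` and `FIXED_AT` are placeholders to be replaced with the values from the vendor advisory.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample inventory: host name -> banner string as an SSH client
# would see it. These are made-up hosts, not real scan results.
SAMPLE_BANNERS: Dict[str, str] = {
    "host-a": "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13",
    "host-b": "SSH-2.0-OpenSSH_9.8p1",
    "host-c": "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3",
    "host-d": "SSH-2.0-dropbear_2022.83",
    "host-e": "SSH-2.0-OpenSSH_9.7",
}

# PLACEHOLDER bounds (the newsletter states no version numbers): a version v is
# treated as affected when AFFECTED_MIN <= v < FIXED_AT. Substitute the real
# values from the advisory before using this for anything but illustration.
AFFECTED_MIN: Tuple[int, int, int] = (9, 0, 0)
FIXED_AT: Tuple[int, int, int] = (9, 8, 0)

Version = Tuple[int, int, int]

# OpenSSH banners look like "OpenSSH_9.6p1"; the "p" portable-release suffix
# is optional, so treat a missing one as patch level 0.
BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")


def parse_openssh_version(banner: str) -> Optional[Version]:
    """Extract (major, minor, patch) from a server banner, or None if the
    banner is not from OpenSSH (e.g. dropbear, or an unparseable string)."""
    m = BANNER_RE.search(banner)
    if m is None:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def classify(banner: str,
             affected_min: Version = AFFECTED_MIN,
             fixed_at: Version = FIXED_AT) -> str:
    """Return 'needs-update', 'ok', or 'not-openssh' for one banner.
    Tuple comparison gives correct ordering across major/minor/patch."""
    version = parse_openssh_version(banner)
    if version is None:
        return "not-openssh"
    if affected_min <= version < fixed_at:
        return "needs-update"
    return "ok"


def triage(inventory: Dict[str, str],
           affected_min: Version = AFFECTED_MIN,
           fixed_at: Version = FIXED_AT) -> Dict[str, str]:
    """Classify every host in the inventory."""
    return {host: classify(banner, affected_min, fixed_at)
            for host, banner in inventory.items()}


def hosts_needing_update(inventory: Dict[str, str],
                         affected_min: Version = AFFECTED_MIN,
                         fixed_at: Version = FIXED_AT) -> List[str]:
    """Sorted list of hosts whose banner version is inside the affected range.
    Caveat: distributions often backport fixes without changing the banner
    version, so a 'needs-update' result should be confirmed against the
    installed package version before action is taken."""
    results = triage(inventory, affected_min, fixed_at)
    return sorted(host for host, status in results.items()
                  if status == "needs-update")


if __name__ == "__main__":
    for host, status in triage(SAMPLE_BANNERS).items():
        print(f"{host}: {SAMPLE_BANNERS[host]!r} -> {status}")
    print("Update first:", hosts_needing_update(SAMPLE_BANNERS))
```

Banner-based triage deliberately errs toward flagging too much: a host whose distribution backported the fix will still report the old version string, so the `needs-update` list is a work queue for verification against package metadata, not a final verdict. Non-OpenSSH banners are reported separately rather than silently marked safe, since a different SSH implementation needs its own advisory check.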
3. Exclusive: Redactive AI raises $7.5M seed round
An Australia-based security startup has raised a $7.5 million seed funding round to help major corporations use generative AI without fear of bots spilling their secrets, the company exclusively shared with Axios.
The big picture: Companies haven't yet figured out how to bring AI agents or chatbots into their workflows while protecting proprietary information.
- Redactive AI offers tools that set guardrails for what information AI tools can access and retrieve.
Driving the news: Redactive said today it raised a $7.5 million seed round led by Felicis Ventures and Blackbird Ventures.
- Atlassian Ventures and automation company Zapier also participated in the round.
Zoom in: Redactive was founded by a pair of former Atlassian employees — Andrew Pankevicius and Alexander Valente — and AI engineer Lucas Sargent after working with companies on their cloud transitions and conducting cybersecurity reviews during that process.
- The tool is designed to help engineers and data governance teams set guardrails for the AI tools they're trying to let their companies use — including those that set permissions for what information different employees can access.
- This could be especially helpful for organizations looking to use AI agents, which can act on a specific employee's behalf to pull data or do a specific task, Pankevicius told Axios.
What they're saying: "We're really trying to virtualize that AI engineer that's in so much demand right now to augment normal software teams," Pankevicius said.
- That mission means that Redactive has to have top-tier subject-matter expertise itself, Pankevicius noted, and that triggered the need for venture capital dollars.
The intrigue: Redactive is already working with two prominent Australian financial services organizations. Other customers include frontier technology companies, according to a press release shared with Axios.
What's next: The startup says it will use the new funding to hire about five employees across the engineering, customer success and marketing teams. The company currently has 10 employees, Pankevicius said.
- Redactive will also use some of the funds to bring on more employees in the U.S.
4. Catch up quick
@ D.C.
❌ CISA director Jen Easterly says she doesn't see a ban on ransom payments happening in the U.S. (The Record)
🪖 The head of the Defense Department's IT agency said his office is looking at ways to better defend itself against Chinese hackers, whose "risk tolerance continues to change." (Nextgov)
@ Industry
😵💫 Workers at auto dealerships say a pair of cyberattacks on CDK Global will now likely affect their payroll and other services. (CNN)
📉 Cyber insurance premiums are starting to fall, even as the number of ransomware attacks continues to rise, according to a new report from insurance broker Howden. (Reuters)
@ Hackers and hacks
🤯 Data breaches have exposed at least 1 billion stolen records so far in 2024. (TechCrunch)
👀 Predator spyware has gone nearly silent, suggesting recent sanctions have successfully stonewalled its operators' work. (CyberScoop)
5. 1 fun thing
The National Park Service, of all places, has perfectly embodied what it was like for me (and I'm sure many of you) to log on during a summer holiday week. 😎 🐻
🇺🇸 See y'all Friday!
Thanks to Megan Morrone for editing and Khalid Adad for copy editing this newsletter.
If you like Axios Codebook, spread the word.