The Commerce Department could hit a legal snag with its proposal to require cloud companies to verify their customers’ identities and report on their activities. The pending rule, part of an effort to clamp down on hackers’ misuse of cloud services, has drawn industry criticism for alleged overreach. A major tech trade group warned Commerce that its “proposed regulations risk exceeding the rulemaking authority granted by Congress.” (Commerce declined to comment.)
Lawsuits could also target other regulations—including data breach reporting requirements from the Federal Trade Commission, the Federal Communications Commission, and financial regulators—that rely on laws written long before policymakers were thinking about cybersecurity.
“A lot of the challenges where the agencies are going to be most nervous [are] when they’ve been interpreting something for 20 years or they newly have interpreted something that’s 30 years old,” says the cyber attorney.
The White House has already faced one major setback. Last October, the Environmental Protection Agency withdrew cyber requirements for water systems that industry groups and Republican-led states had challenged in court. Opponents said the EPA had exceeded its authority in interpreting a 1974 law to require states to add cybersecurity to their water-facility inspections, a strategy that a top White House cyber official had previously praised as “a creative approach.”
All Eyes on Congress
The government’s cyber regulation push is likely to run headlong into a judicial morass.
Federal judges could reach different conclusions about the same regulations, setting up appeals to regional circuit courts that have very different track records. “The judiciary itself is not a monolith,” says Geiger, of the Center for Cybersecurity Policy and Law. In addition, agencies understand cutting-edge tech issues much better than judges, who may struggle to parse the intricacies of cyber regulations.
There is only one real solution to this problem, according to experts: If Congress wants agencies to be able to mandate cyber improvements, it will have to pass new laws empowering them to do so.
“There is greater onus now on Congress to act decisively to help ensure protection of the critical services on which society relies,” Geiger says.
Clarity will be key, says Jamil Jaffer, the executive director of George Mason University’s National Security Institute and a former clerk to Supreme Court Justice Neil Gorsuch. “The more specific Congress gets, the more likely I think a court is to see it the same way an agency does.”
Congress rarely passes major legislation, especially with new regulatory powers, but cybersecurity has consistently been an exception.
“Congress moves very, very slowly, but it’s not completely passive [on] this front,” Lilley says. “There’s a possibility that you will see meaningful cyber legislation in particular sectors if regulators are not able to move forward.”
One major question is whether this progress will continue if Republicans seize unified control of the government in November’s elections. Lilley is optimistic, pointing to the GOP platform’s invocation of securing critical infrastructure with heightened standards as “a national priority.”
“There’s a sense across both sides of the aisle at this point that, certainly in some of the sectors, there has been some measure of market failure,” Lilley says, “and that some measure of government action will be appropriate.”
Regardless of who controls Capitol Hill next January, the Supreme Court just handed lawmakers a massive amount of responsibility in the fight against hackers.
“It’s not going to be easy,” Geiger says, “but it’s time for Congress to act.”
Source link