The Commerce Department could find itself in legal trouble with his proposal to demand Cloud companies must verify the identity of their customers and report their activities. The pending rule, part of an effort to crack down on hackers misusing cloud services, has drawn criticism in the industry for alleged overreach. A major technology trade group Trade warned that its “proposed regulations risk exceeding the rulemaking authority granted by Congress” (Commerce Department declined to comment).
The lawsuits could also target other regulations, including data breach notification requirements. The Federal Trade Commission, The Federal Communications Commissionand financial regulators—which are based on laws written long before policymakers began thinking about cybersecurity.
“A lot of the challenges that will make agencies the most nervous are when they’ve been interpreting something for 20 years or when they’ve just interpreted something that’s 30 years old,” the cyber lawyer says.
The White House has already faced a major setback. Last October, the Environmental Protection Agency withdrew cyber requirements for water systems that industry groups and Republican-led states had challenged in court. Opponents said the EPA had exceeded its authority in Interpreting a 1974 law that requires states to to add cybersecurity to its inspections of water facilities, a strategy that a senior White House cyber official had proposed. previously praised as “a creative approach.”
All eyes on Congress
The government’s initiative to regulate the cyber realm is likely to end up in a judicial quagmire.
Federal judges could reach different conclusions about the same regulations, potentially leading to appeals to regional circuit courts that have very different track records. “The judiciary itself is not a monolith,” says Geiger of the Cybersecurity Law and Policy Center. Plus, agencies understand cutting-edge technology issues much better than judges, who can have a hard time parsing the complexities of cyber regulations.
According to experts, there is only one real solution to this problem: If Congress wants agencies to be able to require cyber improvements, it will have to pass new laws that enable them to do so.
“Congress now has a greater responsibility to act decisively to help ensure the protection of the critical services upon which society depends,” Geiger said.
Clarity will be key, says Jamil Jaffer, executive director of the National Security Institute at George Mason University and a former clerk to Supreme Court Justice Neil Gorsuch. “The more specific Congress is, the more likely a court will view it the same way an agency does.”
Congress rarely passes major laws, especially with new regulatory powers, but Cybersecurity has consistently been an exception.
“Congress is moving very, very slowly, but it is not completely passive on this front,” Lilley says. “There is the potential for significant cyber laws to be passed in specific sectors if regulators fail to make progress.”
An important question is whether this progress will continue if Republicans take unified control of the government in the November elections. Lilley is optimistic, noting that Republican Party PlatformThe call to secure critical infrastructure to higher standards as “a national priority.”
“There is a sense in both parties at the moment that there has certainly been some degree of market failure in some quarters,” says Lilley, “and that some measure of government action will be appropriate.”
Regardless of who controls the Capitol next January, the Supreme Court has just given lawmakers an enormous amount of responsibility in fighting hackers.
“It’s not going to be easy,” Geiger says, “but it’s time for Congress to act.”
