Industry executives and experts share their predictions for 2025. Read them in this 17th annual VMblog.com series exclusive.

By Ed Bailey, Principal Technical Evangelist at Cribl
The recent US Supreme Court (SCOTUS) decision in Loper Bright Enterprises v. Raimondo will affect the pace and effectiveness of US cyber regulation in both the short and the long term, because key federal regulators lack clear congressional authority to create cybersecurity regulations. The court's decision overturned the Chevron doctrine, a longstanding precedent that required judges to defer to a federal agency's reasonable interpretation of an ambiguous law passed by Congress.
Going forward, Federal courts will have greater latitude to modify or overturn regulations and enforcement decisions, and they will no longer have to defer to an agency's interpretation of the law simply because a statute is unclear. This opens current and future Federal cybersecurity regulations to challenges from a range of plaintiffs, because Congress has not clearly delegated the authority to make cybersecurity regulations to key Federal regulators.
A wide range of IT, Security and GRC teams will be affected by rules that are delayed, struck down, or weakened as the long-term impact of this decision works its way through the Federal courts, the agency rulemaking process, and Congress. It is more important than ever that these IT and Security teams keep their options open by adopting flexible, open telemetry management frameworks, so they can respond and adjust as the impact of Loper Bright develops over the next 2-3 years.
What Is the Chevron Doctrine
In June 2024, the SCOTUS ruling in Loper Bright Enterprises v. Raimondo overruled its seminal decision in Chevron U.S.A. Inc. v. Natural Resources Defense Council, the 1984 precedent that called for judges to give deference to federal agencies' interpretation of laws passed by Congress. The rule that came out of Chevron was known as "Chevron deference" or the "Chevron doctrine." This doctrine played a massive role in the growth of the administrative state, because it gave an agency's reasonable interpretation of a law controlling weight whenever Congress had enacted an ambiguous statute.
How Congress Writes Laws
To most people, federal law means that Congress passes a specific law and the agencies enforce it exactly as Congress specified. In practice, Congress often passes a law that empowers an agency to create and enforce rules and regulations based on the principles of the law. The rules and regulations themselves are not passed by Congress. One reason for this process is that Congress lacks the expertise to write the sort of detailed laws needed for a host of highly technical subjects. The other, less discussed reason is that Congress declines to spend the time required to write detailed laws to support the day-to-day workings of the country. These functions are delegated to the agencies because they have the expertise and the time to create detailed rules and regulations. The clear downside of this approach is that it gives agencies enormous power.
The Implications of Loper Bright
The Loper Bright decision removes this deference unless Congress has clearly delegated to the agency the ability to determine how an ambiguous law is applied in practice. Today, in light of Loper Bright, a Federal judge exercises independent judgment about what an ambiguous law means; the court may consider the agency's view as persuasive, but it is not bound by it, and it can take input from almost anywhere. This is a significant shift of power from the executive to the judicial branch. It raises the question of whether a judge has the expertise to determine whether a rule or regulation is what Congress intended. How will the judge be educated, and how long will the process take? Forum shopping will come into play as well. How many challenges will be filed in the Northern District of Texas, with the appeals heard by the US Court of Appeals for the Fifth Circuit? This is going to get messy for a lot of agencies and for the people and companies that they regulate.
For example, IT and Security teams in finance have been preparing for the SEC to finalize its proposed amendments to Regulation SCI (Systems Compliance and Integrity). What happens if this work is put on hold for a legal challenge, or a judge rules that the proposed regulation exceeds the agency's statutory authority and stops the update? That means a lot of wasted time, and this process could repeat itself over the next couple of years. Companies want clarity about what the law expects and a timeline for compliance; chaos is not helpful.
My Prediction
I believe that in late Q1 or Q2 2025, an industry trade group will file suit to challenge key Federal cybersecurity regulations. My guess is it will start with the SEC's proposed amendments to Regulation SCI. Cybersecurity regulations created under the umbrella of the Gramm-Leach-Bliley Act are at risk as well. Healthcare cybersecurity regulations tied to reimbursements under the authority of the Centers for Medicare and Medicaid Services (CMS) are another set of regulations that may be targeted.
A Cautionary Scenario
In this scenario, a federal judge grants an injunction that stops the updates to Regulation SCI. The court gives the SEC's position minimal weight, substitutes its own expertise and judgment on both the legal and the factual questions, overrules the SEC, and strikes down the proposed rule. After 3-5 years of appeals, the case makes its way to SCOTUS, the judgment is affirmed, and the proposed rule is dead.
In addition, perhaps Congress responds by passing a clear set of laws that creates even more regulations, and then IT and Security teams have to scramble to comply. Meanwhile, life continues for IT and Security teams who are already overwhelmed and simply want a clear set of rules.
The Road Ahead
It will take time for Loper
Bright's impact to work through the Federal courts, agency rulemaking process,
and Congress. The legal impact is mostly uncertain, but the practical impact is
clear. IT, Security, and GRC teams will be in limbo because the state of future
regulation implementation is unclear, and several key cybersecurity regulations
may soon be called into question.
It is more important than ever to make forward-looking architectural decisions that focus on agility and include flexible, open telemetry management frameworks, so that regulatory changes become minor adjustments instead of significant, expensive re-engineering efforts. Otherwise, teams risk being caught unprepared and having to put aside business-critical work to re-engineer processes that comply with Federal regulatory requirements.
ABOUT THE AUTHOR
Ed Bailey, Principal Technical Evangelist at Cribl
Ed Bailey is a passionate engineering advocate with more than 20 years of experience in instrumenting a wide variety of applications, operating systems and hardware for operations and security observability. He has spent his career working to empower users with the ability to understand their technical environment and make the right data-backed decisions quickly.