Virtualization Technology News and Information
Cribl 2025 Predictions: The Demise of the Chevron Doctrine will Materially Impact US Cybersecurity Regulation


Industry executives and experts share their predictions for 2025.  Read them in this 17th annual VMblog.com series exclusive.

By Ed Bailey, Principal Technical Evangelist at Cribl

The recent US Supreme Court (SCOTUS) decision in Loper Bright Enterprises v. Raimondo will impact the pace and effectiveness of US cyber regulation in the short and long term because key federal regulators don't have clear congressional authority to create cybersecurity regulations. The court's decision effectively overturned the Chevron Doctrine, a longstanding precedent that called for judges to give deference to federal agencies' interpretation of laws passed by Congress.

Going forward, Federal courts will have greater ability to modify or overturn regulations and enforcement decisions, and courts will not have to defer to an agency's interpretation of the law simply because a statute is unclear. This decision will open current and new Federal cybersecurity regulations to challenges from a range of plaintiffs because Congress has not clearly delegated the authority to make cybersecurity regulations to key Federal regulators. 

A wide range of IT, Security and GRC teams will be impacted by rules that are delayed, struck down, or weakened as the long-term impact of this decision works its way through the Federal courts, agency rulemaking process, and Congress. It is more important than ever that these IT and Security teams keep their options open by adopting flexible, open telemetry management frameworks so they can respond and adjust as the impact of Loper Bright develops over the next 2-3 years. 

What Is the Chevron Doctrine

In June 2024, the SCOTUS ruling in Loper Bright Enterprises v. Raimondo largely reversed its seminal decision in Chevron v. Natural Resources Defense Council, the 1984 precedent that called for judges to give deference to federal agencies' interpretation of laws passed by Congress. This ruling was also known as "Chevron deference" or the "Chevron doctrine." This doctrine played a massive role in the growth of the administrative state as it gave the agency interpretation of a law great weight if Congress enacted an ambiguous law.

How Congress Writes Laws

To most people, federal laws mean Congress passes a specific law that the agencies enforce exactly as Congress specifies. In practice, Congress often passes a law that empowers an agency to create and enforce rules and regulations based on the principles of the law. The rules and regulations are not directly passed down from Congress. The reason for this process is that Congress lacks the expertise to write the sort of detailed laws around a host of highly technical subjects. The other, less discussed reason is that Congress declines to spend the time required to write detailed laws to support the day-to-day workings of the country. These functions are delegated to the agencies because they have the expertise and time to create detailed rules and regulations. The clear downside of this approach is that it gives agencies enormous power.

The Implications of Loper Bright

The Loper Bright decision effectively removes this deference unless Congress clearly delegates to the agency the ability to determine how an ambiguous law would be applied in practice. Today, in light of Loper Bright, a Federal judge has the sole power to determine what the ambiguous law means and can take input from almost anywhere. This is a significant shift of power from the executive to the judicial branch. This raises issues of whether the judge has the expertise to determine whether a rule or regulation is what Congress intended. How will the judge be educated, and how long will the process take? The issues around forum shopping will come into play as well. How many challenges will be filed in the Northern District of Texas and the appeal heard by the US Court of Appeals for the Fifth Circuit? This is going to get messy for a lot of agencies and the people and companies that they regulate.

For example, IT and Security teams in finance have been preparing for the SEC to finalize new rules around Enhanced SCI. What happens if this work is put on hold for a legal challenge or a judge rules the proposed regulation is unconstitutional and stops the update? That means lots of wasted time. This process could repeat itself over the next couple of years. Companies want clarity around what is expected from the law and a timeline for compliance, and chaos is not helpful.

My Prediction

I believe that in late Q1 or Q2, 2025, an industry trade group will file suit to challenge key Federal cybersecurity regulations. My guess is it will start with the SEC's proposed amendments to Regulation SCI. Cybersecurity regulations created under the umbrella of the Gramm-Leach-Bliley Act are at risk as well. Healthcare cybersecurity regulations tied to reimbursements under the authority of the Centers for Medicare and Medicaid Services (CMS) are another set of regulations that may be targeted.

A Cautionary Scenario

A federal judge will grant an injunction that stops updates to Regulation SCI. The court gives the SEC's position minimal weight, substituting its own expertise and judgment over the law and factual issues, overruling the SEC and striking down the proposed rule. After 3-5 years of appeals, the issue makes its way to SCOTUS, the judgment is affirmed, and the proposed rule is dead.

In addition, perhaps Congress responds by passing a clear set of laws that creates even more regulations, and then IT and Security teams have to scramble to comply. Meanwhile, life continues for IT and Security teams who are already overwhelmed and simply want a clear set of rules.

The Road Ahead

It will take time for Loper Bright's impact to work through the Federal courts, agency rulemaking process, and Congress. The legal impact is mostly uncertain, but the practical impact is clear. IT, Security, and GRC teams will be in limbo because the state of future regulation implementation is unclear, and several key cybersecurity regulations may soon be called into question. 

It is more important than ever to make forward-looking architectural decisions that focus on agility and include flexible, open telemetry management frameworks so that regulatory changes become minor adjustments instead of significant, expensive re-engineering efforts. Otherwise, teams risk getting caught unprepared and must put aside business-critical work to re-engineer processes that comply with Federal regulatory requirements.


ABOUT THE AUTHOR

Ed Bailey, Principal Technical Evangelist at Cribl


Ed Bailey is a passionate engineering advocate with more than 20 years of experience in instrumenting a wide variety of applications, operating systems and hardware for operations and security observability. He has spent his career working to empower users with the ability to understand their technical environment and make the right data-backed decisions quickly.

Published Thursday, December 05, 2024 7:33 AM by David Marshall