High Stakes in Cybersecurity: The Unique Role of the High Court

The Supreme Court heard argument last week in two cases seeking to overturn the Chevron doctrine, which requires courts to defer to administrative agencies in interpreting the statutes that the agencies administer. The cases have nothing to do with cybersecurity, but Adam Hickey thinks they’re almost certain to have a big impact on cybersecurity policy. That’s because, based on the argument, Chevron is going to take a beating from the Court, if it survives at all. With Chevron weakened, it will be much tougher to repurpose existing law to deal with new regulatory problems. Given how little serious cybersecurity legislation has been passed in recent years, any new regulation is bound to require some stretching of existing law – and thus to be easier to challenge.

Case in point: Even without a new look at Chevron, the EPA was balked in court when it tried to stretch its authorities to justify cybersecurity rules for water companies. Now, Kurt Sanger tells us, EPA, FBI, and CISA have combined to release cybersecurity guidance for the water sector. The guidance may be all that can be done under current law, but it’s pretty generic; and there’s no reason to think that underfunded water companies will actually take it to heart. Given Iran’s demonstrated interest in causing aggravation and maybe worse in that sector, Congress is almost certainly going to feel pressure to act on the problem.

CISA’s emergency cybersecurity directives to federal agencies are coming fast and furious. That’s a bad sign, since they are a library of flaws that are already being exploited. As Adam points out, they also reveal just how quickly patches are being turned into attacks and deployed. I wonder how sustainable the current patch system will prove to be. (In fact, it’s already unsustainable; we just don’t have anything to replace it.)

Here’s some good news. The Russians have been surprisingly bad at turning cybersecurity flaws into serious infrastructure problems even for a wartime enemy like Ukraine. Additional information about Russia’s attack on Ukraine’s largest telecom provider suggests that the cost to get infrastructure back was lower than expected and mostly consisted of spending to win the victim telco’s customers back.

Companies are starting to report breaches under the new, tougher SEC rule, Adam tells us, and Microsoft is out of the gate early. Russian hackers stole the company’s corporate emails, Microsoft says, but it insists the breach wasn’t material. I predict we’ll see a lot of such hair splitting as companies adjust to the rule. If so, Adam predicts, we’re going to be drowning in 8-Ks.

Kurt notes recent FBI and CISA warnings about the national security threat posed by Chinese drones. The hard question is what’s new in those warnings. A question about whether antitrust authorities might want to investigate DJI’s enormous market share leads to another about the FTC’s utter lack of interest in getting guidance from the executive branch when its jurisdiction overlaps with a national security concern. Case in point: After listing a boatload of “sensitive location data” that should not be sold, the FTC had nothing to say about the personal data of people serving on US military bases. Nothing “sensitive” there, the FTC seems to think, at least not compared to homeless shelters and migrant camps. I’m gobsmacked, which naturally leads to a new Cybertoon.

Michael Ellis takes us through Apple’s embarrassing failure to protect users of its AirDrop feature. It comes on top of Apple’s decision to live down to the worst Big Tech caricature in handling the complaints of app developers about its app store. Michael explains how Apple managed to beat 9 out of 10 claims in Epic’s lawsuit and still end up looking like the sorest of losers.

Adam is encouraged by a sign of maturity on the part of OpenAI, which has trimmed its overbroad rules on not assisting military projects.

Michael takes us inside a new US surveillance court just for Europeans, and we end up worrying about the risk that the Obama administration will come back to impose new law on the Biden team.

Adam explains yet another European Court of Justice decision on GDPR. This time it’s a European government in the dock. The result is the same, though: national security is pushed into a corner, and the data protection bureaucracy takes center stage.

Finally, we end with a sad disclosure. While bad cyber news will continue, cyber-enabled day drinking will not. Uber has announced the end of Drizly, its liquor delivery app.

Download 488th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@gmail.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.