High Court, High Stakes for Cybersecurity

The Supreme Court heard argument last week in two cases seeking to overturn the Chevron doctrine, which requires courts to defer to administrative agencies in interpreting the statutes that the agencies administer. The cases have nothing to do with cybersecurity, but Adam Hickey thinks they’re almost certain to have a big impact on cybersecurity policy. That’s because, based on the argument, Chevron is going to take a beating from the Court, if it survives at all. With Chevron weakened, it will be much tougher to repurpose existing law to deal with new regulatory problems. Given how little serious cybersecurity legislation has been passed in recent years, any new regulation is bound to require some stretching of existing law – and thus to be easier to challenge.

Case in point: Even without a new look at Chevron, the EPA was balked in court when it tried to stretch its authorities to justify cybersecurity rules for water companies. Now, Kurt Sanger tells us, EPA, FBI, and CISA have combined to release cybersecurity guidance for the water sector. The guidance may be all that can be done under current law, but it’s pretty generic; and there’s no reason to think that underfunded water companies will actually take it to heart. Given Iran’s demonstrated interest in causing aggravation and maybe worse in that sector, Congress is almost certainly going to feel pressure to act on the problem.

CISA’s emergency cybersecurity directives to federal agencies are coming fast and furious. That’s a bad sign, since they are a library of flaws that are already being exploited. As Adam points out, they also reveal just how quickly patches are being turned into attacks and deployed. I wonder how sustainable the current patch system will prove to be. (In fact, it’s already unsustainable; we just don’t have anything to replace it.)

Here’s some good news. The Russians have been surprisingly bad at turning cybersecurity flaws into serious infrastructure problems even for a wartime enemy like Ukraine. Additional information about Russia’s attack on Ukraine’s largest telecom provider suggests that the cost to get infrastructure back was lower than expected and mostly consisted of spending to win the victim telco’s customers back.

Companies are starting to report breaches under the new, tougher SEC rule, Adam tells us, and Microsoft is out of the gate early. Russian hackers stole the company’s corporate emails, Microsoft says, but it insists the breach wasn’t material. I predict we’ll see a lot of such hair splitting as companies adjust to the rule. If so, Adam predicts, we’re going to be drowning in 8ks.

Kurt notes recent FBI and CISA warnings about the national security threat posed by Chinese drones. The hard question is what’s new in those warnings. A question about whether antitrust authorities might want to investigate DJI’s enormous market share leads to another about the FTC’s utter lack of interest in getting guidance from the executive branch when its jurisdiction overlaps with a national security concern. Case in point: After listing a boatload of “sensitive location data” that should not be sold, the FTC had nothing to say about the personal data of people serving on US military bases. Nothing “sensitive” there, the FTC seems to think, at least not compared to homeless shelters and migrant camps. I’m gobsmacked, which naturally leads to a new Cybertoon.

Michael Ellis takes us through Apple’s embarrassing failure to protect users of its Airdrop feature. It comes on top of Apple’s decision to live down to the worst Big Tech caricature in handling the complaints of app developers about its app store. Michael explains how Apple managed to beat 9 out of 10 claims in Epic’s lawsuit and still end up looking like the sorest of losers.

Adam is encouraged by a sign of maturity on the part of OpenAI, which has trimmed its overbroad rules on not assisting military projects.

Michael takes us inside a new US surveillance court just for Europeans, and we end up worrying about the risk that the Obama administration will come back to impose new law on the Biden team.

Adam explains yet another European Court of Justice decision on GDPR. This time it’s a European government in the dock. The result is the same, though: national security is pushed into a corner, and the data protection bureaucracy takes center stage.

Finally, we end with a sad disclosure. While bad cyber news will continue, cyber-enabled day drinking will not. Uber has announced the end of Drizly, its liquor delivery app.

Download 488th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Source: https://reason.com/volokh/2024/01/23/high-court-high-stakes-for-cybersecurity/