The Best Day
March 3rd, 2023, was an exciting day in the cybersecurity regulatory space. A memo released by the Environmental Protection Agency (EPA) marked the first federal mandatory cyber regulation outside of incident reporting in the United States.
The new requirement was tailored. It narrowly targeted public water systems (PWSs) water filtration systems and only requires that the state survey the networks of these organizations. It did not require a complete overhaul of every water filtration system’s cybersecurity program nor did it require a change in policy or governance for these organizations. These surveys would simply provide “an onsite review of the water source, facilities, equipment, operation, and maintenance of a PWS for the purpose of evaluating the adequacy of such source, 11 facilities, equipment, operation, and maintenance for producing and distributing safe drinking water.”
Regardless of how narrow the rule was, everything had changed with this shift away from the voluntary guidelines many organizations ignore completely toward greater state buy-in for critical infrastructure. As noted in the EPA’s original memo, “PWSs are frequent targets of malicious cyber activity, which has the same or even greater potential to compromise the treatment and distribution of safe drinking water as a physical attack.” This change is a welcome shift in the laissez-faire approach the federal government previously took for cybersecurity in line with the new National Cyber Strategy.
Instead of embracing this change that could have a significant positive impact on national security, some are determined to stop these kinds of requirements from being implemented. Three states’ Attorneys General (Iowa, Missouri, and Arkansas) filed a lawsuit against the EPA, claiming that this rule is a federal intrusion on a state issue and that the requirement would be overly costly for small and rural PWSs.
In a press release on the issue, Iowa AG Brenna Bird justified her joining the suit, saying: “At a time of soaring inflation, where it’s hard enough to make ends meet, the federal government insists on making Iowans’ water bills more costly. We’re going to hold the Biden Administration accountable and protect Iowans’ pocketbooks.”
While cost can be justification for striking down a law by a court, it is unlikely to win the day. The more likely basis of the decision will be the federal overreach argument. Last year, the EPA’s attempt at regulating carbon emissions was struck down by the Supreme Court in a 6-3 decision that ruled that if an agency wants to issue regulations on something big and new, the regulation is presumed invalid unless Congress specifically authorized regulation in the space.
This line of reasoning is the same as that behind the recent student loan forgiveness decision in which it was decided that the Executive Branch was outside of its authority in forgiving student debt. However, according to the decision, Congress would be within its bounds to do the same.
Unfortunately, it is possible that these decisions spell trouble for the mandatory EPA rule as authority has not explicitly been given by Congress for the agencies to govern in this area. Permissions have been given by Congress for rules to be made around incident reporting with provisions such as the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) but not for other mandatory cybersecurity regulations.
Tell Me Why (it Matters)
In the words of CISA Director Jen Easterly, “We can’t PSA our way out of [cyber risk].” Cyber threats are not going to simply disappear on their own and recommendations, resources, and guidelines can only go so far.
Many organizations, especially those in the public utility or related sectors, don’t want to make room in an increasingly tight budget for cybersecurity. In some sectors, like the financial sector, the economic incentives of ensuring high levels of cybersecurity exist, making recommendations and guidelines useful in this self-governing example. However, when the financial incentives don’t exist, cyber expense is often seen as a bottomless bucket to pour money into rather than as a critical component of doing business.
Mandatory requirements are the way forward for these sectors– and they must be. The National Cyber Strategy requires this shift, particularly for critical infrastructure sectors. For this Administration to follow a core pillar of its cybersecurity strategy, it will have to find a way around the Court.