State Lawsuit Over New Cyber Rule Tees Up Legality of Federal Policy Changes
As the federal government takes increasingly directive steps to raise expectations for private sector cybersecurity, one of its more recent regulatory moves has drawn a federal court challenge. On April 17, 2023, the states of Missouri, Arkansas and Iowa filed in the U.S. Court of Appeals for the Eighth Circuit a petition for review of cybersecurity mandates from the Environmental Protection Agency, which were announced on March 3, 2023. While this case arises out of a specific EPA action and has unique impacts on states, it may shed light on the validity of creative interpretations of existing laws and regulations to justify new cyber regulatory actions across government. Wiley’s cyber team has been engaged in cyber regulatory policy affecting tech and critical infrastructure for more than a decade, and is keenly interested in the fate of the EPA and other agencies’ actions on cybersecurity mandates.
The EPA requirement is part of several federal cyber policy changes
The EPA’s action is one of many developing and anticipated new federal cyber mandates. Indeed, the White House’s recent National Cybersecurity Strategy lamented “the lack of mandates” and called for additional regulation, using existing authorities and seeking new ones from Congress if needed. The White House encouraged state action on cyber while touting recent federal action to establish requirements for water systems—the action challenged this week by the states.
On March 3, the agency released a Memorandum and fact sheets on its Interpretive Rule, which the agency said “clarifies…that states must evaluate the cybersecurity of operational technology used … when conducting … sanitary surveys or through other state programs.”
In sum, the EPA is now requiring states to evaluate the cybersecurity of operational technology used by public water systems through surveys already conducted by state regulators under existing statutory and regulatory authorities, which have not focused heavily on cyber. This additional burden on state regulators and the thousands of water systems under their supervision raised eyebrows and the ire of the states that sued.
What is at issue in the case?
The states assert that the Cybersecurity Rule “requires States to change how they conduct sanitary surveys under the Safe Drinking Water Act and imposes increased technology costs on small (and rural) Public Water Systems.”
The lawsuit makes several claims to invalidate the new requirements as unlawful. The memorandum and rule were not put out for public comment prior to their issuance (though comment is being taken post-publication), and the states object to the burdens that the new requirements impose.
The states present core arguments about usurpation of their sovereignty and they challenge the agency’s process and authority to regulate cybersecurity. “By claiming to reinterpret its authority, EPA seeks to evade (rather than obey) the procedures required for promulgating a new rule.” They assert that “the federal government must follow the rules like everyone else,” including “the Administrative Procedure Act and other statutory obligations.”
They further argue that “EPA also ignores the scheme by which Congress intended to regulate cybersecurity under America’s Water Infrastructure Act of 2018” and otherwise lacks authority in part because Congress has not provided the agency authority to regulate cyber as “Congress continues to consider policy options on cybersecurity vulnerabilities.” In sum, the states claim that “EPA cites no new statutory authority to support its new Cybersecurity Rule. That is because there is none; EPA now claims it has had this authority all along.”
The states seek to have the new rule declared unlawful and set aside.
What comes next?
The Court of Appeals will set a briefing schedule and the EPA and the states will have the opportunity to litigate these issues. Affected and interested parties, such as other states or water systems, may seek to intervene in the case to add to the states’ argument or to defend the agency’s actions. At least one stakeholder group has said it plans to participate.
EPA doubtless will present robust arguments about its existing authorities, but will have to defend both the substance of its new obligations and its choice to issue an interpretive rule, dispense with notice and comment, and claim existing authority rather than go to Congress for more direction.
Other agencies will no doubt be watching how this case unfolds, and how the federal government defends its approach. Likewise, other critical infrastructure sector participants will be keen to see how this court reviews the agency’s claims of authority as well as the process used to interpret existing rules in new ways. This case is unique because of the dual federal and state regulatory regime applicable to water systems and the special prerogatives asserted by the states as sovereigns, but the litigation and the federal government’s defense of its mandate will be worth watching.
Given the uncertainties about various agencies’ power and competence to oversee cybersecurity, the ongoing efforts led by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, and the risk of fragmentation as standards are pursued across agencies and between state and federal regulators, policymakers may want to defer to further Congressional direction on substantive cyber mandates for the private sector.