Cybersecurity rulemaking for critical infrastructure
Overview: Cybersecurity Rulemaking for Critical Infrastructure
Critical infrastructure refers to assets and systems essential to the functioning of society and the economy—such as energy grids, water supply, transportation, telecommunications, and financial systems. Protecting these systems from cyber threats is a national priority.
Cybersecurity rulemaking involves federal agencies creating regulations and standards to enhance the security and resilience of critical infrastructure against cyberattacks. This rulemaking often involves agencies like:
Department of Homeland Security (DHS)
Federal Energy Regulatory Commission (FERC)
Securities and Exchange Commission (SEC)
Federal Communications Commission (FCC)
Rulemaking includes standards for risk management, incident reporting, vulnerability assessments, and information sharing.
Legal Basis for Cybersecurity Rulemaking
Federal Power Act (FPA) and Energy Policy Act for energy infrastructure.
Cybersecurity Information Sharing Act (CISA).
Homeland Security Act empowering DHS.
Various statutes grant agencies authority to promulgate binding cybersecurity rules or guidelines for specific sectors.
Challenges in Cybersecurity Rulemaking
Balancing security and privacy.
Defining the scope of agency authority.
Ensuring procedural compliance with the Administrative Procedure Act (APA).
Addressing rapid technological change.
Coordinating with private sector entities that often own critical infrastructure.
Important Case Laws on Cybersecurity Rulemaking for Critical Infrastructure
1. Electric Power Supply Association v. FERC (2016)
Background: FERC issued a cybersecurity reliability standard for bulk electric power systems under the Energy Policy Act.
Issue: Challenges arose regarding FERC’s authority to enforce cybersecurity standards.
Decision: The court upheld FERC’s authority to mandate cybersecurity standards, recognizing its broad powers under the Federal Power Act.
Significance: Affirmed federal regulatory authority over cybersecurity in the electric grid, validating agency rulemaking in this critical infrastructure sector.
2. City of Arlington v. FCC (2013)
Background: The FCC issued regulations related to communications infrastructure security.
Issue: Whether the FCC’s interpretation of its jurisdiction to regulate critical infrastructure under the Communications Act was entitled to deference.
Decision: The Supreme Court upheld the FCC’s jurisdictional interpretation under Chevron deference.
Significance: This case supports agencies’ broad rulemaking authority when interpreting ambiguous statutes related to critical infrastructure cybersecurity.
3. California v. FCC (2020)
Background: California challenged the FCC’s cybersecurity policies for the state’s communications infrastructure.
Issue: Whether the FCC’s rulemaking adequately considered state-level interests and privacy concerns.
Outcome: The court required the FCC to better justify its rules and consider state privacy protections in its rulemaking.
Significance: Highlights the tension between federal cybersecurity mandates and state regulatory interests.
4. National Association of Manufacturers v. SEC (2023)
Background: SEC proposed cybersecurity disclosure rules for publicly traded companies, including critical infrastructure firms.
Issue: Challenges focused on the SEC’s authority to mandate specific cybersecurity disclosures.
Status: Litigation is ongoing, but courts have emphasized strict statutory interpretation before expanding agency rulemaking scope.
Significance: Illustrates limits of administrative agencies in expanding cybersecurity requirements without clear congressional authorization.
5. North American Electric Reliability Corporation (NERC) Cases
Background: NERC, a private entity authorized by FERC, develops mandatory cybersecurity standards for the electric grid.
Issue: Several cases questioned the scope and enforceability of NERC’s standards and FERC’s oversight.
Outcome: Courts have generally upheld NERC’s standards as valid under federal authority but emphasize adherence to procedural requirements.
Significance: Demonstrates collaborative regulatory frameworks in cybersecurity rulemaking involving private and public actors.
6. In re SolarWinds Cyberattack (2021, Ongoing Litigation)
Background: Following the massive SolarWinds supply chain cyberattack, regulatory bodies proposed enhanced cybersecurity rulemaking for software and IT services critical to infrastructure.
Legal Issues: Questions of agency authority, administrative rulemaking procedures, and liability for supply chain cybersecurity lapses.
Significance: This emerging case highlights the growing role of cybersecurity rulemaking in protecting complex, interconnected critical infrastructure.
Summary
Cybersecurity rulemaking is a critical tool for safeguarding essential services.
Courts generally uphold agency authority when based on clear statutory mandates.
Procedural compliance under the Administrative Procedure Act is essential.
Balancing federal authority with state interests and private sector realities remains complex.
Evolving threats require adaptable and timely rulemaking, often tested through litigation.