A Republican-Led Lawsuit Threatens Critical US Cyber Protections

The Biden administration’s push to tighten the cybersecurity of US critical infrastructure has drawn its first major lawsuit, sparking a court battle that could weaken the federal government’s ability to protect the facilities and devices that underpin American life.

The stakes of the lawsuit brought by the attorneys general of Arkansas, Iowa, and Missouri—who are seeking to invalidate a new Environmental Protection Agency (EPA) requirement for states to assess water systems’ cybersecurity practices during routine inspections—reach beyond Americans’ tap water. Other agencies are paying close attention as they craft rules for hospitals, emergency broadcast systems, and other vital infrastructure.

The EPA case highlights the vulnerability of Biden’s strategy of issuing cyber regulations without explicit congressional authorization, a weakness already evident in legal challenges to White House policies like student loan forgiveness. The lawsuit could presage new efforts by Republican-led states and business groups to undermine regulations intended to prevent hackers from sowing chaos.

The legal morass also underscores the need for the US to settle long-running disagreements about the role of the government in safeguarding privately owned infrastructure.

“There's a debate that we're going to have to work through as a country over how much regulation is enough and whether you should be regulated at all,” says James Lewis, senior vice president and director of the Strategic Technologies Program at the Center for Strategic and International Studies. “In some ways, we dodged the debate, and now it's come home for us to look at.”

When President Joe Biden took office in 2021, his cyber policy aides were determined to move beyond what they saw as the failed approach of trusting private-sector critical infrastructure operators to protect their systems. But because the laws giving regulatory agencies their powers were written before the emergence of cyber threats, imposing rules on companies sometimes required creative strategies.

White House officials had to “look for new and innovative ways” to mandate secure practices, says Jeff Greene, who served as chief of cyber response and policy at the National Security Council (NSC) during Biden’s first year in office.

The hunt for legal authorities to regulate critical infrastructure was nothing new. Recent presidents have routinely sought to enact their agendas while skirting a gridlocked Congress. “We had an era where the response to Congress being slow was to use these executive branch workarounds,” Lewis says. “And those are being challenged across the board.”

Now, for the first time, cyber mandates are getting swept up in that pushback.

Biden officials may not have been too worried about lawsuits when crafting the EPA directive because of their experiences with previous cyber regulations. After pipeline companies objected to new Transportation Security Administration (TSA) rules, the agency worked with the industry to address its concerns and avoided a legal battle. Similar rail and aviation regulations were likewise uncontroversial.

“The fact that you haven’t seen challenges is reflective of the lengths to which the administration has gone to try to work with those sectors,” says Greene, who is now the senior director for cybersecurity programs at the Aspen Institute. “The administration really has gone out of its way to do this collaboratively.”

The White House doesn’t have the same control over the EPA, which is an independent agency, but Greene says that from what he saw, the agency tried to collaborate with the water sector.

The NSC did not respond to a request for comment about the EPA lawsuit and its possible effects on the administration’s agenda. The EPA declined to comment because the litigation is pending.

The Republican attorneys general challenging the EPA directive make several claims. They say the agency failed to follow the proper procedure for issuing a regulation. They allege that the EPA exceeded its authority under the Safe Drinking Water Act and subsequent legislation. And they argue that, by requiring state water regulators to fold cybersecurity into their inspections, the federal government is usurping states’ sovereign authority to regulate water facilities and unconstitutionally burdening them with new work.

Michael Blumenthal, an environmental regulation lawyer at McGlinchey Stafford, says the EPA did appear to have violated the Administrative Procedure Act by issuing its directive to states as a reinterpretation of existing guidance about states’ responsibilities to conduct “sanitary surveys” of water facilities, thus sidestepping the public comment process.

Peggy Otum, a partner at WilmerHale who leads the law firm’s environment practice, says the state-sovereignty argument reflects a broader debate about how much the federal government—and the EPA in particular—can burden states with new mandates. “‘Who's gonna pay for it?’ is the main question,” Otum says.

Greene was skeptical of this argument. The White House is aware of the water sector’s funding issues, he says, but that’s not a good enough reason to refrain from mandating better security.

But the most consequential argument in the case concerns whether the EPA’s regulatory authority for the water sector even extends to cybersecurity. Blumenthal says the Safe Drinking Water Act “does not give them the authority to fold in cybersecurity.”

The EPA derived its authority from newly reinterpreted definitions of key terms in its guidance to states, but Blumenthal says that approach was invalid and would allow mandates that were “never contemplated to begin with.”

Greene argues that laws like the Safe Drinking Water Act, while enacted before cyber threats gained prominence, were clearly intended to let the EPA protect vital resources against all manner of dangers. “It would be an overly literal reading of the intent of these [laws] to say, ‘They didn’t think about cybersecurity, so you can't cover it,’” Greene says. “That's like saying, ‘The colonial armies didn’t think about air assets.’”

Courts have historically deferred to agencies in lawsuits over the interpretation of their core statutes, but this principle, known as Chevron deference, “is hanging on by a thread” at the US Supreme Court, Otum says.

The EPA lawsuit looms large as a potential stumbling block for the Biden administration’s new national cyber strategy, which describes critical infrastructure regulation as a national security imperative. Other regulators “are going to watch this case very closely to see what happens,” Blumenthal says.

The Department of Health and Human Services is working on cyber rules for hospitals, which, like water facilities, are heavily regulated by states. The Federal Communications Commission (FCC) is preparing rules to secure the Emergency Alert System, a critical tool for state and local authorities. And the Federal Trade Commission (FTC) is updating its security regulations and sharpening its oversight of data breach disclosures.

If the EPA loses this case, Biden’s cyber regulation push might turn into a fractious slog. Agencies could face a barrage of lawsuits from industries worried about the cost of regulations and Republican-led states eager to support business interests and spurn mandates from Washington.

“Everyone's sniffing around to see what they can push back on,” Lewis says. The FTC, he noted, is already “facing significant challenges.”

The EPA case is a microcosm of broader disputes over regulation, but it also highlights the uncertain future of cyber rules in particular. Congress has declined to clarify or expand agencies’ authorities, although Blumenthal and Greene agreed that a court loss for the EPA could energize that effort. In the meantime, if a creatively issued cyber regulation reaches the Supreme Court—which could happen if multiple appeals courts issue different rulings on it—the high court’s conservative supermajority is unlikely to uphold a burdensome federal rule that lacks an explicit statutory basis.

Proponents of strong cyber rules say this uncertainty is untenable and endangers national security.

“The Russians and the Chinese may not be ready to attack critical infrastructure,” Lewis says, “but if they change their minds, we don't want to find out that a court battle over regulation gave them an advantage.”