We've Reached a Cybersecurity Turning Point
The US Supreme Court has overturned one of the early catalysts of cybersecurity regulation and standards: the “Chevron Doctrine”. Based on an EPA ruling from 1984, the Chevron Doctrine assigned authority for legislative interpretation to federal agencies, giving courts the latitude to defer to agency expertise when laws were ambiguous. Let's face it, when it comes to cybersecurity, most, or all, of them are. This doctrine has been the unsung hero that enabled agencies to craft well-known regulations like the HIPAA Privacy Rule or GLBA’s CFR Part 314—rules that weren’t perfect but raised the quality of, and expectations for, cybersecurity in the face of fast-moving threats and infrastructure changes.
As of June 28, 2024, that safety net is gone. Organizations may now contest the presumption that agency rules are a proxy for law, and this precedent opens the door to challenges that could upend what little consistency exists in the regulatory landscape.
That sounds grim. And it is. But there’s also a silver lining: disruption breeds opportunity.
Tangled in a Web of Cybersecurity Rules
With multiple agencies issuing rules and recommendations that each considers critical, the landscape of cybersecurity regulation today is a messy patchwork of overlapping mandates and disjointed compensating controls. Take universities, for example. These institutions must juggle compliance with HIPAA for handling healthcare data, the FTC for student and parent financial data, and PCI standards for credit card transactions—sometimes all at once. It’s like being asked to follow three different maps on a cross-country road trip. Sure, you’ll probably reach your destination eventually, but not on an optimal route, and not without the risk of getting lost or overwhelmed.
Sadly, this fractured system also forces organizations to focus on compliance gymnastics rather than actual security. It’s not hard to see why. When you're drowning in audit checklists and reporting requirements, there’s little room left for innovation or strategic risk reduction.
The end of the Chevron Doctrine amplifies this uncertainty. It’s a wake-up call that our current system is unsustainable. And maybe, just maybe, it’s the spark we need for meaningful change.
Filling the Void with a New Approach
The speed of advancement in our mainstream technologies, AI, and advanced threats makes it obvious why legislation hasn’t kept pace or provided clear, useful cybersecurity guidance. Today, though, in a post-Chevron environment where the existing regulatory structure is up for redefinition and reform, the challenge of defining rules with appropriate statutory authority is on the table in a way that may allow our industry to cut the Gordian cybersecurity knot. We have the opportunity to create a new, bold, actionable approach — one akin to the sea-change in a different space, food safety, that followed the 1906 Pure Food and Drug Act, which revolutionized safety standards when unsafe practices and a lack of basic hygiene imperiled both customers and manufacturers in the meatpacking industry. It justified both the need and the authority for the US Food and Drug Administration (FDA).
Imagine a world where cybersecurity standards are as clear, consistent, and expected as those that regulate our food and pharmaceuticals. Instead of leaders and analysts navigating their way through a multi-dimensional compliance hamster wheel, there could arise a system built on clear, enforceable standards—standards that are forward-thinking, actionable, and designed to reward diligence over paperwork. Vendors and customers would share a common understanding of exposure, reliability, resilience, and the balance between cybersecurity and functionality.
Elements could (I think should) include:
Such a framework wouldn’t just make breaches and vulnerabilities more manageable—it would shift the industry mindset. Suddenly, businesses would have clear incentives to prioritize and integrate better security, while consumers would know which products and providers they could trust. It’s a win-win scenario, with the added benefit of moving cybersecurity from a checklist to a strategic priority.
The Path Forward
The end of the Chevron Doctrine might feel like a blow to cybersecurity, but it’s also a chance to start fresh. It’s an opportunity to strip away the tangled mess of regulations that prioritize compliance over safety and replace it with a framework that works for everyone—businesses, consumers, and governments alike.
This clarity will transform the technology industry, enabling businesses to innovate safely and consumers to trust the technologies they depend on. Unlike the economy and infrastructure of much of the last century, cybersecurity protection is now foundational to living our lives — just like safe food, clean water, and reliable transportation. With a new, evergreen, and consistent standard of care, we can move beyond the current patchwork of rules to a system that rewards diligence and punishes negligence with one voice.
The end of the Chevron Doctrine is a wake-up call — and perhaps, the catalyst we need to build a better, safer digital world.
Supporting the mission of state government through IT solutions
2 months: Points out the heavy lift that state IT departments need to go through to maintain compliance with the federal regulations. #NHDOIT
Commonwealth CISO & Chief Risk Officer at Massachusetts Executive Office of Technology Services and Security
2 months: Thanks, Jack, for analyzing the impact of the court’s decision on cybersecurity rulemaking and sharing your perspective for how the industry can evolve. Well done!
Field CISO at Hyperproof | Improving GRC Maturity and Leading Private CISO Roundtables | Cybersecurity, GRC, Author, Speaker
2 months: Jack, the guidance I've been giving organizations is that *if* they're *contemplating* taking up litigation, they still need to maintain their existing cybersecurity controls and protocols until such time as there's a change. As it stands, I think we're heading into a period of decreased regulatory enforcement based on novel legal theories (cough, cough SEC vs. RR Donnelly). What I'll be watching is if there's shopping around for different and more favorable jurisdictions for challenges to established administrative laws related to the cybers.
Not an AI | INLer & Atlantic Council Global Energy Center Non Resident Senior Fellow | Speaker, Author, Advisor | Views are my own.
3 months: "Organizations may now contest the presumption that agency rules are a proxy for law, and this precedent opens the door to challenges that could upend what little consistency exists in the regulatory landscape." Jack, I like how you turned backsliding badness into tangible, prospective opportunity. Never give up.