The Biden administration’s push to tighten the cybersecurity of US critical infrastructure has drawn its first major lawsuit, sparking a court battle that could weaken the federal government’s ability to protect the facilities and devices that underpin American life.
The stakes of the lawsuit brought by the attorneys general of Arkansas, Iowa, and Missouri—who are seeking to invalidate a new Environmental Protection Agency (EPA) requirement for states to assess water systems’ cybersecurity practices during routine inspections—reach beyond Americans’ tap water. Other agencies are paying close attention as they craft rules for hospitals, emergency broadcast systems, and other vital infrastructure.
The EPA case highlights the vulnerability of Biden’s strategy of issuing cyber regulations without explicit congressional authorization, a weakness already evident in legal challenges to White House policies like student loan forgiveness. The lawsuit could presage new efforts by Republican-led states and business groups to undermine regulations intended to prevent hackers from sowing chaos.
The legal morass also underscores the need for the US to settle long-running disagreements about the role of the government in safeguarding privately owned infrastructure.
“There's a debate that we're going to have to work through as a country over how much regulation is enough and whether you should be regulated at all,” says James Lewis, senior vice president and director of the Strategic Technologies Program at the Center for Strategic and International Studies. “In some ways, we dodged the debate, and now it's come home for us to look at.”
When President Joe Biden took office in 2021, his cyber policy aides were determined to move beyond what they saw as the failed approach of trusting private-sector critical infrastructure operators to protect their systems. But because the laws giving regulatory agencies their powers were written before the emergence of cyber threats, imposing rules on companies sometimes required creative strategies.
White House officials had to “look for new and innovative ways” to mandate secure practices, says Jeff Greene, who served as chief of cyber response and policy at the National Security Council (NSC) during Biden’s first year in office.
The hunt for legal authorities to regulate critical infrastructure was nothing new. Recent presidents have routinely sought to enact their agendas while skirting a gridlocked Congress. “We had an era where the response to Congress being slow was to use these executive branch workarounds,” Lewis says. “And those are being challenged across the board.”
Now, for the first time, cyber mandates are getting swept up in that pushback.
Biden officials may not have been too worried about lawsuits when crafting the EPA directive because of their experiences with previous cyber regulations. After pipeline companies objected to new Transportation Security Administration (TSA) rules, the agency worked with the industry to address its concerns and avoided a legal battle. Similar rail and aviation regulations were likewise uncontroversial.
“The fact that you haven’t seen challenges is reflective of the lengths to which the administration has gone to try to work with those sectors,” says Greene, who is now the senior director for cybersecurity programs at the Aspen Institute. “The administration really has gone out of its way to do this collaboratively.”