The White House doesn’t have the same control over the EPA, which is an independent agency, but Greene says that from what he saw, the agency tried to collaborate with the water sector.
The NSC did not respond to a request for comment about the EPA lawsuit and its possible effects on the administration’s agenda. The EPA declined to comment because the litigation is pending.
A Legal Fight on Multiple Fronts
The Republican attorneys general challenging the EPA directive make several claims. They say the agency failed to follow the proper procedure for issuing a regulation. They allege that the EPA exceeded its authority under the Safe Drinking Water Act and subsequent legislation. And they argue that, by requiring state water regulators to fold cybersecurity into their inspections, the federal government is usurping states’ sovereign authority to regulate water facilities and unconstitutionally burdening them with new work.
Michael Blumenthal, an environmental regulation lawyer at McGlinchey Stafford, says the EPA did appear to have violated the Administrative Procedure Act by issuing its directive to states as a reinterpretation of existing guidance about states’ responsibilities to conduct “sanitary surveys” of water facilities, thus sidestepping the public comment process.
Peggy Otum, a partner at WilmerHale who leads the law firm’s environment practice, says the state-sovereignty argument reflects a broader debate about how much the federal government—and the EPA in particular—can burden states with new mandates. “‘Who’s gonna pay for it?’ is the main question,” Otum says.
Greene was skeptical of this argument. The White House is aware of the water sector’s funding issues, he says, but that’s not a good enough reason to refrain from mandating better security.
Open for Interpretation
But the most consequential argument in the case concerns whether the EPA’s regulatory authority for the water sector even extends to cybersecurity. Blumenthal says the Safe Drinking Water Act “does not give them the authority to fold in cybersecurity.”
The EPA derived its authority from newly reinterpreted definitions of key terms in its guidance to states, but Blumenthal says that approach was invalid and would allow mandates that were “never contemplated to begin with.”
Greene argues that laws like the Safe Drinking Water Act, while enacted before cyber threats gained prominence, were clearly intended to let the EPA protect vital resources against all manner of dangers. “It would be an overly literal reading of the intent of these [laws] to say, ‘They didn’t think about cybersecurity, so you can’t cover it,’” Greene says. “That’s like saying, ‘The colonial armies didn’t think about air assets.’”
Courts have historically deferred to agencies in lawsuits over the interpretation of their core statutes, but this principle, known as Chevron deference, “is hanging on by a thread” at the US Supreme Court, Otum says.
“Everyone’s Sniffing Around”
The EPA lawsuit looms large as a potential stumbling block for the Biden administration’s new national cyber strategy, which describes critical infrastructure regulation as a national security imperative. Other regulators “are going to watch this case very closely to see what happens,” Blumenthal says.
The Department of Health and Human Services is working on cyber rules for hospitals, which, like water facilities, are heavily regulated by states. The Federal Communications Commission (FCC) is preparing rules to secure the Emergency Alert System, a critical tool for state and local authorities. And the Federal Trade Commission (FTC) is updating its security regulations and sharpening its oversight of data breach disclosures.