Welcome to CyberFocus from the McCrary Institute, where we explore the people and ideas shaping and defending our digital world. I'm your host, Frank Cilluffo, and I have the privilege today to sit down with two experts on a topic that I think is at the front of everyone's mind when it comes to cybersecurity. The Supreme Court recently overturned Chevron deference, and it has implications that are broad across a whole bunch of policy areas, but also
have a number of specific cyber flavors. Here to shed light on this topic, we have Ari Schwartz. Ari is managing director of Cyber Services at Venable. And Harley Geiger is counsel on cyber issues at Venable as well. Both come at this issue with a lot of expertise. Ari was a special assistant to the President, has executive branch
expertise on cyber-related issues, and did stints at the Department of Commerce. And Harley comes at it from a legislative perspective, having actually drafted legislation on Capitol Hill. Gentlemen, thank you for joining us today. I thought we'd start with sort of stepping back and actually trying to make sense of what the ruling itself means and what Chevron deference is. Just generally speaking, Harley, you maybe want to take a first crack at that.
Sure. So in talking about Chevron deference, I think it's worth taking a big step back and going to something, starting real basic. So we have in this country three branches of government. We have the Congress, the legislative branch, which will make the laws. We have an executive branch that enforces those laws, and we have a judiciary which decides questions about those laws. So Congress makes a law, it's ambiguous or there's a lot of vagueness in the law. This happens all the time. And an agency is
tasked with actually enforcing that law. And to do that, they have to interpret what Congress said. They have to make interpretations about those vague terms and those ambiguities. So they do. They have a rulemaking and they will require companies to do things or require individuals to do things. When individuals or companies don't, according to the agency, they can bring an enforcement action. Now when that happens, it can get challenged. So an
individual or a company or another government agency even can challenge that regulation. And they might say in those court cases, we don't think that this regulation is what Congress intended. The agency is supposed to carry out Congress's intent when they're making a regulation or enforcing it. And we think this went beyond what Congress intended. Now, Chevron comes from a court case in 1984. This is Chevron versus the Natural Resources Defense Council.
And what that said was that at this point, this point where a court is hearing a challenge to regulation or an enforcement action and somebody is saying, we don't think that this is what Congress intended at that point. Under the Chevron doctrine or Chevron deference, courts were supposed to defer to the agency. They were supposed to say, well look, we're going to give a lot of weight to the agency's interpretation of
Congress's intent. That was in place for some 40 years. And we had gotten into a rhythm in regulation in this country where Congress was able to pass sort of open ended ambiguous laws and then leave it to agencies to sort of fill in the gaps. And it was harder back then to bring up a challenge against regulations saying that the agency had overstepped their bounds. Now fast forward to just a few weeks ago. The Supreme Court took that doctrine and tossed it out. It had been
in place for 40 years. It's no longer in place. And what it means is when there is a question before the court about whether an agency regulation or an enforcement action is what Congress intended, whether it's valid authority, the court no longer has to make that deference, no longer has to defer to the agency. The courts will
decide for themselves and there will still be some deference. They'll still take into account what the agency thinks is Congress's intent, but it does not take nearly as much weight as it did previously. As a result, regulations are more vulnerable to court challenge and now judges have greater power to reverse or modify regulations or enforcement actions because they can act independently without having to defer to those agencies. And this has far
reaching implications for cybersecurity policy, but also virtually every other regulation in this country. Harley,
thank you. And I'm definitely going to want to pull on the thread on whether or not we think the judicial branch is equipped and has the wherewithal to really weigh into this. But before we jump into that, want to sort of get Ari some of your thoughts. So what impact, and I know it's early days and precedents are actually being set potentially and I'd love to pull that thread in a little bit, but what do you think this means for cybersecurity policy? What's the executive branch
deal to do it right now? It could have a major impact and likely will
have a major impact on cybersecurity because most tech policy is written with that open-ended piece to it. They don't want to. Congress doesn't want to fight over technical pieces of technology. So either the technical side of the standards, or what type of technology they're going to use, or, you know, how to go about making certain kinds of decisions, or the kind of weeds of, you know, what's the best solution for a technology in the space that
might change in the next 10 years or 12 years. So they leave a lot to the agencies historically for technology policy and cybersecurity is no different from that. So we see a lot of openness. In this administration, probably even more so than most.
Correct. Correct. I think, I mean this Congress and this administration, you have the Congress
that's leaving things more wide open and an administration that's more apt to be interpretive of the open space there. So what do you think there? And this
is for both of you. What do you think agencies are doing right now? So if you're at CISA or at DOD or at DOE or at the NSC, as some of us, yeah, lived in the past, what do you think's going on right now? I think, I mean, from the career side, there's really not much
difference. Right. Especially over the last 10 to 12 years, you've had different folks come in and their view is always: our job is to interpret the law that Congress gave us and to implement it the best we can. And we know if they gave us a lot of latitude, we better be able to prove that we're doing this in line with what Congress said. That said, sometimes the political will push things in a certain direction, and now they have to be more circumspect about that. I
don't think they've. There hasn't been a, you know, a new set of rulemaking where we've seen that in place just yet, but certainly, but when you talk to the career folks about it, they say you, it doesn't have an impact on the strength. They don't love the idea of having worked on a rule for four years and having it get thrown out. But they, but they also real. But that was the case before too. So Harley, I see you want to jump in on that. So
I'll just say that for, for cybersecurity and a lot of other areas of technology law, Congress has not really kept pace with where business practices are, where cybersecurity threats are, and has legislated relatively little in this area. And as a result of that, many agencies have revisited older statutes that had, had passed in earlier eras, often about protecting consumer information or protecting consumer safety and adapting that to modern threats. And that
is where some of our cybersecurity rules have come from. And agents and I would argue just. Generally speaking, technology advances so quickly that we're always going to be laggard
a little bit. Right. Whatever law we put in place might be overtaken to an extent, Principles aside. To an extent, I think we should revisit that perhaps. Privacy and
cybersecurity I think have long been around to the point that we probably could be further ahead than we are in terms of legislating on it. But within agencies right now, we know that agencies that have proposed rules are looking at those rules in light of this new legal landscape post Chevron deference. I saw a story just this morning that the NSC is looking at proposed rules on hospitals, whether or not they will survive or be modified post Chevron. Are there any precedents
set thus far already that you're seeing? So I mean this is days old, it's not years old, but so great question. And the answer I think is yes, there
is a precedent. In a recent case that just came out, this is the SolarWinds case, the district court made a ruling on that. And one of the things that was at issue in that court case was the SEC's charges that the company's internal controls for cybersecurity were deficient and the SEC used an authority to that. Actually, if
you look at the statute, it says it's internal accounting controls. But the SEC has for some time been using this authority as a cybersecurity authority and has extracted multimillion-dollar settlements from more than one company when they have had cybersecurity incidents or some sort of alleged failing in their security controls. So I understand this. It's not only looking
forward, but it also has the potential to look through rear view mirrors and back repeal. Absolutely. And just to finish the thought, in this case, the court ruled, and
this was just last week, the court ruled that the SEC did not in fact have this authority. So this is the first time that this was brought up, brought before a court. And the court said, looking at the statute, it says internal accounting controls, not cybersecurity controls. This is clearly intended to be a financial control. And so this is something that if it were challenged again by the agency and reviewing whether
or not they have the authority. This is a post Chevron question, right? We look at the statute, what did Congress intend? How is the agency actually carrying this out? And before this decision, which is by the way the Loper Bright decision, before that decision overturning Chevron deference, the court would have to defer to the SEC. That is no longer the case, so it's actually a seismic effect. And I would say
there have been some experts that have looked at the court ruling and said, well, it's not gonna have that big of a difference because it's settled law. The court said settled law is settled, and we're not going to go back and change all that. However. Right. In this case, yeah, there wasn't. It hadn't been brought before. Right. And so that. And most of the cybersecurity cases we're gonna see haven't been
brought. There hasn't been a challenge in the courts before. So it is very impactful in a space like cybersecurity where the law is newer and there hasn't been in. The regulations are newer and there hasn't been that many challenges. And I definitely want
to pull the thread on congressional intent and how Congress can better work with executive agencies and obviously judicial. But before I do that, and again, this is early days. We don't know what the full impact would be, but a lot of emphasis to harmonize regulations. What does this mean for harmonization? Does that sort of make this OBE? I don't know. I think if Congress can get that into
the law. Right. And gets to talk about harmonization being a key piece and how we do that, make that work across different sectors, working internationally. Right. That could be a driver for. To make things make more sense in this space, that they don't have to go through each different piece of this in such great detail. If they can agree on some, okay, this is the type of certification that people have to have or something that people have to understand. You know, if Congress can agree on
that. Right. So it could be a help. But if they can't get to that point, then it's not gonna help. And the good government person in me hopes that
that would in fact be the case, that it could actually drive positive change. But, Harley, I'd be curious what some of your thoughts. So my, my take is that
harmonization is going to be more difficult than it would have been if this Supreme Court decision did not change more patchwork is. That is where I see this going. That's right. But to. For the immediate term, Congress has woken up to the problem of, you know, inconsistent regulations across sectors. There's more than one hearing on this. The.
There's more than one bill now that is looking into this. But none of these, none of these actions by Congress actually give agencies authority to get rid of their existing regulatory structure, to go to a harmonized regulatory structure. And until they have that ability, then anything that the agencies do to change their regulations is now more vulnerable
to legal challenge. So I think to Ari's point, part of the key here is going to be whether Congress can get its act together and legislate on a harmonized cybersecurity regulatory framework. And frankly, I don't see that being imminent. And I would also
add whether or not they have the expertise, because most laws are, you can, I don't want to say, drive a truck through, but they're, but they're pretty subject to interpretation now. I think you are going to have to be a little more or a lot more prescriptive. And what do you think that means? Well, I think they
can go two ways. So Congress can be prescriptive or Congress can give a lot of power explicitly to agencies. I think that the problem here is not whether it's possible. I think that the problem is more political in general. It has been politically contentious to give agencies a lot of rulemaking authority. If agencies clearly have rulemaking authority and if that rulemaking authority is clearly broad, then there is not an
issue of congressional intent. But in general, for things like privacy and security, there has been a reluctance for Congress to do that. So the other route, as you, as you suggest, is to be very prescriptive in legislation. That has also been difficult. You know, you enshrined something in legislation. It's very hard to change. And as you noted, technology does change. Especially as it changes quickly. And I would just add that sometimes
there is a difference between oversight of security agencies and those that have regulatory authorities. It gets a little complex. But I think that is one of the differentiators from that I think will factor into some of that decision making, I would say. I
mean, in this administration, the White House has said we're going to be creative. They literally have said we're going to have creative use of regulatory authority as it relates to cybersecurity in order to make sure we're covering sectors where there hasn't been any action that's gone now. Like we've been there before. And those are, I mean, to
serve the American people at the White House is a privilege of privileges. But what do you think this means? Now, if you were in your old job, this would demand a wake up call now. Yeah, I think, I think it would. I think
it would change the strategy. It would drive you. This administration, I feel like, has
felt. Like legislative legislation happens too slowly for the cyber threats that we're seeing today.
And they purposely aimed at procurement policy, which could still be the case here because this does not cover procurement policy. So they would be, but they want to make sure they're covering stuff where the for eight in sectors and that aren't necessarily government contractors. Right. So they're also looking at, we're looking at regulation. To do regulation now means legislation. Right. They can no longer say legislation takes too long. They
have to engage with Congress in order to get things done. And Harley, what do
we think about the judicial branch in particular? Do they have the staff? Do they have the expertise? Do they have the desire to jump into this in the way they need to? So it looks like I think the. Answer is no, that they
don't generally have the staff or the resources, particularly in comparison to agencies when it comes to technology and other non legal topics. If anybody has worked with congressional offices, you know that they are already on a lean budget. Judicial officers tend to be on a leaner budget still, but they're going to be facing these deeply technical cases
in a variety of areas. Again, not just cybersecurity, privacy, technology, the environments. I mean there is now potentially a great wave of litigation that can come as a result of this particular decision. And one of the things that I think is important to notice here too is that our structure, our judicial system is divided into districts and circuits. And we have a, you know, a state system, a federal system. These, these
courts can reach differing conclusions. And a one circuit does not necessarily have to be bound by the decisions of another circuit. And until it is resolved by the Supreme Court. And, and so we might see theoretically more circuit splits which for companies that service an entire nation, you know, that suddenly turn makes your compliance picture that. Much
more difficult, which is already difficult for a number of companies that have to transcend. And I do want to get to what the implications are from a private sector and corporate perspective. But sort of before I leave the judicial, I mean, I go back to some of the counterterrorism when we were getting judges up, bringing them up to speed on TFTP, a number of complex related national security issues. There was
a massive education campaign to all of that. Is that, do you see that happening here or do you think that, or do you think we're going to see individual cases have outsized precedent and impact? I think it's too early to, I think it's
too early to know on the educational piece. So it took a while. But in my opinion, both Congress and the executive branch agencies have actually done a pretty admirable job of shoring up their technical chops. They have created programs where they can, you know, have TechCongress fellows, where they have detailees, and there's a fair amount of expertise, especially in agencies, but also to some extent in Congress, that was
just not there maybe 10 years ago. So they've gotten a lot better on these subjects. I have not seen that same effort yet in the judiciary, but I'll note that it took a while for that to really get going with the administration and with Congress. So it's possible. Sounds like something Venable might want to zero in on
because I think there is opportunity there too. Right. Cannot confirm nor deny. No, but, but to jump to some of the private sector related questions, I mean, and without mentioning who your clients are and the like, what are they asking you right now?
Well, I think, you know, there are trade associations I want to that are looking at specific laws that, that and regulations that cover them and whether those are now open to challenge and maybe they weren't before. I think that's a big area of question right now. There's also the question of just what, what does this mean? Do we have to still continue complying with regulations? How do we go about looking at that, some of these things? And for, I think for the most part it hasn't
changed anything in terms of compliance yet. Right. And companies have to keep going and doing what they're doing from that point of view. So. And my gut tells me
and disagree, but the narrative I hear is they like some sense of certainty. This
is less certainty. This is less certain. If you are a company, particularly general counsel at a large company, this is going to make you very uneasy. There is going to be less certainty for a long time now. So I think our message right
now has been not to make any big changes based on this. That. You mean
don't throw out your cyber security programs. That's right. That even, you know, like it
doesn't invalidate. It doesn't. Until a court rules otherwise. This doesn't invalidate any regulations. Absolutely. What it does is make them more vulnerable to being modified or reversed in court. But that process can take some time. Even the case I mentioned earlier took a
while, took a couple of years. And so no big changes. But to be aware of it, to track litigation a little bit more closely and for public policy teams sort of adjacent to legal teams, to be aware of this dynamic when you're talking with agencies and with Congress, because the strategy of policymaking and rulemaking now has to change if they want to avoid being modified or overturned in court. And to lean
forward on an issue like this, that's actually very smart because I think it is very early in terms of full awareness and understanding. But, but the fact that both of you are sitting down today to be part of that informational I think is a very strong step forward because I think we're all trying to figure out exactly
what it means. What do you think it means, Ari, from a critical infrastructure perspective, in particular, if you're an owner operator of a lifeline sector or systemically important critical infrastructure. It depends on what sector you're in really because some of the agencies have
very, very clear authority even dating back before, you know, the 40 years when Chevron deference has been in place. So I think that if you're in one of those sectors, I think you know what you need to do. And there's not going to be much challenge. In other sectors where there's not clear authority for security, right, then it's going to be harder to bring that regulatory structure and put it in place. We know the water sector challenged the EPA. That
was before the, even before this. And they won that they were. That it was
too broad. So certainly if the EPA thought that was their best place to bring this, whatever they're going to do now is even less so. So I think there's some sectors where there, where there is less certainty. I, you know, the thing about cybersecurity is, you know, regulatory liability is only one piece of the liability you have to worry about. So I think you should be very focused on the actual security and less on compliance if you're in one of. Those, you and me both, because
I do worry. The concern I've historically had with some of the regulatory. It does provide that check the box and, and I'm not suggesting done right. It leads to that. But that is sort of the, at least the race to the bottom on some of it. And we prefer risk management, you know, authorities and risk management regulations
that make it so that you know your own business you figured out you should demonstrate that you're doing risk based. Those are hard to put together. But in some sector that has nothing, I would certainly go much more risk based. If you're compliance oriented, you have a checklist that's still better than nothing. Yeah. In that sector. So
I would, I would say also that what we're. The dynamic is now such that it's going to be broadly deregulatory in the absence of new congressional action and that it will fall more to individual companies and sectors to manage their cybersecurity risks on a more voluntary basis. And we know that there are many companies that do that and do it very well. But we also know that there are actors that cut corners when it comes to cybersecurity and sort of roll the dice. It's always too
much until the day. It's not enough until the day your system is encrypted by,
you know, by, by a ransomware gang. And, and, and I think unfortunately regulation has in the past provided a, a, a means of prodding those types of organizations to, to take another look at their cybersecurity programs and potentially shore them up. And it's this, in this environment that becomes a bit more difficult. So the need is still there, the threats are still, you know, still growing. But it's going to have to
be, I think greater reliance on self regulation. And fair to say, and we're not
advising legal counsel to anyone here obviously, but to any company that you're actually advising whether this changes a whole lot. They still need to have a system, a process, a, a bunch of steps they've taken to make that case. Right. I, I mean all things said and done, if they take a risk based approach, doesn't mean they always have to apply the exact same level of ingredients, everyone else's, but they still
need to be able to make that case. They need visibility on their systems and need visibility to be able to articulate that they're most moving the needle. So I certainly hope no one takes this as a pass on security, but rather maybe a re-examination of what that could look like. Am I fair on that? Absolutely. And like we said earlier, this does not invalidate
any existing regulations. I think what it does is it make it, it makes it harder to regulate going forward for better or for worse. And when it comes to critical infrastructure, as we sort of said at the, at the outset, Congress has not legislated a great deal on critical infrastructure cybersecurity. And so there's been a lot of talk, a lot of voluntary initiatives to create a baseline of cybersecurity practices that can
be reused for critical infrastructure. The NIST Framework being one, CISA's Cross-Sector Performance Goals being another. And it is I think very, very helpful that we have that background now. But there also has to be, and I think there is to an extent, industry self-pressure to actually meet those best practices and guidelines. And unfortunately I think that it is less likely that we will see a specific movement
to harmonization and cross-sector critical infrastructure cybersecurity. You know, I want to pull a
thread. So what other challenges do you think? And obviously the general uncertainty. But what else do you think we ought to be thinking right now if you were advising some of these entities? Well, I think as new legislation comes up, there's this question
of how much certainty you want in it. Right. So do you go with this sense that Harley said and we give more authority to the agency, specifically the agency can do X, Y and Z and it's part of their just general operating authorities, or do we put it into a regulation and have Congress go through all the steps of going about doing it? And I think that those kind of figuring some of those new things out, a new law is a, is and. There's a
Goldilocks, not too much, not too little, somewhere in between. Right, right. If the law
is going to happen anyway, you as a company, where does that fit for you? You know, as in a trade association world, you know, is it, is there a way you can do it so that there's more based on existing self best practices and things that you've been supportive of from the beginning? Right. So. And how do you get that written in there and done in the right way? So without jumping
into all the sort of SEC regulation, but CIRCIA, this could have significant implications. Thoughts?
Yes, no, I'm glad you raised that. So CIRCIA, this is the Cyber Incident Reporting for Critical Infrastructure Act. And there you do have a statute that Congress passed that did have a fair amount of detail but ordered CISA to have rulemakings to implement it. And we are in the middle of the proposed rulemaking right now. And so these comments have been submitted, they've now been posted to the website, and CISA
is in the process of considering them when Chevron deference evaporated. And, and so there were parts of that rule, that proposed rule that I think struck everybody as being very broad and that includes the definition of covered entities. So you know, it's not just applicable to critical infrastructure owners and operators. It's anyone who's an active participant in a critical infrastructure sector and there's 16 sectors that comprises a huge swath of the
economy. I think a lot of entities did not realize they were going to be swept into this. Another definition, the definition of covered cyber incident that you have to report to, there's not a lot of harmonization, even though the bill that underlies the rule is trying to push towards harmonization. And so it ended up being very broad, very, very detailed in a way that I think caught a lot of folks off guard, including some of the sponsors of the original legislation in Congress. From both sides
of the aisle. Yeah, yeah. So Senator Peters as well as Representative Garbarino and then
separately a group of three, including Representative Green and Swalwell, they all submitted comments saying that CISA had gone beyond their intent. And in some cases these are the representatives and senators that had sponsored the bill to begin with and said that in those three areas in particular, covered incident, covered entity, harmonization, that CISA was overstepping congressional intent. And that is very powerful ammunition in a court case now that Chevron deference is
no longer with us. So if the proposed rule became final in its current form, I think it would be more vulnerable to court challenge. And so CISA being in an open rulemaking, has to be somewhat tight lipped about, you know, what their internal process looks like. But I am sure that they are. Looking also got to know,
they got to be a little responsive. Yeah, they don't, they don't want to see
their work in, in crafting this rule get overturned or modified. This is actually the
first rule that they've ever crafted. This is the regulation they've ever done. And they've been very, very circumspect about how people can comment and making sure that they're following all the letter. Yeah. And this is the bottom of the eighth inning. It wasn't
in the beginning of the game. So, yeah, I think that will, that will have implications. Right. I mean, we're pretty absolutely confident. I'm not a gambler, but I'm pretty, I'm pretty confident that will actually have some, some, some impact there. I did not,
I did not think prior to this development, you know, the loss of Chevron deference, that CISA was going to make a lot of changes. I think that the tenor of the rulemaking was such that I think they wanted to be very broad and they were going to take ambiguities and turn them into a greater ability on their part to get these incident reports. Now, given both the changed legal landscape and the letters from Congress on what their intent really was, I think that
they have to make some changes or it'll get brought up in court. I think
you're right about that. And you've both spent time in, in roles at the center for Democracy and Technology. That's looked at. Is there an analogy here with privacy laws?
Oh, you bet. So I think if you look at where privacy is today, Congress waited and waited to actually pass. Something hasn't happened. Industry resisted comprehensive privacy legislation for, for like a decade. But then Europe went ahead and moved with GDPR and states got tired of this and they also moved ahead. And now we are in a
place where we have this tremendous patchwork. Congress is not really able to act because to do so would require coming to consensus on some contentious topics like private right of action and so forth. And it's hard to change where the states already are. They have to think about their constituents back home. And we've been in limbo on this issue in Congress and so we're being led by non US regulations that apply
outside of those countries' borders, and the states. And it's a tremendous patchwork. At our law firm, I sit in on meetings with our privacy group and there is a great deal of discussion always about how to craft privacy policies and internal compliance for
different states. Well, we can word our privacy policies to say if you're a Colorado resident, you know, if you're a Connecticut resident and it is a very difficult compliance picture, we are headed down that same path in cybersecurity for you know, we talk about cross sector, cross sector security regulation and, and we are now in a place where Congress is less likely I think to, to move, to move on it. Agencies are less likely to be able to, to pass a rule that is not going
to be open to court challenge. But in the meantime, Europe has already moved ahead just like with privacy. They've already moved ahead with security regulations. They've got several, the Cyber Resilience act being one. And it's a matter of time, just a matter of time before I think states get sick of seeing their hospitals and their own critical infrastructure hit with ransomware and they, they start acting as well. So do you think
this will... And Ari, I want to jump to you, but I just want to pull one more thread on that, because when you look at data breach notification, and when you have national perspectives and then every state, I mean, just from a filing perspective, the paperwork is insurmountable, isn't it? I mean, this is a digital problem and a very analog solution. It's surmountable. But it is a real headache. Right, but it's
a headache, to your point. It's difficult, it's expensive, and it hasn't solved the problem of privacy and data breaches. And I worry that if you have something similar,
multiply that and mushroom that by how many orders of magnitude, you've got your hands full, you're gonna have nothing. But no offense to the lawyers here, we love lawyers, but we also need a combination of people who can do that as well as implement. I mean, I personally feel better about U.S.
regulatory agencies writing the cybersecurity rules for U.S. companies than I do about European regulatory agencies writing them for U.S. companies. That's my personal view. But that is the direction we're headed right now with the Cyber Resilience Act. And then they also have a few directives that are out there that
are going to cause a cascade of regulatory structures around them too. So I think that you are going to see the Europeans lead there the way that they've been leading in privacy regulation, and the US has been following. No, and Ari, you've looked at this from the exec, but at CDT
this was an area that I'm sure was near and dear to you at that time. And there are analogies. There are also some differences. No, there are big differences.
I mean, because one thing about security is, security policy is basically made when there's an incident that happens. There's some control set that builds around to solve that incident, or a vulnerability comes up and there are some control
sets that are built around to solve that kind of vulnerability. And then we build a structure around those and say, okay, you should be doing this stuff, and then it gets built into a code of practice, and then from there sometimes it becomes regulatory, sometimes people just do it. So it's about the incidents and the vulnerabilities that are out there. When we see them, we build
these control sets. Privacy is the other way around. Privacy is like, you know, we were basically saying, here's a set of practices that we'd like to see and that people should do that are fair to the user and fair to the consumer in this space. And here are some controls that you can do to do those things that are fair to the consumer, and it's less reactive in that way. So the bottom-up nature of security means it's more accepting, and people
are more willing to put money into it from the beginning. And PII
data and data that could be detrimental to our national security are not always the same. I mean, in all, assume your data to one extent, or there's a...
Lot of crossover. There is a lot of crossover between security and privacy. I mean, you can't do privacy without security, for example. And yeah, there's a lot of security that you can't do without privacy. But there's... It's not some overlap. Yeah. As well.
We're getting... So I think that one of the takeaways here should be for the private sector broadly to consider how to change this situation, and whether or not having something like a comprehensive or harmonized cybersecurity regulation might be in their best interests. Industry eventually came around to that for privacy and data breach notification. But as we discussed, it might be a little bit too late, at least in the short term,
to get there. I think I had an organization that I work with tell me that they were proud that they were one of the ones to call for comprehensive privacy legislation at the federal level as early as 2018. But this has been on the radar of governments... When did you testify, Ari? Is it 1998? Was that
1998? Yeah. So we don't have... We should not wait that long for cybersecurity.
Is that John Kyle? I testified. We might have been at the same. It was
a House hearing. Okay. Okay. I'm trying to remember who that is. No, no worries.
No worries. I'm sorry. Yeah, yeah, yeah. Sorry I cut you off. No, it's okay. So, not that you led the witness, but I actually... What are your two, three takeaways, Ari, in terms of what it is and also, personally, I think... I mean, you know, who is this really great for? This is really good
for trial lawyers who are going to be... Or not trial lawyers, you know, lawyers for trade associations, I should say, who are going to be pushing against this. So it's very good for lobbyists who need to be very much more persistent on legislation. So they need to get in and do that. And the policy experts that feed into that discussion with the lobbyists, to get the lobbyists to open the door and the policy experts come in and then do that and go
into more detail. That's who it's probably best for immediately. I think the bigger takeaway, though, is that there is going to be uncertainty. We're going to have court splits, right, where one court's going to say this reg should be interpreted this way. Part of that could literally be defined based on the incident, right, because
you can interpret incident differently so that. And you can have incidents that have, I think, outsized sort of impact. That's a good point. I mean, it. The case. You
know, we always say bad cases make bad rulings, bad law. So I think that's going to be the situation here too. If we can get cases where there can be more certainty around them, that would be great. But that's not very likely to be the case in a lot of these situations. So Harley, any other takeaways? So I think Congress needs to
be more clear about its language and about its intent, and more deliberate about cybersecurity legislation. Agencies need to, as best they can for rulemakings going forward, draw a line as clearly as they can to that legislative intent, which might mean more narrow, more focused rules. And I mean, I respect the work that agencies do. They're in a tough position. They're trying to match their regulations with evolving threats. We don't
want to see all of that overturned. You know, stick with solid ground. For the judiciary, I hope that the judiciary takes seriously that cybersecurity and technology is a highly technical discipline and makes an effort to... there's opportunity there to gain education. I think there is opportunity there, and I bet you that there's appetite for it too. But
like anyone else, you know, they're super busy. Yeah, that's right. For the private sector, again, I wouldn't make any big changes right now, but I think that keeping your eye on the ball and staying on risk management is very important, even if it's not something that is strictly required by compliance. You know, continue to manage your risks, go above and beyond, and consider whether or not to be more vocal about the need for Congress to act in a way that's harmonized
and consistent to protect us all. Very well said, both of you. Friends
of mine often say a pessimist is an optimist with experience. I tend to remain optimistic on a lot of these issues, but getting laws passed is hard. I'm very proud of the track record my colleagues had at the Solarium Commission, but I think that's a once-in-a, not every year, opportunity. I just worry that it's hard to get a post office named these days, let alone complex laws. And once we get a little more prescriptive, it's going to get even harder. I think
I'm going to stick with Harley's last point. On the optimism side, I'm optimistic, you know, if we can keep people focused on risk management, that's going to be the best outcome of this whole thing. Like, if you can just say, right, if you stay focused on risk management, doing real security, figure out where your real risks are, then the compliance can fall underneath that. And go figure, that's actually good for the country, for the client, for customers.
I'm glad you both foot-stomped that last question. Any questions I didn't ask that I should have? You didn't ask about AI, and I appreciate that. Thank
you. That's a good answer. Great answer. Yeah. Gentlemen, thank you so much for joining
us today. Thank you for all your hard work. Thank you for continuing to fight the good fight. This fight is by no means over. And however we interpret, or others interpret, Chevron deference and the overturning, we will still be at this problem and fighting it. Thank you. Thank you. Thank you for joining us for this episode of CyberFocus. If you liked what you heard, please consider subscribing. Your ratings and reviews help us reach more listeners. Drop us a line if you have any ideas in
terms of topics, themes, or individuals you'd like for us to host. Until next time, stay safe, stay informed, and stay curious.