Diving Deep into Cybersecurity: EPA’s Sink or Swim Saga

In a comical twist, the EPA dived into cybersecurity, only to withdraw its rule on states reporting threats to public water systems. After facing a legal tsunami from states and water associations, the EPA is now drying off, ready to lobby Congress. A belly flop or a strategic backstroke? This is the EPA Cybersecurity Rule Withdrawal story.

Hot Take:

When it comes to cybersecurity, the U.S. Environmental Protection Agency (EPA) might have sprung a leak. After dipping their toes into the deep end of cybersecurity legislation with a rule requiring states to report cybersecurity threats to their public water systems (PWS), they’ve since performed a backstroke following lawsuits from a trio of states and a couple of water associations. Now, they’re drying off and planning on lobbying Congress for similar legislation. Proof that when it comes to cybersecurity, it’s sink or swim?

Key Points:

  • The EPA has withdrawn a rule requiring states to report cybersecurity threats to their PWS after facing lawsuits from Missouri, Arkansas, Iowa and water associations.
  • The states argued that the rule exceeded the EPA’s statutory authority and was arbitrary and capricious.
  • The water associations argued that the rule exceeded the EPA’s authority under the Safe Drinking Water Act.
  • The EPA’s next plan is lobbying Congress to pass similar legislation.
  • The Biden administration is mandating that all federal agencies adopt minimum cybersecurity standards for organizations under their respective umbrellas.

Need to know more?

The One Where EPA Got Soaked

The EPA thought it had the perfect solution to the rising tide of cybersecurity threats to public infrastructure: a rule that required states to report such threats to their PWS. Unfortunately, some states and water associations disagreed, arguing that the rule was overstepping its bounds and failed to consider important aspects of its implementation. The result? A complete withdrawal of the rule and the lawsuits against it being dismissed.

Wading Through the Legalities

Just like a poorly constructed dam, the legal arguments against the EPA's rule held water. The states claimed the rule exceeded the EPA’s statutory authority and ignored congressional actions, while the water associations argued that the rule went beyond the scope of the Safe Drinking Water Act. They contended that smaller water systems, which would have been regulated by the rule, lacked the resources to meet the new requirements.

Aquatic Cybersecurity: The Next Wave

Despite this setback, the EPA is not ready to throw in the towel. They plan to lobby Congress to pass similar legislation, showing they're still committed to keeping the nation's public infrastructure safe from cybersecurity threats. This comes as part of a larger effort by the Biden administration to enforce minimum cybersecurity standards across all federal agencies. So while the initial dive might have been a bit rough, it seems the EPA is still determined to make a splash in the world of cybersecurity.

And the River Flows On

In other related news, a bipartisan coalition of representatives introduced the Cybersecurity for Rural Water Systems Act of 2023, aiming to provide much-needed funding and technical assistance to rural water and wastewater systems. The water associations are supporting this effort, showing that while they might not agree with the EPA's approach, they're not washing their hands of cybersecurity altogether.
Tags: Biden administration, Cybersecurity Regulations, EPA, Federal Cybersecurity Regulations, Public Water Systems, Rural Water Systems Act of 2023, Safe Drinking Water Act