Hacking by Any Other Name


Is Cybersecurity Regulation in the U.S. Over?


Imagine the headline: “A Group of 20-year-old Hackers Break Into Government Data Systems”.


It’s not hard to imagine – we’ve seen plenty of similar headlines in the last 10 years or so. Heck, in 2015, a massive data breach (22.1 million records) occurred at the Office of Personnel Management (OPM). The director of OPM resigned over it. $67 million was awarded in claims to be distributed to those who had their data impacted. That money was still being distributed in 2024.


The OPM breach had a huge influence on cybersecurity laws. It exposed tremendous systemic vulnerabilities: attackers used stolen credentials and malware to bypass outdated defenses, and the breach revealed supply chain risks by exposing weak security practices across federal contractors. Congressional reports note that the breach “jeopardized national security for more than a generation” [2] and forced a shift toward zero-trust architectures and standardized controls. And they were proven right, as the 2020 SolarWinds cyberattack showed.


Consider the regulatory and enforcement timeline:

  • October 2016: DFARS 252.204-7012 takes effect, requiring defense contractors to implement NIST SP 800-171 controls to protect Controlled Unclassified Information (CUI) [1], [2].

  • November 2020: DoD issues DFARS Interim Rule with clauses 7019, 7020, and 7021, mandating self-assessments, third-party audits, and preparation for CMMC compliance [4], [5].

  • November 2021: CMMC 2.0 announced, streamlining requirements while mandating third-party certifications for contractors handling sensitive defense data [3], [5].

  • January 2023: Whistleblower files False Claims Act suit against Penn State for cybersecurity failures [4]. It settled for $1.25 million in October 2024 [5].

  • December 2023: CMMC Proposed Rule published, formalizing tiered compliance levels (1-3) based on data sensitivity [6], [5].

  • August 2024: The U.S. DoJ joins whistleblowers in a False Claims Act suit against Georgia Tech for failure to meet cybersecurity obligations within its cybersecurity research department [6].

  • Q1 2025: CMMC requirements begin appearing in DoD contracts, with full implementation phased over subsequent years [4], [5].


So what the FCK is happening now?


Is the U.S. going to drop all enforcement of cybersecurity law now? Because they seem to be turning a blind eye to all requirements for information and systems protection, allowing private individuals without authorization or clearance to access restricted government information, including classified information, at the Treasury and the offices of USAID [7]. While it is not due to the nefarious actions of an adversarial nation state or organized criminal group of hackers, this is a textbook definition of “data breach”: a violation of security resulting in the loss, alteration, or disclosure of information. If they were government employees, it would be considered an “insider threat”. But they were not. Instead, it was what appeared to be the laziest social engineering attack I might have ever seen:

Hacker: Let us in and give us access to everything.

Guard: No, you are not allowed.

Hacker: We have fired your boss.

Guard: OK, here are the keys.


Will there be ramifications?


Honestly? Probably not. While I am writing this, the House Oversight Committee attempted to subpoena Musk for questioning. House GOP members stopped it. The GOP controls both branches of the legislature and the White House (and, arguably, the Supreme Court). If they wanted to make changes, they easily could do so using the mechanisms that have functioned for a couple hundred years. Yet that’s not how they are doing it. Setting aside what this might mean for the United States as a country, it makes things incredibly difficult for your humble cybersecurity lawyer.


What we have here is not just a “credibility crisis”. It is a conflict of interest.

Unsquish your face – I will explain.


You may know that lawyers have rules against conflicts of interest [8]. What may be less known is how conflicts come into play when representing a matter rather than a client. A lawyer whose client ignores the rules it doesn’t want to follow in its own operations while simultaneously suing others to enforce those same rules will quickly learn what a matter-level conflict is when that client is sued for its own wrongdoing. It’s basically the law’s way of saying that lawyers cannot represent clients on the basis of “what’s good for me is not for thee”.


What now happens to the suit brought by the U.S. government against Georgia Tech? Georgia Tech argues that none of the cybersecurity controls were truly material to the contract, while the DOJ has argued that cybersecurity is material. Consider, then, that U.S. government officials took no action to prevent a highly unsophisticated attack on high-risk systems and restricted information within USAID and Treasury, and that the DOJ takes no steps at all to prosecute such violations. When the DOJ inevitably responds to the lawsuits [9] brought against it for the harm to citizens caused by the USAID and Treasury breaches, can it do so without undermining the filings it has already made with the courts in Georgia? My guess is “probably not”.


What does this mean for the future of cybersecurity law in the United States?

Honestly, I am not sure. I hope that precedent and the rule of law will prevail, but I can no longer accurately predict or rely on that. I also like to hope that laws such as the Privacy Act of 1974 will be enforced and that those who willfully violated its requirements through the coerced displacement of authority will be held accountable.


Mostly, though, I hope you will understand that lawyers like myself must advise on what the law is now and not what it might be. Until we see what plays out, though, I am as flummoxed as the rest of you as to what the future might be. I can only provide the best advice possible under the premise that the rule of law still exists in the U.S.


Let’s hope that remains true.


[9] If anyone has a running list of these suits, please let me know and I will promote. I can barely keep track.
