Cybersecurity and the ‘Good Cause’ Exception to the APA
In the absence of congressional action setting minimum cybersecurity requirements for critical infrastructure, many sector-specific agencies could use authorities to protect public safety that are already available in their organic statutes. However, concerns about the lengthy delays entailed in notice-and-comment rulemaking under the Administrative Procedure Act (APA) may be discouraging many agencies from even starting the process.
But agencies need not subject themselves to the agonies of full-blown rulemaking, especially for targeted and interim measures adopted in response to a documented crisis. The APA itself contains an exception, actually invoked quite often, to dispense with notice-and-comment “when the agency for good cause finds ... that notice and public procedure thereon are impracticable, unnecessary, or contrary to the public interest.” (There are actually two separate good cause exceptions in 5 U.S.C. § 553: the one just quoted, in subsection (b), which permits exceptions to notice-and-comment, and one in subsection (d), which permits an agency to make rules effective immediately, without the normal 30-day waiting period after publication. Most courts and commentators refer to the good cause exception in the singular and I’ll do so here.)
Before stumbling on the good cause exception, I had looked briefly at presidential emergency powers, seeking among the hundred-plus examples in the U.S. Code any that might support emergency action to impose cybersecurity mandates on critical infrastructure. The Congressional Research Service and Brennan Center compilations of presidential emergency authorities yielded few results. One candidate is Section 706(c) of the Communications Act, 47 U.S.C. § 606(c), which authorizes the president in an emergency to suspend or amend the rules and regulations applicable to “any or all … devices capable of emitting electromagnetic radiations,” but its scope is much-debated. And, of course, the International Emergency Economic Powers Act, which confers on the president broad authority to regulate transactions involving foreign countries or nationals, has been one tool invoked to keep Chinese-made products out of the communications networks, but it is not a good fit for home-grown products and networks.
So that takes us back to the APA and its good cause exception. The exception has been in the news lately because the district court that struck down the federal mask mandate on public transportation on April 18 relied in part on finding that the Centers for Disease Control and Prevention had improperly invoked the good cause exception to notice-and-comment rulemaking. But Judge Kathryn Kimball Mizelle’s mask mandate opinion and a long string of other decisions point the way to successful use of the exception in the cybersecurity context.
The courts are split on what standard of review to apply to agency invocations of the good faith exception, but they are uniform in agreeing that the exception is to be narrowly construed. The APA requires the agency invoking the exception to provide “a brief statement of reasons” for why it believes notice and comment are contrary to the public interest, but agencies should not take the word “brief” literally. Upon judicial review, the burden is on the government to justify its finding. Indeed, the U.S. Court of Appeals for the Sixth Circuit said in its 2009 United States v. Cain opinion that “the Government’s burden to show that good cause exists is a heavy one.” An agency’s bare assertion of experience or expertise is not enough. The D.C. Circuit stressed in its 1992 opinion Tennessee Gas Pipeline Co. v. FERC that an agency must present facts or evidence. As the Congressional Research Service concluded in its survey, “conclusory claims by an agency of an emergency situation, unaccompanied by independent facts, are insufficient to constitute good cause.” Moreover, some courts have been strict in not allowing after-the-fact embellishments of the record, limiting their review to the rationale and evidence that the agency invoked when it took the action.
Despite these limits, most rules issued without notice and comment stand. An analysis of rules issued between 1995 and 2011 found the vast majority (98.5 percent!) of those issued under the exception are not judicially reviewed, and the majority of challenges heard are rejected. And while that track record may not have been sustained since, the Supreme Court’s 2020 decision in the case over the availability of contraceptive services under the Affordable Care Act made it much harder to challenge interim final rules issued under the exception when coupled with a request for comments on a final rule.
And one key point stands out. As a recent survey concluded, “Emergency actions in response to concerns for public safety are perhaps the paradigmatic context for invoking good cause.” Also weighing heavily in courts’ assessments is whether the rule is interim and subject, after taking effect, to revision through the normal notice-and-comment procedure. These are known as interim final rules. The U.S. Court of Appeals for the D.C. Circuit has held that “the interim status of the challenged rule is a significant factor” in the good cause analysis. Also, the less expansive the interim rule, the less the need for public prior comment.
We have had two recent experiences with the application of the good cause exception to national emergencies: 9/11 and the coronavirus pandemic. In the 2004 case Jifry v. FAA, the D.C. Circuit upheld the Federal Aviation Administration’s use of the good cause exemption to issue rules governing the suspension and revocation of pilot’s licenses for security reasons, finding that the rule was necessary to protect the public from security threats in the aftermath of the 9/11 attacks. In finding the good cause standard satisfied, the court gave great weight to “the government’s legitimate concern over the threat of further terrorist acts involving aircraft.”
In the case of the coronavirus pandemic, while the Florida district court struck down the mask mandate, the Supreme Court and the U.S. Court of Appeals for the Eleventh Circuit upheld the rule requiring vaccines for workers at Medicare- and Medicaid-supported hospitals, also issued under the exception. The difference between the agencies’ justifications for their actions on the mask mandate versus the vaccine mandate is striking and relevant. In the mask mandate case, the judge found that the government’s explanation consisted of a single conclusory sentence. The judge contrasted this with the vaccine mandate, where the agency provided almost four pages of reasoning, with 40 footnotes of supporting sources. The Supreme Court, in upholding the vaccine mandate, found this justification sufficiently specific and detailed (although it still was not enough for the dissenting four justices). The Eleventh Circuit, in a separate case on the vaccine mandate that never reached the high court, stressed how the government identified specific reasons why, in the environment of healthcare facilities that provide care to patients covered by Medicare or Medicaid, the ongoing pandemic constituted good cause. The same lesson about the need for detail and a sector-specific focus can be found in other cases. For example, in Sorenson v FCC, the D.C. Circuit found the Federal Communication Commission’s one paragraph of explanation to be “simply too scant.” As Judge Mizelle concluded in the mask mandate case, “The regulations that succeed often contain detailed and careful explanations of the agency’s reasoning.”
Another example of post-9/11 emergency rulemaking may be especially instructive for cybersecurity-related measures today. Immediately after 9/11, the Nuclear Regulatory Commission issued several safeguards and threat advisories to its licensees urging, but not requiring, them to strengthen their capabilities and readiness to respond to a potential attack. The commission followed up by consulting with other government agencies and industry representatives to evaluate the threat environment and to assess the adequacy of security measures at licensed facilities. Five and a half months after the attacks, in February 2002, without formal notice and comment, the commission adopted new security rules for nuclear power plant operators, mandating specific measures, including some related to cybersecurity. (The commission was not acting under the general APA exception but rather under a provision of its rules that allows the commission to modify the licenses of nuclear power plants and to make those changes effective immediately if, “for stated reasons,” the commission finds that the public health, safety or interest so requires.) The commission recognized that licensees may have already initiated many of the measures in response to previously issued advisories or on their own. But the commission said that its initial review of current safeguards, as well as information provided by the intelligence community, convinced it that certain compensatory measures should be required consistently throughout the nuclear reactor community.
Now, the United States faces a similar situation. The Cybersecurity and Infrastructure Security Agency and other government agencies have issued multiple advisories, urging critical infrastructure to get their “shields up.” Many entities have responded, but very likely not uniformly or completely. If agencies have insights into areas of vulnerability where security has not been upgraded consistently across a sector, a mandate could be warranted. Meanwhile, the threat intelligence becomes more urgent. On March 21, President Joe Biden said that his administration had “evolving intelligence that the Russian government is exploring options for potential cyberattacks.” The language may have been lost on some, but this was an extraordinary use of very fresh (“evolving”) intelligence, precisely the kind of specific information that could be used to support a finding that there is an emergency—and the facts backing it up—to satisfy the good cause exception. (This is much stronger than what the Nuclear Regulatory Commission acted on after 9/11, when it cited only the ”generalized high-level threat environment.”)
I’m not suggesting that the executive branch use the good cause exception to impose general cybersecurity requirements. On the contrary. The judicial record shows that an invocation of the good cause exception is more likely to be upheld if narrowly focused and based on detailed reasoning and evidence offered at the time the rule is issued.
It certainly appears those criteria are being met concerning specific industries and specific threats. For example, on April 13, the Department of Energy, the Cybersecurity and Infrastructure Security Agency, the National Security Agency and the FBI released a joint advisory warning that certain advanced persistent threat (APT) actors had “exhibited the capability” to gain full system access to multiple industrial control system and supervisory control and data acquisition devices. The warning listed, by model number, the specific devices of two specific manufacturers that were vulnerable. A technical appendix specifically described the APT actors’ tools. The advisory “urged” critical infrastructure organizations to implement a set of specific detection and mitigation measures and especially called out energy sector organizations.
If the vulnerable devices are known, if the attack tools are documented and the mitigations are known, and if the president is saying that there is fresh intelligence of an adversary exploring options for attack, surely that constitutes good cause to move swiftly. To the extent that sector-specific agencies have authority to issue rules for the safety or reliability of critical infrastructure—and to the extent they have specific insights into vulnerabilities—they can avoid the delays and uncertainty inherent in notice-and-comment rulemaking by issuing an interim final rule while inviting comment on any changes necessary in light of unexpected problems in implementation or further changes in technology or the threat environment.