HHS, DHS and EPA Don’t Need to Dole Out New Cyber Rules

White House officials on Thursday announced that the departments of Homeland Security and Health and Human Services, along with the Environmental Protection Agency, do not need to impose new regulations to defend industry against hacks, because voluntary measures will suffice.

Obama administration officials stopped short of saying whether independent regulatory agencies should prescribe new cyber rules for the energy, financial and other critical sectors. 

A February 2013 presidential executive order required agencies to determine whether current rules are sufficient to carry out forthcoming industry cyber standards. The standards, which came out in February and presently are voluntary, instruct organizations on how to identify, respond and recover from network disruptions. 

"The major outcome is that the administration’s analysis supports our current voluntary approach to address cyber risk," White House Cybersecurity Coordinator Michael Daniel said in a blog post. "The administration has determined that existing regulatory requirements, when complemented with strong voluntary partnerships, are capable of mitigating cyber risks to our critical systems and information."

Much of the nation's critical infrastructure is governed by independent regulators, which were not required to do an analysis, he noted. 

"The analysis conducted pursuant to [the order] represents a limited subset of critical infrastructure sectors: water, health, transportation, and chemical," Daniel said.

He said there is still more work to do as far as enhancing current cyber regulations. "Over the next two years, these departments and agencies will jointly investigate and leverage opportunities to improve the efficiency, clarity, and coordination of existing regulations," Daniel said.