The use and scope of information technology have grown dramatically since 2000, and along with that growth have come ever greater cybersecurity threats to businesses, government agencies and consumers.
The need to counter actual threats, as well as to prevent potential cybersecurity problems, calls for sharing information among vulnerable parties. However, businesses have been worried that sharing cyberinformation involves another risk: the chance that such practices would be deemed anticompetitive under federal antitrust laws.
Two government agencies, the Federal Trade Commission and the U.S. Department of Justice, recently addressed the issue in a joint statement, the first time since 2000 that the federal government has provided any formal guidance on cybersecurity information sharing.
“Properly designed cyber threat information sharing is not likely to raise antitrust concerns and can help secure the nation’s networks of information and resources,” the FTC/DoJ policy states.
The policy is designed to reduce uncertainty for those who want to share ways to prevent and combat cyberattacks, the agencies said.
“Private parties play a critical role in mitigating and responding to cyber threats, and this policy statement should encourage them to share cyber security information,” said Deputy Attorney General James Cole.
“Because of the FTC’s long experience promoting data security, we understand the serious threat posed by cyber attacks,” said FTC chairwoman Edith Ramirez. “This statement should help private businesses by making it clear that antitrust laws do not stand in the way of legitimate sharing of cyber security threat information.”
Both the IT sector and the broader business community have quickly supported the FTC/DoJ policy.
“Many companies have expressed concerns about risks from sharing cybersecurity threat information,” said David Hoffman, vice president of Intel. “One of the risks has been the concern that information sharing could be misinterpreted as a violation of antitrust laws. The FTC/DoJ statement is a helpful step to remove a significant concern.”
New Policy Builds on Past Guidance
“Sharing technical information about cyber threats, while protecting people’s privacy, is a critically important way for companies to defend themselves against attacks. In a fast-moving threat environment, it promotes nimble, adaptive commercial innovation,” said Victoria Espinel, president of the Business Software Alliance. “We are pleased the administration has confirmed there are no antitrust concerns standing in the way of this kind of legitimate cyber information sharing.”
The FTC/DoJ statement, issued last month, builds on advice provided to the Electric Power Research Institute in 2000. In response to a request for guidance, the Justice Department issued a letter to EPRI saying that it had no intention of initiating an enforcement action against EPRI’s proposal to share certain cybersecurity information, including exchanging actual real-time cyberthreat and attack information.
“Although the nature, complexity, and number of threats have changed since the Justice Department issued the EPRI letter, the legal analysis in the letter remains very current,” DoJ says in last month’s statement.
The government’s primary concern regarding antitrust impacts relates to the sharing of competitively sensitive information — such as current and future prices, cost data, output levels and business plans.
Since cybersecurity information, such as incident reports, indicators and threat signatures, is unlikely to reveal competitively sensitive information, companies should feel confident about sharing cybersecurity information without triggering antitrust action, the agencies said.
“The FTC/DoJ policy is significant because, as was noted in the document, the nature, complexity and number of threats have changed since the Justice Department issued the EPRI letter, and it is important to know that the agencies still believe the EPRI analysis is valid,” Intel’s Hoffman told the E-Commerce Times.
Joint Action Is Rare
“Some commentators in the cybersecurity community, including the American Bar Association standing committee on law and national security, had recently noted that antitrust concerns have ‘triggered suspicion about close coordination’ among corporate competitors, including cybersecurity information sharing,” David Laing, a partner at Crowell & Moring, told the E-Commerce Times.
“The antitrust agencies’ joint statement was intended to remove those concerns,” he said.
The joint statement applies generally to all businesses, not just those engaged in critical infrastructure such as electric power, Laing noted.
“The interesting aspect of the statement is that it is a joint policy of the two antitrust agencies, which is a rare event,” he said. While a previous joint effort on mergers took years for the agencies to develop, the cyberpolicy came together in a matter of months.
“We certainly have a fairly mature information sharing program through the Financial Services Sector Coordinating Council,” said Doug Johnson, vice president and senior advisor for risk management policy at the American Bankers Association.
The ABA is actively involved with the coordinating council, as well as the Financial Services Information Sharing and Analysis Center, in programs designed to share “timely, relevant and actionable physical and cybersecurity threat and incident information,” he said.
“The FTC/DoJ policy certainly enhances those efforts,” Johnson told the E-Commerce Times. “I think this policy could also spur greater cross-industry cooperation, say between the finance and telecom sectors.”
While the updated policy is designed to encourage cybersecurity information sharing, there are still precautions companies should take when engaging in such activities.
For example, the policy statement “does not reduce potential liability under privacy laws, such as the Electronic Communications Privacy Act (ECPA), for the disclosure of communications or personal information related to cyber threats,” said Burt Braverman, a partner at Davis Wright Tremaine, in a blog post. “Those laws remain a concern for cyber security information sharing efforts.”
Also, “companies or associations intending to engage in cyber security information sharing should proceed cautiously,” to guard against the inclusion of prohibited exchanges of competitively sensitive information or even the appearance of unlawful collaboration, he said.
“Cyber security information sharing practices should be framed to comply with the new FTC/DoJ policy statement, and in appropriate instances, participants in such exchanges may even wish to seek further guidance from the agencies,” Braverman added.
The policy statement also caught the eye of key lawmakers who have been working on legislation dealing with information security issues.
“Improving our country’s cyber security is a team effort. It requires cooperation and trust between the security experts in our federal agencies and in the private sector,” said Sen. Jay Rockefeller, D-W.Va., chairman of the Senate Commerce Committee.
The FTC/DoJ policy statement “should give the business community confidence that they will not face potential liability for sharing cyber threat information,” he said. “I am disappointed that Congress has still not acted to promote information sharing through legislation, but congratulate the Obama Administration for taking action to address this important issue.”