Moving to remove another hurdle to the unwillingness of some in the private sector to share information about cyber security threats, the Obama administration on Thursday issued guidance saying that antitrust concerns should not stand in the way of the legitimate sharing of such data.
“Today’s announcement makes clear that when companies identify a threat, they can share information on that threat with other companies and help thwart an attacker’s plans across an entire industry,” Michael Daniel, the White House Cybersecurity Coordinator, says on the White House blog.
The nine-page antitrust policy statement was issued jointly by the Justice Department and Federal Trade Commission, which are charged with enforcing antitrust policies, and says the agencies “do not believe that antitrust is—or should be—a roadblock to legitimate cybersecurity information sharing.”
The FTC and DoJ said they are well aware of cyber threats and want industry to know that as long as the sharing of data about cyber threat indicators and signatures is “legitimate,” then there shouldn’t be antitrust concerns. It says this data sharing “has the potential to greatly improve the safety of our systems.”
“Cyber threat information typically is very technical in nature and very different from the sharing of competitively sensitive information such as current or future prices and output or business plans,” the joint statement says.
Ever since Congress failed to approve cyber security legislation almost two years ago, the Obama Administrations has been working to bolster cyber security protections within the United States and find ways to enable information sharing within the private sector and between the federal government and the owners and operators of critical infrastructure. In February the administration released the first iteration of a Cybersecurity Framework that is meant to promote the voluntary adoption of best security practices and standards within industry to mitigate threats to computer networks (Defense Daily, Feb. 12).
James Lewis, a cyber security expert with the Center for Strategic and International Studies, said that just the potential risk of antitrust issues has been an inhibitor at times to companies sharing cyber threat information. The administration’s statement is really aimed at corporate “general counsels to say, ‘there really is no antitrust concern and we want to remove that particular obstacle to information sharing,’” Lewis told Defense Daily.
The administration still has work to do on improving the climate for the private sector to bolster its cyber defenses but the antitrust statement shows it continues to make progress, Lewis said. Continued improvements that need to be addressed include outdated legislation, which Congress has to tackle, adding liability protections, and modernization of privacy laws, he said, adding that it’s unclear what steps the administration can take with regard to liability protections and it will likely take a while to make progress on privacy matters.
To help make its case that antitrust issues shouldn’t stop the sharing of cyber security information within the private sector, the DoJ/FTC statement cites an October 2000 decision by the Justice Department that said it wouldn’t take “enforcement action” against the Electric Power Research Institute, Inc. (EPRI) for planning to exchange cyber threat data. EPRI is a non-profit organization that conducts research, development and demonstrations related to electrical power generation and distribution.
The private sector and the federal government have increasingly been sharing cyber threat information the past several years, in part due to increased awareness of the pervasiveness of cyber attacks. The White House’s Daniel points out that when financial institutions suffered a spate of denial-of-service attacks the past few years, the Financial Services Information Sharing and Analysis Center “brought banks together to exchange information with each other and with the federal government.”