Government // Cybersecurity
News
4/11/2014
01:41 PM
Connect Directly
RSS
E-Mail
50%
50%

Feds Address Antitrust Concerns On Cyberthreat Sharing

Justice Dept. and FTC confirm that sharing cybersecurity threat information is not an antitrust law violation.

The Justice Department and the Federal Trade Commission are trying to allay private-sector fears that sharing cyberthreat information could be seen as a violation of antitrust laws.

In an important signal to private enterprises, on Thursday the DOJ Antitrust Division and the FTC released a joint policy statement to "make it clear that they do not believe that antitrust is -- or should be -- a roadblock to legitimate cybersecurity information sharing."

Sharing technical cyberthreat information is fundamentally different from sharing competitively sensitive information, the agencies explained. The policy statement covers different types of sharing, structured and unstructured, person-to-person, automated or hybrid. Information can include incident or threat reports, threat indicators, threat signatures, and alerts.

[Easing industry's concerns for sharing cyberthreat information may also speed adoption of White House guidelines for protecting critical infrastructure. Read more: Feds Launch Cyber Security Guidelines For US Infrastructure Providers.]

The policy statement does not change anything; sharing that does not have a negative impact on competition already is allowed under the FTC's Competitor Collaboration Guidelines and the agencies have never considered sharing of security information a violation.

The policy statement says that sharing this type of technical information is allowed and encouraged in any industry sector. "It remains the agencies' current analysis that properly designed sharing of cybersecurity threat information is not likely to raise antitrust concerns," it said.

White House cybersecurity coordinator Michael Daniel
White House cybersecurity coordinator Michael Daniel

Increased threat-information sharing has long been seen as necessary to improving the nation's cybersecurity. Despite this, actually sharing such information has remained challenging. Government agencies with access to details about cyberthreats are often reluctant to share those details with industry because of the sensitive nature of the intelligence; and industry executives are reluctant to share with government because of concerns about liability and exposure of confidential information. Concerns about antitrust laws have stymied cooperation among companies.

This does not mean that information sharing is not happening. A number of "trust networks" have been established, and a number of industry sector Information and Sharing and Analysis Centers serve as vehicles for collaboration.

But many organizations still are cautious and, in the absence of legislation specifically enabling cooperation, the administration is promoting sharing through executive action. In a February 2013 executive order, President Obama highlighted the need for government to share information with the nation's private sector. But sharing also is needed within the private sector, and the DOJ-FTC policy statement provides clearance for that.

In a White House blog post, cybersecurity coordinator Michael Daniel wrote that, "reducing barriers to information sharing is a key element of this Administration's strategy to improve the nation's cybersecurity, and we are aggressively pursuing these efforts through both executive action and legislation."

He praised the policy statement and warned of the risk of doing nothing. "Companies should assess whether the remaining risks they perceive for engaging in legitimate information sharing are greater than those they face for failing to protect their customer data, their intellectual property, and their business operations from the growing cyberthreats to them."

"Today's announcement makes clear that when companies identify a threat, they can share information on that threat with other companies and help thwart an attacker's plans across an entire industry," Daniel said.

Our InformationWeek Elite 100 issue -- our 26th ranking of technology innovators -- shines a spotlight on businesses that are succeeding because of their digital strategies. We take a close at look at the top five companies in this year's ranking and the eight winners of our Business Innovation awards, and offer 20 great ideas that you can use in your company. We also provide a ranked list of our Elite 100 innovators. Read our InformationWeek Elite 100 issue today.

William Jackson is a technology writer based in Washington, D.C. He has been a journalist for more than 35 years, most recently covering the $80 billion federal government IT sector for Government Computer News. His coverage has ranged from architecture to international ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Randy Naramore
50%
50%
Randy Naramore,
User Rank: Apprentice
4/14/2014 | 9:27:30 AM
Re: Cybersec information sharing
Information sharing will come from vendors that companies have relationships with but also joining various groups will help to get valuable information to the people who can use it. One such group is  "Infragrad" (https://www.infragard.org), joint partnership between FBI and companies. 
Lorna Garey
50%
50%
Lorna Garey,
User Rank: Author
4/11/2014 | 3:04:10 PM
Re: Cybersec information sharing
The fault for a lack of sharing, IMO, lies squarely with security vendors' marketing teams that see knowledge of a threat as a competitive advantage. The practioners I know would love to be able to get together with peers in a secure way periodically to discuss what they see happening in the wild. It's the suits gumming up the works.
Bill Jackson
50%
50%
Bill Jackson,
User Rank: Apprentice
4/11/2014 | 2:47:16 PM
Cybersec information sharing
It will be interesting to see if the corporate lawyers who have been urging caution in sharing threat information take this policy statement to heart and encourage information sharing agreements.
Cyber Security Standards for Major Infrastructure
Cyber Security Standards for Major Infrastructure
The Presidential Executive Order from February established a framework and clear set of security standards to be applied across critical infrastructure. Now the real work begins.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek - July 21, 2014
Our new survey shows fed agencies focusing more on security, as they should, but they're still behind the times with cloud and overall innovation.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.