Feds Address Antitrust Concerns On Cyberthreat Sharing
Justice Dept. and FTC confirm that sharing cybersecurity threat information is not an antitrust law violation.
The Justice Department and the Federal Trade Commission are trying to allay private-sector fears that sharing cyberthreat information could be seen as a violation of antitrust laws.
In an important signal to private enterprises, on Thursday the DOJ Antitrust Division and the FTC released a joint policy statement to "make it clear that they do not believe that antitrust is -- or should be -- a roadblock to legitimate cybersecurity information sharing."
Sharing technical cyberthreat information is fundamentally different from sharing competitively sensitive information, the agencies explained. The policy statement covers different types of sharing, structured and unstructured, person-to-person, automated or hybrid. Information can include incident or threat reports, threat indicators, threat signatures, and alerts.
The policy statement does not change anything; sharing that does not have a negative impact on competition already is allowed under the FTC's Competitor Collaboration Guidelines and the agencies have never considered sharing of security information a violation.
The policy statement says that sharing this type of technical information is allowed and encouraged in any industry sector. "It remains the agencies' current analysis that properly designed sharing of cybersecurity threat information is not likely to raise antitrust concerns," it said.
White House cybersecurity coordinator Michael Daniel
Increased threat-information sharing has long been seen as necessary to improving the nation's cybersecurity. Despite this, actually sharing such information has remained challenging. Government agencies with access to details about cyberthreats are often reluctant to share those details with industry because of the sensitive nature of the intelligence; and industry executives are reluctant to share with government because of concerns about liability and exposure of confidential information. Concerns about antitrust laws have stymied cooperation among companies.
This does not mean that information sharing is not happening. A number of "trust networks" have been established, and a number of industry sector Information and Sharing and Analysis Centers serve as vehicles for collaboration.
But many organizations still are cautious and, in the absence of legislation specifically enabling cooperation, the administration is promoting sharing through executive action. In a February 2013 executive order, President Obama highlighted the need for government to share information with the nation's private sector. But sharing also is needed within the private sector, and the DOJ-FTC policy statement provides clearance for that.
In a White House blog post, cybersecurity coordinator Michael Daniel wrote that, "reducing barriers to information sharing is a key element of this Administration's strategy to improve the nation's cybersecurity, and we are aggressively pursuing these efforts through both executive action and legislation."
He praised the policy statement and warned of the risk of doing nothing. "Companies should assess whether the remaining risks they perceive for engaging in legitimate information sharing are greater than those they face for failing to protect their customer data, their intellectual property, and their business operations from the growing cyberthreats to them."
"Today's announcement makes clear that when companies identify a threat, they can share information on that threat with other companies and help thwart an attacker's plans across an entire industry," Daniel said.
Our InformationWeek Elite 100 issue -- our 26th ranking of technology innovators -- shines a spotlight on businesses that are succeeding because of their digital strategies. We take a close at look at the top five companies in this year's ranking and the eight winners of our Business Innovation awards, and offer 20 great ideas that you can use in your company. We also provide a ranked list of our Elite 100 innovators. Read our InformationWeek Elite 100 issue today.
William Jackson is a technology writer based in Washington, D.C. He has been a journalist for more than 35 years, most recently covering the $80 billion federal government IT sector for Government Computer News. His coverage has ranged from architecture to international ... View Full Bio
Security Job #1 For FedsThe 2014 InformationWeek Government IT Priorities Survey shows federal IT pros care about security - itís rated as very important by 69% of respondents, 30 percentage points ahead of the No. 2 priority, disaster recovery. Will the upcoming NIST cyber-security framework help manage risk?
InformationWeek Must Reads Oct. 21, 2014InformationWeek's new Must Reads is a compendium of our best recent coverage of digital strategy. Learn why you should learn to embrace DevOps, how to avoid roadblocks for digital projects, what the five steps to API management are, and more.