Feds Address Antitrust Concerns On Cyberthreat Sharing - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Government // Cybersecurity

Feds Address Antitrust Concerns On Cyberthreat Sharing

Justice Dept. and FTC confirm that sharing cybersecurity threat information is not an antitrust law violation.

The Justice Department and the Federal Trade Commission are trying to allay private-sector fears that sharing cyberthreat information could be seen as a violation of antitrust laws.

In an important signal to private enterprises, on Thursday the DOJ Antitrust Division and the FTC released a joint policy statement to "make it clear that they do not believe that antitrust is -- or should be -- a roadblock to legitimate cybersecurity information sharing."

Sharing technical cyberthreat information is fundamentally different from sharing competitively sensitive information, the agencies explained. The policy statement covers different types of sharing, structured and unstructured, person-to-person, automated or hybrid. Information can include incident or threat reports, threat indicators, threat signatures, and alerts.

[Easing industry's concerns for sharing cyberthreat information may also speed adoption of White House guidelines for protecting critical infrastructure. Read more: Feds Launch Cyber Security Guidelines For US Infrastructure Providers.]

The policy statement does not change anything; sharing that does not have a negative impact on competition already is allowed under the FTC's Competitor Collaboration Guidelines and the agencies have never considered sharing of security information a violation.

The policy statement says that sharing this type of technical information is allowed and encouraged in any industry sector. "It remains the agencies' current analysis that properly designed sharing of cybersecurity threat information is not likely to raise antitrust concerns," it said.

White House cybersecurity coordinator Michael Daniel
White House cybersecurity coordinator Michael Daniel

Increased threat-information sharing has long been seen as necessary to improving the nation's cybersecurity. Despite this, actually sharing such information has remained challenging. Government agencies with access to details about cyberthreats are often reluctant to share those details with industry because of the sensitive nature of the intelligence; and industry executives are reluctant to share with government because of concerns about liability and exposure of confidential information. Concerns about antitrust laws have stymied cooperation among companies.

This does not mean that information sharing is not happening. A number of "trust networks" have been established, and a number of industry sector Information and Sharing and Analysis Centers serve as vehicles for collaboration.

But many organizations still are cautious and, in the absence of legislation specifically enabling cooperation, the administration is promoting sharing through executive action. In a February 2013 executive order, President Obama highlighted the need for government to share information with the nation's private sector. But sharing also is needed within the private sector, and the DOJ-FTC policy statement provides clearance for that.

In a White House blog post, cybersecurity coordinator Michael Daniel wrote that, "reducing barriers to information sharing is a key element of this Administration's strategy to improve the nation's cybersecurity, and we are aggressively pursuing these efforts through both executive action and legislation."

He praised the policy statement and warned of the risk of doing nothing. "Companies should assess whether the remaining risks they perceive for engaging in legitimate information sharing are greater than those they face for failing to protect their customer data, their intellectual property, and their business operations from the growing cyberthreats to them."

"Today's announcement makes clear that when companies identify a threat, they can share information on that threat with other companies and help thwart an attacker's plans across an entire industry," Daniel said.

Our InformationWeek Elite 100 issue -- our 26th ranking of technology innovators -- shines a spotlight on businesses that are succeeding because of their digital strategies. We take a close at look at the top five companies in this year's ranking and the eight winners of our Business Innovation awards, and offer 20 great ideas that you can use in your company. We also provide a ranked list of our Elite 100 innovators. Read our InformationWeek Elite 100 issue today.

William Jackson is writer with the <a href="http://www.techwritersbureau.com" target="_blank">Tech Writers Bureau</A>, with more than 35 years' experience reporting for daily, business and technical publications, including two decades covering information ... View Full Bio

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Randy Naramore
Randy Naramore,
User Rank: Apprentice
4/14/2014 | 9:27:30 AM
Re: Cybersec information sharing
Information sharing will come from vendors that companies have relationships with but also joining various groups will help to get valuable information to the people who can use it. One such group is  "Infragrad" (https://www.infragard.org), joint partnership between FBI and companies. 
Lorna Garey
Lorna Garey,
User Rank: Author
4/11/2014 | 3:04:10 PM
Re: Cybersec information sharing
The fault for a lack of sharing, IMO, lies squarely with security vendors' marketing teams that see knowledge of a threat as a competitive advantage. The practioners I know would love to be able to get together with peers in a secure way periodically to discuss what they see happening in the wild. It's the suits gumming up the works.
Bill Jackson
Bill Jackson,
User Rank: Apprentice
4/11/2014 | 2:47:16 PM
Cybersec information sharing
It will be interesting to see if the corporate lawyers who have been urging caution in sharing threat information take this policy statement to heart and encourage information sharing agreements.
How to Create a Successful AI Program
Jessica Davis, Senior Editor, Enterprise Apps,  10/14/2020
Think Like a Chief Innovation Officer and Get Work Done
Joao-Pierre S. Ruth, Senior Writer,  10/13/2020
10 Trends Accelerating Edge Computing
Cynthia Harvey, Freelance Journalist, InformationWeek,  10/8/2020
White Papers
Register for InformationWeek Newsletters
Current Issue
[Special Report] Edge Computing: An IT Platform for the New Enterprise
Edge computing is poised to make a major splash within the next generation of corporate IT architectures. Here's what you need to know!
Flash Poll