On April 10, 2014, the Department of Justice (“DOJ”) and Federal Trade Commission (“FTC”) issued a joint policy statement on the antitrust implications of sharing cybersecurity information to help facilitate the flow of cyberintelligence throughout the private sector. The statement addresses the long-standing concern that sharing cyberintelligence may violate antitrust law under certain circumstances and explains the analytical framework for such arrangements to make it clear that legitimate cyberintelligence exchanges will not raise antitrust issues.
Intelligence sharing is considered a productive, if not critical, step towards protecting against and responding to cyberattacks. Businesses are increasingly sharing information with each other to help guard against future cyberattacks or even discover existing undetected attacks on their information systems. In today’s increasingly complex threat environment, organizations commonly have similar vulnerabilities in their information systems and often face similar threats due in large part to malware becoming increasingly commodified on black markets. Thanks to a thriving market for hacker toolkits, advanced malicious software is now available to less technically sophisticated criminals, who can easily configure the same malware to attack across different organizations.
As a result of the heightened threat of cyberattacks, the U.S. government has sought to promote cyberintelligence sharing between the private and public sector through both executive action and legislation. For example, several bills (including this one) have been introduced in the House and Senate to help encourage information sharing by, amongst other things, establishing a clearinghouse for threat information, incidents, and recovery actions. Moreover, President Obama signed the Executive Order on Improving Critical Infrastructure Cybersecurity in February 2013, which called for the U.S. government to increase the volume, timeliness, and quality of cyber threat information shared with U.S. private sector entities. Additionally, information sharing activities have been incorporated into various information security standards and frameworks. For example, the NIST “Framework for Improving Critical Infrastructure Cybersecurity,” released in February 2014, indicates that entities should have a process in place for receiving information on threats and vulnerabilities from information sharing forums and sources.
However, information sharing remains a voluntary best practice amongst security professionals, as no law or regulatory standard has gone so far as to mandate the sharing of threat information with unaffiliated third parties. And although organizations in certain sectors, such as financial services, are known to actively share cyberintelligence with each other through Information Sharing and Analysis Centers (ISACs) and other fora, obstacles still exist to the widespread sharing of threat information across the United States. There are, for example, concerns over the currency and practical utility of some of the threat information being shared. Moreover, for many years concerns have been voiced over the risk that sharing threat information with other businesses might be viewed as an unlawful anticompetitive practice in violation of antitrust laws.
In response to this particular concern over antitrust risks, the DOJ’s Antitrust Division and the FTC (collectively, the “Agencies”) recently released a joint “Antitrust Policy Statement on Sharing of Cybersecurity Information” to reduce uncertainty for those who want to share information on cyberattacks. By explaining how their analytical framework applies to information sharing, the Agencies sought to “make it clear that they do not believe that antitrust is—or should be—a roadblock to legitimate cybersecurity information sharing.”
In examining information exchanges, the Agencies review the nature, business purpose, and likely competitive effect of an agreement. The Agencies’ primary concern is with the sharing of any competitively sensitive information—such as price, cost, or output information—that may facilitate price or output coordination and undermine competition among competitors. Although some agreements—such as those fixing prices or outputs, rigging bids, or dividing markets among competitors—will almost always be illegal, the central question for most information sharing agreements is “whether the relevant agreement likely harms competition by increasing the ability or incentive profitably to raise prices above or reduce output, quality, service, or innovation below what likely would prevail in the absence of the relevant agreement.”
The Agencies’ recent joint statement applies this framework to cybersecurity threat information exchanges to establish that “properly designed sharing of cyber threat information should not raise antitrust concerns.” When evaluating the antitrust risks of sharing cyberintelligence, businesses should take into account the three main factors that the Agencies relied upon in coming to their conclusion:
- Cyber threat information sharing can improve efficiency and help secure our nation’s networks of information and resources. Because companies are almost always likely to share information “in an effort to protect networks . . . and to deter cyberattacks” rather than conspire or harm competition, the Agencies will “consider the valuable purpose behind the exchange of information.”
- Cyber threat information typically is very technical in nature. The Agencies note that the “nature of the information being shared is very important to the analysis.” Because cybersecurity information such as threat signatures, indicators, and IP addresses is highly technical, “sharing of this type of information is very different from the sharing of competitively sensitive information such as current or future prices and output or business plans.”
- Cyber threat information exchanges are unlikely to harm competition. As noted above, “cyber threat information covers a limited category of information.” Because of this, disseminating cyber threat information is “unlikely in the abstract to increase the ability or incentive of participants to raise price or reduce output, quality, service, or innovation.”
This analysis mirrors the guidance provided by the DOJ in a business review letter to the Electric Power Research Institute (EPRI) in October 2000.
The EPRI had developed an Enterprise Infrastructure Security (EIS) program to help exchange industry best practices for cybersecurity programs as well as information related to specific cybersecurity vulnerabilities. The EPRI also adopted a number of measures to prevent any anticompetitive effects, including 1) ensuring all information exchanged related directly to physical and cybersecurity; 2) prohibiting the discussion of specific prices for cybersecurity equipment and systems; 3) prohibiting the exchange of company-specific competitively sensitive information; 4) prohibiting the use of the program as a conduit for discussions by vendors, manufacturers, and security providers with respect to any exchange participants; and 5) ensuring neither the EPRI nor any participant recommended the products or systems of any particular manufacturer or vendor. As in the Agencies’ recent joint statement, the DOJ in 2000 noted that the information exchange did not appear to pose any threats to competition and, indeed, could “result in more efficient means of reducing cyber-security costs” and lead to savings for consumers, which “could be procompetitive in effect.”
Thus, companies that share technical cybersecurity information such as indicators, threat signatures, and security practices, and avoid sharing competitively sensitive information such as business plans, prices, or output, have ample assurance from the relevant agencies in the United States that they should not run afoul of the antitrust laws. Nevertheless, businesses should still conduct a fact-driven analysis of their information sharing policies and procedures based on the Agencies’ 2014 guidance in order to ensure that they are sharing cyberthreat information in accordance with antitrust law.