On April 10 2014 the Department of Justice (DOJ) and Federal Trade Commission (FTC) issued a joint policy statement on the antitrust implications of sharing cybersecurity information to help facilitate the flow of cyberintelligence throughout the private sector. The statement addresses the long-standing concern that sharing cyberintelligence may violate antitrust law under certain circumstances and explains the analytical framework for such arrangements to make it clear that legitimate cyberintelligence exchanges will not raise antitrust issues.
Intelligence sharing is considered a productive, if not critical, step towards protecting against and responding to cyberattacks. Businesses are increasingly sharing information to help guard against future cyberattacks or even discover existing undetected attacks on their information systems. In today's increasingly complex threat environment, organisations commonly have similar vulnerabilities in their information systems and often face similar threats, due in large part to malware becoming increasingly commodified on the black market. Thanks to a thriving market for hacker toolkits, advanced malicious software is now available to less technically sophisticated criminals, who can easily configure the same malware to attack across different organisations.
As a result of the heightened threat of cyberattacks, the US government has sought to promote cyberintelligence sharing between the private and public sector through both executive action and legislation. For example, several bills have been introduced in the House of Representatives and Senate to help encourage information sharing by, among other things, establishing a clearinghouse for threat information, incidents and recovery actions. Moreover, President Obama signed the Executive Order on Improving Critical Infrastructure Cybersecurity in February 2013, which called for the US government to increase the volume, timeliness and quality of cyberthreat information shared with US private sector entities. Additionally, information-sharing activities have been incorporated into various information security standards and frameworks. For example, the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity, released in February 2014, indicates that entities should have a process in place for receiving information on threats and vulnerabilities from information-sharing forums and sources.
However, information sharing remains a voluntary best practice among security professionals, as no law or regulatory standard has gone so far as to mandate the sharing of threat information with unaffiliated third parties. And although organisations in certain sectors, including financial services, are known to share cyberintelligence with each other through information-sharing and analysis centres (ISACs) and other forums, obstacles still exist to the widespread sharing of threat information across the United States. There are, for example, concerns over the currency and practical utility of some of the threat information being shared. Moreover, for many years concerns have been voiced over the risk that sharing threat information with other businesses might be viewed as an unlawful anti-competitive practice in violation of antitrust laws.
In response to this particular concern over antitrust risks, the DOJ's Antitrust Division and the FTC recently released a joint Antitrust Policy Statement on Sharing of Cybersecurity Information to reduce uncertainty for those who want to share information on cyberattacks. By explaining how their analytical framework applies to information sharing, the agencies sought to "make it clear that they do not believe that antitrust is – or should be – a roadblock to legitimate cybersecurity information sharing".
In examining information exchanges, the agencies review the nature, business purpose and likely competitive effect of an agreement. The agencies' primary concern is with the sharing of any competitively sensitive information – such as price, cost or output information – that may facilitate price or output coordination and undermine competition among competitors. Although some agreements – such as those fixing prices or outputs, rigging bids or dividing markets among competitors – will almost always be illegal, the central question for most information-sharing agreements is "whether the relevant agreement likely harms competition by increasing the ability or incentive profitably to raise prices above or reduce output, quality, service or innovation below what would likely prevail in the absence of the relevant agreement".
The agencies' recent joint statement applies this framework to cybersecurity threat information exchanges to establish that "properly designed sharing of cyber threat information should not raise antitrust concerns". When evaluating the antitrust risks of sharing cyber-intelligence, businesses should take into account the three main factors that the agencies relied on in coming to their conclusion:
- Cyberthreat information sharing can improve efficiency and help to secure the United States' networks of information and resources – because companies are almost always likely to share information "in an effort to protect networks... and to deter cyberattacks" rather than to conspire or harm competition, the agencies will "consider the valuable purpose behind the exchange of information".
- Cyberthreat information is typically very technical in nature – the agencies note that the "nature of the information being shared is very important to the analysis". Because cybersecurity information such as threat signatures, indicators and IP addresses is highly technical, "sharing of this type of information is very different from the sharing of competitively sensitive information such as current or future prices and output or business plans".
- Cyberthreat information exchanges are unlikely to harm competition – as noted above, "cyber threat information covers a limited category of information". Because of this, disseminating cyberthreat information is "unlikely in the abstract to increase the ability or incentive of participants to raise price or reduce output, quality, service, or innovation".
This analysis mirrors the guidance provided by the DOJ in a business review letter to the Electric Power Research Institute (EPRI) in October 2000. The EPRI had developed an enterprise infrastructure security programme to help exchange industry best practices for cybersecurity programmes, as well as information related to specific cybersecurity vulnerabilities. The EPRI also adopted a number of measures to prevent any anti-competitive effects, including:
- ensuring that all information exchanged related directly to physical and cybersecurity;
- prohibiting the discussion of specific prices for cybersecurity equipment and systems;
- prohibiting the exchange of company-specific competitively sensitive information;
- prohibiting the use of the programme as a conduit for discussions by vendors, manufacturers and security providers with respect to any exchange participants; and
- ensuring that neither the EPRI nor any participant recommended the products or systems of any particular manufacturer or vendor.
As in the agencies' recent joint statement, the DOJ in 2000 noted that the information exchange appeared to pose no threats to competition and could "result in more efficient means of reducing cyber-security costs" and lead to savings for consumers, which "could be procompetitive in effect".
Thus, companies that share technical cybersecurity information such as indicators, threat signatures and security practices, and that avoid sharing competitively sensitive information such as business plans, prices or output, have ample assurance from the relevant agencies in the United States that they should not fall foul of the antitrust laws. Nevertheless, businesses should still conduct a fact-driven analysis of their information-sharing policies and procedures based on the agencies' 2014 guidance in order to ensure that they are sharing cyberthreat information in accordance with antitrust law.
For further information on this topic please contact Joseph G Krauss, Harriet Pearson, Janet McDavid and Christopher Wolf at Hogan Lovells US LLP by telephone (+1 202 637 5600), fax (+1 202 637 5910) or email (firstname.lastname@example.org, email@example.com, firstname.lastname@example.org or email@example.com). The Hogan Lovells website can be accessed at www.hoganlovells.com.