On April 10, Deputy Attorney General James Cole, White House senior adviser Rand Beers, the head of the U.S. Department of Justice Antitrust Division and the chairwoman of the Federal Trade Commission announced the release of the antitrust agencies’ “Antitrust Policy Statement on Sharing of Cybersecurity Information.” This statement — consistent with prior DOJ guidance — makes clear that the FTC and DOJ do not view the antitrust laws as a barrier to sharing cybersecurity information, even among competitors.
The sharing of operational information is a critical element in the fight against cyberthreats. Every day, government agencies and private companies face a wide variety of cyberattacks, including hacking efforts to circumvent logical security mechanisms, exploitation based on weak or stolen credentials, malicious software in the form of spyware, keyloggers, RAM scrapers, and backdoors, strategic Web compromises such as watering holes, and social engineering in the form of phishing and SMishing, to name just a few.
Threat actors constantly change their tactics in order to circumvent the efforts of network defense professionals, frequently targeting large numbers of entities in search of vulnerabilities that they can exploit. In this environment, the sharing of current intelligence about cyberthreats and vulnerabilities between private entities and between the government and the private sector is essential.
Information security professionals rely on timely cybersecurity information to keep up with the current attack vectors of hostile nation-states, hacktivists, criminal organizations and terrorists. Through robust information-sharing about the latest IP addresses, URLs, email addresses, malware, social engineering schemes and other tools or tactics in use by hackers, network security professionals significantly increase their ability to block or mitigate the effects of a cyberattack.
The administration recognizes the importance of sharing information about cyberthreats and vulnerabilities. The president’s 2013 “Executive Order on Improving Critical Infrastructure” requires certain agencies to share classified and unclassified cyberthreat information with targeted companies. And, the U.S. Department of Homeland Security, the Federal Bureau of Investigation and the U.S. Department of Energy are rapidly expanding programs designed to facilitate the bidirectional sharing of technical cybersecurity information between the government and the private sector.
However, concerns about possible reputational harm, litigation or regulatory action have hindered effective information-sharing. These concerns take a variety of forms but antitrust risk has proven to be a significant issue. In a testament to the ubiquity (and, arguably, success) of antitrust compliance efforts, companies have been reluctant to share cyberthreat information with their competitors out of fear of the consequences of violating the antitrust laws. Having been well counseled by their lawyers about the substantial criminal and civil penalties resulting from antitrust violations, companies have expressed concern about engaging in activities that appear to run contrary to that guidance, even in furtherance of the laudable and shared goal of protecting the nation’s information technology infrastructure.
Congress has attempted to address these concerns through legislation intended to remove perceived statutory obstacles to information-sharing. For example, the Cyber Intelligence Sharing and Protection Act of 2013, the National Cybersecurity and Critical Infrastructure Protection Act of 2013 and the Cybersecurity Act of 2012 all would authorize private entities to share cyberthreat information with other private entities and with the government “notwithstanding any other provision of law.” This provision would effectively address companies’ antitrust concerns, but it does not appear likely that cybersecurity legislation will become law any time soon. In this context, the “Antitrust Policy Statement on Sharing of Cybersecurity Information” is significant. It responds to industry’s concerns by clearly establishing that properly designed and executed cyberthreat information-sharing does not raise antitrust concerns.
The analysis underlying the policy statement is not new. The antitrust agencies have long recognized that information-sharing can be necessary to achieve pro-competitive benefits and economic efficiencies in a variety of contexts. For that reason, the antitrust agencies have interpreted the antitrust laws as permitting such sharing if it is unlikely to lead to competitive harm.
Information-sharing activities generally are analyzed under the flexible rule of reason standard, which considers the overall effect of an agreement. This approach considers the business purpose of an agreement and the type of information shared. Certain information exchanges, such as those involving price, output, costs or future plans, are more likely to raise competition concerns than sharing less competitively sensitive information.
Consistent with this standard, the “Antitrust Policy Statement on Sharing of Cybersecurity Information” acknowledges that as a general matter the sharing of cyberthreat information has the valuable purpose of protecting IT networks, and it involves only a narrow category of information. In addition, the policy statement cites guidance, now more than a decade old, in which the DOJ concluded that information-sharing in the context of cybersecurity threats was appropriate in certain circumstances.
In 2000, the Electric Power Research Institute (EPRI) requested that the Antitrust Division issue a business review letter that would provide EPRI with the DOJ’s enforcement intent with respect to EPRI’s proposed Enterprise Infrastructure Program (the “EIS Program”) — a collaborative effort among energy industry participants designed to respond to cybersecurity threats.
A primary component of the EIS Program was facilitating information exchanges among competing electric power, natural gas and petrochemical companies. This included the sharing of: (1) energy industry-specific “best practices” for cybersecurity programs; (2) information relating to cybersecurity vulnerabilities in operating equipment, electronic information and communications systems; (3) real-time reporting and analysis of cyberthreats and attacks; and (4) potentially, desired electronic security requirements and features in the form of commonly accepted functional security specifications for future equipment and systems.
The Antitrust Division responded favorably to the EPRI proposal, concluding that the information exchange would not restrict competition. Relevant to the analysis were certain measures that lessened the possibility that the proposed information exchange would have anti-competitive effects, including:
- Open membership for industry members;
- Limiting information exchanged to physical and cybersecurity information;
- Avoiding discussion about specific prices for equipment, electronic information or communications systems and company-specific, competitively sensitive information (i.e., prices, capacity, future plans);
- Not recommending any manufacturer’s products or systems; and
- Not allowing the EIS Program to serve as a conduit for discussions or negotiations between or among vendors, manufacturers or security service providers.
Earlier this year Antitrust Division Deputy Assistant Attorney General Renata Hesse cited this guidance favorably in a published speech delivered at Stanford. The additional release of the policy statement makes clear that the EPRI business review both reflects antitrust agencies’ view of cybersecurity information exchanges and is applicable to other industries as well.
Of course, the policy statement is not a free pass for companies to engage in unlawful information-sharing. Whether or not any particular cybersecurity information-sharing program violates the antitrust laws will continue to depend on the specifics of the collaboration, and companies should always have antitrust safeguards in place. However, as Assistant Attorney General Bill Baer stated last week, “This is an antitrust no-brainer … . [A]s long as companies don’t discuss competitive information such as pricing and output when they are sharing cybersecurity information, they’re ok.”