On April 10, 2014, U.S. Department of Justice Deputy Attorney General James Cole and Federal Trade Commission Chair Edith Ramirez announced a joint DOJ and FTC antitrust policy statement on the sharing of cybersecurity information (“Policy Statement”). The Policy Statement, as well as their remarks, emphasize the seriousness of the cybersecurity challenge and the need to improve cybersecurity information sharing. It is another example of the Obama Administration’s efforts to encourage the sharing of information about cybersecurity threats and vulnerabilities.
The Administration’s 2011 omnibus cybersecurity legislative proposal included robust provisions designed to encourage information sharing between private entities and between private entities and the government. The Obama Administration’s 2013 Executive Order on Improving Critical Infrastructure Cybersecurity required certain agencies to share classified and unclassified cyber threat information with targeted companies. And, the Department of Homeland Security and the Federal Bureau of Investigation are rapidly expanding programs designed to facilitate the bi-directional sharing of technical cybersecurity information between the government and the private sector. With this Policy Statement, the Administration is attempting to remove an issue that has hindered private-private cybersecurity information sharing.
The Policy Statement points to guidance that the DOJ issued in 2000 to the Electric Power Research Institute (“EPRI”) stating that it had no intention of initiating an enforcement action against EPRI regarding its program to exchange cyber threat and attack information. Although that guidance is over ten years old, it remains the agencies’ current analysis. The Policy Statement highlights three main points:
- the sharing of cyber threat information can improve efficiency and network security, thereby serving a valuable purpose;
- the information shared is typically technical in nature. It generally does not involve competitively sensitive information, such as current or future prices; and
- the exchange of cyber threat information is limited in scope and unlikely to harm competition.
Accordingly, the two agencies conclude that the “properly designed sharing of cyber threat information should not raise antitrust concerns.”