By Gina Chon in Washington
Companies that declined to share cyber threat information with each other out of fear of violating antitrust laws no longer have to worry, the Department of Justice and the Federal Trade Commission said on Thursday.
The US agencies issued a policy statement making clear that sharing that kind of information to mitigate or prevent cyber attacks would not raise anti-competitive concerns by government officials, as long as it was properly handled.
The agencies acknowledged that worries about violating antitrust laws was a barrier to information sharing, just as cyber attacks are becoming more sophisticated and affecting a wider population.
The Department of Homeland Security this week warned businesses about a new bug called “Heartbleed,” which has affected many web sites and exposes user names, passwords and credit card information. During the last holiday shopping season, customers of Target were victims of a data breach of credit card numbers and other information affecting 70m customers.
The policy statement recognises that sharing cyber threat information differs from exchanging competitive information such as current or future prices, output or business plans, which could raise antitrust concerns. If companies are unclear whether a move addressing cyber threats qualifies, they can request guidance from DoJ or the FTC.
“This is an antitrust no brainer,” said Bill Baer, a DoJ official. “This is something companies can do and should do. It’s actually very good public policy.”
Mr Baer spoke at a press conference that was also attended by deputy attorney-general James Cole, White House senior adviser Rand Beers and Edith Ramirez, FTC chair. It remains to be seen whether the policy statement will be enough to address private sector concerns about potential antitrust violations.
“This is an antitrust no brainer. [It] is something companies can do and should do.”
– Bill Baer – Justice Department official
The agencies said cyber threat information was usually technical and covered a limited type of information. For example, sharing a signature that identified a virus for a previously unknown threat would help the recipient prevent, detect or contain an attack. Therefore, sharing that knowledge appears unlikely to raise competitive concerns.
Mr Cole, who said he met with companies in San Francisco, Chicago and other cities to hear their concerns, said Congress still needed to pass cyber security legislation, which has stalled and also failed to pass in 2012.
He said that kind of proposal would make it easier for the government and private parties to share information, create national rules for reporting data breaches and increase penalties for perpetrators.
Senate judiciary committee chairman Patrick Leahy, a Democrat, praised the policy statement by the DoJ and FTC, and said Congress must do its part. “Developing a comprehensive national cyber security strategy is one of the most serious and unmet needs confronting the nation today,” he said.
The DoJ last provided an antitrust analysis of cyber threat information in 2000 at the request of the Electric Power Research Institute. At that time, the DoJ said it had no intention of taking enforcement actions against company proposals to exchange certain cyber security information, including real-time threat information, as long as it was limited to physical and cyber security issues.
The agency said that legal analysis remained current.