Feds OK Businesses to Share Cyberthreat Info
Policy Statement Seeks to Lift Barrier to Information Sharing
The Obama administration has issued a policy statement that says businesses sharing cyberthreat information with one another are not violating antitrust laws.
"Antitrust laws do not stand in the way of legitimate sharing of cybersecurity threat information," FTC Chairwoman Edith Ramirez says in a statement announcing the policy jointly issued by the Federal Trade Commission and Justice Department on April 10.
The policy statement aims to ease concerns among businesses that they could be sued for violating antitrust laws if they share cyberthreat information with each other.
White House Cybersecurity Coordinator Michael Daniel, writing in a White House blog, says many companies already share cyberthreat information with one another and that does not lead to anti-competitive practices. He says the FTC and DoJ guidance clarifies "that cybersecurity information can be shared with competitors without violating antitrust law - long a perceived barrier to effective cybersecurity."
To make his point, Daniel cites the distributed denial of service attacks that targeted the websites of many American banks over the past few years, when the Financial Services Information Sharing and Analysis Center brought banks together to exchange cyberthreat information with each other and with the government (see Information Sharing: A Turning Point).
The new policy reinforces a 2000 Justice Department analysis involving the Electric Power Research Institute, which concluded that as long as the information exchanged was limited to physical and cybersecurity issues, those communications didn't present any threat to competition. The legal analysis in that matter remains current, an FTC and DoJ policy says.
But the new policy and assurances from Daniel and Ramirez won't necessarily placate some businesses. "Companies are looking for complete immunity from the government to share threat information," says Jacob Olcott, a principal at the security consultancy Good Harbor Consulting and former senior staffer on the Senate Commerce Committee. "Only Congress can grant that immunity. DOJ's announcement is important, but companies are still concerned about the liability issue, which will continue to hinder threat info sharing until blanket immunity exists."
In the past two Congresses, the House of Representatives passed bipartisan information sharing legislation, but the Senate has never considered the two bills, and the White House has threatened presidential vetoes (see White House Threatens CISPA Veto, Again). Among the administration's concerns with the Cyber Intelligence Sharing and Protection Act is that the liability protections the bill affords companies for sharing cyberthreat information are too broad. CISPA's opponents are concerned that the bill could allow businesses to collude on matters unrelated to cybersecurity but use the guise of cyberthreats to shield them from antitrust lawsuits.
That attitude irritates Republican Sen. Tom Coburn of Oklahoma, who at a Senate hearing last month (see Why Congress Can't Pass Cyber Law) said he envisions a situation where two Internet service providers are sharing cyberthreat information when a Justice Department antitrust division lawyer says, "'Hey, wait a minute, you have to prove that was necessary for cybersecurity rather than you guys colluding to keep somebody out.'
"The ISPs are talking back and forth without immunity because it's the best thing to do for the country to protect us. And yet, what we're finding is resistance here to give them that kind of broad legal liability [protection] because we don't trust them to do what's best for the country as a whole and we think that they're always self-centered; they're only going to do what's good for them and we've already seen in the cyber-arena that ain't true."
The issuance of the policy statement isn't the first time the Obama administration has used tools in its arsenal to advance its cybersecurity agenda when it couldn't get Congress to go along. In February, the administration issued the cybersecurity framework, a package of IT security best practices for critical infrastructure operators (see The Evolving Cybersecurity Framework), after Congress balked at legislating such guidance.
And, in a recent interview with Information Security Media Group, Daniel said the Obama administration might develop a set of voluntary best practices along the lines of the cybersecurity framework if Congress fails to enact a national data breach notification law.
"We can use our convening power, like we have with [the cybersecurity framework], to talk about how we want voluntary standards to be in this space," said Daniel, a special assistant to the president (see Top Obama Adviser Speaks Mind on Cyberthreats). "There is certain space for us to make some progress in there without necessarily getting all the way to legislation."
Still, Daniel says the administration wants to work with Congress to enact information sharing legislation. "While the administration works to expand the sharing of cybersecurity information through executive action, we will work with Congress to carefully update laws to further facilitate cybersecurity information sharing while preserving the rights of individuals," he says.
Senate Commerce Committee Chairman Jay Rockefeller, D-W.Va., laments that Congress has failed to enact information sharing legislation. "Today's announcement ... should give the business community confidence that they will not face potential liability for sharing cyber threat information," Rockefeller says in a statement. "I am disappointed that Congress has still not acted to promote information sharing through legislation, but congratulate the Obama administration for taking action to address this important issue."
Rep. Mike Rogers, the Michigan Republican who sponsored CISPA, did not immediately respond to requests for a comment on the new information sharing policy.
According to the FTC, the new policy emphasizes that the legitimate sharing of cyberthreat information is very different from the sharing of competitively sensitive information such as current or future prices or business plans, which may raise antitrust concerns. The policy statement says cyberthreat information is typically technical in nature and covers a limited type of information, and disseminating that information appears unlikely to raise competitive concerns.