The U.S. Department of Justice (DOJ) and Federal Trade Commission (FTC) last week took an important step on cybersecurity by issuing their Antitrust Policy Statement on Sharing of Cybersecurity Information. In their statement, the two agencies clarified they “do not believe U.S. antitrust law is -- or should be -- a roadblock to legitimate cybersecurity information sharing.” ITI welcomes the statement for two reasons.
First, it addresses a real need. ITI has long called on policymakers to address barriers impeding increased cyber threat information sharing—including liability concerns. The objective of sharing cyber threat information is to exchange timely and relevant information that appropriate stakeholders can use to make decisions and take necessary actions, such as stemming losses and protecting systems and customers. It is very challenging to avoid, stop, or minimize cyber intrusions or damage when stakeholders are unaware of them, or become aware too late. Yet entities holding information about cybersecurity threats often decline to voluntarily disclose it, or delay disclosure, for fear that doing so may bring private or government lawsuits or regulatory actions.
We hope and anticipate this DOJ-FTC clarification will enable more entities to provide cyber threat information, even to their competitors. As the FTC explains in its press release, “the legitimate sharing of cyber threat information is very different from the sharing of competitively sensitive information such as current or future prices and output or business plans, which may raise antitrust concerns. Cyber threat information is typically technical in nature and covers a limited type of information, and disseminating that information appears unlikely to raise competitive concerns.” The statement elaborates, “this sharing is virtually always likely to be done in an effort to protect networks and the information stored on these networks, and to deter cyber attacks.” Of course, any cyber threat information sharing must take into account appropriate privacy considerations, a position ITI also has long held.
Second, the DOJ-FTC statement reflects and reinforces one of ITI’s key principles of effective cybersecurity policy: basing policies on risk management. Cybersecurity efforts must facilitate an organization’s ability to properly understand, assess, and take steps to manage ongoing cybersecurity risks in a constantly changing environment.
While the DOJ-FTC statement is a step in the right direction, it addresses only one piece of the information-sharing puzzle. Other liability-related concerns, such as a clarification that cyber threat information sharing cannot be the basis for regulatory action, require congressional action. The administration can go further by continuing to advocate for improvements in cyber threat information sharing from the federal government to industry, as outlined in Section 4 of the February 2013 Cybersecurity Executive Order.
ITI looks forward to continuing to work closely with Congress and the administration to put in place these and other much-needed cybersecurity policies that can not only improve the cybersecurity posture of the United States, but also contribute to greater cybersecurity throughout the shared global digital infrastructure.