Tuesday, April 15, 2014

Sharing Cyber Threat Info is Unlikely to Raise Antitrust Concerns, Says Agencies' Announcement Apr 11, 2014

By Megan Gates
Antitrust concerns are not raised when companies share cyberthreat information with each other, said the Department of Justice (DOJ) and the Federal Trade Commission (FTC) in a joint statement that was issued yesterday. The two agencies released the statement to make it clear to private entities that they “do not believe that antitrust is—or should be—a roadblock to legitimate cybersecurity information sharing.”
Previously, some private entities have been hesitant to share cyberthreat information with one another because they had been counseled that sharing that information may raise antitrust concerns. However, the DOJ and FTC disagreed with this counsel.
“While it is true that certain information sharing agreements among competitors can raise competitive concerns, sharing of the cyber threat information…is highly unlikely to lead to a reduction in competition and consequently, would not be likely to raise antitrust concerns,” the statement said.
Instead, the two agencies are encouraging private companies to work together to defend against cyberattacks by sharing technical cyberthreat information, such as threat signatures, indicators, and alerts. The agencies consider this information “technical in nature and very different from the sharing of competitively sensitive information, such as current or future prices and output or business plans,” according to the statement.
By encouraging companies to share cyberthreat information, they can take steps to identify attacks and prevent them, such as identifying malware through signature detection. “Sharing a signature for a previously unknown threat will enable the recipient to take action to prevent, detect, or contain an attack,” the statement said. “Similarly, knowing the source IP address or target port of a Denial of Service (DOS) attack may enable one to take protective measures against such an attack by blocking illegitimate traffic.”
In turn, this kind of information sharing would help improve efficiency and secure U.S. networks of information and resources. Currently, some private-to-private cyberthreat information sharing is taking place, booth informally and through formal exchanges or agreements—like sector-specific Information Sharing Analysis Centers (ISACs). These centers have been established to advance the physical and cybersecurity of critical infrastructures and provide numerous benefits, including increased security, availability, integrity, and efficiency of information systems, the statement said.
This type of information sharing would not be considered in violation of antitrust laws as “it appears that this sharing is virtually always likely to be done in an effort to protect networks and the information stored on those networks, and to deter cyberattacks,” according to an analysis done by the agencies.
The U.S. Chamber of Commerce considered the agencies’ statement “encouraging” and a “positive step forward in strengthening the cybersecurity of U.S. businesses’ networks and systems,” according to a blog post on the organization’s Web site.
The guidance that sharing cyber threat information is not an antitrust roadblock “comes at a helpful time, as many organizations are assessing ways to use the Cybersecurity Framework,” the chamber said, referencing the framework released by the National Institute of Standards and Technology earlier this year. “The DOJ and FTC guidance should encourage more businesses to voluntarily exchange valuable threat data with appropriate industry peers.”
www.securitymanagement.com

No comments:

Post a Comment