FTC's Edith Ramirez: Sharing cyber threats info doesn't violate antitrust laws.

The Obama administration has issued a policy statement that says businesses sharing cyberthreat information with one another aren't violating antitrust laws.

"Antitrust laws do not stand in the way of legitimate sharing of cybersecurity threat information," FTC Chairwoman Edith Ramirez says in a statement announcing the policy jointly issued by the Federal Trade Commission and Justice Department on April 10.

The policy statement is aimed to ease concerns among businesses that they could be sued for violating antitrust laws if they share cyberthreat information with each other.

White House Cybersecurity Coordinator Michael Daniel, writing in a White House blog, says many companies already share cyberthreat information with one another and that does not lead to anti-competitive practices. He says the FTC and DoJ guidance clarifies "that cybersecurity information can be shared with competitors without violating antitrust law - long a perceived barrier to effective cybersecurity."

To make his point, Daniel cites the distributed denial of service attacks that targeted the websites of many American banks over the past few years, when the Financial Services Information Sharing and Analysis Center brought banks together to exchange cyberthreat information with each other and with the government (see Information Sharing: A Turning Point).

The new policy reinforces a 2000 Justice Department analysis involving the Electric Power Research Institute, which concluded that as long as the information exchanged was limited to physical and cybersecurity issues, those communications didn't present any threat to competition. The legal analysis in that matter remains current, an FTC and DoJ policy says.

Mollifying Businesses

But the new policy and assurances from Daniel and Ramirez won't necessarily placate some businesses. "Companies are looking for complete immunity from the government to share threat information," says Jacob Olcott, a principal at the security consultancy Good Harbor Consulting and former senior staffer on the Senate Commerce Committee. "Only Congress can grant that immunity. DOJ's announcement is important, but companies are still concerned about the liability issue, which will continue to hinder threat info sharing until blanket immunity exists."

In the past two Congresses, the House of Representatives passed bipartisan information sharing legislation, but the Senate has never considered the two bills and the White House has threatened presidential vetoes (see White House Threatens CISPA Veto, Again). Among the administration's concerns with the Cyber Intelligence Sharing and Protection Act is that the liability protections the bill affords companies for sharing cyberthreat information are too broad. CISPA's opponents are concerned that the bill could allow businesses to collude on matters unrelated to cybersecurity but use that guise of cyberthreats to shield them from antitrust lawsuits.

That attitude irritates Republican Sen. Tom Coburn of Oklahoma, who at a Senate hearing last month (see Why Congress Can't Pass Cyber Law), said he envisions a situation where two Internet service providers are sharing cyberthreat information when a Justice Department antitrust division lawyers says, "'Hey, wait a minute, you have to prove that was necessary for cybersecurity rather than you guys colluding to keep somebody out.'

"The ISPs are talking back and forth without immunity because it's the best thing to do for the country to protect us. And yet, what we're finding is resistance here to give them that kind of broad legal liability [protection] because we don't trust them to do what's best for the country as a whole and we think that they're always self-centered; they're only going to do what's good for them and we've already seen in the cyber-arena that ain't true."

Bypassing Congress