The Department of Justice and the Federal Trade Commission have issued joint guidance on the sharing of cyberthreat information among private entities suggesting it is "not likely" to raise antitrust concerns and can help secure networks and infrastructure.
The policy statement on cybersecurity and antitrust is the first since 2000, when DOJ's antitrust division signaled it had no intention of initiating an enforcement action against the Electric Power Research Institute for a proposal "to exchange certain cybersecurity information, including exchanging actual real-time cyber threat and attack information."
DOJ and the FTC point out that sharing is already taking place as the cybersecurity threat has increased, but that some private parties are hesitant to share for fear of running afoul of antitrust laws.
The President issued an executive order last year on government sharing of cyberthreat info with industry, but could not achieve private party exchanges via fiat. But Justice and FTC can offer some guidance about what they would not be suing over.
"Some private entities may be hesitant to share cyber threat information with each other, especially competitors, because they have been counseled that sharing of information among competitors may raise antitrust concerns," the policy advisory advises. "The Agencies do not believe that antitrust is – or should be – a roadblock to legitimate cybersecurity information sharing. While it is true that certain information sharing agreements among competitors can raise competitive concerns, sharing of the cyber threat information....[P]roperly designed sharing of cyber threat information should not raise antitrust concerns."
"Some companies have told us that concerns about antitrust liability has been a barrier to being able to openly share cyber threat information with each other," said deputy attorney general James Cole of the new advisory. "We have heard you. And speaking on behalf of everyone here today, this guidance responds to those concerns, lets everyone know that antitrust concerns should not get in the way of sharing cybersecurity information, and signals our continued commitment to expanding the sharing of cybersecurity information."