Cybersecurity & Antitrust

Recently the United States federal antitrust enforcement agencies — the Federal Trade Commission and the Justice Department’s Antitrust Division — issued a joint policy statement designed to “make it clear that they do not believe that antitrust is, or should be, a roadblock to legitimate cybersecurity information sharing.” The release made headlines globally, but the real story is that the risk of antitrust exposure for exchange of cyber risk information, even among direct competitors, was and remains almost non-existent.

That is because the U.S. antitrust laws (principally Section 1 of the Sherman Act) prohibit horizontal conspiracies and agreements among rivals, like price fixing, that harm competition. In some areas, information exchange can be competitively problematic, for instance where firms share non-public bidding or price data, or M&A transactions where the deal parties “gun jump” by acting as if they were already merged instead of continuing to compete independently. Yet as the policy statement confirmed, “cyber threat information typically is very technical in nature and very different from the sharing of competitively sensitive information such as current or future prices and output or business plans” and is thus “highly unlikely to lead to a reduction in competition.”

That’s hardly new. More than a decade ago DOJ said exactly the same thing in approving a proposal for cybersecurity information sharing in the electric industry, and Antitrust Division chief Bill Baer called the 2014 reaffirmation “an antitrust non-brainer.” But perceptions can have consequences, and some had voiced the fear that the exchange of IT security information among competitors could present a slippery slope, a forum for the kind of hard-core anticompetitive agreements the government loves to prosecute. At least that is what the White House, which called antitrust law “long a perceived barrier to effective cybersecurity,” reasoned in encouraging the FTC-DOJ clarification. So clearing away the underbrush of misinformation should help reassure business executives that companies which share technical cybersecurity information such as indicators, threat signatures and security practices, and avoid exchanging competitively sensitive information like business plans or prices, will simply not run afoul of the antitrust laws.

Legislation that stalled in Congress last fall would go further, encouraging information exchange by, among other things, establishing a clearinghouse for threat information, incidents and recovery actions and exempting cybersecurity information provided to the government from release under the Freedom of Information Act. On the other hand, some of the larger firms in today’s digital economy — Amazon, Cisco Systems, Facebook, Google, IBM and seven others — have already taken things into their own hands, establishing a joint venture to rewrite the SSL (secure socket layer) standard for secure Web connections in the aftermath of the widely publicized Heartbleed bug. And companies increasingly recognize that in the transactional setting, due diligence on cybersecurity exposure — which by definition requires information sharing — is a compliance imperative. So as one legal commentator noted, with evident exasperation, the FTC-DOJ policy statement seems largely a solution in search of a problem.

The prospects of cybersecurity legislation passing this session of Congress are slim, as they have been for years. Recent Senate debate divided legislators into two camps: one advocating for a regulatory approach, focused on top-down restrictions imposed on private industry by administrative agencies, the other pushing for a voluntary approach based on cooperation with the private sector, focused on information sharing between private industry and government. But different positions on the private sector’s protection from liability — granted in older legislation directed to wireless and wireline communications — prevented the bills from advancing. When the Senate defeated a bill that adopted the voluntary approach, President Obama took matters into his own hands, issuing Executive Order 13636 on improving critical infrastructure cybersecurity, to which critics of federal regulatory overreach have strongly objected.

All of this says, at least to this author, that antitrust exposure is in reality quite low on the totem pole of barriers to more effective cybersecurity practices in the United States. What the independent Center for Strategic and International Studies reported three years ago remains just as true today:

The cybersecurity debate is stuck. Many of the solutions still advocated for cybersecurity are well past their sell-by date. Public-private partnerships, information sharing and self-regulation are remedies we have tried for more than a decade without success. We need new concepts and new strategies if we are to reduce the risks in cyberspace to the United States.

Note: Originally written for and reposted with permission of my law firm’s Information Intersection blog.