Recently the United States federal antitrust enforcement agencies — the Federal Trade Commission and the Justice Department’s Antitrust Division — issued a joint policy statement designed to “make it clear that they do not believe that antitrust is, or should be, a roadblock to legitimate cybersecurity information sharing.” The release made headlines globally, but the real story is that the risk of antitrust exposure for exchange of cyber risk information, even among direct competitors, was and remains almost non-existent.
That is because the U.S. antitrust laws (principally Section 1 of the Sherman Act) prohibit horizontal conspiracies and agreements among rivals, like price fixing, that harm competition. In some areas, information exchange can be competitively problematic, for instance where firms share non-public bidding or price data, or M&A transactions where the deal parties “gun jump” by acting as if they were already merged instead of continuing to compete independently. Yet as the policy statement confirmed, “cyber threat information typically is very technical in nature and very different from the sharing of competitively sensitive information such as current or future prices and output or business plans” and is thus “highly unlikely to lead to a reduction in competition.”
That’s hardly new. More than a decade ago DOJ said exactly the same thing in approving a proposal for cybersecurity information sharing in the electric industry, and Antitrust Division chief Bill Baer called the 2014 reaffirmation “an antitrust non-brainer.” But perceptions can have consequences, and some had voiced the fear that the exchange of IT security information among competitors could present a slippery slope, a forum for the kind of hard-core anticompetitive agreements the government loves to prosecute. At least that is what the White House, which called antitrust law “long a perceived barrier to effective cybersecurity,” reasoned in encouraging the FTC-DOJ clarification. So clearing away the underbrush of misinformation should help reassure business executives that companies which share technical cybersecurity information such as indicators, threat signatures and security practices, and avoid exchanging competitively sensitive information like business plans or prices, will simply not run afoul of the antitrust laws.
Continue reading Cybersecurity & Antitrust