In pre-school, we were taught (well, before it was considered the mark of creeping socialism) that sharing was good. Share your toys. Share snacks. Why we even shared colds, flu’s and viruses. That’s how much we cared. But when it came to sharing information about information security vulnerabilities, incidents, threats and solutions, companies (well, their lawyers) frequently cited fear or antitrust litigation as a reason to not share information.
On April 10, the United States Department of Justice (DOJ) and the United States Federal Trade Commissions (FTC) allayed those fears by issuing a policy statement encouraging companies to share such information.
So everything is smooth sailing, right?
Not so much.
Share and Share Alike
The DOJ/FTC guidance is intended to promote the sharing of “information about cybersecurity threats, such as incident or threat reports, indicators, threat signatures, and alerts (collectively, “cyber threat information”).”
The guidance indicates that the sharing of this kind of information is “highly unlikely to lead to a reduction in competition and, consequently, would not be likely to raise antitrust concerns.” Nevertheless, the guidance notes, “Some private entities may be hesitant to share cyber threat information with each other, especially competitors, because they have been counseled that sharing of information among competitors may raise antitrust concerns.”
So the guidance is intended to allay these fears and continue to promote such sharing, whether directly or through Information Sharing and Analysis Centers (ISAC’s). So we are all free to share, right?
Not so much.
Most companies that refused to share cybersecurity information because of antitrust concerns simply didn’t want to share the information, and were using the antitrust provisions as a smokescreen to refuse to share the data, or to refuse to participate in information sharing programs. While the concerns are not trivial, they are pretty close – in most cases. Despite having cyber threat information around since at least the mid-1970’s, there has not been a single case of an investigation or prosecution of any entity for sharing such information – even with a direct competitor.
That may be because the companies refused to share the data, or because of the positions of DOJ and FTC that information sharing is a good thing. So refusal to share data because of antitrust fears is like refusing to swim because you ate 45 minutes ago. It’s POSSIBLE you could get a cramp, but let’s face it, you’re just afraid of the water. So the general sharing of threat and vulnerability information to enable the entire industry or world to become more secure is pretty much no problem.
Like everything else in the law, though, the devil is in the details.
In addition to “information about cybersecurity threats, such as incident or threat reports, indicators, threat signatures, and alerts (collectively, “cyber threat information”)” companies could also share threat responses, threat response technologies, and raw data. The DOJ/FTC guidance does not help companies understand the legal ramifications of this kind of information sharing. So, for example, if Ford, GM and Chrysler set up a “joint automotive command center” where the CISO’s of each company could see in real time the security dashboards of all three companies, this would both be a good model for “information sharing” and a potentially anti-competitive action.
Data protection can also promote a competitive advantage. If one company is doing a good or great job in protecting data, this can elevate their market position with respect to their competitors. “Shop at Wal-Mart, we don’t lose your data…” If companies now share threat or other information, that competitive advantage may be lost.
The DOJ/FTC guidance does not address response technologies. Every day companies emerge (many from Israel) with new responses to various threats. These can be hardware, software, polices, practices – whatever. These responses may themselves be proprietary, confidential , trade secrets or subject to patent protections. If THAT kind of information is shared, this could also raise antitrust concerns.
You’re not my friend…
The real problem with sharing cyber security information, like sharing in kindergarten is that we don’t share equally. I am more than happy to share with Jillian (she’s pretty), but not so much with Jane (she smells funny).
Because cybersecurity information enables companies to protect themselves from threats, there is a real possibility that the data can be used in an anti-competitive way. Ford, GM and Chrysler can share data with each other, but exclude Toyota, Mazda and Honda.
The US corporations are protected, their Japanese rivals, not so much. Voilà! Buy ‘merkin! And we can impose nondisclosure and non use obligations on our competitors by virtue of our information sharing. Thus Ford can impact the actions and inactions of GM and Chrysler.
Companies may also impose conditions for participation in information sharing collaborations. While the information sharing itself is not anticompetitive, the conditions for being able to obtain this information may be.
The simple one is to say, “I will tell you [competitor] about the fact that I have been hacked, but you can’t disclose this to anyone else…” Fine. So what happens if a competitor learns (through a sharing arrangement) that its rival has suffered a major data breach, but isn’t complying with data breach disclosure laws, and is keeping it secret? That fact enables the competitor to extort concessions or other goodies from its rival.
For example, HTCIA – the High Tech Criminal Investigator’s Association shares information about forensics, tools, techniques, threats, etc., but its bylaws prohibit criminal defense lawyers or investigators working with them from being members, and swear all of its members to secrecy. Thus, tools become available to only a small fraction of those who need them.
By treating cybersecurity information as a valuable commodity, its sharing or non sharing becomes anticompetitive.
Cyber threat information is a shield intended to protect individuals and companies. But any good shield can be used as a weapon. The DOJ/FTC guidance does little to allay the genuine fears that this shield could be used to obtain competitive advantage by some or all of the participants in the economic marketplace. So while companies should feel free to share information with their rivals, the issue is not whether, but how and with whom.
Oh, and don’t share the milk. That’s just gross.