Rival businesses that share information with each other about hackers who've broken into their computer systems won't be running afoul of antitrust laws, the U.S. government has confirmed.
The new policy, issued jointly Thursday by the Justice Department and the Federal Trade Commission, is aimed at tamping down the perception of legal risk associated with bolstering corporate IT defenses as concerns about cybersecurity are at an all-time high.
"Legitimate cyber threat sharing can help secure the nation's networks and can occur without raising antitrust liability issues," said deputy attorney general James Cole. "The recent Target breach is another reminder of how far-reaching the cyber threat has become."
Under the clarified rules, businesses will be able to swap incident reports, the digital fingerprints that uniquely identify viruses and malware, and the IP addresses of an attacker, among other things. But competitive information such as pricing and products will still be off-limits.
If companies do not have the clear ability to share threat information, White House senior adviser Rand Beers said, "an attacker can send the same spearphishing message to various companies — some of which may catch it, and others not."
The move comes a year after President Obama signed an executive order granting companies wider access to sensitive government information about online threats, among other measures. Federal agencies have meanwhile been developing a set of voluntary guidelines that businesses can use to protect themselves from online attacks. Those guidelines were released earlier this year, but it's unclear how many in the private sector have adopted the protocols.
Businesses say they need more information from the government to be able to respond effectively to potential threats. They have also called for more leeway to share information among themselves. Before the clarification, a company that alerted a competitor to cyber attacks might have been vulnerable to accusations of anticompetitive collusion. Collaboration between, for instance, Coca-Cola and Pepsi, typically would be closely scrutinized by antitrust officials.
Congress has made little progress on crafting a comprehensive cybersecurity bill that addresses these and other liability concerns, in part due to objections from the White House and consumer groups over data privacy. But the Obama administration's new guidance provides companies with a better grasp of the legal landscape when it comes to sharing threat information. And the White House is signaling that further changes may be coming.
"As we run into more of those barriers where businesses say, 'I can't share because of A, B and C,' we'll knock them down," said Cole.