SIIA Applauds DOJ and FTC Guidance that Sharing of Cybersecurity Information Does Not Violate Antitrust Laws

Companies have sometimes been reluctant to share cyber threat information due to concerns over violating antitrust laws. Last Thursday, the Department of Justice (DOJ) and the Federal Trade Commission (FTC) addressed these concerns by issuing a joint policy statement affirming the legality of cybersecurity information sharing under the antitrust laws. The Agencies (DOJ and FTC) acknowledged that information sharing is critical to mitigating the severity and frequency of cyber attacks and therefore issued guidance.

SIIA applauds the Agencies’ commitment to protecting American enterprise and advocating for the necessary information sharing to combat the increasing number of cyber threats. This is an important step forward.  Congress can add to it by passing legislation that would provide a safe harbor against the risk of frivolous lawsuits for companies that share cybersecurity threat information.

Deputy Attorney General James M. Cole in remarks at the Pen and Pad Briefing had this to say,

“Some companies have told us that concerns about antitrust liability has been a barrier to being able to openly share cyber threat information with each other. We have heard you. And speaking on behalf of everyone here today, this guidance responds to those concerns, lets everyone know that antitrust concerns should not get in the way of sharing cybersecurity information, and signals our continued commitment to expanding the sharing of cybersecurity information.”

The importance of sharing cyber threat information in the interest of protecting and improving the safety of American networks cannot be overstated. This system of sharing, as indicated by Cole, has three parts:

  1. Companies sharing with government
  2. Government sharing with companies
  3. Companies sharing with each other

Assistant Attorney General Bill Baer reiterated,

“As we are well aware, cyber threats are increasing in number and sophistication, and sharing information about threats, such as incident reports, indicators and threat signatures, is something companies can do to protect their information systems and help secure our nation’s infrastructure. This kind of information sharing is good public policy. And the antitrust agencies support it.”

See the Department of Justice/Federal Trade Commission “Antitrust Policy Statement on Sharing of Cybersecurity Information.”

Sabrina Eyob is the Communications and Public Policy Intern at SIIA. She is a recent graduate of Michigan State University, where she studied Comparative Cultures and Politics, and International Relations.

SIIA Responds to RFI on Acquisition Provisions in Cybersecurity Executive Order

Earlier this week SIIA submitted comments in response to the proposed implementation of Section 8(e) of Executive Order 13636 – Improving Critical Infrastructure Protection, issued on February 12, 2013.  We greatly appreciate the opportunity to provide formal comments to GSA and DOD on this critical section of the Executive Order.

SIIA shares the overall goals of the Administration in developing a cybersecurity framework that improves our ability to protect government information and critical infrastructure from cyber-attacks. In fact, many SIIA members provide products and services that protect businesses, consumers and public sector entities from cyber-attacks, viruses and a wide range of online security threats. As a result of this experience, these members have a critical voice in the debate on the implementation of Section 8(e) of the Executive Order. While we recognize the importance of the overall goals of the Executive Order, we have some significant concerns regarding the potential effects of its implementation as proposed in the RFI.

Most notably, we have an overarching concern that the RFI itself does not accurately reflect the carefully crafted definition of “critical infrastructure” reflected in the Executive Order.  Instead the RFI appears to sweep all IT companies or their customers into the same regulatory basket as the most critical systems.  This distinction is crucial as not all systems and assets should be required to comply with this level of regulation.

In addition, SIIA expressed concerns in our comments about how the development of a broad cybersecurity framework, an ongoing process at NIST, may impact sector-specific guidance such as what is proposed here for the government contractor/acquisition sector. As a result, we have requested that the implementation of Section 8(e) be delayed until the NIST cybersecurity framework has been fully developed.

Furthermore, we support the “common criteria” as a globally recognized, effective solution to a rapidly changing IT marketplace. We caution the Administration to avoid establishing any new, overly prescriptive supply chain or software assurance scheme that would establish the Government as a leader in the process of developing technology or that would create a US-centric standard, as this would conflict with the proven security regime that has long been the foundation of our national security strategy.

We also point out concerns about how that which is proposed in this Executive Order may impact the consistent, accepted, risk-based government cybersecurity requirements contained in FISMA.  Beyond its impact on FISMA, the Executive Order may also overlap with and be redundant to the FedRAMP program, potentially subjecting any Internet-enabled computing services utilized by the government to new baseline security assessments, on top of the existing FISMA and FedRAMP requirements. Not only would this practice be costly, slow, and inefficient, but it could lead to new technology-specific overlays for services that are already being utilized and assessed by the federal government in a technologically-neutral way.

Lastly, we highlight our concerns regarding the potential effect of the rules proposed as a result of the Executive Order on the other major cyber-related requirements, both current and proposed, including those found in the FAR, the DFARS, FISMA and the last two National Defense Authorization Acts.

Michael Hettinger is VP for the Public Sector Innovation Group (PSIG) at SIIA. Follow his PSIG tweets at @SIIAPSIG. Sign up for the Public Sector Innovation Roundup email newsletter for weekly updates.

SIIA Hails House Passage of Cybersecurity Legislation, Urges Senate to Act

SIIA commends today’s House passage of the Cybersecurity Intelligence Sharing and Protection Act (CISPA, H.R. 624) and three other critical cybersecurity bills passed earlier in the week. Following the House passage of this legislation, I issued the following statement:

Early detection and notification of cybersecurity threats is the most critical component of preventing and mitigating attacks as well as increasing security across the board. SIIA supports CISPA because it would provide the critical necessary framework for early detection and notification of cybersecurity threats.  Today, the House clearly recognized this vital need, and as cybersecurity threats and damage continue to grow, it is essential that the Senate move quickly to approve these bills.

CISPA creates the necessary flexibility for businesses to share security information without fear of legal or regulatory liability. Specifically, CISPA would protect companies and organizations that share threat and vulnerability information with the government from legal liability and the risk of lawsuits, while also providing a critical exemption from antitrust laws that currently discourage information exchanges between private companies.

Additionally, SIIA applauds House passage of three other key cybersecurity measures to reform federal information security management and enhance cybersecurity R&D. These measures include:

  • Federal Information Security Amendments Act (H.R. 1163)
  • Cybersecurity Enhancement Act (H.R. 756)
  • Advancing America’s Networking and Information Technology Research and Development Act (H.R. 967)

With cyber threats more sophisticated and targeted than ever, now is the time to act on critical cybersecurity legislative priorities. We urge the Senate to move with all deliberate speed to consider these key measures and advance the Nation’s cybersecurity readiness.

Ken Wasch is President of SIIA. Follow the SIIA Software team on Twitter at @SIIASoftware.

SIIA Calls for Support for Cybersecurity Legislation

SIIA called on congressional leaders today to enact legislation that would help the government detect cybersecurity threats.  In a letter sent today, SIIA thanked Reps. Mike Rogers (R-MI) and Dutch Ruppersberger (D-MD) for their bipartisan leadership with regard to the Cyber Intelligence Sharing and Protection Act (CISPA), and urged members of the House Select Intelligence Committee to support this legislation.  In the letter, I commented:

Early detection and notification of cybersecurity threats is the most critical component of preventing and mitigating attacks – increasing security across the board. SIIA supports CISPA because it would provide the critical necessary framework for early detection and notification of cybersecurity threats.  Specifically, CISPA would provide needed legal certainty that threat and vulnerability information voluntarily shared with the government would be provided safe harbor against the risk of lawsuits, and it would also provide a critical exemption from antitrust laws that currently discourage information exchanges between private companies.


Ken Wasch is President of SIIA. Follow the SIIA Software team on Twitter at @SIIASoftware.

SIIA Joins other Trade Groups in Supporting Cyber Legislation Introduced Today

Today, SIIA joined with other leading trade associations in support of the Cyber Intelligence Sharing and Protection Act (CISPA), bipartisan cybersecurity legislation introduced today by Reps. Mike Rogers (R-MI) and Dutch Ruppersberger (D-MD) to enhance sharing of cyber threat information between the public and private sectors.  Early detection and notification of cybersecurity threats is the most critical component of preventing and mitigating cyber-attacks. CISPA would establish a framework that enables the public and private sectors to work together in sharing information on known threats and vulnerabilities, and enactment of this legislation would increase security across the board.

Mark MacCarthy, Vice President, Public Policy at SIIA, directs SIIA’s public policy initiatives in the areas of intellectual property enforcement, information privacy, cybersecurity, cloud computing and the promotion of educational technology. Follow the SIIA Public Policy team on Twitter at @SIIAPolicy

SIIA Applauds Cybersecurity Commitment Announced in Tonight’s State of the Union Address

SIIA congratulates President Obama and his Administration for making cybersecurity a priority. We appreciate the President’s efforts to seek broad input in crafting the Executive Order signed today. We are particularly pleased that the Executive Order excludes commercial information technology products and consumer information technology services from the definition of ‘critical infrastructure at greatest risk.’ The Administration is clearly seeking to advance American innovation with this effort; however, the way in which the Order is implemented will be critical in determining its success or failure.

As we work with the Administration on implementation, a priority for our industry will be to avoid rigid regulations that impede the innovation that is essential for effective cybersecurity.

A regulatory approach seeking to cover a broad, rapidly-evolving cross-section of industry would have the unintended consequence of slowing technological innovation and limiting our collective cybersecurity preparedness. Therefore, it is essential that the Administration work with industry to implement the Executive Order in a way that retains necessary flexibility. Technological innovation must be allowed to keep up with rapid developments pertaining to both cybersecurity threats and protections.

To that end, we look forward to continuing to work closely with the Administration and congressional leaders to implement this policy.

Ken Wasch is President of SIIA. Follow the SIIA Policy team on Twitter at @SIIAPolicy.

SIIA Says Proposed EU Cybersecurity Strategy is too Prescriptive and Overly Broad

In reaction to today’s European Union cybersecurity announcement, SIIA is concerned that the new strategy is too broad in the scope of industries to be covered and will threaten innovation. In response, I issued the following statement:

SIIA commends the European Commission for conducting a thoughtful, comprehensive review of network and information security across the European Union. There is a critical need to focus on the best cybersecurity practices that will help protect governments, businesses and citizens around the world from increasingly sophisticated cyber-attacks.

However, we are concerned about the scope of the Commission’s regulatory approach.  It is overly broad, too prescriptive and threatens to suppress the very innovation that will help businesses, governments and citizens anticipate and address changing cybersecurity threats.

The proposal’s cybersecurity performance requirements will likely lead to technical mandates and rigid regulatory standards and reporting obligations.  Its scope goes well beyond critical infrastructure, where the harms from cyber-attacks are the greatest.  In doing so, it threatens to engulf a broad range of other industries, thereby wasting scarce security resources on areas where the dangers are not urgent.

Today’s cyber threats are global and ever-changing – rigid, far-reaching regulations will almost certainly do more harm than good.  SIIA supports policies that provide the necessary flexibility to keep up with rapid technological developments pertaining to both threats and protections.  SIIA and its member companies look forward to working with the Commission as it considers this proposal and possible amendments.

Ken Wasch is President of SIIA. Follow the SIIA Policy team on Twitter at @SIIAPolicy.