The Competition Authority

Quick Links

23/07/17
 

Public Statement 3/17: Sharing Information in order to Handle Cyber Threats

PDF:
WORD:
Date of Publication:
23/07/2017

 

 

Public Statement 3/17: Sharing Information in order to Handle Cyber Threats

1.   Preamble

The subject of this public statement is sharing information between commercial bodies for the purpose of handling cyber threats. In view of the increase of cyber threats in recent years, the need of bodies and organizations to share information that may be beneficial to them in dealing with such threats increases, in particular bodies active in a particular field.

Sharing information between competitors may be, under certain circumstances, a restrictive arrangement pursuant to the Antitrust Law, 5948 - 1988 (hereinafter: the “Antitrust Law”). In view of the importance for the economy to be able to share information among commercial bodies in the defense against cyber threats, and the need to protect important infrastructure in the State of Israel, the General Director of the Antitrust Authority considers it important to clarify its position in this matter.

2.   Cyber security - background

Technological advancement in recent decades and in particular the development of the Internet and the computerized systems, has brought with it the gospel of efficiency and innovation in practical life in the modern world, but alongside it came great dependence of the economy upon such systems. As a result of the dependence upon such computerized systems, we are exposed to new threats to the integrity and good working order of these systems, in the form of cyber-attacks and cyber threats by private agents as well as by states and terrorist organizations.

The purpose of such cyber-attacks is to collect information, damage information or shut down services and they may be directed towards infrastructure and important systems in the economy, such as the banking system and the capital market, communications systems, as well as against governmental bodies.

Cyber-attacks have developed in recent years and became more complex and elaborate, and concurrently ways of dealing with such attacks developed. These ways emphasize the need to prevent the attack, inter alia by tracing potential cyber threats and neutralizing them prior to the attack and by maintaining security systems, by uncovering weaknesses in the system and possible ways to harm them. The need of business organizations to handle cyber threats is a considerable challenge, inter alia because the scope of information available to a single organization is insufficient to obtain the best picture of the current state of affairs in terms of the cyber threats against it, and there is real need to access information pertaining to cyber threats that occurred or that might occur in other organizations. In view of that, information sharing systems between organization and bodies are being established worldwide.{C}[1]{C}{C}{C}{C}{C}{C}

The State of Israel attaches great importance to assisting the bodies in the economy in handling cyber threats and has decided to establish a national center to handle cyber threats (hereinafter: CERT”) by the National Cyber Protection Agency, the purpose of which is reinforcement of the resilience of the Israeli economy in handling cyber threats.{C}[2]{C}{C}{C}{C}{C}{C} In addition, the sector regulators have published guidelines and principles relating to the manner of handling of cyber threats in the bodies supervised  by them with refer, inter alia, to the importance of sharing information among such bodies.{C}[3]{C}{C}{C}{C}{C}{C}

Among its activities, the CERT established a system for sharing valuable security information among the various bodies, that will also provide added value beyond the mere transfer of information, such as screening of the information, analysis and processing of the information as well as providing tools and assisting in handling cyber threats. To date, the sharing of valuable security information is expected to be carried out by way of the system for sharing information that was established by the CERT, but perhaps in the future additional systems will be established for sharing valuable security information.

3.   {C}Transfer of information between competitors and sharing valuable security information

Transfer of information between competitors may under the certain circumstances be restrictive arrangement in the meaning of section 2 of the Antitrust Authority as determined in previous decisions of the General Director of the Antitrust Authority.{C}[4]{C}{C}{C}{C}{C}{C}

The main competitive apprehension that arises from the exchange of information between competitors is diminishing the uncertainty of the competitors in the market relating to the business activity if any of them, which may lead to an adjustment among them as to their business conduct in a way that might impair competition. Such apprehension usually exists in the matter of transfer of information as to the business-commercial activity of the parties, such as information as to prices, costs, quantities or business plans.{C}[5]{C}{C}{C}{C}{C}{C} The level of impact of information transfer between competitors on the ability to create adjustment between competitors depends upon additional factors, including the level of competition in the relevant market as well as the agents transferring the information.

The question of classification of an arrangement for sharing information between competitors under the definition of a restrictive arrangement in the meaning of section 2 of the Antitrust Law, depends, therefore, firstly, upon the type of information transferred between the competitors and the question whether such transfer raises apprehension of impairment of competition between the parties.

Insofar as the sharing of information does not pertain to the business activity of the parties but only the information required for the purpose of cyber security, such as information as to cyber threats, indications,{C}[6]{C}{C}{C}{C}{C}{C} weaknesses,{C}[7]{C}{C}{C}{C}{C}{C} malware{C}[8]{C}{C}{C}{C}{C}{C} as well as methodologies and tools to handle cyber threats (hereinafter: “Valuable Security Information”), the Antitrust Authority will not deem such transfer an action that may prevent or diminish the competition between the businesses even if the transfer of information is  between competitors.

The rationale underlying this position is that Valuable Security Information is by nature technical and does not include commercial information or information relating to the business activity of any of the parties, {C}[9]{C}{C}{C}{C}{C}{C} whereas the apprehension of adjustment of business activity between competitors as a result of sharing of information between them arises in cases of sharing information that is sensitive in terms of competition, which pertains to the business activity of the parties.{C}[10]{C}{C}{C}{C}{C}{C} Moreover, sharing Valuable Security Information may even have a pro-competition impact on the economy, because such sharing may aid all bodies, big and small, to secure their infrastructure and their information systems against cyber threats and streamline their security systems.{C}[11]{C}{C}{C}{C}{C}{C}

4.  {C}Free access to information sharing systems

Concurrently with the exchange of Valuable Security Information by way of platforms that are operated by governmental authorities (such as the CERT), such exchange of information may be carried out in the framework of joint ventures engaged in the market or in a certain sector. Similarly, to other joint ventures, these ventures as well may provide value to their participants, in a manner that impacts their ability to compete. Therefore, preventing access to the venture to one or more competitors may diminish their ability to compete, increase the entry barriers to the market and event prevent the entry of new bodies in the sector,{C}[12]{C}{C}{C}{C}{C}{C} and therefore may, per se, constitute a restrictive arrangement.

Because systems that share Valuable Security Information may improve the ability of such bodies to handle cyber threats and streamline their defense array, preventing access, without a reasonable reason, to the system whereby such information is being shares between bodies in a market or sector, to other bodies that are active in such market or sector, for which such information is relevant (taking into consideration their relevant characteristics, such as their fields of activity, their scope of activity and so forth), may leave them at a competitive disadvantage as compared to their competitors thereby bringing about impairment to competition.

5.   Conclusion

Sharing Valuable Security Information constitutes a significant part of the ability of bodies to handle cyber threats and the State of Israel attaches great importance to encouraging bodies in the economy to share Valuable Security Information.

The Antitrust Authority attaches importance as well to encouraging sharing Valuable Security Information, if such sharing does not impair competition. The public statement presents rules for competitive analysis of sharing Valuable Security Information, in a manner that provides criteria for the assessment of information sharing arrangements thereby increasing certainty for bodies that wish to take part in sharing Valuable Security Information without apprehension of violation of the provisions of the Antitrust Law.

 

Michal Halperin

 

the General Director of the Antitrust Authority

 

Jerusalem, 29 of the month Tamuz 5977

  July 23, 2017

 

 

\


{C}[1]{C} For example in Great Britain a national cyber information sharing system is being operated by the National Cyber Security Center (NCSC); in the United States about 20 ventures for sector sharing in various sectors are active, called Information Sharing and Analysis Centers (ISACs), associated under one umbrella organization called the National Council of ISACs (NCI), and in addition private bodies that supply cyber information sharing systems are active, such as the “TruSTAR” system operated by CyberPoint International LLC. 

{C}[2]{C} Decision no. 2444 of the 33rd government “promotion of the national preparations for cyber protection” (15.2.2015).

{C}[3]{C} See for example the guidelines for good banking practice 361 “cyber protection management” (16.3.2015). Link to the cyber protection management document.

And in addition the Institutional Bodies Circular 2016-9-14 “Cyber Risks Management in Institutional Bodies” (31.8.2016) link to the Cyber Risks Management in Institutional Bodies document.

{C}[4]{C} Thus for example a decision pursuant to the provisions of section 14 of the Antitrust Law, 5948 - 1988 as to granting an exemption for a restrictive arrangement between World Liner Data Limited and Limited Container Trade Statistics and international shipping companies (17.4.2016) Antitrust 500965; and a decision pursuant to the provisions of section 14 of the Antitrust Law, 5948 - 1988 as to granting an exemption under terms and conditions from approval as a restrictive arrangement to an arrangement the parties of which are Clal Insurance Company Ltd., Migdal insurance company Ltd., Harel Insurance Company Ltd., Menorah Mivtahim Insurance Ltd., the Phoenix Insurance Company Ltd. and Someh - Haikin KPMG (4.4.2011) Antitrust 5001769; And in addition the public statement by the General Director of the Antitrust Authority: Exemption for necessary exchange of information to solve the year 2000 problems in the field of computer systems (2.3.1999) Antitrust 3002201 (hereinafter: the “2000 Bug Public Statement”).

{C}[5] Thus, for example, a decision pursuant to the provisions of section 14 of the Antitrust Law, 5948 - 1988 as to granting an exemption under terms and conditions from approval as a restrictive arrangement to an arrangement the parties of which are Clal Insurance Company Ltd., Migdal insurance company Ltd., Harel Insurance Company Ltd., Menorah Mivtahim Insurance Ltd., the Phoenix Insurance Company Ltd. and Someh - Haikin KPMG (4.4.2011) Antitrust 5001769;

{C}[6] Data on activity that may indicate that cyber event occurred, might occur or is ongoing.

{C}[7] Weaknesses in computerized systems or their components or in procedures relating to them that may be abused to create a cyber event.

{C}[8]{C} Abilities and tools that are used to take advantage of a weakness.

{C}[9]{C} Department of Justice and Federal Trade Commission: Antitrust Policy Statement on Sharing of Cyber Security Information (April 10, 2014) P.7.

Link to the document.

{C}[10]{C} Thus, for example it was determined that exchange of information relating to solving the Bug 2000 problem do not raise apprehension of impairment in competition, public Statement in the matter of Bug 2000, page 6.

{C}[11]{C} Department of Justice and Federal Trade Commission: Antitrust Policy Statement on Sharing of Cyber Security Information (April 10, 2014) P.6-7.

Link to the document.

Letter from Joel I. Klein, Assistant Att’y Gen., Antitrust Div., U.S. Dep’t of Justice, to Barbara Greenspan, Assoc. Gen. Counsel, Electric Power Research Inst. (Oct. 2, 2000), available at Link to the document.

[12]{C} Compare to the statements made in section 39 of public statement 3/14 “in the matter of trade associations and their activities” (4.9.2014) Antitrust 500682 - “40.    When membership in the association grants access to an asset, information or a service that may have material impact on the competitive capabilities of a dealer, or that may grant access to significant economic activity or to significantly facilitate such access, not admitting it to the association or terminating its membership in it may block or limit its ability to compete in the sector and thereby prevent or reduce the competition in the business and even might amount to a ban”, In addition, in a number of decision of the General Director to grant an exemption from approval of a restrictive arrangement, the exemption was granted under certain terms and conditions that will ensure free and equal access to all the bodies engaged in the sector, thus, for example the decision pursuant to section 14 of the Antitrust Law, 5948 - 1988 as to granting an exemption under certain terms and conditions from approval of a restrictive arrangement the parties to which are the International Air Transport Association and the airlines (20.10.2015) Antitrust 500682; as well as a decision pursuant to section 14 of the Antitrust Law, 5948 - 1988 as to granting an exemption under certain terms and conditions from approval of a restrictive arrangement between the Israel Insurance Companies Association and the insurance companies as to the operation of a clearing system (31.8.2015) Antitrust 500852.