Study Group for Promotion of Information Sharing on Damages Caused by Cyberattacks under the Study Group for Industrial Cybersecurity Compiles Final Report

1. Background and purposes

As cyberattacks become more and more sophisticated, it is becoming increasingly difficult for a single organization to unravel the full picture of such an attack. Amid this situation, information sharing on cyberattacks is extremely important from the perspective of ascertaining their full picture and preventing the spread of damages caused by the attacks. To this end, in March 2023, METI, in collaboration with other ministries and agencies, formulated and published the Guidance on Information Sharing and Publication Involving Damages Caused by Cyberattacks, which serves as a practical reference to help victim organizations of cyberattacks to share information on damages incurred due to such attacks with cybersecurity-related organizations.

Leaving the coordination of such information sharing up to the victim organizations themselves may impose a burden on them that outweighs the benefits. To overcome this challenge, the promotion of prompt information sharing through expert organizations that directly support victim organizations is critical. This promotion of information sharing through expert organizations needs to address two challenges: [i] restrictions on information sharing because of non-disclosure agreement (NDA), and [ii] the risk of a victim organization being identified or ascertained from non-confidential information.

To address these challenges, METI launched the Study Group for Promotion of Information Sharing on Damages Caused by Cyberattacks. Since then, the study group has held a series of meetings to discuss issues to promote information sharing through expert organizations that contributes to the prevention of extensive damages, rather than information sharing by victim organizations themselves, and compiled a final report and other documents.

2. Highlights of the report

In light of the importance of information sharing and the current challenges, the report provides streamlined approaches to technical information on cyberattacks that can be promptly shared without gaining prior consent from the respective victim companies of such attacks, and it also recommends expert organizations to smoothly share such information in accordance with the approaches.

In addition, from the perspective of providing supplementary documents to the report, the study group compiled the Draft Guide on How to Handle and Utilize Technical Information on Cyberattacks, a document streamlining specific policies to be taken by expert organizations, including processing for de-identification of information from which the specific name or suchlike of a victim company may be deduced. It also presented the Draft Model Contractual Articles on How to Handle Technical Information on Cyberattacks to be Included in  non-disclosure agreement (NDA), a document describing draft contractual articles that an expert organization should include in its NDA with a user organization. Such articles stipulate prior consent to the effect that the expert organization will not, in principle, assume legal liability derived from the sharing of the technical information on cyberattacks that the expert organization has de-identified, as an effort to facilitate smooth information sharing. METI will open a call for a wide variety of comments from the public on the Draft Guide on How to Handle and Utilize Technical Information on Cyberattacks and the Draft Model Contractual Articles on How to Handle Technical Information on Cyberattacks to be Included in NDA.

Moreover, as future challenges that may not be overcome merely by promoting information sharing among expert organizations, the report highlights [i] ideal approaches to public-private collaboration toward information sharing (e.g., ideal approaches to consultations with and reporting to administrative organizations, and information sharing between the government and private companies) and [ii] roles played by vendors in supply chains.

3. Details of the call for public comments

Documents on which METI calls for public comments

• Draft Guide on How to Handle and Utilize Technical Information on Cyberattacks
• Draft Model Contractual Articles on How to Handle Technical Information on Cyberattacks to be Included in NDA

• For details on how to submit your comments, visit here.

Period of the call

From Wednesday, November 22 to Friday, December 22, 2023

Related Materials

• Summary of the Final Report Compiled by the Study Group for Promotion of Information Sharing on Damages Caused by Cyberattacks (in Japanese)(PDF:2,912KB)
• Final Report Compiled by the Study Group for Promotion of Information Sharing on Damages Caused by Cyberattacks (in Japanese)(PDF:392KB)
• Draft Guide on How to Handle and Utilize Technical Information on Cyberattacks (in Japanese)(PDF:5,219KB)
• Draft Model Contractual Articles on How to Handle Technical Information on Cyberattacks to be Included in NDA (in Japanese)(PDF:116KB)

Related Links

• Study Group for Promotion of Information Sharing on Damages Caused by Cyberattacks (in Japanese)
• Results of the Call for Public Comments on the Draft Guidance on Information Sharing and Publication Involving Damages Caused by Cyberattacks and Publication of the Final Version of the Guidance on Information Sharing and Publication Involving Damages Caused by Cyberattack (in Japanese)

Division in Charge

Cybersecurity Division, Commerce and Information Policy Bureau