Japan’s cybersecurity shift: Adoption of Active Cyber Defence posture

Image Source: Getty

In February 2025, the Japanese Cabinet passed two bills on strengthening Japan’s cybersecurity. If passed through the Diet, it will give Japan's Self Defence Forces (SDF) and the police powers to bolster the country's cyber defence capabilities further. With the Active Cyber Defence (ACD) legislation, Japan intends to institutionalise new cyber mechanisms, moving beyond the earlier established limitations that restricted certain cyber operations and campaigns.

Japan’s intensifying cyber landscape

In recent years, particularly with the Russia-Ukraine war and the conflict in the Middle East, the cybersecurity threat has become an essential part of the national security conversation across the globe, especially in Japan. For Japan, this has become a serious security and economic concern as the majority of cyber attacks targeting the country originate from across its borders. According to government data, almost 99 percent of cases can be traced outside, to countries like China, Russia, and North Korea. Therefore, with intensified cyber intrusion and attacks, the calls for action to bolster cyber defences have become stronger among the political class and epistemic communities. Addressing this challenge of increasing cyber threat, Yoshimasa Hayashi, Chief Cabinet Secretary, said, “We believe that improving our capabilities to respond to cyberattacks is an increasingly urgent issue, given the current security environment.”

While Japan has taken steps to strengthen deterrence in cyberspace by cooperating with allies and partners regionally and strengthening defensive capabilities, there is still something lacking on the domestic front.

The first phase of cyber attacks targeting Japan by Chinese hackers can be traced back to 2019. Since then, they have repeatedly engaged in cyber espionage and intrusion against critical national infrastructure in Japan. In the last five years, Japan’s National Police Agency has attributed 200 cyber incidents against Japanese companies to a Chinese threat actor—Mirror Face. Some known attacks by the hacker include attacks against the Japan Aerospace and Exploration Agency (JAXA), its Foreign and Defence Ministries, the Cabinet Secretariat, and Port Nagoya. These attacks have focused on stealing technologies and state secrets and targeting influential people based in government, political parties, and think tanks. Another emerging cyber disruptor is North Korea, which has become a serious cyber threat in the last few years, undertaking cryptocurrency theft (US$ 308 million theft from DMM Bitcoin in 2024) and supply chain attacks.

While Japan has taken steps to strengthen deterrence in cyberspace by cooperating with allies and partners regionally and strengthening defensive capabilities, there is still something lacking on the domestic front. Therefore, to fix the existing cyber gap domestically, Japan has taken specific measures to bolster its comprehensive cyber capabilities, considering the realities of the strategic environment in cyberspace.

Adoption of the active cyber defence (ACD) posture

The steps towards strengthening the cyber capabilities were first announced in the 2022 National Security Strategy. However, the government’s efforts were accelerated with the rise of cyber attacks from China, which led to the fast-tracking of ACD legislation. Besides, the legislation becomes critical, particularly in the context of a possible conflict across the Taiwan Strait, recognising the threat posed in cyberspace based on the learning from the Russia- West conflict in cyberspace. With the support of Ishiba Shigeru, a firm believer in strengthening Japan’s cyber defences, the bill was cleared within the party immediately after assuming office in November.

The approval of the ACD bill signals a shift from the earlier held position that restricted any action against the adversaries, even if detected.

The ACD legislation objective is threefold—to collect online communication data to take preemptive action against its cyber adversaries, allow for monitoring of computer networks during peacetime, and reinforce public-private cooperation. The approval of the ACD bill signals a shift from the earlier held position that restricted any action against the adversaries, even if detected. This essentially means a change of posture from passive defence (deterrence by denial) to active defence, earlier denied to Japan’s cyber command. Hence, this change in Japan’s cybersecurity posture signals an incremental shift in alignment with the rise of the sub-strategic culture that supports the adoption of a balanced cyber posture, including limited offensive operations akin to deterrence by punishment. The change can be seen reflected in other areas, including Japan’s increasing defence budget and exporting defence equipment and systems to like-minded countries.

While the ACD diverts from Japan’s traditional defence-oriented policy (Yoshida Doctrine), it emphasises the critical importance of safeguarding the country’s cyberspace, an essential national security priority. The legislation aims to remove the existing legal bottlenecks, including the Act on Prohibition of Unauthorised Computer Access (Article 2, Para. 4) and the prohibition on collecting signal intelligence (Article 21 of the constitution), facilitating likely ‘hacking back’ and allowing external network disruption.

Checks and balances

While the bill has been welcomed, it has also raised concerns about privacy and surveillance in Japan. These concerns pertain to the collection of information particularly. However, to address these doubts, the bill has introduced checks and balances, ensuring no privacy violation occurs. Currently, the bill states that it will collect two types of communication data, foreign-to-foreign communications and the other one being domestic-to-foreign and vice-versa, all under the oversight group’s lens. The aim is only to collect nonessential communication data, including Internet Protocol (IP) addresses and timestamps; other data like email content and subject lines will not be analysed or will be deleted during filtering. This will happen without human intervention and under the oversight of the committee to ensure citizens' privacy. Furthermore, addressing these public concerns, Yoshimasa Hayashi reassured the public, stating that ‘the government will not know the content of conversations and email text.’

For instance, to avoid unnecessary conflict between the agencies, the bill gives the police the primary responsibility for ensuring cybersecurity with conditional intervention by the SDF (under the eyes of an oversight committee).

Regarding public privacy concerns, the bill has built-in guard rails in the form of an oversight committee consisting of five members overseeing the agencies' activities and recommending corrective actions. For instance, to avoid unnecessary conflict between the agencies, the bill gives the police the primary responsibility for ensuring cybersecurity with conditional intervention by the SDF (under the eyes of an oversight committee). Some other notable additions in the legislation include the setting up of the SDF-Police joint operations centre, reorganisation of the National Centre for Incident Readiness and Strategy for Cybersecurity (NISC), mandating reporting of cyber attacks within a proscribed timeline, creation of an ad-hoc post of vice-minister for cyber security, and establishing a cyber council for sharing information. The bill also has provisions to penalise government officials responsible for leaking data and operators for failing to report attacks. The punishment extends to four years in prison and a fine of up to ¥2 million (US$ 13,566).

Nonetheless, despite this incremental shift in Japan’s cybersecurity posture, it does not mean we will  see a hunt-forward operation, as observed in the case of the United States. It remains to be seen how the ACD legislation will manifest itself when put to task in the Japanese cyberspace cultural context.

The bill requires active support from the opposition due to the LDP’s minority ruling coalition. However, based on the bill's current shape and content, it is expected that the opposition (including the Japan Innovation Party and Democratic Party for the People) will extend their support. Thus, the bill is anticipated to pass without any significant obstacle in the current Diet session, which will run till June 22. The legislation will likely be implemented in the fiscal year 2026 following its passing.

Abhishek Sharma is a Research Assistant with the Strategic Studies Programme at the Observer Research Foundation.

• International Affairs
• The Pacific, East and Southeast Asia
• acd legislation japan
• active cyber defense bill japan
• active cyber defense japan
• active cyber defense legislation in japan
• cyber security in japan

The views expressed above belong to the author(s). ORF research and analyses now available on Telegram! Click here to access our curated content — blogs, longforms and interviews.

PREV NEXT