In the last decade, Japan has shifted incrementally from a passive cyber defence strategy to an active one, accepting the necessity of more offensive means despite its pacifist strategic culture. This shift in cyber posture is driven to a larger extent by external factors, particularly the increasing cyber capabilities of its adversaries, which have seriously threatened the country’s national security. However, despite these threats, structural constraints continue to hamper offensive moves.

Emerging cyber threats against Japan

As China and other regional powers, including North Korea and Russia, increasingly undertake targeted offensive operations, Japan’s leaders feel it is no longer adequate to depend on a passive defence cyber strategy, limited to the pretence that detection and response will be enough to deter cyberattacks. The weaponisation and militarisation of cyberspace as a legitimate aspect of warfare have also contributed to Japan’s shifting cyber posture. An active approach, defined by interactions with foreign-government-backed hostile cyber actors and deployment of countermeasures across borders, seems increasingly necessary.

The weaponisation and militarisation of cyberspace as a legitimate aspect of warfare have also contributed to Japan’s shifting cyber posture.

In just a year, the number of incidents of ‘suspicious internet access’, a category that includes cyberattacks, increased from 7,708 in 2022 to 9,144 in 2023. Such incidents have targeted critical infrastructure like airlineshealthcare systemsports, and banking systems. A recent survey of Japanese companies confirmed this trend. The integration of AI with offensive operations and Japan’s position as a US ally in the event of an invasion of Taiwan by China further complicate the challenge.

To fortify Japan’s cyber defences, the government has taken steps to strengthen cyber resiliency through legislation and diplomatic efforts. The 2022 Economic Security Promotion Act, for example, protects critical technologies and reinforces supply chains. Regional and global efforts with allies and partners have complemented domestic initiatives. For example, US-Japan security cooperation on cyber issues has increased in the last two decades, moving beyond information exchange to focus on cooperation in cyber defence (during peacetime and under armed attack) via mechanisms such as the Japan-US Cyber Dialogue and the trilateral cyber working group.

While many of these efforts have focused on bolstering traditional cyber defences, moves toward active cyber defence have attracted attention because of what this shift represents with regard to Japan’s strategic culture.

A more active cyber posture

Japan’s vulnerable position, nestled amongst China, Russia, and North Korea, has compelled it to rethink its military strategy and boost defence spending, including on cyber capabilities. Yet, its post-war non-militarist tradition under the Yoshida doctrine and the pacifist constitution, which prevents Japan from maintaining a military with the capability to fight in wars, constrain offensive action. Despite the passage earlier this year of an active cyber defence bill, which allows threat data collection, remote neutralisation, and stronger public-private cooperation, Japan’s cyber posture remains limited by its political culture and legal restrictions, making a full shift from defensive to proactive cyber operations challenging.

Japan began addressing cyber threats as a national security concern in the 2010s, marked by the 2013 Cybersecurity Strategy. Since then, it has gradually shifted away from a ‘self-defence only approach’ – also called passive defence, this approach focused on monitoring, installing security patches, firewalls, and deterrence by denial.

A gradual expansion of mandate began with the 2014 Basic Act on Cybersecurity and continued through cybersecurity strategies from 2015, 2018, and 2021 and the 2018 National Defense Program Guidelines, which clearly enunciated the growing threat from foreign actors and the need to strengthen cyber capabilities. The 2022 National Security Strategy formally prioritised active defence for the first time.

The elevation of cyber has also allowed Japan to take a more proactive role in regional capacity-building efforts and create a more balanced alliance with the US.

Institutionally, 2022 also saw the creation of the Self-Defence Forces’ Cyber Defence Unit, which centralised the military’s cyber countermeasures, and the establishment of the Equipment Security Management Division within the Acquisition, Technology and Logistics Agency, which is responsible for ensuring cybersecurity of equipment and contractors. The cyber budget, meanwhile, increased sevenfold from 2022 to 2023, from 34.2 billion yen to 264.3 billion yen.

The elevation of cyber has also allowed Japan to take a more proactive role in regional capacity-building efforts and create a more balanced alliance with the US. Japan’s increasing participation in cyber exercises like Locked Shield and Cyber Coalition and its cybersecurity cooperation with the likes of NATO and AUKUS and Indo-Pacific partners such as India and South Korea signal a shift from an insular to an outward-oriented approach.

Structural constraints limit offensive cyber adoption

Even if the strategic culture is changing, legal restrictions make it very difficult for private and public sector agencies to fully embrace the move to active defence. In addition to the constitutional barriers, limitations on hacking and intercepting crime-related communications make the process more cumbersome.

The recent passing of the active cyber defence bill was a case in point. While it allows Japan to take preventive measures against serious threats in cyberspace, it is still more focused on proactive internal measures, such as detection and prevention of malicious activity, and less on activities impacting external networks.

Japan’s efforts to bolster cyber defences are also limited by a dearth of cyber professionals. The Ministry of Defense has struggled to recruit and train sufficient staff. High private sector salaries, strict physical recruitment standards, and unattractive working conditions have disincentivised younger people from working for the government. Meanwhile, domestic cybersecurity firms and startups face high barriers to participation in government procurement due to a lack of experience and limited funding pipelines, which further increases vulnerability to cyber threats.

Japan must grapple with enduring challenges such as insufficient talent development and retention, ineffective cyber institutions, friction with the private sector, and a weak deterrence posture, all of which exacerbate cybersecurity vulnerabilities.

Finally, the lack of a dedicated cyber agency limits the effectiveness of inter-agency information sharing, international collaboration, and partnerships with the private sector.

While Japan’s external threat environment and shifting strategic culture have pushed it to formally adopt an active defence approach to cyber, this is still very much a work in progress. The response has so far been limited to strengthening and taking proactive cyber defence measures – the practical application of offensive measures is yet to be seen. Japan must grapple with enduring challenges such as insufficient talent development and retention, ineffective cyber institutions, friction with the private sector, and a weak deterrence posture, all of which exacerbate cybersecurity vulnerabilities.

While these domestic issues are gradually being addressed, external threats remain inadequately managed, largely due to the constraints imposed by Japan’s strategic culture and legal structure. Unless Tokyo expands its cyber engagement beyond its domestic networks, it will continue to face significant exposure to regional and more distant threats.