Japan Takes Unconventional Approach to Cybersecurity with Passage of Active Cyberdefense Law
In a significant shift from its historically pacifist stance, Japan has passed the Active Cyberdefense Law, allowing preemptive offensive cyber actions to counter threats before damage occurs. This move marks a major departure from the country's previous commitment to non-aggression under Article 9, as it seeks to bolster its defenses and enhance its cyber capabilities in line with those of major Western powers.
The new law enables government agencies to carry out hacking back operations, infiltrating and neutralizing infrastructure employed by threat actors targeting Japan and its organizations. Furthermore, the law allows authorities to preemptively target hostile infrastructure, even before attacks occur, thereby providing a more proactive approach to cyber defense.
One of the key aspects of the new legislation is its impact on the interpretation of Article 9 for national and allied security. The Japanese Self-Defence Forces will now be empowered to aid allies in handling advanced cyber threats, reflecting this shift in the law's application. This change aims to enhance Japan's ability to provide broader military support to its allies while ensuring national security.
Aiming to Achieve Operational Readiness by 2027
The Japanese government has set a goal to make the new legal framework fully operational by 2027, according to Yoshimasa Hayashi, Japan's chief cabinet secretary. He stated that the law is intended to enable Japan to "identify and respond to cyber attacks more quickly and effectively." Moreover, he emphasized that Tokyo seeks to equal or exceed the cyber capabilities of major European countries and the US.
Key Provisions to Balance Security with Individual Rights
To address concerns over potential government overreach and violation of individual rights, particularly in the realm of communications secrecy, the government revised legislation. A new independent panel will be established to provide prior approval for data acquisition and analysis, as well as actions to neutralize hostile servers. This ensures that government surveillance is conducted properly.
The revisions also include stipulations in the law to uphold personal rights, further addressing opposition party concerns about government overreach. These measures demonstrate a commitment by the Japanese government to strike a balance between enhancing national security and protecting individual privacy.
Threat Landscape Remains Concerning for Japan
Risk of cyber threats remains significant in Japan, with both financially motivated actors and APT groups posing a threat. In recent instances, Japan has faced notable breaches, such as the April 2025 incident involving hundreds of millions in unauthorized trades linked to hacked brokerage accounts, and the March 2025 data breach at NTT that exposed nearly 18,000 corporate customers' information.
Additionally, a cyberattack against Japan Airlines (JAL) in December resulted in the suspension of ticket sales for flights departing on Thursday. These incidents underscore the importance of bolstering cybersecurity measures in Japan to counter these ongoing threats.
A New Era in Cybersecurity Cooperation for Japan
The passage of the Active Cyberdefense Law represents a significant step forward in Japan's commitment to enhancing its cyber defense capabilities. By adopting this proactive approach, Japan can better protect itself from emerging threats and support its allies in an increasingly complex global cybersecurity landscape.