Japan Strengthens Cybersecurity with Bold New Active Defense Legislation
In a significant step toward enhancing national cybersecurity, Japan has introduced sweeping legislation aimed at fortifying its cyber defenses and aligning with US standards. The Active Cyber Defense Bill, comprising two key legislative measures, empowers the government to take a more proactive approach to countering cyber threats before they escalate into large-scale attacks.

After delays in 2024, the bill was approved by Japan's ruling Liberal Democratic Party (LDP) last month, received Cabinet approval on February 7, and was subsequently submitted to the National Diet (Japan’s parliament) for final consideration.
Rising Threats Prompt Stronger Cyber Policies
The legislation comes amid increasing cyber threats, including state-sponsored attacks such as those from China-backed threat actor MirrorFace, which has been conducting cyber espionage since 2019 to steal Japan’s national security secrets.
According to Casey Ellis, founder of Bugcrowd, Japan faces a mix of cyber challenges, including ransomware, supply chain attacks, and intellectual property espionage, as well as potential prepositioning attacks on critical infrastructure and the defense sector. The shift to a more assertive cyber posture reflects Japan's complex geopolitical landscape and growing security concerns.
Cybersecurity Wake-Up Call & Blair Shock
Japan’s cybersecurity overhaul dates back to April 2022, when former US Director of National Intelligence Dennis C. Blair delivered a blunt assessment of Japan’s cyber readiness. His critique, now referred to as "Blair Shock," left Japanese lawmakers deeply concerned about their cybersecurity deficiencies compared to allies in North America and Europe.
Blair urged Japan to establish cybersecurity agencies similar to the US Cyber Command and create a National Cyber Director position. In response, then-Prime Minister Fumio Kishida made cybersecurity a national priority, culminating in a new National Security Strategy in December 2022. This strategy introduced "active cyber defense," a policy aimed at detecting and neutralizing cyber threats before they cause serious harm to government and critical infrastructure.
Key Provisions of the Active Cyber Defense Bill
The bill is divided into two parts, addressing both passive and active cyber defense measures:
- Strengthening Cybersecurity Oversight
  - Establishes a cybersecurity council and an intelligence-gathering committee.
  - Requires critical infrastructure operators to report cyber incidents.
  - Grants the Prime Minister’s Office authority to collect relevant cyber threat data through telecommunication providers, with strict restrictions on sensitive data usage.
- Expanding Active Cyber Defense Powers
  - Grants the military authority to defend its networks, including those tied to US military operations in Japan.
  - Creates "cyber harm prevention officers" in law enforcement, empowered to neutralize cyber threats by shutting down hostile servers during active attacks.
  - Allows prevention officers to act without immediate approval in urgent situations.
A Controversial Yet Necessary Move
While some view active cyber defense as a form of government overreach, Japanese lawmakers have emphasized that measures will be conducted within strict legal boundaries.
According to Ellis, the concept of "vigilante hacking" is controversial, but in controlled situations, it could be a necessary evolution in cyber defense. As cyber threats become more sophisticated, Japan’s shift to a more proactive stance may be long overdue.