Japan has passed a landmark law allowing the government to be more proactive in combating cyber attacks after suffering a record onslaught from criminal gangs and state-sponsored hackers.
The Active Cyberdefence Law (ACD), which was enacted by parliament on Friday, marks a “pivotal moment” in Tokyo’s development of an effective cyber defence strategy, according to cyber security experts.
The country’s pacifist postwar constitution and its privacy protections have long limited the government’s approach to cyber security, leaving the country’s companies, infrastructure and organisations vulnerable.
The law will “enable us to identify and respond to cyber attacks more quickly and effectively”, said Japan’s chief cabinet secretary Yoshimasa Hayashi on Friday, adding that it would help “realise the goal of improving the response capability in the field of cyber security . . . to equal or exceed that of major European countries and the US”.
For years, Tokyo’s efforts to strengthen its defences against a rising volume and sophistication of cyber attacks have been restrained by Article 21 of the constitution, which stipulates that “the secrecy of any means of communication” shall not be violated.
Police require a warrant for any wiretapping and can only use it in investigations into a limited number of offences that does not include cyber crime.
When the ACD legislation was first approved in January by the ruling Liberal Democratic party, the chair of the government’s policy research council Itsunori Onodera warned that “the lives of Japanese people will be put at risk if we do not upgrade our cyber security capabilities as soon as possible”.
The ACD does not permit surveillance of domestic communications, but it allows Tokyo to monitor IP addresses used in communications between foreign countries that pass through Japan, and between Japan and the rest of the world.
This provides a workaround to the constitution’s domestic privacy protections, while addressing the fact that the overwhelming majority of cyber attacks on Japanese entities originate from overseas, according to the government.
The law will also empower the police and Japan’s Self-Defense Forces to mount their own attacks to neutralise hostile actors’ servers, and will oblige Japanese operators of critical infrastructure to report cyber breaches to the authorities, which they have been reluctant to do in the past for fear of admitting vulnerability.
“The momentum to pass this law has been driven by a rapidly rising number of incidents and record number of attacks where critical infrastructure such as seaports, electricity networks, public transport and hospitals in Japan have been hit by attackers believed to be backed by hostile foreign governments,” said one senior government adviser who declined to be named.
A National Police Agency (NPA) report published in March showed record levels of certain types of cyber attacks, including ransomware and phishing. Government advisers told the Financial Times that other forms of attacks associated with state-sponsored actors were also at an all-time high.
In an unusually forthright disclosure in January, the NPA and National Centre of Incident Readiness and Strategy for Cybersecurity revealed a years-long, cyber-espionage campaign operating in Japan, which it called “MirrorFace” and said it suspected of being backed by China.
The agency said the campaign was aimed at “stealing information related to Japan’s national security and advanced technology”.
Passage of the ACD comes as Japan seeks to develop a homegrown ability to respond to digital attacks, having long relied on technology from countries such as the US and Israel, and to strengthen its defence posture amid rising geopolitical tensions in the region.
The Ministry of Economy, Trade and Industry warned this week that Japan faced an estimated shortfall of 110,000 qualified cyber security personnel, citing private sector research.
Toshio Nawa, chief technology officer of Nihon Cyber Defence and former head of security for Japan’s air defence command, said there was a “strategic imperative” for Japan to end its reliance on cyber tools built by other nations.
“Our laws, our threats and our cultural context are different and our cyber defences must be too,” he said.
