In the spring of 2025 Japan entered a new era in digital security with the passage of new active cyber defense legislation. A look at what it means for the government to try to get ahead of threats before they arise, rather than sticking to its previous passive, reactive approach.

Guerrilla Warfare in the Cyber Domain

On May 16, the Diet passed legislation enabling Japanese authorities to adopt “active” defense measures to preempt and prevent serious cyberattacks. The Active Cyber Defense Act will come into effect in 2026 and will structure Japan’s cyber defense strategy around four pillars:

  • Strengthened collaboration between the public and private sectors
  • Monitoring of communications data for threat detection
  • Counter-access to sources of cyber attacks and neutralization by authorities
  • Strengthened cyber security institutions

Japan’s cyber security approach up until now has been “passive” in that it relied on defense based on firewalls and antivirus measures confined to the networks of the parties targeted. This resembled “siege warfare,” where the authorities had to wait until they were attacked before responding with countermeasures.

Active defense, however, is more like “guerrilla warfare.” The successful conduct of such combat involves identifying the patterns of enemy attacks and understanding their movements, ambushing them at chokepoints where they are vulnerable, and disrupting their supply lines. Active cyber defense exploits enemy vulnerabilities to disrupt attackers’ operations and employs technical measures to increase the cost of their attacks, hopefully deterring them in the first place.

Centralized Coordination by the Government

Let’s take a closer look at the pillars of the new approach and how they will be implemented in practice.

To enhance public-private collaboration, operators of Japan’s critical infrastructure will now be legally required to inform the government when they suffer a cyberattack or when they introduce new, important IT systems to operate this infrastructure. To this end, a “Cyber Threat Information Sharing Council” will be established to strengthen cooperation on cyber incident response and regularize information and intelligence sharing between the government and the private sector. This new platform will also enable the government to better supervise critical infrastructure that could be targets of cyberattacks and promptly request operators to address zero-day vulnerabilities. By mandating private-sector reporting, the government will also gain a more comprehensive understanding of Japan’s cyber security situation at any given time for improved strategic planning.

In terms of “monitoring communications data for threat detection,” the new law legally empowers the government to collect domestic communications-related data to identify and analyze cyber threats. The focus will be on so-called “communication data” related to cyber incidents, such as IP addresses, character strings to execute commands, dates and times of transmissions, and communication logs that could be used to identify the type of malware used and the attack source. However, the government will not be able to collect and analyze the “substantive content” of personal and private communications of citizens. To this end, an independent cyber communications supervisory board will be established to monitor government operations and ensure respect for the secrecy of communication guaranteed by Article 21 of Japan’s Constitution.

The third pillar enables the police and Japan’s Self-Defense Forces to directly counter-access and neutralize computers and infrastructure used for cyberattacks and to remove malicious software. Legally, such actions will only be undertaken in a restricted range of situations when a rapid response is necessary to prevent or mitigate serious cyber incidents. Japan’s cyber authorities will be able to remotely track watermarked electronic files stolen by attackers and neutralize relay servers used by attackers. It will also be legally permissible for government agencies to counter-access and take down computers used by attackers. For example, Japanese authorities could launch a distributed denial of service attack against an imminent threat, flooding a server with a massive number of requests to overload and essentially prevent the server from functioning.

The above pillars represent an overall strengthening of Japan’s cyber defense institutions and allow Japanese authorities to proactively gather and centrally coordinate threat information related to advanced cyberattacks, including those perpetrated by state actors. This in turn will enable improved information exchange with allied and like-minded countries. When other countries make requests of Japan, such as to neutralize attacks by a state-sponsored actor or highly organized criminal organization, Japan will be better positioned to facilitate effective international cooperation.

Human Resources a Major Challenge

The biggest obstacle to implementing this active cyber defense approach is human resources. There is a shortage of cyber security experts, and current training for Japanese professionals is inadequate, especially as it applies to national security matters. Japan’s cyber security experts require greater knowledge of diplomacy, military affairs and intelligence to facilitate an “active” approach. A recent significant step forward in this vein was the introduction of national security clearances in May 2025. This clearance system allows government officials and private sector employees who have been vetted by higher-level authorities to access classified government information that could threaten Japan’s national security if leaked.

However, this is only the first step—it is essential to develop other institutional frameworks for training personnel. While it is difficult to precisely identify the extent of the shortage of cyber security personnel, a useful reference is a 2016 survey conducted by ISC2 (the International Information System Security Certification Consortium), a nonprofit organization that certifies professional cyber security qualifications. This survey predicted that Japan would face a shortage of approximately 170,000 cyber security personnel by 2024. Similarly, the Ministry of Economy, Trade, and Industry in 2020 also estimated that there was a shortage of approximately 190,000 people. Even the shortage of personnel needed for national security-related cyber security is estimated to be in the tens of thousands. As the new ACD legislation made its way through the Diet in May 2025, METI announced that it would double the number of registered information security specialists who possess advanced information security capabilities by 2030, raising their number to 50,000.

This human resource issue also has international dimensions. One government plan involves sharing with the private sector, subject to certain confidentiality restrictions, information on threats and undisclosed zero-day vulnerabilities obtained from foreign governments. Therefore, Japan’s critical infrastructure operators and companies operating in the cyber domain must also secure personnel capable of dealing with the national and international security implications of the new legislative and strategic regime.

The new legislation is only a starting point. Threats in cyberspace are evolving daily and transcend national borders. In the future, national security-focused cyber actors need to be prepared to continuously prevail in a 24/7 battle against cyber adversaries, including against state-based actors. This is the concept of “persistent engagement” promoted by the United States in its active defense strategy. Persistent engagement is characterized by maintaining continuous contact with adversaries while detecting cyberattacks in advance and blocking them in the adversary’s domain. Since the focus of defense is on disrupting the adversary’s operations, the defense side requires advanced technical capabilities and enhanced judgment and analytical capabilities.

Furthermore, comprehensive national security capabilities in the cyber domain will not only include being able to operate within cyberspace. To enhance Japan’s capabilities in this arena, the government must also be able to engage in information collection, intelligence analysis, diplomacy, and economic pressure beyond cyberspace. In particular, when attacks are perpetrated or enabled by state-sponsored actors, Japan must be willing to take decisive measures in collaboration with the international community. The introduction of active cyber defense represents a significant evolution in Japan’s cyber security strategy. It also marks the beginning of endless cyber warfare.

(Originally published in Japanese. Banner photo © Pixta.)