Japan’s Cybersecurity Crossroads

BY

Pacific Square

in

Inside the New Active Cyber Defense Law and What It Means for Global Security

On May 16, Japan’s Upper House passed a bill introducing an active cyber defense framework, authorizing the government to collect communications metadata and take measures to prevent cyberattacks. The new law—known as the Active Cyber Defense (ACD) Law—marks a significant shift in Japan’s cybersecurity approach, moving from a primarily defensive and reactive stance to one that allows for more proactive and preventive actions. It also signals Japan’s intention to play a more assertive role in shaping international cybersecurity standards.

For a country whose post-war constitution has long been interpreted as imposing strict limits on the use of military force, this law is nothing short of transformative. It reflects the growing consensus among Japanese policymakers that cyberattacks—especially state-sponsored ones—pose real, immediate, and asymmetric threats to Japan’s national interests.

As one of the world’s most technologically advanced societies, and as a key player in the Indo-Pacific strategic theater, Japan’s evolving cyber doctrine signals new expectations about deterrence, sovereignty, and international cooperation in the digital age.

From Reactive to Proactive: Why Japan Had to Change

Over the past decade, Japan has faced a steady increase in cyberattacks targeting critical infrastructure, government networks, and industrial secrets. Many of these attacks were traced to state-backed actors—primarily from China, North Korea, and Russia—though attribution has always remained diplomatically sensitive.

One watershed moment came in 2022, when a group known as “MirrorFace,” linked to Chinese state interests, launched cyber-espionage operations against Japanese defense firms, ministries, and research institutions. Another wake-up call occurred during the 2020 Tokyo Olympics, which were plagued by persistent hacking attempts against event organizers and government systems.

Despite the threats, Japan’s legal and operational framework for cyber defense remained constrained. Authorities could only act after an attack had occurred, and intelligence gathering was hindered by strict privacy protections and inter-agency silos.

The new law emerged from this crucible of escalating threats, technological urgency, and political resolve. It is designed to move Japan from a “cyber-victim” to a “cyber-actor” with both defensive and preemptive capabilities.

Still, the decision is not without its complexities. While there is broad recognition of the need for stronger cyber defenses, the move raises important legal and ethical questions—particularly in relation to Article 21 of Japan’s Constitution, which protects freedom of expression and the confidentiality of communications. Balancing these constitutional rights with national security objectives will be an ongoing challenge as the new framework is implemented.

Key Provisions of the Active Cyber Defense Law

Here’s what the ACD Law authorizes:

  1. Offensive Cyber Operations (with Constraints)
     For the first time, Japan’s law enforcement and Self-Defense Forces are authorized to preemptively disrupt foreign cyber operations. This could involve neutralizing or disabling malware command-and-control servers, and in certain cases, “hacking back” to destroy tools used against Japan.
  2. Metadata Surveillance at the Internet Border
     Government agencies—particularly the National Police Agency (NPA) and the Ministry of Defense—can monitor internet traffic flowing into and out of Japan. While content surveillance is prohibited (to protect free speech and privacy), metadata such as IP addresses, domain names, and access logs can be analyzed for threat indicators.
  3. Mandatory Reporting for Critical Infrastructure
     Operators of critical infrastructure—telecommunications, power grids, transportation systems, and finance—are now required to report cyber breaches. This overturns years of underreporting due to reputational fears.
  4. Creation of an Independent Oversight Board
     To prevent abuse of these powers, an independent supervisory body will monitor the use of cyber authorities. The board is tasked with ensuring proportionality, legality, and the protection of individual rights.
  5. Collaboration with Private Sector and Allies
     The law encourages public-private partnerships and cross-border cooperation, especially with key allies such as the United States, Australia, and members of the EU and NATO’s Cooperative Cyber Defence Centre of Excellence.

Constitutional Dilemma: Article 9 and Cyberspace

Japan’s post-war constitution—specifically Article 9—renounces war as a sovereign right and prohibits the maintenance of “war potential.” For decades, this has guided the country’s defense and foreign policy decisions, often making it cautious in responding to external threats.

Cyber operations, however, have muddied the waters.

Does preemptively disabling a foreign server used to launch ransomware qualify as an act of war? Is metadata collection from foreign networks an invasion of sovereignty? Can the government hack a hacker before a crime is committed?

These are the constitutional gray areas the ACD Law tiptoes around. Japanese officials have maintained that the law remains within constitutional bounds because:

  • It is narrowly tailored to cyber defense.
  • It targets “ongoing or imminent” threats, not general foreign networks.
  • It operates under strict oversight and with judicial and legislative accountability.

Nonetheless, while the ACD Law explicitly avoids content surveillance, some legal scholars and opposition politicians warn that the law opens the door to broader military capabilities, which could be exploited under a future administration with a more hawkish view. Its permission to analyze metadata still raises profound constitutional questions. Critics argue that metadata — particularly when collected and analyzed over time — can reveal intimate patterns of behavior, speech, association, and thought.

Why Metadata Matters

Civil liberties advocates contend that metadata, while not message content, can be just as revealing:

  • Who you contact

  • How often

  • When and for how long

  • Which websites you visit

In effect, it enables the construction of a person’s digital identity. In the eyes of privacy experts, such profiling — even with content off-limits — constitutes a violation of the “secrecy of communication” that Article 21 enshrines.

Strategic Context: Japan in a Fragmenting Cyber World

Japan’s move must be understood in the broader context of global cyber geopolitics.

  • The U.S. and U.K. have both declared that they reserve the right to conduct offensive cyber operations as part of their national security strategy.
  • China operates under the doctrine of “informationized warfare,” embedding cyber operations into every aspect of military planning.
  • Russia has blended cyber operations with disinformation and kinetic warfare, as seen in Ukraine.

By enacting the ACD Law, Japan signals it’s no longer willing to remain a passive observer in this increasingly contested domain.

It also aligns with Japan’s strategic ambitions under the “Free and Open Indo-Pacific” framework and its growing defense collaboration with partners like the U.S. Cyber Command and Five Eyes intelligence alliance.

Public Reaction and Policy Tensions

The Japanese public remains ambivalent.

A recent Asahi Shimbun poll found that while 62% of respondents supported stronger cyber defenses, only 37% were comfortable with preemptive hacking. Concerns over privacy, state overreach, and the potential for entanglement in foreign conflicts were repeatedly raised.

Within government, some ministries—particularly the Ministry of Internal Affairs and Communications—pushed back against aspects of the bill, warning about mission creep and erosion of civilian oversight. Business leaders, on the other hand, largely welcomed the law, seeing it as a necessary step to protect Japan’s innovation ecosystem from IP theft and cyber sabotage.

Risks and Global Implications

  1. Norm Fragmentation

The ACD Law adds to the growing fragmentation of global norms around cyberspace. While the United Nations Group of Governmental Experts (GGE) has tried to establish universal rules, national doctrines now diverge sharply—some emphasizing restraint, others pursuing dominance.

  1. Risk of Retaliation

Even narrowly targeted preemptive actions may be interpreted by adversaries as hostile acts. Japan could become a more visible target for retaliatory cyber strikes, disinformation campaigns, or geopolitical escalation.

  1. International Law and Attribution

Successfully executing offensive cyber operations requires high-confidence attribution—no easy feat in the obfuscated world of cyberspace. Acting on flawed intelligence could result in unintended consequences, including hitting civilian infrastructure or foreign neutral systems.

  1. Domestic Cyber Capacity Gaps

Despite its technological prowess, Japan faces a shortage of cybersecurity professionals. Scaling up operations under the new law will require significant investment in human capital, training, and cross-agency coordination.

Actionable Takeaways

  • Businesses should study best practices from countries with established proactive cyber defense systems to anticipate potential challenges.
  • Participating in international or domestic threat-sharing councils will provide an opportunity to stay ahead of emerging threats.
  • Companies should actively participate in public-private partnerships to share intelligence and enhance their own security capabilities.
  • Leveraging external expertise, such as from firms like Pacific Square, can fill gaps in knowledge and resources.

Japan’s Quiet Cyber Awakening

With the passage of the Active Cyber Defense Law, Japan has stepped fully into the cyber age—not just as a target, but as an active defender of its digital sovereignty.

It is a pragmatic response to years of unchecked threats and escalating geopolitical competition. But it is also a legal, ethical, and strategic gamble—one that must be constantly reviewed to ensure it remains both effective and consistent with Japan’s democratic values.

As Japan operationalizes this law between now and 2027, the world will be watching. The choices Japan makes could influence the next chapter of global cybersecurity—not only in how we defend ourselves, but also in how we define the rules of engagement in the invisible battles of the 21st century.

 

Stay Ahead with Pacific Square!

Learn more about how Pacific Square can help you expand globally with clarity, confidence, and strategic precision.

If you’re a policymaker, business leader, or investor navigating the post-globalization economy, stay tuned and 🔔 Subscribe for future analysis.

Please enable JavaScript in your browser to complete this form.