Japan Goes on Offense With New 'Active Cyber Defense' Bill

The Japanese government is on a mission to catch up to US national cybersecurity preparedness standards and has just passed bold legislation aimed at bolstering the country's cyber-response capabilities.
Together, the two articles of legislation constitute what's referred to as the Active Cyber Defense Bill, which enables the Japanese government to take more aggressive measures to stop cyberattacks before they can cause widespread damage.
After some delays in 2024, the bill was finally presented to, and approved by, the country's leading Liberal Democratic Party (LDP) last month. On Feb. 7, it was approved by the Cabinet (which consists of the prime minister and up to 19 other ministers), and was in turn submitted to the National Diet, Japan's parliament.
The passage of the law follows a warning in January from Japan's national police that Chinese state-backed threat actor MirrorFace has been committing wide-scale cyber espionage since 2019 in an effort to steal Japan's national security secrets.
"The country is grappling with a mix of state-sponsored attacks, particularly from neighboring nations, and criminal activity targeting its advanced industrial base," Bugcrowd founder Casey Ellis explains. "Ransomware, supply chain attacks, and IP espionage (e.g., MirrorFace) are all high on the list, as are concerns around prepositioning attacks against critical infrastructure and the defense industry. Its move toward legalizing 'active cyber defense' is a bold step and, to me, is a reflection of the country's delicate geopolitical and geographic position."
Japan Faces Cyber-Defense Hard Truths
The overhaul of Japan's cyber-readiness efforts dates back to April 2022, to a wake-up call delivered to the country's leadership by former US Director of National Intelligence Dennis C. Blair. He was sharply critical of the country's cybersecurity efforts, and his message distressed Japanese lawmakers so much that it left them in what is now known as "Blair Shock."
Blair told Tokyo's government a hard truth: that its cybersecurity preparedness just wasn't up to the standard of its allies in North America and Europe. To remedy that, he suggested the government establish new positions and agencies equivalent to those in the US, such as the US Cyber Command and the executive position of National Cyber Director.
Then-Prime Minister Fumio Kishida's administration took the criticism to heart. As soon as it had the opportunity that December, it released a new National Security Strategy with new goals for improving cybersecurity response capabilities. Most notably, the government introduced what it called "active" cyber defense, "for eliminating in advance the possibility of serious cyberattacks that may cause national security concerns to the Government and critical infrastructures and for preventing the spread of damage in case of such attacks, even if they do not amount to an armed attack." In short: identifying the source of a cyberattack early, and defeating it before it can cause serious harm.
In case that sounds a bit like government overreach, lawmakers have since clarified how exactly active cyber defense will work.
Roughly speaking, the first half of the Active Cyber Defense Bill defines the more passive changes Japan will implement in its national cyber posture.
Among other things, the bill establishes a cybersecurity council and a committee overseeing information gathering and analysis. It requires that critical infrastructure providers report cybersecurity incidents and imbues the prime minister's office with new power to collect certain relevant information through telecommunications providers. It also lays out restrictions on how the government can use that collected data and what sensitive information must be filtered out.
The second piece of legislation introduces more active measures for ensuring Japan's cyber defense.
The military will enjoy new powers to actively protect both its own systems and certain systems associated with the US military presence within Japan's borders. And, notably, law enforcement will be hiring new "cyber harm prevention officers," whose job will be to proactively address major cyber threats by, for example, shutting down enemy servers during an incident. When time is short, the prevention officers may act even without explicit approval from relevant oversight bodies.
Ellis says that "the idea of 'vigilante hacking' is controversial but not without merit in specific, controlled scenarios. It signals a shift toward a more proactive stance, which is arguably overdue given the evolving threat landscape."