Japan Goes on Offense With New 'Active Cyber Defense' Bill

The Japanese government is on a mission to catch up to US national cybersecurity preparedness standards and has just passed bold legislation aimed at bolstering the country's cyber-response capabilities.

Together, the two articles of legislation constitute what's referred to as the Active Cyber Defense Bill, which enables the Japanese government to take more aggressive measures to stop cyberattacks before they can cause widespread damage.

After some delays in 2024, the bill was finally presented to, and approved by, the country's leading Liberal Democratic Party (LDP) last month. On Feb. 7, it was approved by the Cabinet (which consists of the prime minister and up to 19 other ministers), and was in turn submitted to the National Diet, Japan's parliament.

The passage of the law follows a warning in January from Japan's national police that Chinese state-backed threat actor MirrorFace has been committing wide-scale cyber espionage since 2019 in an effort to steal Japan's national security secrets.

"The country is grappling with a mix of state-sponsored attacks, particularly from neighboring nations, and criminal activity targeting its advanced industrial base," Bugcrowd founder Casey Ellis explains. "Ransomware, supply chain attacks, and IP espionage (e.g., MirrorFace) are all high on the list, as are concerns around prepositioning attacks against critical infrastructure and the defense industry. Its move toward legalizing 'active cyber defense' is a bold step and, to me, is a reflection of the country's delicate geopolitical and geographic position."

Japan Faces Cyber-Defense Hard Truths

The overhaul of Japan's cyber-readiness efforts dates back to April 2022 and is a wake-up call delivered to the country's leadership by former US Director of National Intelligence Dennis C. Blair. He was sharply critical of the country's cybersecurity efforts, and this distressed Japanese lawmakers so much that his message left them in what is now known as "Blair Shock."

Blair told Tokyo's government a hard truth: that its cybersecurity preparedness just wasn't up to the standard of its allies in North America and Europe. To amend that, he suggested the government establish new positions and agencies equivalent to those in the US, such as the US Cyber Command and the executive position of National Cyber Director.

Then-Prime Minister Fumio Kishida's administration took the criticism to heart. As soon as it had the opportunity that December, it released a new National Security Strategy with new goals for improving cybersecurity response capabilities. Most notably, the government introduced what it called "active" cyber defense, "for eliminating in advance the possibility of serious cyberattacks that may cause national security concerns to the Government and critical infrastructures and for preventing the spread of damage in case of such attacks, even if they do not amount to an armed attack." In short: identifying the source of a cyberattack early, and defeating it before it can cause serious harm.

In case that sounds a bit like government overreach, lawmakers have since clarified how exactly its active cyber defense will work.

Roughly speaking, the first half of the Active Cyber Defense Bill defines the more passive changes Japan will implement in its national cyber posture.

Among other things, the bill establishes a cybersecurity council and a committee overseeing information gathering and analysis. It requires that critical infrastructure providers report cybersecurity incidents and imbues the prime minister's office with new power to collect certain relevant information through telecommunications providers. It also lays out restrictions on how the government can use that collected data and what sensitive information must be filtered out.

The second piece of legislation introduces more active measures for ensuring Japan's cyber defense.

The military will enjoy new powers to actively protect both its systems and certain systems associated with the US military presence in its borders. And, notably, law enforcement will be hiring new "cyber harm prevention officers," whose job will be to proactively address major cyber threats by, for example, shutting down enemy servers during an incident. When time is short, the prevention officers may act even without explicit approval from relevant oversight bodies.

Ellis says that "the idea of 'vigilante hacking' is controversial but not without merit in specific, controlled scenarios. It signals a shift toward a more proactive stance, which is arguably overdue given the evolving threat landscape."