Japan enacts new Active Cyberdefense Law allowing for offensive cyber operations

Japan on Friday enacted a new law that would permit the country’s authorities to preemptively engage with adversaries through offensive cyber operations to ensure threats are suppressed before they cause significant damage.

The new law, which was first mooted in 2022, is intended to help Japan strengthen its cyber defense “to a level equal to major Western powers” and marks a break from the country’s traditional approach to cyber defense, which had tracked closely to its Article 9 constitutional commitment to pacifism.

The new Active Cyberdefense Law mirrors recent reinterpretations of Article 9, providing Japan’s Self-Defence Forces with the right to provide material support to allies under the justification that failing to do so could endanger the whole of the country.

It explicitly allows law enforcement agencies to infiltrate and neutralize hostile servers before any malicious activity has taken place and to do so below the level of an armed attack against Japan, while the Self-Defence Forces will take responsibility for tackling particularly sophisticated incidents.

The new law is intended to enable Japan to “identify and respond to cyber attacks more quickly and effectively” according to Yoshimasa Hayashi, Japan’s chief cabinet secretary, who added on Friday that it would help Tokyo “equal or exceed” the cyber capabilities “of major European countries and the US.”

The law also provides the Japanese government with the power to analyze foreign internet traffic either entering the country or just transiting through it, although the government has stressed it will not be collecting or analyzing the contents of this traffic, as reported by Kyodo News.

Similar to many countries which provide statutory protections for citizens’ communications, Japan’s efforts to tackle cyberattacks have caused controversy over the potential infringement on Article 21 of the country’s constitution.

The new law will not allow the government to collect and analyze internet traffic generated domestically. The Japanese government has argued that most of the cyberattacks the country faces originate from international sources.

Japan is also to set up an independent oversight panel that will give prior authorization to all acts of data collection and analysis, as well as for offensive operations intended to target attackers’ servers.

The Financial Times reported that financially-motivated and state-sponsored attacks targeting the country were “at an all-time high,” according to a National Police Agency report and government advisers.

In 2023, it was reported that suspected Chinese hackers breached Japan’s cybersecurity agency and potentially accessed sensitive data stored on its networks for nine months before being discovered.

That followed a report by the Washington Post that the U.S. National Security Agency discovered Chinese military hackers had compromised Japan’s defense networks back in 2020, described as “one of the most damaging hacks” in Japan’s history.

Last week, the country’s financial regulator disclosed that $2 billion in unauthorized stock market trades over online trading platforms had been conducted by hackers.