Japan to amend laws to allow for offensive cyber operations against foreign hackers
The Japanese government is planning to introduce new laws that will allow it to engage in offensive cyber operations for the purposes of defending itself.
The Nikkei reported that the government will make “legislative changes so it can begin monitoring potential attackers and hack their systems as soon as signs of a potential risk are established.”
Documents seen by the newspaper state that Japan will strengthen its cyber defense “to a level equal to major Western powers” and include measures for “active cyber defense” allowing the authorities to intervene before damage is caused, even when there is no use of traditional force against the country.
The move marks a significant change in Japan’s approach to cyber defense, which has previously tracked closely to the country’s Article 9 constitutional commitment — as introduced in the wake of WWII — which established the country’s pacifist approach to international conflict.
Article 9 of the Japanese Constitution has been reinterpreted in recent years to provide Japan’s Self-Defence Forces with the right to provide material support to allies, under the justification that failing to do so could endanger Japan.
The late Prime Minister Shinzo Abe, who talked about wanting to “break away” from the post-war regime in Japan, had proposed holding a referendum on Article 9 but retired from office for health reasons before the topic was put to the public.
His government’s reinterpretation was welcomed by regional partners, including Australia, Vietnam and Indonesia, as well as the United States. China and South Korea, both of which were occupied by Japanese forces during WWII, expressed some concern.
The new proposed laws regarding cyber conflict would seem to complement the Abe government’s reinterpretation of Article 9, allowing for a greater degree of international cooperation and defense.
Under the existing legal regime in Japan, such offensive cyber operations could only take place after Japan declares a military emergency and formally deploys its Self-Defence Forces.
Nikkei reported that the revised legal framework was part of a slew of proposed revisions to Japan's National Security Strategy, established in 2013, and are likely to be approved by the cabinet before the end of the month.
“The changes will allow the government to defend private-sector infrastructures, such as power grids and financial networks. It also has potential to open the door for Japan to retaliate in cyberspace and neutralize attackers,” it reported.
Earlier this year, Japan alongside the United States, Australia, and India announced the creation of the 'Quad' partnership that would see the Indo-Pacific's most influential democracies work together on several cybersecurity initiatives centered around fortifying software, supply chains and user data.
Each country has faced significant threats from China-based cyber operations, with Australia and Japan joining with the U.S. in accusing the Ministry of State Security of being behind the global exploitation of Microsoft Exchange servers.
The move also follows Japan formally joining NATO’s Cooperative Cyber Defence Centre of Excellence (CCDCOE) in November, which has for many years focused on interpreting how international law applies to cyber operations.
Speaking to The Record at the time, Jiro Minier, an East Asian cybersecurity policy analyst, said the move reflected “an intersection of two increasingly important considerations in Japanese security thinking; the criticality of diverse international partnerships in a difficult geopolitical environment, and the need to afford cybersecurity the security policy relevance it is due.”