Japan goes on the offensive against cyberattacks
A new law overturns the old reactive cybersecurity response as Tokyo awakens to rising threats from state-backed actors and criminals
Japan’s new strategy against cyber attacks empowers the authorities to move from reactive responses to pre-emptive threat detection and disruption of hostile activities, says the writer.
In November 2018, Mr Yoshitaka Sakurada, then Japan’s minister for cybersecurity, blithely told Parliament: “I have never used a computer in my life.” The astonishment only deepened when he demonstrated that he was not even familiar with the concept of a USB drive.
At the time, the Japanese government’s lack of expertise in information technology was mainly viewed with amusement. Some social media users joked that at least the minister could not be hacked.
However, matters took a more serious turn in 2020 when it was revealed that Chinese hackers affiliated with the People’s Liberation Army had compromised Japan’s most sensitive defence networks. The hack was not detected by Japan’s cybersecurity experts. It was only identified thanks to the United States’ National Security Agency (NSA).
This security breach was judged so bad that General Paul Nakasone, the then head of the NSA and US Cyber Command, and Mr Matthew Pottinger, White House deputy national security adviser, rushed to Tokyo to impress upon the Japanese government the need to act urgently. Yet, Japan remained lethargic. As a result, Mr Dennis Blair, the former US director of national intelligence, warned Japanese lawmakers during a visit to Tokyo in April 2022 that Japan’s cybersecurity was the worst among US allies and that this was a serious liability in the US-Japan alliance.
Fast-forward to 2026 and the cybersecurity threats that Japan faces have only grown. The country still struggles to contain them, but that laid-back attitude is gone. It has, in fact, moved from reactive responses to cyberattacks to a policy of “active defence” that allows for pre-emptive threat detection and disruption of hostile activities.
A new cybersecurity strategy adopted in late 2025 also called for collaboration across multiple fronts: with like-minded partners, between the private and public sectors and joint efforts involving the police, the Defence Ministry and the Self-Defense Forces to neutralise attacks.
State-backed actors, hacktivists, and cybercriminals
The overhaul of Japan’s cybersecurity system had a number of drivers. One was the dangers posed by rapidly advancing technology, in particular artificial intelligence. Another was the scale of attacks from state-backed hackers. Aside from Chinese hackers, Japan must also contend with cyberattacks from Russia and North Korea.
This threat intensified after Moscow labelled Japan an “unfriendly country” in response to Tokyo’s opposition to Russia’s full-scale invasion of Ukraine in 2022. Japan must also contend with a North Korea that has been emboldened by its signing with Russia of a comprehensive strategic partnership, including a mutual defence clause, in June 2024.
The ongoing war in the Middle East provides a further reminder of what can be achieved by state-backed cyberactors. It has been reported that Israel hacked thousands of Iran’s street cameras to identify targets among the Iranian leadership for assassination. Previous attacks, including by Israel’s Unit 8200 cyber-ops team, have also involved snarling traffic by disrupting Tehran’s streetlights and blocking members of the Basij militia from being able to withdraw cash at ATMs, Israeli officials told the Washington Post.
A particular worry for Prime Minister Sanae Takaichi at a time of fraught ties with China is the so-called “patriotic hacktivists”. These individuals and groups are not formally affiliated with their governments, yet seek to further their countries’ interests by attacking perceived foes.
As if this were not enough, there are also financially motivated cybercriminals. The business model of these groups is to intrude into companies’ computer systems. Once they have access, they disable key functions and steal sensitive data. They threaten to devastate the companies’ operations and leak confidential information unless a ransom is paid.
One of the most prominent such attacks occurred in July 2023 when LockBit 3.0, a Russia-linked ransomware group, targeted Nagoya Port, disrupting operations for nearly three days and causing logistical problems for major companies, including Toyota.
Another major ransomware attack took place in September 2025 against Asahi Group Holdings, one of Japan’s largest brewers. That time, Qilin, a different Russia-linked cybercrime group, claimed responsibility. To keep Japan’s thirsty drinkers supplied, Asahi had to revert to taking orders manually. Full recovery took months and contributed to a 26 per cent decline in profits for the first nine months of 2025.
The threat from Pyongyang comes in various forms, but it has gained notoriety for cryptocurrency theft and the “fake foreign engineer” scheme, whereby North Korean operatives disguise themselves as foreigners with the help of generative AI and land remote work at IT companies.
Japan awakens
Long viewed as passive in the face of such threats, Japan has belatedly responded with the landmark Active Cyber Defense (ACD) law. Although enacted in May 2025, implementation is phased, with key provisions only entering into force later in 2026.
The ACD law entails three fundamental changes.
First, the legislation mandates that operators of critical infrastructure in 15 different sectors, including energy, telecommunications and transportation, must notify the authorities about cyberattacks. This will give the government real-time visibility over the scale of cyberthreats.
This provision is particularly important because of what Mr Shigeru Kitamura, former national security adviser, describes as the longstanding “wall of silence” between government and industry. This refers to the tendency of many Japanese firms to conceal the details of cyberattacks to avoid reputational damage.
Second, the ACD law grants the government authority to intercept foreign internet traffic traversing domestic infrastructure. This has raised privacy concerns, yet the law explicitly excludes domestic communications. It also authorises access only to metadata, such as IP addresses and timestamps, and not to the substantive content of messages.
Third, the new legislation permits the Japanese authorities to pre-emptively infiltrate the computers of attackers, and, if a threat is identified, to neutralise the danger by taking down relevant servers. These “pro-active” cyberdefence operations will begin on Oct 1.
This is the most striking feature of the ACD law because the emphasis on pre-emptive attack sits awkwardly with Japan’s traditional emphasis on self-defence, in line with its pacifist Constitution of 1947.
Mr Kitamura argues that this major change is essential, telling Cybernews that “under previous regulations our hands were often tied until a crime had already taken place”. Thanks to the new law, “we will no longer be sitting ducks”.
Although this is certainly groundbreaking, no one should expect Japan to suddenly start large-scale offensive cyberoperations. Rather than complex action against a state actor such as North Korea, Japan’s first forays into pro-active cyberdefence are more likely to take the form of quiet monitoring of adversaries’ systems. At most, we can expect the limited use of distributed denial of service (DDoS) attacks against cybercriminals deemed to pose an imminent threat. Any cyberoperations to disable foreign infrastructure must also be approved by an independent oversight committee.
More to do
The law on Active Cyber Defense is a major step forward, but its provisions will only be valuable if Japan develops sufficient operational capacity to make use of them. This is primarily a question of talent.
As admitted to Reuters by former vice-defence minister Kazuhisa Shimada, “Japan as a whole lacks cybersecurity human resources”.
This problem is especially pronounced for the Japanese security agencies because, unlike the private sector, they can only employ Japanese nationals. Added to this, government salaries are lower than in the private sector. Skilled techies may also be put off by the rule-bound and hierarchical work environment of the Japanese bureaucracy.
The target is to raise the number of nationally certified cybersecurity experts to 50,000 by 2030 from about 24,000 in 2025.
Efforts are already under way to meet this goal, including by moving to raise pay and ease physical fitness requirements for cyber experts within the Self-Defense Forces. Further such efforts are needed.
Furthermore, success in combatting cyberthreats depends on close collaboration with like-minded countries and partners. Japan and NATO, for instance, share intelligence on malware and take part in cyber dialogues and exercises.
Another form of collaboration is in safeguarding critical supply chains and enhancing cybersecurity standards for smart devices. In March, Japan and Singapore signed a memorandum of cooperation to mutually recognise each other’s labelling scheme for IoT (internet of things) products.
However, many countries remain hesitant to share their most sensitive intelligence due to Japan’s poor reputation for information security. The Japanese government is often viewed as leaky. Moreover, since the 1980s, Japan has been labelled a “spy paradise” due to its fragmented and underfunded counterintelligence structures and absence of legal restrictions against espionage.
This is one reason why the Five Eyes, an intelligence-sharing pact comprising the United Kingdom, Canada, New Zealand, Australia, and the United States, has not been receptive to working more closely with Japan.
Addressing this problem is already a priority for Prime Minister Takaichi. On March 13, her Cabinet approved a Bill to upgrade the Cabinet Intelligence and Research Office to a more powerful National Intelligence Bureau. This Bill will be placed before Parliament during the current session that lasts until July 17.
Subsequent proposals include measures to introduce a foreign agent registration system and an explicit anti-espionage law. The Takaichi government also has ambitions to create a foreign intelligence service, a Japanese counterpart to Britain’s MI6 and the US’ CIA.
These reforms should alleviate partners’ concerns about information security and open the way to closer cybersecurity cooperation.
Yet, their passage is not guaranteed. The Takaichi government will need to work hard to explain the need for the changes and overcome public opposition to what some regard as government overreach.
Furthermore, Japan’s small and medium-sized enterprises, which make up the vast majority of its private sector, need pushing. A 2024 survey found that about 70 per cent of SMEs have yet to fully implement cybersecurity measures.
The Active Cyber Defense law helps end Japan’s reputation as a laughing stock when it comes to cybersecurity. But even when fully implemented, many more challenges await, not least in advances that have taken us from the basic USB drive to quantum computing’s encryption-breaking potential.
James D.J. Brown is a professor of political science at Temple University, Japan Campus.


