On May 16, Japan’s parliament passed a landmark law. This new legislation will let Japan switch to an “active” cyber defense strategy starting in 2026. This is a huge change from Japan’s old “passive” approach.

For years, Japan’s cyber defense was like “siege warfare.” It meant waiting behind firewalls for an attack to happen before a response could be mounted. But with threats from state-sponsored hackers and organized crime on the rise, this approach isn’t enough anymore. The new strategy is more like “guerrilla warfare” — it’s about proactively finding and neutralizing threats before they can do any real damage.

What the New Law Will Do

This legislation focuses on four main pillars to make Japan’s cyber defense stronger:

Public and Private Sectors Will Work Together

Operators of Japan’s most important systems—like power grids and financial networks—must now legally report any cyberattacks to the government. A new “Cyber Threat Information Sharing Council” will be created. This will help the government and private companies share information and respond to threats faster. It will also give the government a better view of Japan’s overall cyber security landscape.

Authorities Can Monitor Communications Data

The new law gives the government the power to collect communications-related data like IP addresses and command strings to track down threats. But don’t worry, a special supervisory board will be set up to make sure no one is spying on the personal, private conversations of citizens. The “substantive content” of communications is off-limits.

Taking the Fight to the Enemy

This is the most significant change. The police and Self-Defense Forces can now directly access and neutralize computers and infrastructure used for cyberattacks. This could involve launching a DDoS (distributed denial of service) attack against a threat or disabling a malicious server. These actions will only be taken in serious situations that require an immediate response.

Upgrading Japan’s Defense Institutions

Overall, the law strengthens Japan’s cyber defense institutions. This will help Japan’s authorities gather and coordinate threat information more effectively, especially against state actors. It also makes it easier for Japan to work with its international allies to take down threats that cross borders.

The Biggest Challenge: Finding Enough People

While the new law is a great first step, Japan faces a major hurdle: a shortage of cyber security experts. The country needs people with skills in diplomacy, military affairs, and intelligence to make this “active” approach work.

A 2020 survey by the Ministry of Economy, Trade, and Industry (METI) estimated a shortage of about 190,000 cyber security professionals. To help close this gap, METI announced a plan to double the number of registered information security specialists by 2030. This issue also impacts international cooperation, as Japan needs skilled personnel to handle classified information shared by foreign governments.

Looking Ahead

This legislation is just the beginning. The threats in cyberspace are always changing. The new law is an important step towards a more robust and proactive cyber defense. It also signals Japan’s commitment to what the US calls “persistent engagement” — a strategy of continuously engaging with adversaries to disrupt their operations and block attacks before they happen. Japan is ready to begin this new, endless cyber warfare.

This blog post is inspired by content originally published on nippon.