In January 2025, Japan’s National Police Agency alleged that Chinese hackers were stealing sensitive information related to security and advanced technology from Japanese government agencies, companies, and individuals. While not unprecedented, the campaign was highly organized, beginning in 2019, targeting over 200 victims and netting over 10,000 files. Japan was in the middle of an online conflict.
Last December, the country was hit with a wave of online attacks, with distributed denial of service (DDoS) attacks up 60% to an all-time high. Over the important New Year period, when many Japanese return to their hometowns, DDoS attacks disrupted services offered by some of the country’s biggest businesses, ranging from baggage checks at Japan Airlines, online banking at MUFG Bank, and system failures at mobile carrier NTT Docomo and lenders Resona Bank and Mizuho Bank. It was an unusually large, damaging attack.
In contrast to a conventional DDoS attack, in which hijacked devices shut down individual target servers by flooding them with data requests, the so-called “carpet-bomb” assaults were orchestrated attacks by command servers. They hit multiple servers and devices and were able to halt the operations of an entire business.
“The greatest threats to cybersecurity in Japan now are attacks on social infrastructure that causes it to stop functioning and requiring a long time for recovery,” said Toshinori Kajiura, president of the Japan Cybersecurity Innovation Committee, a thinktank focused on establishing a secure, safe digital society.
“Largely the threats to Japan are similar to threats to the U.S.: state-sponsored cyber operations from China, Russia, and North Korea, and then various cybercrime groups,” said Benjamin Bartlett, an assistant professor of political science at Miami University in Ohio who specializes in cybersecurity. “One scenario that the government is concerned about is cyberattacks by China against critical infrastructure in the case of any conflict over Taiwan, which would obviously pose quite a challenge to Japan, though fortunately it is a relatively low-probability (although not no-probability) scenario.”
It wasn’t easy to respond to the recent spate of carpet-bomb attacks with conventional countermeasures, so experts in Japan have called for “active cyber defense” to fight back. That requires changes to Japanese cybersecurity laws formulated years ago.
Before Japan’s legislature passed an active cyber defense (ACD) bill in May, Dai Mochinaga, a professor in the College of Systems Engineering and Science at Shibaura Institute of Technology, testified in support of the new legislation at a House of Councillors committee. He noted that long-term campaigns, such as an assault on U.S. systems by Volt Typhoon (allegedly affiliated with China), are an example of recent attacks. The campaign lasted more than five years; it took the U.S. more than two years to detect and respond.
Mochinaga warned that attackers are mounting campaigns that are longer and more sophisticated, while defenders struggle to deal with compromised computers that can be used to launch more attacks against targets in other countries. The ACD bill does not elaborate on all the details of the new security posture, but it allows the central government, through the Japanese police and Self-Defense Forces, to monitor and analyze Internet communications within or outside Japan and then infiltrate and neutralize servers used for attacks. The government is to establish an expert panel to finalize a basic policy on active cyber defense based on the legislation by the end of the year.
This law sets Japan in a more proactive stance, one that’s more in line with international standards. It also mirrors Japan’s increased spending on military defense amid perceived threats from China and North Korea, with the government aiming to spend the equivalent of 2% of gross domestic product by fiscal 2027.
Japan’s federal government has said that the content of suspicious communications, such as email messages, would not be part of the program, and an independent body would monitor government operations, but the bill remains controversial in Japan, where the 1947 Constitution guarantees secrecy of communication. Opposition parties said the law could be used to gather evidence in criminal investigations; the parties that supported it even added a resolution demanding it be limited to cyber-defense purposes.
“The Japanese government’s approach was previously limited to defending government systems. The new legislation includes the protection of critical infrastructure under government-led operations,” explained Mochinaga. “Japan’s ACD concept enables proactive actions based on threat intelligence and behavioral analysis. It aims to prevent serious harm from cyberattacks while maintaining public order. The scope of countermeasures includes network-based interventions without physical damage or functional loss to target systems.”
Japan’s ACD is expected to come into effect in stages between 2026 and 2027. One of the first steps was the establishment in July of a National Cybersecurity Office to expand and replace the National Center for Incident Readiness and Strategy for Cybersecurity (NISC), established in 2015. In a sign of the increased importance being placed on cyber defense, the head of the Cybersecurity Strategy Headquarters, under which NISC operated, was upgraded from reporting to the chief cabinet secretary to reporting directly to the prime minister.
The ACD strategy faces several challenges. One is a lack of skilled cybersecurity workers in Japan. An industry-ministry expert panel in May said that Japan needs 50,000 cybersecurity experts by 2030, specifically individuals certified as Registered Information Security Specialists under a national license created in 2016; only 24,000 people have the certification now. A report by the International Information System Security Certification Consortium (ISC2) said Japan is facing a cybersecurity expert shortage of about 110,000 people. Low salaries and underinvestment in science and technology education and research are part of this problem.
“Society-wide awareness of cyber risks and improved security literacy is one of the major problems Japan faces,” said Kajiura. “Many people still believe that cybersecurity is something only experts can do, and ordinary citizens do not believe that if they own a smartphone, they are already at cyber-risk and that there is something they need to do.”
Other issues include lack of a common understanding of cybersecurity measures among government ministries and agencies, and a lack of clear procedures for detecting cyber threats, planning responses, and evaluating outcomes, according to Mochinaga. Still, he’s sanguine about the new policy. “The Japanese government will be able to carry out operations with enhanced capability to prevent serious damage before the attack materializes,” he said.
“What the private sector is hoping is that critical infrastructure operators will be able to reduce damage by having access to information that the government has that will contribute to cyber defense, but it is unclear what kind of information will be provided specifically, and how it will be useful,” said Kajiura.
For his part, Bartlett sees Japan’s cybersecurity under the Ministry of Defense and police as becoming “more national security-oriented, whereas it had been focused more on economic security.” He said that although details are still being worked out, he’s uncertain about the overall effectiveness of the new strategy: “Whether all of this will lead to better outcomes in terms of reducing the risk of cyber incidents in Japan is harder to say.”
Tim Hornyak is a Canadian journalist based in Tokyo, Japan, who writes extensively about technology, science, culture, and business in Japan.
Join the Discussion (0)
Become a Member or Sign In to Post a Comment