Tokyo Report

Japan Is Ready to Legalize ‘Active Cyber Defense’


The 2022 National Security Strategy called for an overhaul of Japan’s cybersecurity posture. This might be the year the legislation finally gets over the finish line.


On January 24, the Japanese government convened this year’s ordinary Diet session, which will run for 150 days, at least until June 22. The administration of Prime Minister Ishiba Shigeru is planning to submit 59 important bills during the ordinary session. Among those 59 bills, the Active Cyber Defense Legislation is one of the most significant, given its implications for the national security and defense of Japan. 

The Active Cyber Defense Legislation was presented by the Japanese government to executives of the Liberal Democratic Party (LDP) on January 16, and the LDP approved the draft legislation shortly afterwards. After the meeting, LDP Policy Research Council Chairman Onodera Itsunori commented, “The lives of Japanese people will be at risk if we do not improve our cybersecurity capabilities as soon as possible.” He pointed to recent cyberattacks on Japan Airlines, which occurred at the end of December.

The Ishiba government drafted the new legislation in order to fundamentally strengthen Japan’s cybersecurity capabilities. According to an outline released by the government, the legislation contains three main points: reinforcement of public-private cooperation, government utilization of information on communications services provided by domestic telecommunications providers, and implementation of measures to penetrate and neutralize an attacker’s server. 

Companies related to critical infrastructure in 15 fields (electricity, gas, oil, water, railways, trucking, ocean shipping, aviation, airports, telecommunications, broadcasting, postal services, finance, credit cards, and ports) will be obliged to report cyberattacks to the government as a form of public-private cooperation. The government will then advise them on how to limit the damage and prevent future incidents.

The government will also have the ability to monitor certain aspects of communications between Japan and foreign countries if a cyberattack is suspected. In an attempt to address privacy concerns, the legislation limits government monitoring to “what is known as mechanical information, such as internet protocol addresses and transmission and reception times,” The Japan Times reported. The actual content of the communication would be private.

Measures to penetrate and neutralize an attacker’s server would be conducted by police with approval by a third party. In case of a highly organized cyberattack, the prime minister shall order the Self-Defense Forces (SDF) to take measures for defense against the cyberattack. In addition, the legislation includes the reorganization of the National Center of Incident Readiness and Strategy for Cybersecurity (NISC).

As previously reported by Takahashi Kosuke in The Diplomat, however, Japan’s cybersecurity policy has been criticized as “lagging behind” domestically and externally. Former U.S. Director of National Intelligence Dennis C. Blair informed Tokyo in April 2022 that Japan’s cybersecurity had not caught up with the United States and its allies. Blair gave three recommendations to improve the situation: 1) appoint a Japanese counterpart to the White House’s national cyber director, 2) establish an organizational counterpart equivalent to the U.S. National Security Agency (NSA), Cyber Command, and Five Eyes, and 3) reorganize Japan’s NISC to be a cooperative partner for the U.S. Joint Cyber Defense Collaborative (JCDC).

In response to the domestic and external pressure and criticism – including the so-called “Blair shock” – the administration of Prime Minister Kishida Fumio included the introduction of active cyber defense in the 2022 National Security Strategy. The 2022 NSS stipulated: “Japan will introduce active cyber defense for eliminating in advance the possibility of serious cyberattacks that may cause national security concerns to the Government and critical infrastructures and for preventing the spread of damage in case of such attacks, even if they do not amount to an armed attack.” 

As reported by Thisanka Siripala in The Diplomat, the relevant legislation was scheduled to be submitted to the extraordinary Diet session last year. However, the Japanese government has not been able to enact the Active Cyber Defense Legislation for more than two years. Why has it taken so long for Tokyo to prepare the legislation?

There are three major reasons for the delay, as previously pointed out in The Diplomat. First, there has been fear that the active cyber defense system might violate Article 21 of the Japanese Constitution, which guarantees “secrecy of communications,” and the Telecommunications Business Law, by which the secrecy of communications is legally protected. 

Second, if the Japanese government is allowed to penetrate and neutralize an attacker’s server, such an act might be regarded as a violation of Japan’s Act on Prohibition of Unauthorized Computer Access that prohibits unauthorized access to systems. 

Third, although Japan can exercise the right to individual and collective self-defense in light of the Japanese Constitution and international law, it has been pointed out that “preemptive” defense measures based on the active cyber defense system might be incompatible with Japan’s principle of exclusively defense-oriented policy (senshu boei) based on Article 9 of the Japanese Constitution (also known as the “peace clause”). 

In public discussions of the law, Mainichi Shimbun argued in an editorial that the Japanese government must not violate the individual rights of the Japanese people under the name of so-called “public welfare.” Similarly, an Asahi Shimbun editorial emphasized that the right to privacy should not be a “bargaining chip” in the deliberation of the legislation.

Does this mean that it would be difficult for the Ishiba administration to enact the legislation during this ordinary session? Since the Ishiba government is a minority ruling coalition, the cooperation of opposition parties is essential for passing any legislation, and it does not seem to be difficult for Ishiba to gain support from the opposition. Despite some criticisms, the bill has solid public support.

According to an opinion poll reported by Nikkei Shimbun on July 1 last year, 65 percent of respondents supported the necessity of the Active Cyber Defense Legislation, while only 10 percent opposed the legislation. Looking at party affiliation, 70 percent of LDP supporters and 68 percent of Constitutional Democratic Party (Japan’s largest opposition party) supporters favored the enactment of the legislation. 

Notably, not only the CDP but also other major opposition parties, such as the Democratic Party for the People (DPFP) and Nippon Ishin no Kai (Japan Innovation Party), are supportive of introducing the active cyber defense system. Tamaki Yuichiro of the DPFP demanded in November 2024 that the Ishiba government introduce the active cyber defense system within the year 2024. Likewise, Baba Yoshihisa of Nippon Ishin expressed his view in November 2024 that the introduction of the active cyber defense system is “absolutely necessary” for Japan. 

Not surprisingly, however, the Japanese Communist Party expressed its opposition to the active cyber defense system, calling the idea “extremely dangerous” because such a measure might lead to a “preemptive” attack by the Japanese government. 

Given the power balance of the current Diet, support from opposition parties is a must for the enactment of the Active Cyber Defense Legislation, but it seems that the enactment process could be relatively smooth given the rhetorical support offered by the major opposition parties at this stage.

The most important thing for the Ishiba government in enacting the Active Cyber Defense Legislation is to provide sufficient explanation of the necessity of the legislation to the Japanese people during the deliberation process at the Diet. According to a survey by the Kioicho Strategy Institute reported on December 14, 2024, 30 percent of respondents answered that they had never heard of “active cyber defense” at all, and 44 percent responded that they had heard of it but did not know the details. The survey indicated that most Japanese people do not have proper knowledge of the active cyber defense system. Accordingly, meticulous explanations and deliberations are necessary in the enactment process of the legislation at the Diet. 

At the same time, however, the Ishiba administration is expected to finalize the enactment process as swiftly as possible to improve cybersecurity capabilities as part of Japan’s national security strategy. Furthermore, now that Tokyo and Washington are ready to begin collaborative research on cyberattacks that exploit artificial intelligence (AI), the enactment of this legislation is imperative for the enhancement of the Japan-U.S. alliance system.
