On May 16th, 2025, the Japanese Parliament enacted a landmark piece of cybersecurity legislation: the Japan Active Cyberdefense Law. It was a historic moment for the country's digital defense, empowering law enforcement and military agencies to conduct pre-emptive cyber operations before they materialize.
However, the law doesn't just affect Japan's internal security posture; it reflects a global trend of nations and organizations reshaping their cyber defense strategies to keep pace with increasingly sophisticated, state-sponsored cybercrime. Let's explore it in a little more depth.
The Context: Why Japan Enacted This Law Now
The Active Cyberdefense law comes in the wake of several major attacks on both Japan's public and private sectors. In 2020, for example, Chinese state-sponsored hackers reportedly compromised Japan's defense networks in a major incident a former US military official described as "shockingly bad."
However, this law is also a source of national pride. In 2022, Japan suffered "Blair Shock," when the then-US Director of National Intelligence, Dennis C. Blair, publicly criticized Japan's digital defenses. In fact, it may be more accurate to view the Active Cyberdefense Law as a reaction to this criticism than to actual cybersecurity incidents; this perhaps explains why the law grants such wide-ranging offensive powers to Japan's military and police.
Inside the Japan Active Cyberdefense Law
So, what's actually in the law? It authorizes government agencies to:
- Monitor foreign internet traffic that transits through or originates in Japan.
- Conductive pre-emptive countermeasures, including neutralizing attacker infrastructure abroad.
- Launch joint cyber operations between the Self-Defense Forces (SDF) and police agencies.
- Mandate businesses to report cyberattacks and newly deployed communication devices.
Notably, the law draws a line at domestic surveillance – a provision that would likely have proved enormously unpopular. Private communications like emails or messages remain off-limits, with agencies limited to analyzing technical metadata such as IP addresses, attack commands, and traffic flow. Moreover, all pre-emptive cyber operations must be pre-approved by an independent oversight body to address privacy concerns and uphold constitutional protections.
The Active Cyberdefense Law and International Cybersecurity Policy
When we zoom out, we see that Japan's Active Cyberdefense Law doesn't exist in a vacuum. In fact, it mirrors broader shifts in international cybersecurity policy. Countries like the US, UK, Israel, and Australia have all adopted cybersecurity legislation that enables more aggressive, real-time responses to digital threats. Cyber strategies are increasingly shifting to proactive measures that prioritize resilience, speed, and deterrence, not just mopping up after a breach.
However, Japan's law stands out for its deliberate attempt to balance offensive capability with civil liberties. Built-in guardrails, such as prior judicial oversight and an explicit exemption for the content of private communications, are, arguably, proof that fundamental rights can exist alongside assertive cyber defense strategies.
As such, the potential ramifications of the Active Cyber Defense Law are enormous. For countries seeking to bolster cyber resilience while maintaining public trust, the law could act as not just a model but proof that it can be done.
What it Means for the Private Sector
Of course, the law will have impacts on the private sector, primarily related to private-public collaboration. For example, critical infrastructure operators and other organizations will need to:
- Report cyber incidents and device deployments to national authorities.
- Align their defenses with government-led intelligence and response strategies.
- Anticipate increased scrutiny of communications infrastructure, particularly those with international exposure.
The law will likely introduce new technical challenges for companies doing business in or routing traffic through Japan's networks. However, it also offers an opportunity to engage in a more unified, national approach to cyber defense.
Key Takeaways from the Active Cyberdefense Law
As noted, the implications of Japan's new law extend far beyond its borders. It is a legal recognition that cyber threats have matured faster than the frameworks designed to stop them, and likely always will. For other governments – or any organization, for that matter - the Active Cyberdefense Law offers three valuable lessons:
- Timing Matters: Don't legislate or introduce policies after a crisis; do so in response to escalating threats. This approach can make the difference between resilience and regret.
- Checks and Balances Build Trust: Independent oversight makes offensive cybersecurity more publicly acceptable.
- Public-Private Alignment is Essential: Information sharing and unified threat response must be hardwired into legislation and policy, not left to ad-hoc arrangements.
What Comes Next
That said, Japan's work is only just beginning. To implement the law, the country must build operational capacity within law enforcement and military cyber units, develop clear rules of engagement for pre-emptive cyber operations, and work to deepen ties with international allies and private sector partners.
Want to learn how Fortra does offensive security with our Cobalt Strike & Outflank Security Tooling red team tools and Core Impact pen testing software?
Request a demo here.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor and do not necessarily reflect those of Fortra.
