Cyberattacks May Now Face Preemptive Strikes Under Japan’s New Active Cyberdefense Law

In an unprecedented shift in its digital policy, Japan passed the Active Cyberdefense Law on May 16, 2025, granting its national cybersecurity authorities the legal right to launch preemptive cyber operations against foreign threats. This marks a clear departure from Japan’s traditionally defensive posture, which for decades had focused on monitoring and fortifying rather than deterring and striking.

The new law authorizes the government to track communications across IP protocols between domestic networks and foreign entities when suspicious activity is detected. It also mandates that operators of critical infrastructure, such as power, water, transportation, and telecommunications, report any breach or attempted breach immediately or face legal consequences.

The government justified the move by pointing to a rising wave of cyberattacks targeting Japan, particularly after the 2024 cyberattack on Osaka’s electric utility. That incident was later attributed to a state-sponsored hacking group, according to investigations by Japan’s National Center of Incident Readiness and Strategy for Cybersecurity (NISC).

Public concern over cybersecurity has grown beyond government institutions to individuals as well, especially following repeated attacks on public transit systems and banks. These incidents have sparked intense debate over Japan’s preparedness for a potential cyberwar.

What makes this law especially significant is that it doesn’t just enhance monitoring and reporting. It introduces the concept of proactive cyber response, allowing Japanese agencies to carry out offensive digital operations designed to neutralize threats or disable enemy infrastructure before an attack is launched. While this approach may be effective, it raises important legal and ethical questions about the acceptable boundaries of cyberwarfare and its alignment with global standards for privacy and digital sovereignty.

To understand the weight of this shift, it’s worth recalling the United States’ experience in 2021, when cybersecurity firm FireEye revealed it had been targeted in a sophisticated attack later tied to the SolarWinds espionage campaign. In response, the U.S. adopted a proactive cyber strategy, declaring that defense alone was no longer enough. Japan now appears to be following a similar path, albeit with a more restrained, distinctly Japanese approach.

Sources within Japan’s Ministry of Defense confirmed that the law was the result of months-long consultations with international allies, notably the United States and Germany. Legal mechanisms were also shaped in collaboration with advisors from the UK’s National Cyber Security Centre (NCSC).

Japan is expected to launch a new offensive cyber unit within its Self-Defense Forces later this year. This unit will be tasked with analyzing threats, identifying attack sources, and executing counter-operations beyond Japan’s borders when necessary.

The published text of the law clearly states that such cyber actions must serve “the security of Japan and its highest digital interests,” giving the legislation a strictly defined defensive scope.

In a recent interview, Takayuki Kawamoto, former technical advisor at Japan’s Ministry of Communications, stated: “Japan has always preferred digital silence. But the meaning of security has changed. We no longer live in a world where you wait for the first hit. You strike first, if you can.”

While many experts have welcomed the move, human rights organizations such as Privacy International and Access Now have voiced concerns that such powers could be misused for domestic surveillance, particularly without sufficient oversight. If extended to citizens inside Japan, the law could spark future legal challenges.

From a strategic standpoint, this move places Japan among the growing list of nations embracing active cyber deterrence, alongside the United States, Israel, and South Korea. It could shift the balance of digital power in Asia and position Japan as a more assertive player in a landscape where borders are no longer visible.

Ultimately, Japan’s new Active Cyberdefense Law is more than legislation. It is a declaration of presence in a world increasingly shaped by code instead of bullets. It’s an invisible war, but its consequences are real. And those without the tools to fight it may be the first to fall.