Japan’s recent “active cyberdefense” law signals a larger shift in its interpretation of the constitution, trading passivity for new privacy concerns.
On May 16, 2025, Japan enacted its new Active Cyberdefense law, allowing the government to infiltrate and defuse hostile servers before an attack can occur. This offensive approach stands in opposition to the traditional interpretations of Article 9 in Japan’s national constitution, which “renounce[s] war as a sovereign right of the nation and the threat or use of force as means of settling international disputes.” The article, preventing any war capacity from being maintained, has been a key part of Japan’s pacifist stance and has underlined the country’s past preference for defense over offense. Now, Japan seems to be moving away from this passivity in favor of preemptive positioning.
The law grants the government the authority to look into more than just potentially hostile servers. Metadata, including internet traffic, IP addresses involved in communication with foreign countries (via Japan), and IP addresses involved in communication between Japan and foreign countries, can be monitored and investigated. Still, the law does not permit the government to examine communications that are entirely domestic, and the content of the communications, like email texts, is still private and protected from surveillance - somewhat supporting Article 21 of the constitution, which prohibits “the secrecy of any means of communication be[ing] violated.”
Of course, metadata can still reveal a lot of information about one’s digital profile - like which websites are visited, who you contact, how frequently you communicate with them, and how long these communications last. Abuse of this data was a critical concern for the Constitutional Democratic Party of Japan, which pointed out that the information could be used for criminal investigations. In response, the Prime Minister, Shigeru Ishiba, assured all parties that “[u]se beyond the scope of cybersecurity purposes is not acceptable. The supervisory board will continue to inspect whether it is being used appropriately.”
Even with these offensive priorities, the Active Cyberdefense law still strengthens the titular cyber defense. Organizations in critical infrastructure sectors, like railway and electricity, are now obligated to inform the government of cyber breaches. This ruling is part of a larger global trend of countries requiring cyber incident reporting - Australia’s 2024 Cyber Security Bill, the European Union’s (EU) Cyber Resilience Act, and the United States’ (US) Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) all mandate some reporting with varying time constraints around important cyber incidents.
While the law is newly enacted, it had been in the works for a couple of years. Amendments enabling the government to start offensive cyber operations were first proposed in late 2022 with the aim of “open[ing] the door for Japan to retaliate in cyberspace and neutralize attackers,” while also “allow[ing] the government to defend private sector infrastructures, such as power grids and financial networks.”
Japan experienced an onslaught of cyber attacks in 2021 and 2022, with a remarkable uptick in ransomware, including a hack that forced Toyota to shut down its plants and factories. Chinese military hackers also infiltrated Japan’s classified defense networks in 2020. Since then, cyberattacks have continued to be a considerable problem, with a sizable number of attacks on the foreign and defense ministries, and the semiconductor industry, coming from MirrorFace (a persistent hacking group linked to the Chinese government). With this context, it’s not surprising that the Japanese government would attempt a more aggressive form of cyber defense in hopes of reaching “a level equal to major Western powers”.
Under the law, signs of a possible cyberattack will move Japan’s Self-Defense Forces, working with the police, to neutralize the threat. To ensure the government’s new abilities aren’t abused, the law also establishes an independent oversight board that monitors the law’s enforcement while protecting individual rights. In fact, officials who illegally use the collected information could face up to four years in prison or up to ¥2 million ($13,760) in fines. Lastly, the active cyberdefense law calls for collaboration with Japan’s allies (Australia, the EU, the US, and NATO’s Cooperative Cyber Defence Centre of Excellence).
While the new law won’t go into effect until 2027, Japanese officials are optimistic about Japan’s cybersecurity future. Japan’s chief cabinet secretary, Yoshimasa Hayashi, said the law will help them “identify and respond to cyber attacks more quickly and effectively”, pushing Tokyo to “equal or exceed” the cyber capabilities “of major European countries and the US.” Still, several opinion pieces show that the Japanese people may be a bit more skeptical about the privacy risks that come with the law. With luck, the punishment for federal data abuse or leaking will deter any misuse of metadata.