Japan’s shifting perceptions of cybersecurity

Japan is adopting a more assertive cybersecurity posture, reflecting the broader transformation of its defense strategy.

Key takeaways:

In today’s interconnected world, warfare is no longer confined to traditional battlefields. States and non-state actors increasingly engage in hybrid warfare, blending conventional military tactics with non-military tools. At the heart of this approach lies cyber warfare, which targets government systems, financial institutions, and critical infrastructure.

As societies become more digitalized—from core government functions to everyday online services—cybersecurity has become a cornerstone of national resilience. Many countries have accordingly strengthened their defenses. Japan, however, has long lagged behind major Western nations in this area. In recent years, and particularly with the approval of the 2025 Active Cyber Defense Bill, Tokyo has begun taking decisive steps to close that gap.

Japan’s growing focus on cybersecurity

Japan has been steadily increasing its military spending in recent years. In 2022, then–Prime Minister Fumio Kishida announced plans to raise the defense budget to 2% of GDP by 2027. Since cybersecurity is now an integral part of modern military operations, this budget expansion also supports Japan’s cyber capabilities. Strengthening cybersecurity has long been central to Tokyo’s ambition to become a more trusted defense partner.

Japan’s early approach to cybersecurity was primarily focused on protecting the economy and infrastructure rather than addressing national security concerns. In the early 2000s, government policy emphasized the economic potential of digitalization and the Internet, while paying limited attention to emerging cyber risks. The First National Strategy on Information Security, released in 2006, reflected growing awareness of the need for international cooperation on cybersecurity but still did not frame cyber threats as matters of national defense.

This perception began to shift following a series of high-profile incidents between 2007 and 2011, including cyberattacks on Japanese corporations and government agencies—most notably the 2011 attack on Mitsubishi Heavy Industries. By 2012, cyberattacks had become severe enough for government officials to describe them as a matter of national crisis management. The following year, the National Security Strategy officially defined cyberspace as a new operational domain, marking a shift from viewing cybersecurity as a technical or economic concern to recognizing it as a core national security issue. Since 2014, Japan has consistently expanded its cybersecurity infrastructure, with related expenditures rising from 26.70 billion yen (around $247 million) in 2004 to 71.29 billion yen ($654 million) in 2019.

As part of broader digital transformation efforts, Japan introduced the My Number System in 2016. This 12-digit identification number assigned to residents facilitates online administrative procedures and serves as the cornerstone of the country’s digitalization drive. In September 2021, Japan established a Digital Agency, led by a Digital Minister, to accelerate these efforts. In June 2025, the government approved the Priority Plan for the Advancement of a Digital Society to further strengthen Japan’s digital transformation, underscoring both the benefits and vulnerabilities of a highly connected society.

Digitalization brings not only opportunities but also new risks, as databases and digital platforms become attractive targets for cyberattacks. In December 2022, Japan released three strategic documents outlining its security challenges and policy responses. The National Security Strategy identifies cybersecurity as a critical component of Japan’s defense, asserting that it “should be strengthened equal to or surpassing the level of leading Western countries.” It addresses not only cyberattacks targeting physical infrastructure but also the growing threat of misinformation, echoing the information warfare witnessed during Russia’s invasion of Ukraine. The National Defence Strategy outlines plans to enhance Japan’s intelligence capabilities to counter hybrid and information warfare by 2027, while the Defence Build-up Program calls for establishing a new system within the Defence Intelligence Headquarters to improve the JSDF’s response to information warfare and the creation of a Cyber School to train personnel. In May 2025, the government further announced plans to double the number of qualified cybersecurity professionals, aiming to reach 50,000 by 2030.

What’s behind the push?

Japan’s latest push to strengthen its cyber defenses was likely driven by two key events: the 2020 breach of its classified defense networks by China and Russia’s 2022 invasion of Ukraine.

Domestic calls for stronger action have since intensified. Major General Tanaka Tatsuhiro, former commanding general of the JSDF’s Signal School, has warned that the war in Ukraine should serve as a wake-up call. “If the cyber infrastructure is crushed, all activities will stop. We must defend the cyber infrastructure and the electricity that supports it,” he has emphasized. The 2022 National Security Strategy reflects this growing urgency, calling for “active cyber defense” and expanding Japan’s cyber defense unit more than fourfold to counter the growing cyber capabilities of China and North Korea.

Meanwhile, Mihoko Matsubara, chief cybersecurity strategist at NTT Corp, has noted a surge in ransomware incidents, warning that “it is becoming more challenging to protect our way of life and the critical infrastructure that supports both our daily activities and national security from disruptive cyberattacks in the digital era.” She added that “active cyber defense aims to minimize damage to national security caused by cyberattacks.”

The US-Japan alliance has also been a driving factor. In 2022, Dennis Blair, former US Director of National Intelligence, met with Japanese lawmakers and cautioned that Japan’s weak cyber defenses posed the greatest risk to the bilateral security alliance.

According to Japan’s National Center of Incident Readiness and Strategy for Cybersecurity, cyberattacks against the country have surged in recent years. In September 2022, for example, 23 ministry and agency websites were targeted by the Russian hacker group KillNet. The National Police Agency also detected around 7,700 cases per day of suspicious access attempts against Japanese entities in 2022, around 2.8 times more than in 2018.

The Ishiba Administration and the Active Cyber Defense Bill

Cybersecurity and artificial intelligence featured prominently in both the Liberal Democratic Party (LDP) and the opposition Constitutional Democratic Party of Japan’s platforms during the 2024 leadership race. In his first speech after winning the LDP leadership in October 2024, Ishiba Shigeru underscored cybersecurity as a core priority for his administration, stating: “Additionally, we will work to enhance cybersecurity, including through further accelerating our examination of possibly introducing active cyber defense strategies.” He reiterated this message in November 2024 during his first press conference as the Japanese prime minister, declaring: “Cyberattacks are an imminent threat. We will accelerate our efforts to formulate a bill to further enhance our response capabilities on the cybersecurity front so that we can submit it to the Diet as soon as possible.”

After being postponed in November 2024 due to time constraints, the Japanese government finally approved two landmark bills on “active” cyber defense in February 2025, which will take full effect between 2026 and 2027. This development marks a turning point for a nation long constrained by its pacifist constitution and political aversion to militarism. Article 9 of Japan’s Constitution prohibits offensive military capabilities. Although the Abe administration reinterpreted this framework under the concept of “proactive pacifism,” the JSDF remain bound by a strictly defensive mandate. Since cybersecurity is regarded as part of military operations, it has also been subject to these restrictions. The new active cyber defense bills aim to move Japan beyond this passive posture, enabling a more agile and preemptive response to digital threats while remaining within constitutional limits.

Notably, there has been little political resistance. Both the ruling coalition and opposition parties have acknowledged the urgent need for stronger cybersecurity measures. The active cyber defense legislation is designed to prevent damage caused by unauthorized access to critical computer systems that could endanger national security. Previously, Japan’s cybersecurity approach was reactive; authorities waited until attacks occurred before responding. The new framework allows for proactive monitoring and disruption of hostile cyber operations, acting as a deterrent.

The legislation establishes a comprehensive system requiring Japan’s critical infrastructure operators to report harmful incidents involving their networks to the government. It grants authorities the ability to obtain communication data through agreements with these operators (though the content of private communications remains protected) and to temporarily access international networks. An independent committee will oversee these processes, while analyzed data will be shared with national agencies, foreign governments, and technology vendors to prevent future incidents.

Overall, the new laws represent a significant shift in Japan’s cybersecurity posture. They reflect not only a greater willingness to confront escalating cyber threats but also an understanding that emerging domains, such as artificial intelligence and information warfare, demand proactive and adaptive defenses.

Expect continuity under Takaichi

It seems unlikely that the new Takaichi Sanae administration, which took office in October 2025, will reverse the progress made under Ishiba. On the contrary, Takaichi has long demonstrated a strong interest and active involvement in cybersecurity policy. Already in 2019, when she was the chair of LDP’s Headquarters for Cybersecurity Measures, she proposed the introduction of active cyber defense into Japanese legislaiton.

Takaichi has consistently emphasized the importance of cybersecurity and emerging technologies such as AI. Writing in Bunshun Online in 2023, she argued that Japan must keep pace with other nations and cited a cyberattack in Osaka as a reminder of the vulnerabilities threatening national security. Even during her 2024 campaign for LDP leadership, Takaichi highlighted cybersecurity as a national security priority, stating: “A country that cannot protect cyberspace cannot protect anything else.” She also urged greater investment in cultivating Japan’s human cyber resources.

Given her record, the Takaichi administration is expected to remain strongly committed to strengthening Japan’s cybersecurity capabilities. Despite the political turbulence surrounding her election, cybersecurity stands out as one of the few policy areas in Japan that enjoys broad, bipartisan support.

This work has received funding from the European Union’s Horizon Europe coordination and support action 101079069 — EUVIP — HORIZON-WIDERA-2021-ACCESS-03.