Active Cyber Defense - background and timeline

TL;DR

On May 16th, 2025, a bill to introduce "Active Cyber Defense (ACD)" was passed by the plenary session of the House of Councilors of Japan, and the bill was enacted. The Japanese government plans to begin operating the system in 2027. ACD is the act of taking preemptive cyber-security measures before a cyber attack occurs, to prevent exploits against critical national infrastructure. However, fully "preemptive" measures are not allowed; ACD still operates in the context of a counterattack.

 

Introduction:

In previous TWIS articles, I have discussed the “Active Cyber Defense (ACD)” that is going to be introduced in Japan, because I believe that ACD will be so influential that it will change the tide in the national security posture of Japan. In this article, I will summarize the timeline and provide some background.

 

Background:

ACD takes its name from the military term "Active Defense (AD)", applied to cybersecurity. AD is a concept that enables preventive attacks for defensive purposes.

Under the current interpretation of the Japanese Constitution, the Japanese Self-Defense Force (SDF), which is the equivalent of armed forces (but not legally a military force), is allowed to use weapons to fight back only when the military or Japanese civilians are attacked by the enemy. So, the SDF is not unconditionally allowed to use AD as a preventive attack. For example, the SDF has all the weapons it needs to protect Japanese land and water, but it cannot bomb a location outside Japan, even if that location is being used to attack.

Cyber attacks were also considered to be subject to this criterion. So far, hackers/bots have been dealt with only once it was confirmed that they had entered the government’s internal network. This was reportedly a major impediment to investigating the source of a cyber attack, and preventative measures could not be taken effectively.

However, many have argued that such restrictions make effective defense in cyberspace difficult and that a more proactive defense posture is required. In particular, cyber attacks are now being directed at infrastructure and private companies, and the calls for ACD have grown louder.

Given this context, the Japanese government's promotion of ACD as an "instance" of AD, albeit limited to cyber attacks, is a major turning point in national security policy within the last few decades. However, ACD does not have all the features of AD, and does not always allow preventive attacks. Concerns such as protecting privacy are also taken into account.

 

Timeline

Around 2022-2023, the term "Active Cyber Defense" often appeared in the news in Japan. The terminology was not settled and ACD was sometimes called "Offensive Cyber Operation (OCO)"; however, they've now decided to call it ACD.

On August 7th, 2023, the Washington Post reported that Chinese military hackers had intruded into the military network of the SDF and stolen sensitive data 3 years ago, and this scoop was very shocking to the Japanese Cabinet (and also to the Japanese intelligence community, I believe).

To address this, the Japanese Office set up an expert panel consisting of several experts to discuss the introduction of ACD. The cabinet also planned to re-organize the current National Center of Incident Readiness and Strategy for Cybersecurity (NISC) and establish a new command post organization to run ACD.

The cabinet prepared to submit the law’s amendments and other proposals to the ordinary parliamentary session in 2024.

On December 19th, 2024, the cabinet released the outline of the ACD bill. The main pillars of the bill are to strengthen the protection of key infrastructures such as electricity and railroads, and to establish a third-party organization to check the appropriateness of the collection of communications information. This release also revealed how private information would be protected. To be consistent with the “secrecy of communication” (Article 21 of the Japanese Constitution), which has been pointed out as an issue, the third-party organization will be defined as a highly independent “Article 3 Committee” based on Article 3 of the National Government Organization Law. The Committee will be responsible for inspecting whether the government is collecting information beyond the necessary limits and whether it is properly disposing of information that is no longer needed.

The bill is to amend related laws to give the police and the SDF the authority to take detoxification (maybe this means neutralization) measures. The Cabinet submitted the bill to the ordinary parliamentary session and expected that it would be accepted by the end of 2024. However, it was delayed and approved by the country’s main Liberal Democratic Party (LDP) in January 2025. It was on February 7th that the cabinet finally approved the bill, and it was sent to the Diet. After Diet approval, the next step is the House of Representatives, and the House of Councilors.

Japan's national police reported that the Chinese state-backed threat actor MirrorFace has been conducting wide-scale cyber espionage since 2019 to steal Japan's national security secrets. This report helped to get the bill passed. However, at the same time, challenges to implementing ACD were also discussed. While it is named “Active Defense”, the bill does not allow a 100% "preemptive" approach, meaning one where you can attack before the adversary does; it can only be activated after suffering an attack (the bill is still vague on this), and there are not enough personnel to do it nationwide.

On April 8th, 2025, a majority of the ruling and opposition parties in the plenary session of the House of Representatives passed the ACD bill and sent it to the House of Councilors after amendments were made, such as increasing parliamentary involvement.

On May 16th, 2025, the ACD bill was passed in the plenary session of the House of Councilors, and then the bill was finally enacted.

To execute ACD, the National Cyber Headquarters (NCH, or National Cyber Office) is going to be established on July 1st, 2025. As mentioned before, NISC will be re-organized as NCH. The ACD bill would also allow the Government to enter into agreements with operators of critical infrastructure and obtain communications information to monitor for cyber attack threats.

 

Published Jul 01, 2025
Version 1.0