Abstract

Japan has been developing its cyber defence strategy and capabilities in recent years, with renewed calls for a shift to an approach of ‘active cyber defense’, most notably in new Prime Minister Shigeru Ishiba’s first policy speech to parliament (Kaneko, 2024). Working towards achieving this shift, Japan has been investing in its domestic cyber capabilities, with emphasis on recruitment efforts, and strengthening its partnerships with like-minded countries. However, amidst current domestic political uncertainties, potential difficulties in enacting crucial legislative changes may slow down, or even halt, the transition to a more active cyber defence posture and strategy.

The Concept and Strategy of ‘Active Cyber Defense’

A shift towards the implementation of ACD, which was first outlined in the National Security Strategy of 2022, is likely to signify a notable shift in Japan’s cyber defence strategy. On one hand, ACD involves expanding the existing cyber-defence approach. This includes a broader scope of targets protected by the Ministry of Defense (MOD) and Japan Self-Defense Forces (JSDF) as these agencies are also expected to improve their ability in responding to cyber threats (Mochinaga, 2024). Additionally, other governmental agencies and private sector stakeholders are expected to play larger roles in protecting critical infrastructure from cyber threats (Mochinaga, 2024), signalling a stronger whole-of-government and whole-of-society approach to cyber defence. However, the more noteworthy aspect of the ACD lies in the proactivity it introduces to cyber defence operations, where the goal is to enable the pre-emptive neutralisation of adversaries to proactively prevent significant cyber attacks that could pose threats to national security (Japan Cabinet Decision, 2022).

Capability Development

In view of the resources needed for such a strategic shift, Japan has had to ramp up its defence spending on cyber capabilities. While the cyber-related allocation of its defence budget was 34.2 billion yen for Financial Year 2022 (FY2022) (Ministry of Defense of Japan, 2022b), the figure has increased to approximately 236 billion yen for FY2023 and 203 billion yen for FY2024, respectively (Ministry of Defense of Japan, 2024b).

Recognising the need to also develop its human resource capabilities, Japan has announced various plans to expand its pool of cyber-security personnel, particularly within its defence agencies and forces. In 2022, alongside the introduction of the ACD concept, defence policy documents, such as the Defense Buildup Program and National Defense Strategy, called for the expansion of the Self-Defense Forces’ Cyber Defense Command and an overall growth in the number of MOD and JSDF personnel working on cyber-related matters (Ministry of Defense of Japan, 2022a; Ministry of Defense of Japan, 2022b). More recently, the SDF has also outlined enhancements to its recruitment processes for cyber unit officers, with differentiated tests and potentially less stringent physical fitness requirements (Nagatomi, 2023). Amidst competing demands from the private sector for cyber talent, the MOD is also planning to implement upward revisions of the salaries of its cyber personnel to be higher than those of ordinary SDF personnel, though there are still concerns over how they match up to the attractiveness of compensation packages offered by the private sector (Nagatomi, 2023). 

Furthermore, in line with the goal of enhancing governmental response capabilities, the Ministry of Land, Infrastructure, Transport and Tourism has also announced plans to establish a dedicated unit to enhance the cybersecurity of certain vital infrastructures including airports, railroads, and ports (Kanaoka, 2024).

Japan has also been active in its engagement with other countries, forging cyber ties with various partners and like-minded countries in the region and beyond. There has been extensive cooperation and dialogue between the US and Japan in the cyber domain (Ministry of Foreign Affairs of Japan, 2024a; U.S. Department of Defense, 2024), and the two countries are also working towards developing a joint trilateral cyber-defence network with the Philippines (U.S. Department of State, 2024). Security partnerships in the cyber domain have also been strengthened with its other Quad partners, with joint statements from Japan’s recent 2+2 Foreign and Defence Ministerial Consultations with Australia and India having outlined enhanced bilateral cybersecurity cooperation with each partner country (Ministry of Foreign Affairs of Japan, 2024b, 2024c). Additionally, Japan plays a key role in building the cybersecurity capabilities of its ASEAN partners, having been facilitating training exercises at the ASEAN–Japan Cybersecurity Capacity Building Centre. Such ties are expected to further deepen in light of a recent announcement, in October 2024, to also include training drills for ransomware situations, with such training potentially yielding insights for similar future initiatives to engage various island-nations in the Pacific (Watanabe, 2024). 

Therefore, it is clear that Japan is now investing heavily in developing its cyber-defence capabilities, sparking some optimism despite recent criticism of the previously laggard pace of such development (International Institute of Strategic Studies, 2024).

What Next?

The Defense of Japan 2024 White Paper has emphasised the threat of cyber attacks posed by countries such as China, North Korea, and Russia (Ministry of Defense of Japan, 2024a), which indicates the strong possibility for Japan to further deepen its cooperation with countries who share similar cyber-security and cyber-defence concerns. Japan is likely to work more closely together with existing partners like the US, the other Quad countries, and ASEAN member states, but may also further engage other island nations in the Indo-Pacific region.

On the domestic front, while the implementation of the ACD concept has gained traction in recent months, there are still predominant legislative hurdles to be overcome. Specifically, certain aspects of ACD or other potential cyber-security policies may run afoul of the Japanese Constitution, where Article 21 outlines that “No censorship shall be maintained, nor shall the secrecy of any means of communication be violated”, or other laws such as the Act on Prohibition of Unauthorized Computer Access (Wright, 2024). Moreover, the recent shaky electoral performance by PM Ishiba’s Liberal Democratic Party has created uncertainty surrounding the formation of a new LDP-led ruling coalition in the lower chamber of Japan’s parliament, as the LDP–Komeito coalition lost their majority for the first time in 15 years (Nikkei Asia, 2024). Therefore, it remains to be seen whether the Ishiba government will have sufficient political leverage to push through the necessary legislative changes, sparking doubts about the rate at which the ACD concept can be fully operationalised and implemented.