Improving Japan’s Cyber Defense

The Japanese Cabinet’s February 7 proposal to the Diet to allow National Police and Self-Defense Forces to neuter adversary cyberspace code targeting Japanese critical infrastructure is a much-needed reform. Japan must recognize the realities of cyberspace and keep pace with emerging cyberspace threats, including developing preemptive cyber defense capabilities.

Cyber threats have escalated in both frequency and sophistication, posing significant challenges to national security. Japan faces unique hurdles in bolstering its cyber defense capabilities due to self-imposed legal restrictions rooted in its pacifist constitution and for being a world exemplar in liberal democratic government.

Japan’s approach to cybersecurity has undergone significant transformation over the past two decades. The nation’s initial focus was predominantly on defensive measures, emphasizing the protection of critical infrastructure and information systems. However, the increasing complexity of cyber threats has necessitated a shift towards more proactive strategies.

In 2013, Japan introduced its first National Security Strategy (NSS2013), marking a pivotal moment in its cybersecurity policy. This strategy underscored the importance of safeguarding cyberspace as a critical component of national security. Subsequent policy documents have further reinforced this idea, reflecting a progressive attitude toward cyber threats.

Subsequently, Japan has taken steps to enhance its cyber defense infrastructure. In 2018, a new defense strategy was published, leading to the creation of a dedicated cyber operation unit within the Self-Defense Forces (SDF). This move signified the formal acknowledgment of cyberspace as a new defense domain, aligning Japan’s military posture with contemporary security challenges, and recognizing cross-domain defense was necessary.

In 2022, Japan introduced the concept of active cyber defense, marking a strategic shift towards conducting operations to neutralize adversarial cyber activities preemptively. The updated National Security Strategy articulated the government’s commitment to this proactive posture, aiming to enhance deterrence and resilience against potential cyber threats.

Article 9 of Japan’s constitution is interpreted by many as a limit on the use of force, restricting the nation to defensive military actions. This constitutional framework presents challenges in justifying offensive cyber operations, even when intended for preemptive defense.

The existing legal framework in Japan emphasizes defensive cybersecurity measures. The Cybersecurity Basic Act, for instance, focuses on protecting information systems and critical infrastructure but lacks provisions for offensive cyber activities. This legal interpretation constrains the government’s ability to engage in cyber espionage or offensive operations, even in the face of escalating threats. This is illogical, given the realities of the cyber domain.

In cyberspace, unlike all other military domains, effects are launched with a button and occur instantaneously where targeted. There are no international waters or airspace in which to intercept malign cyberspace activities. Therefore, states are faced with the reality that they must:

  • Accept attacks and hope to adequately defend against them or recover from them, or
  • Preempt known imminent threats by neutering malign capabilities in the networks of the hostile cyber actor, in violation of that state’s sovereignty

Should Japan know that a North Korean ballistic missile was about to be launched, targeted against Japanese territory, Japanese defense elements would have the legal right to preemptively attack that missile before it was launched. Cyberspace attack operations pose this dilemma in every case.

One approach to navigating legal constraints is the reinterpretation of existing laws to accommodate proactive cyber defense measures. By framing certain offensive cyber operations as extensions of self-defense, Japan could justify actions aimed at neutralizing imminent threats. This strategy would require careful legal analysis to ensure compliance with both domestic and international law.

The United States has developed a comprehensive legal framework to facilitate both defensive and offensive cyber operations. This framework balances the need for proactive cyber defense with adherence to domestic and international law. Japan ought to develop such frameworks too – and fast.

The United States has reinterpreted existing legal authorities to justify cyber-attack operations in certain cases, but only for defensive purposes. The U.S. Department of Defense recognizes that the rights and limitations of the Law of Armed Conflict applies to cyberspace, allowing for cyberspace attack (but defensive) actions under certain conditions.

Japan should consider reinterpreting its existing legal frameworks to allow for more proactive cyberspace defensive measures. This would involve a more nuanced interpretation of constitutional provisions and could be achieved through legislative amendments or new policy directives.

Implementing policy reforms that define better the scope of permissible, defensive cyberspace operations is crucial. This includes updating the Cybersecurity Basic Act to incorporate provisions for active cyber defense and clarifying the roles of various government agencies in cyber operations.

Investing in capacity building is also essential to develop a skilled cyber workforce capable of executing advanced cyber operations. This involves enhancing training programs, fostering research and development in cybersecurity technologies, and promoting public-private partnerships to leverage expertise from the private sector.

Developing a robust legal framework that balances the need for proactive cyber defense with constitutional constraints is imperative. This may involve enacting new legislation that delineates the authority for preemptive (defensive) cyber operations, establishes oversight mechanisms, and ensures compliance with international law.

Engaging the public in discussions about cybersecurity policies can build support for necessary reforms. Transparency in policy development and clear communication about the nature of cyberspace and cyber threats and the rationale for proposed measures can foster public trust and acceptance.

Enhancing Japan’s cyber defense requires a multifaceted approach that addresses legal constraints, leverages international partnerships, and invests in capacity building. By drawing lessons from the U.S. experience and adapting them to its unique legal and cultural context, Japan can develop a resilient cyber defense posture capable of addressing contemporary threats while adhering to its constitutional principles.

James Van de Velde, Ph.D., is a Professor at the U.S. National Defense University. The views expressed in this article are those of the author and do not reflect the official policy or position of the U.S. National Defense University, the U.S. Department of Defense, or the U. S. Government.