The Japanese government’s plan to introduce a cybersecurity bill focused on “active cyber defense” has hit significant delays. Originally expected to be introduced in the fall of 2024, the bill is now unlikely to reach Parliament before the end of the year.
This shift follows the recent change in Japan’s prime minister and the defeat of the ruling Liberal Democratic Party (LDP) in the October general election, leading to a complex political landscape and growing uncertainties around the proposed bill.
Stalled Momentum for Cybersecurity Bill
The Japanese cybersecurity bill’s core objective is to establish Japan’s ability to defend against cyberattacks. It proposes to monitor and detect potential threats to government and critical infrastructure and, if needed, counteract by deploying computer viruses to neutralize adversary servers. However, the active defense approach has sparked concerns over privacy issues, specifically about the potential conflict with Japan’s constitutional protection of communication secrecy, which restricts government surveillance under normal circumstances.
The first step in this legislative journey was an interim report from an expert panel on August 6, recommending ways to enhance Japan’s cybersecurity. However, soon after, then-Prime Minister Fumio Kishida announced he would not participate in the LDP leadership race, signaling his exit from office and halting further meetings on the bill’s development.
The new prime minister, Shigeru Ishiba, now faces political challenges after the ruling LDP-Komeito coalition suffered a stinging defeat in the October elections. Without a majority, the coalition is now looking to opposition parties for support to pass key bills, including the cybersecurity legislation.
As a former defense minister shared, “Coordination inside the government has not ended. The earliest possible cybersecurity bill submission is during next year’s regular Diet session.” In the meantime, the coalition is focused on passing the fiscal 2024 supplementary budget with help from opposition partners, which has taken priority over the cybersecurity initiative.
Concerns Over ‘Active Cyber Defense’ and Communication Privacy
The active cyber defense approach has raised constitutional questions. Given Japan’s strict protections on communication privacy, some government officials and legal experts have voiced concerns about surveillance potentially violating individual rights. Active monitoring of communications to detect cyber threats under this proposed bill could conflict with these protections.
The LDP originally campaigned to raise Japan’s cybersecurity capabilities to match those of the U.S. and Europe. But with former LDP Secretary General Akira Amari, a major supporter of the policy, losing his seat in the recent election, enthusiasm for the active cyber defense bill has weakened, and support within the party appears less certain.
Rising Cybersecurity Threats Highlight Need for Action
As digital technologies increasingly become a part of daily life in Japan, cybersecurity issues have become a major concern. In recent years, Japan has witnessed a rise in cybercrimes ranging from cyberbullying to ransomware and online fraud. For instance, in 2020, cyberbullying took center stage after the tragic suicide of Hana Kimura, a young professional wrestler who was harassed online. Since then, Japan has seen a steady rise in ransomware attacks, online banking frauds, and other cybercrimes. In 2023 alone, online banking frauds resulted in losses exceeding 8.7 billion yen.
Data breaches have also become more common, affecting both the public and private sectors. In July 2024, Recruit Co., Ltd., a prominent Tokyo-based company, reported a data breach involving its real estate wing, SUUMO, exposing the sensitive data of over 1,300 employees. Although customer data was not compromised, the incident brought attention to potential vulnerabilities in Japan’s corporate cybersecurity practices.
A Push for Mandatory Reporting of Cyberattacks
In response to rising cyber threats, the Japanese government is also exploring a mandate requiring private companies operating critical infrastructure to report any incidents of cyber damage. Until now, businesses have been hesitant to report cyberattacks, fearing the impact on stock prices and corporate reputation. This lack of transparency has made it harder to assess and contain the impact of cyber threats across sectors.
Under the government’s new plan, critical infrastructure providers—including telecommunications, finance, and transportation—would be legally obligated to report cyber incidents, aiming to create a proactive culture of cybersecurity. In 2022, a voluntary action plan encouraged reporting, but compliance was limited due to its non-binding nature. By turning this recommendation into a legal requirement, officials hope to improve the rapid sharing of information, allowing other businesses to take preventive measures.
The Japan Association of Corporate Executives, a key business lobby, has long advocated for mandatory reporting, highlighting that a coordinated approach is essential to counteract the rising tide of cyber threats.
Designating Critical Sectors for Cybersecurity Oversight
In addition to mandatory reporting, the government has designated 15 sectors as critical infrastructure. These include government and administrative services as well as essential industries like healthcare, finance, and transportation. These sectors play a vital role in national security and economic stability, and they are often targeted in cyberattacks. By classifying these industries as critical, the government aims to prioritize cybersecurity efforts in areas where an attack could have widespread effects on the public and the economy.
Japan’s moves toward enhancing cybersecurity align with its goals to strengthen digital defenses amid growing technological integration in society. Cashless payments, digital health services, and remote work have become integral parts of life, and the resulting rise in cyberattacks underscores the need for comprehensive security measures. With a stronger focus on mandatory reporting, active defense, and collaboration across sectors, Japan aims to better protect its infrastructure, businesses, and citizens from cyber threats.
However, political and legal challenges remain. As the government prepares to reintroduce the cybersecurity bill in 2025, finding a balance between effective defense and constitutional privacy rights will be essential. For now, Japan’s cybersecurity future depends on its ability to unite its political factions and address the public’s concerns over privacy and surveillance.