Japan passes cybersecurity law

Japan on Friday approved a law that aims to introduce “active cyber defense” with the aim of preventing attacks before they occur and allowing the surveillance of communications.

The law was approved by a majority, after the Executive added an amendment that explicitly states that “the privacy of communications will be respected”, and the system is expected to come into operation on a large scale in 2027.

The introduction of active cyber defense aims to achieve capabilities “equal to or superior to those of the main European and American countries”, and was defined in the National Security Strategy formulated in 2022.

The Japanese government is establishing joint bases for the police and the Self-Defense Forces (Army) to strengthen the capabilities of infrastructure operators, and public-private cooperation will also be deepened, including the sharing of sensitive information.

The so-called Active Cyber ​​Defense Law seeks to provide the Japanese government with greater preventive capabilities against cyberattacks , and aims to bring Japanese legislation into line with the United States or the European Union, in an attempt to respond to the numerous attacks suffered in recent years.

The legislation is structured around three main points: strengthening public-private cooperation, the use by the Government of information on communications services provided by national telecommunications providers, and the application of measures to penetrate and neutralize the server of a cyber attack.

The law allows the police to neutralize enemy servers, while the cybersecurity unit of the Self-Defense Forces can intervene on the orders of the prime minister , if necessary.

Situations that would justify military intervention include highly organized cyberattacks by a foreign government entity on “ critical computers ,” such as those used by the central or local government, by operators of basic infrastructure, by the Self-Defense Forces, or by U.S. troops stationed in the country.

The regulation also requires operators of critical infrastructure in 15 areas, including the power grid, railways, communications, and postal and financial services , to inform the government if they suffer a cyberattack.

Authorities may penalize entities that fail to report cyberattacks, as well as employees who disclose information collected during surveillance activities.

Under the new law, the government will be able to monitor certain aspects of communications between Japan and foreign countries if a cyberattack is suspected , although in principle the content of communications will remain private and surveillance will be limited to information such as Internet protocol addresses or transmission and reception times.