On December 23, 2025, Japan’s Cabinet adopted a bold five-year cybersecurity strategy. It targets mounting cyber threats with proactive measures. Japan is embracing ‘active cyber defense’ instead of relying solely on traditional measures. This proactive approach imposes continuous costs on attackers.
The Threat Landscape
The timing of this strategy is critical. State-sponsored cyberattacks from China, Russia, and North Korea are rising. Prime Minister Takaichi’s Cabinet describes these as serious national security threats. Beyond conventional attacks, the government has identified emerging risks posed by rapidly advancing artificial intelligence and sophisticated supply chain vulnerabilities. The reality is stark: attackers are becoming more sophisticated, and traditional defense alone is no longer sufficient.
From Passive Defense to Active Deterrence
What sets this new strategy apart is its explicit shift toward active cyber defense. No nation can prevent every cyberattack. Therefore, Japan is moving beyond simple blocking to make attacks costly for adversaries.
The strategy outlines three key policy directions:
1. Government-Led Defense and Deterrence
The National Cybersecurity Office (NCO) was established in July 2025. It will serve as the central hub for security information. This consolidated approach enables faster identification, analysis, and response to incidents. Crucially, police, the Defense Ministry, and the Self-Defense Forces will work together to neutralize threats. This level of coordination that was previously fragmented.
2. Whole-of-Society Cybersecurity and Resilience
Japan recognizes that cybersecurity is no longer just a government problem. The strategy extends protection to critical infrastructure operators, local governments, vendors, small and medium enterprises, and even individuals. This whole-of-society approach builds resilience by ensuring that when attacks inevitably occur, organizations can minimize damage and recover quickly.
3. Building a Talent and Technology Ecosystem
Perhaps the most forward-thinking aspect of the strategy addresses Japan’s structural vulnerability: a severe shortage of cybersecurity talent and heavy dependence on foreign technology. The government plans to develop domestic expertise, establish career pathways for cybersecurity professionals, and invest in cutting-edge research and development. This includes preparing for quantum computing threats—the strategy sets a goal of completing the transition to quantum-resistant cryptography by 2035.
Privacy Protections in an Age of Vigilance
A natural concern arises: how can active defense measures protect privacy? Chief Cabinet Secretary Minoru Kihara addressed this directly, emphasizing that the strategy includes “strict protocols and conditions” for how collected information can be used. The government established the Cyber Communications Information Oversight Committee to maintain transparency and oversight.
International Cooperation
Japan is not acting alone. The strategy strengthens intelligence and operational cooperation with allied nations, advances public attribution of cyberattacks, and supports capacity-building in the Indo-Pacific region through initiatives like the ASEAN-Japan Cybersecurity Capacity Building Center.
What This Means
Japan’s new cybersecurity strategy signals that the era of purely defensive postures has ended. By imposing costs on attackers, building societal resilience, and investing in homegrown talent and technology, Japan is positioning itself at the forefront of a new generation of cyber defense. As Chief Cabinet Secretary Kihara stated, the goal is to “realize the highest level of vigilance in the world to seamlessly address the growingly severe situation in cyberspace.”
For organizations globally—and especially those with ties to Japan—this strategy serves as a blueprint for how advanced democracies can balance security, deterrence, and privacy in an increasingly dangerous digital landscape.
This article is based on announcements from Japan’s Cabinet on December 23, 2025, following the enactment of active cyber defense legislation earlier in the year.