Japan has approved a landmark change to its national cybersecurity policy: from 1 October 2025, the Self-Defense Forces (SDF) and national police will be allowed to conduct offensive cyber operations against infrastructure used to launch attacks on Japanese targets. This move marks a transition from a purely defensive stance to a strategy of proactive cyber defense, where the state can not only block attacks but also pre-emptively disrupt hostile cyber capabilities.
Japan’s New Cybersecurity Doctrine and Legal Framework
The decision was announced by Chief Cabinet Secretary Minoru Kihara, who described Japan as facing “the most severe security environment” since World War II. Rapid digitalization of government, critical infrastructure and the private sector has dramatically expanded the country’s attack surface, making cyber resilience a core national security priority.
The new powers are built on legislation adopted in 2023, which first established a legal basis for proactive cyber defense. That law outlined the policy concept; the latest decision defines operational mechanisms – specifying who may employ offensive cyber tools, how they may be used, and under which conditions.
Under the revised doctrine, the SDF and law enforcement agencies will be able to “attack and neutralize” servers, networks and other infrastructure used to conduct cyber operations against government systems, critical infrastructure and private entities in Japan. Authorities emphasize that operations must comply with international law and incorporate safeguards for privacy and civil liberties.
Centralized Decision-Making for Offensive Cyber Operations
Government Cyber Committee as Strategic Gatekeeper
A dedicated Government Cyber Space Management Committee will sit at the center of this model. This body will evaluate, approve or reject requests for offensive cyber operations, providing centralized political and legal oversight over the use of cyber force.
Such a governance structure is designed to limit uncontrolled escalation and ensure that offensive actions are necessary, proportionate and legally justified. Comparable oversight mechanisms exist in other cyber powers, including the United States and several EU member states, where offensive cyber operations are tightly governed by executive-level authorization and legal review.
From Pacifist Constitution to Cyber Operations: Evolution of the Self-Defense Forces
The significance of this shift is amplified by Japan’s post-war legal context. Under Article 9 of the 1946 Constitution, Japan renounced the right to maintain traditional armed forces and wage war. The SDF were created as a strictly defensive military instrument.
Over decades, constitutional interpretations have gradually broadened, allowing participation in UN peacekeeping operations, enhanced air and maritime defense, and ballistic missile defense initiatives. The formal authorization of offensive cyber operations represents a new phase in this evolution, moving the debate on the limits of “self-defense” into cyberspace.
Japan’s Position in Global Cyber Power Rankings
According to the International Institute for Strategic Studies (IISS), at least 26 countries possess offensive cyber capabilities. In its 2023 cyber power assessment, IISS identified the United States as the leading cyber power and placed Japan in the third tier: states with strong competencies in some areas but significant gaps in others.
Authorizing proactive cyber defense is likely intended to close parts of this capability gap. Offensive tools can contribute to cyber deterrence: adversaries must consider the risk that attacks on Japan could trigger disruptive operations against their own command-and-control or operational infrastructure.
Similar logic underpins cyber strategies in countries such as the US, UK and Australia, which openly acknowledge the use of offensive cyber operations as part of integrated defense and deterrence strategies.
Strategic Risks, Attribution Challenges and Need for Cooperation
Expanding offensive capabilities also brings serious risks. In cyberspace, attribution—confidently identifying the true originator of an attack—is technically and politically complex. Misattribution can lead to retaliation against the wrong actor, raising the risk of unintended escalation.
These concerns are widely recognized in international discussions, including UN processes on responsible state behavior in cyberspace. To mitigate them, Japan will need to invest heavily in threat intelligence, forensic capabilities and international information sharing, building trusted channels with allies and partners for joint analysis of major incidents.
Without robust transparency and cooperation mechanisms, a visible growth in offensive capabilities in North-East Asia could accelerate a regional cyber arms race, complicating crisis management and increasing the likelihood of miscalculation.
For governments and businesses worldwide, Japan’s decision underscores a broader trend: nation-states are moving from reactive incident response to proactive, intelligence-driven cyber defense. Organizations should adapt by strengthening multi-layered security architectures, conducting regular security audits, rehearsing incident response scenarios and investing in staff awareness training. As more states adopt offensive cyber postures, the most effective defense for enterprises and public institutions remains disciplined cyber hygiene, continuous monitoring and close tracking of global cyber policy developments.
