Testimony at the House of Councillors Committee on Cabinet
On May 8th, 2025, I was honored to testify as a witness before the House of Councillors Committee on Cabinet about Japan’s Active Cyber Defense Act. The following is a translation of the prepared statement.
Summary
Active cyber defense is an essential capability for Japan to prevent the materialization of damage and to respond at a level on par with—or exceeding—that of major Western countries. The increasing sophistication of cyberattacks has exposed the limitations of a purely defensive posture in cyberspace. Key challenges include enhancing public-private and international collaboration, facilitating systematic response and auditing, and increasing investment in science, technology, and human resources.
1. Sophistication of Cyber Attacks and Limitations of Defense
- Recent cyber attacks are characterized by increasingly sophisticated attack methods, as well as their large scale and persistence. These attacks are a series of repeated attack activities targeting specific organizations or sectors over a certain period of time, using specific methods and infrastructure. Experts refer to this series of repeated activities as an attack campaign.
- Attack campaigns are characterized by their long duration and potential for significant damage. In January 2024, the US government responded to an attack by an organization known as Volt Typhoon, which is believed to be linked to the People’s Republic of China. This attack lasted for at least five years. On the other hand, it took the defense side two and a half years to detect the attack and respond. As attack campaigns become more sophisticated and prolonged, the defense side is diversifying its response measures by employing multiple approaches.
- However, current countermeasures have limitations in terms of cost and comprehensiveness. It is costly for defenders to establish comprehensive defenses, and it is difficult to implement comprehensive and perfect countermeasures. One of the factors contributing to these limitations is that the repair of compromised computers is left to the discretion of administrators. This limitation creates a situation where attackers can exploit computers left in a vulnerable state for large-scale attacks.
- If this situation continues, computers in Japan will be exploited by attackers, not only exposing domestic critical infrastructure to cyberattacks but also potentially expanding the damage to other countries through exploited computers.
- The United Nations Group of Governmental Experts Report has established an international norm stating that “States must not allow the use of information and communications technology within their territory for the purpose of cyberattacks.” Proactive cyber defense is one means of addressing this norm.
- Access and neutralization are measures to be implemented as a last resort in combination with other countermeasures, and should only be carried out when necessary and justified.
- The use of communication information under this bill is effective in detecting signs of cyberattacks, and access and neutralization enable the government to take measures on behalf of administrators to prevent attackers from exploiting vulnerable computers. This is expected to bring attack campaigns to an end.
2. Challenges
2.1. Enhancement of public-private and international cooperation
- Government ministries and agencies do not have a common understanding of countermeasures. Going forward, it will be important to foster a common understanding, integrate information between the government and private organizations, and ensure that public and private organizations see the same information and respond in accordance with their respective roles.
- The government should reexamine how it shares information and improve its effectiveness. Going forward, rather than establishing a new system, it is important to utilize existing reliable information channels such as JPCERT/CC and establish a system in which the public and private sectors can provide feedback to each other.
- The National Security Council should establish response policies based on international cooperation even at the initial stage of domestic response. Response to cyber attacks often requires cross-border cooperation.
- It is also necessary to be prepared to provide support to other countries and to accept support from them. It is important not only to actively exchange information with allies and like-minded countries, but also to maintain close communication in operational matters and deepen mutual understanding of each other’s capabilities and organizational cultures.
- It is essential to ensure smooth coordination in times of crisis by deepening cooperation through practical multilateral exercises in peacetime.
2.2. Streamlining systematic response and auditing
- In order to respond to cyber attacks at the appropriate time, it is necessary to streamline systematic response and auditing. Measures implemented by the government, including warnings and access and neutralization, require careful consideration, but it is also important to implement them at the right time to maximize their effectiveness. Some of the measures taken by the government in the past were ineffective because they were implemented at the wrong time. Therefore, as part of systematic response, it is necessary to establish procedures for recognizing signs of cyber attacks through the use of communication information, formulating response objectives and plans, determining measures to be taken, measuring effectiveness, and evaluating the results after implementation.
- In establishing systematic measures, it is also necessary to facilitate audits. For example, the process of review and approval for each step should be systematized to ensure swift and reliable measures. In doing so, it is advisable to record the basis for each step and the persons responsible so that the government can fulfill its accountability at each stage.
2.3. Investment in Science, Technology, and Human Resources
- Addressing the shortage of cyber talent in Japan requires investment in science, technology, and human resources. It is necessary to move from the stage of promoting the significance and rewards of such investment to the stage of allocating funds to strengthen the foundation.
- It is necessary to increase the absolute amount of investment in science and technology, including education at universities, in order to supply the government and private companies with highly skilled personnel. In addition, the budget allocation method should allow for duplication of research themes and allocation agencies, and adopt a system that distributes research funds to a large number of researchers.
- Low salary levels are a challenge in terms of investment in human resources. The government should raise the salaries of administrative officials and technical officials with cross-disciplinary capabilities, taking into account the need for careful decision-making based on a broad range of knowledge in areas such as technology, law, and international relations. When recruiting personnel from the private sector, the government should offer salaries commensurate with the resources they have invested in acquiring their skills, experience, and qualifications.
- It is necessary to enable these human resources to build careers within the government with a focus on the cyber field. With the aim of cultivating administrative officials and technical officials with cross-disciplinary expertise centered on the cyber field, it is necessary to establish career paths that allow them to pursue careers in the cyber field, such as assigning them to positions related to the cyber field when transferring personnel.
This post is licensed under CC BY 4.0 by the author.