Cyber Defenders To Need Prior OK To Neutralize Servers; Govt Eyes Establishing Independent Organ To Give Approval

The Yomiuri Shimbun

2:00 JST, January 16, 2025

Police and the Self-Defense Forces are expected to be required to obtain prior approval from an envisaged independent organ in principle when they take measures to penetrate and neutralize servers used in cyberattacks under a new system the government plans to introduce to prevent major cyberattacks, according to government sources.

The government plans to introduce a new law and revise relevant existing laws to introduce the “active cyber defense” system.

The “active cyber defense” system will be designed to fundamentally strengthen Japan’s cyber defense, by boosting public-private cooperation, using communication information, and conducting measures to penetrate and neutralize servers.

To realize the plan, the government will submit bills to introduce a new law and revise current laws to the ordinary Diet session, to be convened on Jan. 24, aiming for early passage.

Under the envisaged scheme, the police and SDF will conduct measures to penetrate and neutralize the servers used by cyberattackers in case concerns over serious cyberattacks emerge through analysis of communication intelligence. The independent organ that will give prior approval will be positioned as a highly independent government administrative body under Article 3 of the National Government Organization Law, similar to the Japan Fair Trade Commission, and will be under the jurisdiction of the Cabinet Office.

To realize the plans, the government will revise the Police Duties Execution Law to stipulate that police officers who will take measures to penetrate and neutralize the servers will obtain prior approval from the independent organ.

The government also plans to revise the Self-Defense Forces Law to allow the prime minister to “order the SDF to take measures to protect communications” when “an extremely highly organized and deliberate act” by foreign forces is recognized.

In case there is no time for the police or SDF to obtain advance approval, they will be exceptionally allowed to make an after-the-event notification to the independent organ.

To boost public-private cooperation, the government plans to oblige major providers of core infrastructure in 15 fields in the country, including electricity and finance, to file reports to the government if they come under cyberattack.

If core infrastructure suffers damage from cyberattacks, it will have significant impacts on society and the economy. Therefore, the prime minister will conclude agreements with individual operators and obtain prior consent and receive communication information from foreign countries.

The government will also be able to obtain and analyze communication information by obtaining approval from the independent organ, without prior approval of the parties involved, in the case of communications sent between foreign countries and Japan via foreign servers that could be used for cyberattacks.