From the Asahi attack to Taiwan tensions, Tokyo has adopted a more offensive approach to national cybersecurity. The architect behind Japan’s new cyber laws explains why.
Shigeru Kitamura, the former national security advisor to the late Shinzo Abe – Japan's longest-serving prime minister – doesn’t mince his words when describing the nation's need for a more preemptive cyber strategy.
“We will no longer be sitting ducks. We now have the capability to disrupt and turn off the infrastructure of those who seek to harm us,” he declares.
Following the Second World War, national security has traditionally focused on defense and diplomacy. Japan’s own constitution has meant that many limitations prevent the country from fighting back against cyberattacks.
Yet with mounting attacks on its critical infrastructure and prized industries in the last decade – not to mention territorial disputes in the South China Sea – Kitamura convinced the establishment that it was time for reform.
“We cannot defend against threats we cannot see. Under previous regulations our hands were often tied until a crime had already taken place. This is close to waiting for a burglar to enter the house before checking the locks."
Shigeru Kitamura
It appears that this momentum will be built on by Japan's newly re-elected prime minster Takaichi Sanae, who has just won the biggest majority of any Japanese leader since 1955. With a massive mandate, she is keep to reassert the world's fourth-largest economy as a regional security leader, building a new national-intelligence agency.
Cybernews met Kitamura at the SimSpace Summit in Florida last week, prior to Sanae's re-election, where he described how he helped transform Japan’s post-war security doctrine from passive cyber defence to preemptive action.
Who is Shigeru Kitamura?
Kitamura has spent decades at the core of Japan’s intelligence and security establishment, beginning his career at the National Police Agency (NPA) and later serving for more than ten years in the Prime Minister’s office, including as Director of Cabinet Intelligence and secretary general of national security.
He thinks he was the right person to lead on the reforms to Japan’s cyber laws simply because he’s no fan of bureaucracy and likes to move quickly.
Japan’s "Active Cyber Defense" law, passed in 2025 and rolled out in incremental stages through 2027, represents, as Kiamura describes, an effort to catch up with other nations and enable Japan to act more as an equal intelligence partner.
The new laws now allow authorities to preemptively identify and neutralize hostile infrastructure, mandates incident reporting by critical infrastructure operators and enable coordination between the NPA, the intelligence agencies, and the Self-Defense Forces.
Japan has also expanded legal protections through secrecy and clearance laws to enable closer collaboration with partners such as the UK and US on issues related to cyber.
“I think changing the law so that we are able to exchange information with allies… and friendly countries is the most important thing,” he says.
A decade of attacks on The Rising Sun
In the run-up to the reforms, Japan had faced years of escalating cyber pressure across critical sectors – from breaches at Mitsubishi to the 2023 ransomware disruptions at the Port of Nagoya and repeated intrusions targeting semiconductor and manufacturing supply chains.
In 2015, an attack on the national pension service exposed the data of over a million citizens while ministries, defense networks and aerospace programmes have been repeatedly targeted in espionage campaigns.
Japan is also a key territory for crypto theft. One of Japan's largest digital currency exchanges, Coincheck, lost some $534m (£380m) worth of virtual assets in a hacking attack on its network eight years ago.
These incidents exposed vulnerabilities in logistics, telecoms, financial and industrial infrastructure, but were largely treated as espionage or criminal disruption rather than national security threats.
But Japan’s new legal push reflects growing geopolitical pressure.
Initially, Kitamura described intense resistance to the reforms when they were proposed. But global events have sharpened the urgency: rising tensions around Taiwan and China’s growing assertiveness in the South China Sea pose a significant threat to Japan's trade and security.
Asahi: cyber attack as an economic weapon
A future conflict, Kitamura predicts, is not likely to begin with missiles but with cyber operations targeting commercial and critical infrastructure.
For this reason, Kitamura believes that the distinction between attacks on companies and attacks on the state is becoming “increasingly meaningless.”
“I think from the viewpoint of the enterprise there is no distinction. I think cyberattacks are equal to the private sector and the government,” he says.
A real turning point, for Kitamura, came last year, when one of Japan’s most celebrated national beer exports came under attack.
The attack on Asahi operations – thought to be carried out by Russian-linked Qilin – led to the suspension of orders and shipments, as well as call center operations, due to the “system failure.”
Operations at most of Asahi factories in Japan were temporarily paralyzed.
“The attack on Asahi was not simply a data breach. It was not about leaked emails or stolen passwords. It was something far more serious. The deliberate destruction of economic infrastructure,” says Kitamura.
The security leader, who now runs his own private consultancy, says that the incident marked a “psychological shift” for enterprises.
“Japanese companies are no longer outside the battlefield. Cyberattacks have evolved into weapons of economic coercion capable of stopping decision-making, production, and supply in a single strike,” he says.
To this end, one of the new rules introduced aims to dismantle what Kitamura describes as a longstanding ‘wall of silence’ between government and industry.
This will apply to around 260 critical industries that fall within 15 identified domains – from transportation to big banks and telecommunications firms – which will have to report whether they have been attacked or not.
Failure to report attacks will carry sanctions, but the government promises discretion to mitigate reputational concerns.
“I think with the private and public sectors communication must be reciprocal,” adds Kitamura.
New ‘hack back’ powers
Japan’s "Active Cyber Defense" law significantly expands what authorities are permitted to do to enable a more coordinated response between law enforcement, intelligence, and the Self-Defense Forces.
The law allows authorities to identify and disrupt hostile servers before any malicious activity has taken place and carry out analysis of international communications metadata to detect patterns linked to cyber threats.
And authorities are permitted to do this below the level of an armed attack against Japan.
Some observers might characterize aspects of this as “hacking back,” but Kitamura frames it as "preemptive disruption" and national "active cyber defense" conducted within a legal framework.
“Until now even if we identified a server preparing to launch a devastating virus against critical infrastructure such as banks and power plants, our authorities have been legally powerless to prevent it. We were forced to watch the arrows flying towards us. This ends now.”
Shigeru Kitamura, Japan's former national security advisor and key architect of Japan's new cyber laws
It’s a huge seachange for a nation previously weighed down by a cloak of national diplomacy – but Kitamura argues the reforms are being carried out with recognition that they simply need to move much faster than their adversaries.
Why AI changes the MO
According to Kitamura the speed and scale of modern disruption has outpaced legal and operational responses – especially with the advent of agentic AI.
While there’s no direct evidence that the Asahi attack was an autonomous AI-driven cyber attack, of the kind outlined by Anthropic last November, the security expert believes that artificial intelligence sits at the center of the next phase of cyber conflict.
“I think AI has totally changed the modus operandi and the way of attacking. To protect our system, we must introduce AI… especially AI agent technology,” he says.
Future attacks may involve coordinated autonomous agents specializing in reconnaissance, intrusion, and lateral movement – acting at speeds beyond human response, he reasons.
Kitamura believes that this transformation will cut to the heart of corporate security structures.
“Most companies are corporate with a hierarchical security structure. A CISO at the top, analysts beneath them, and a family process – detect, analyze, create rules, and execute procedures. With AI, this model is no longer viable,” he explains.
Kitamura believes that human-centric defense has reached its limit.
“We cannot hire our way out. We cannot work longer hours to solve it.”
The answer, he says, is a shift toward autonomous, AI-driven preemptive judgement and action.
Training AI for cyber defense
Central to this evolution, Kitamura says, is the cyber range – a high-fidelity real-time replica of a production environment designed to train both humans and machines.
Kitamura describes it as “a digital twin of real-world networks, services, and data flows where simulated attacks play out in real time.”
The conference at which we met was arranged by a vendor called SimSpace, which developed its cyber range with US Cyber Command, which it claims is designed for both offensive and defensive operations.
Kitamura sees this as essential infrastructure for both humans and their AI agents: they enable AI agents to run through repeated scenarios, fail, learn, and adapt through reinforcement learning.
He adds that they also act as a shared operational environment – a space for collaboration across agencies, industries, and allied nations.
Training AI, however, must be controlled, Kitamura emphasizes.
“An AI that shuts down an entire business at the first anomaly is not useful. This is why Proximal Policy Optimization (PPO) is essential… a logical safety rail that ensures AI learns effectively without making reckless decisions.”
In practice, he says that PPO is a method for training an AI agent to improve in small, safe increments – so it learns without making wild, disruptive decisions.
In cyber defense, that reduces the risk of an overreaction where the “defender” shuts down business systems at the first sign of something unusual.
In this closed loop of training, verification, and optimization, AI becomes adaptable – capable of responding even to unknown threats.
“We move from thinking after being attacked to stopping the attack before it happens.”
“Preemptive defense means anticipating the attacker’s next move and closing the vulnerability before it is exploited.”
Still, Kitamura is clear that AI will not replace human accountability.”Our final responsibility must be assumed by the human and those at the top government or in enterprises,” he says.
A doctrinal shift
Through a combination of legislation and new technology, Japan’s new approach to cyber marks a profound cultural change. It will allow authorities to disrupt attacker infrastructure, share intelligence in real time, and coordinate across public and private sectors.
Cyberattacks, Kitamura warns, are no longer isolated IT incidents. They are instruments of coercion, pressure, and preparation for conflict.
“We were forced to watch the arrow flying towards us,” he said of the old model.
Now, Japan intends to intercept it before it lands.
Unlock exclusive Cybernews content on YouTube.
Your email address will not be published. Required fields are markedmarked