Japan will allow its Self-Defense Forces to conduct offensive cyber operations starting October 1, 2026, signaling a major shift toward proactive cyber defense amid a growing digital threat landscape.

This active cyber defence framework enables the SDF to identify and neutralize hostile cyber infrastructure as part of a broader security posture.

Officials emphasize privacy and legal procedures, with information collection governed by specific requirements and active cyber defence reviewed by a dedicated cyber management committee.

The plan includes the ability to hack back under a framework approved by recent legislation, aiming to target attacker infrastructure rather than civilians.

The move follows an interpretation of postwar constitutional limits and seeks to address sophisticated cyberattacks affecting daily life, with new laws enabling access to attackers’ servers and coordination among the NPA, intelligence agencies, and the SDF.

Analysts note Japan’s current cyber power ranking as Tier Three, behind the US and other major nations, with aims to close capability gaps.

Context for the shift includes rising regional tensions and a notable 2023 cyber incident at Asahi beer attributed to Russian-linked actors, which accelerated policy momentum.

Officials describe the security environment as the most complex since World War II, with cyber threats impacting infrastructure, daily life, and economic activity.

Ongoing cyber incidents in Japan, including outages at a major brewer and campaigns against Japanese organizations, illustrate persistent cyber risks shaping policy.

A government cyber-management committee will review and authorize offensive actions on a case-by-case basis, rather than granting unilateral discretion to the JSDF.

The initiative builds on a reinterpretation of Article 9, evolving from 2014 changes that expanded support for allied actions, and positioning Japan as a more capable cyber partner.

Regulations will enable proactive cyber-defense with oversight by the cyber-management committee, while authorities balance attack capabilities with citizens’ privacy protections.