Japan Strengthens Cybersecurity Strategy to Combat Evolving Threats Beyond Data Theft

Cybersecurity has emerged as a critical national priority for Japan, underscored by the government’s approval of a new Cybersecurity Strategy on December 23, 2025. This strategy aims to position Japan as “a nation with world-class resilience,” capable of responding effectively to the escalating challenges in cyberspace.

The strategy is structured around three foundational pillars:

1. Defense and Deterrence: Strengthening measures against increasing cyber threats.
2. Societal Resilience: Enhancing cybersecurity across all sectors of society.
3. Ecosystem Development: Creating a robust framework for human resources and technologies that bolster Japan’s cyber response capabilities.

Prime Minister Sanae Takaichi reinforced this commitment during her inaugural policy speech on February 20, emphasizing the need to bolster cybersecurity measures to enhance the nation’s defense capabilities.

Expanding Targets

In the current threat landscape, cybersecurity extends beyond merely safeguarding sensitive data. Cyber deterrence researcher Hitoshi Sato highlighted that effective cybersecurity in the defense sector involves ensuring the continuity of essential government and business operations before conflicts arise. This includes the systems utilized by the Self-Defense Forces for communication and coordination, as well as logistical operations that manage repairs, stockpiles, and contractor interactions.

The ramifications of cyberattacks are increasingly affecting not just military installations but also critical civilian infrastructure such as manufacturing, retail, and logistics networks. These disruptions can lead to significant economic and social repercussions.

Mihoko Matsubara, Chief Cybersecurity Strategist at NTT Corporation, pointed to notable incidents, including a ransomware attack on the Port of Nagoya in July 2023 and attacks on Asahi Group Holdings and Askul Corporation in late 2025. She noted that a single cyber incident can incapacitate supply chains, often requiring months for businesses to recover.

A Structural Weakness

Masayoshi Someya, Chief Cybersecurity Strategist at Palo Alto Networks, expressed concerns regarding Japan’s cybersecurity landscape during a December 2025 discussion. He noted that the complexity of digital infrastructure has escalated due to factors like telework, cloud migration, and the rise of generative AI, all while cyber risks continue to grow.

Someya indicated that many Japanese organizations face a structural cybersecurity challenge, often due to disparate tools being used across various divisions and subsidiaries. This “individual optimization” leads to a fragmented system that complicates management and monitoring, overwhelming security teams. He advocates for “overall optimization,” where cybersecurity measures are integrated across the organization rather than relying on isolated tools.

Additionally, Someya warned that organizations often depend too heavily on personnel to manually sift through numerous alerts from different systems, leading to burnout and missed warnings. Skilled professionals frequently leave the field after just two to three years due to the stress of managing overwhelming workloads.

As defenders become overloaded, attackers can exploit familiar vulnerabilities, often using straightforward methods to gain access.

The Weakest Links Are the Simplest

Takayuki Sugiura, representative director of the Japan Hacker Association, elaborated on the simplicity of many cyber intrusion methods. In a discussion about the Asahi ransomware incident and the Qilin cybercrime organization, he emphasized that attackers frequently utilize common techniques such as VPN access, stolen login credentials, and phishing.

Sugiura noted that what many perceive as phishing often involves targeting VPN or single sign-on credentials. Once attackers acquire a victim’s ID, password, and authentication details, they can gain extensive access to systems. He cautioned that companies become particularly vulnerable when they delay updates to essential systems, leaving them unpatched for extended periods.

Defining Critical Infrastructure

The evolving nature of cyber threats raises questions about the definition of critical infrastructure. Matsubara cautioned against the government’s tendency to label an increasing number of sectors as “critical.” She argued that if too many sectors are designated as such, it would hinder effective prioritization. Instead, she emphasized the need for the government to continuously update its understanding of the threat landscape and adjust the classification of critical infrastructure sectors accordingly.

As reported by japan-forward.com.