The Network Is the Territory

Japan's National Cybersecurity Office, the Active Cyber Defense Era, and What It Means for Critical Infrastructure

Japan has stopped waiting at the firewall. Its newest security body is built to detect threats early, coordinate across government and industry, and, within strict legal limits, disrupt attacks before they land.

Doradus Labs Intelligence and Security Series

This is the fifth and final piece in a series on Japan's security architecture, and it lands where every other agency in the series eventually points. The Cabinet Intelligence and Research Office fuses intelligence for the Prime Minister. The Public Security Intelligence Agency watches the home front. The National Police Agency Security Bureau turns assessment into operational public safety. The Defense Intelligence Headquarters reads the electromagnetic and cognitive map. Underneath all of them now runs a single connective layer, because there is no longer a national-security problem without a network dimension. That layer is the responsibility of Japan's National Cybersecurity Office.

In 2025, Japan made a decision that many governments have debated and few have committed to. It moved its cybersecurity posture from passive to active. For years the model was the one most organizations still use: defend your own perimeter with firewalls and antivirus, and hope the walls hold. The new model, enabled by legislation passed in May 2025 and rolling out through 2026 and 2027, is built on detecting threats earlier, sharing information faster across the public and private sectors, and, in narrow and overseen circumstances, reaching out to disrupt attacks at their source. The institution at the center of that shift is the National Cybersecurity Office, and its story is the most directly useful in this series for anyone who runs critical infrastructure, because the obligations and the lessons land squarely on the private sector.

The Network Is the Territory

Every other agency in this series has a building that matters. CIRO sits in Nagatacho, the Public Security Intelligence Agency and the police in the Kasumigaseki ministry blocks, the Defense Intelligence Headquarters inside the Ichigaya defense complex. The National Cybersecurity Office is different. It sits within the Cabinet apparatus in central Tokyo, but its address is almost beside the point, because its territory is not a district. It is the nation's networks: government systems, critical-infrastructure control systems, telecommunications backbones, and the countless private systems the country runs on.

What did change, in a way worth noting, is the office's standing. When the body that became the NCO operated as Japan's incident-readiness center, its leadership reported through the Chief Cabinet Secretary. With the 2025 reform, the office was elevated so that its leadership reports directly to the Prime Minister. That is a deliberate signal. Cybersecurity in Japan has been promoted from an information-technology function to a first-order national-security concern, and the reporting line now reflects it.

From NISC to the NCO

The office has a history worth a sentence. It began in 2015 as the National center of Incident readiness and Strategy for Cybersecurity, usually shortened to NISC, the secretariat charged with coordinating cybersecurity policy across a fragmented government. On July 1, 2025, following the 2022 National Security Strategy and the legislation enacted that May, NISC was reorganized and expanded into the National Cybersecurity Office, headed by a newly created National Cyber Director.

Its core functions are unglamorous and essential. The NCO is the central coordinator of cybersecurity policy across the Japanese government. It operates as the governmental computer emergency response team, and together with JPCERT/CC, which covers the private sector, the two form Japan's national CERT. It runs a government-wide monitoring function that watches for malicious traffic flowing into and out of government systems and shares warnings across agencies. It sets common security standards for government bodies and audits their compliance. And it frames the threat in national-security terms: its own materials describe attacks on critical infrastructure, including state-backed attempts to halt or destroy the functions that infrastructure performs, as a major concern for the country.

In December 2025, the government adopted a new five-year cybersecurity strategy that names cyberattacks a serious security threat and commits to a coordinated approach between government and the private sector. The NCO is the body expected to make that coordination real.

Passive to Active, and What That Means

The logic behind the change is straightforward. Passive defense assumes the decisive fight happens at your own boundary, which is no longer where it happens. By the time a sophisticated intrusion reaches a firewall, the attacker has often already spent months preparing: staging infrastructure, stealing credentials, and probing suppliers. Active defense is an attempt to compress that advantage, to notice the preparation rather than only the strike.

The heart of the change is the Active Cyber Defense Law, passed by the Diet in May 2025 and taking effect in stages across 2026 and 2027. It is built on four pillars, and it helps to understand them plainly, because they describe a model that extends well beyond Japan.

The first pillar is public-private cooperation: stronger information sharing, incident-reporting expectations for critical-infrastructure operators, and a mechanism for government to notify vendors of vulnerabilities in critical systems. The second is the analysis of communications information to detect the early signs of an attack, focused on the metadata of international communications, such as addresses and timestamps, rather than the content of messages. The third is access and neutralization: authority for designated bodies, the police and in the most serious cases the Self-Defense Forces, to reach attacker infrastructure and disable it, for example by taking down a relay server being used in an ongoing campaign. The fourth pillar is the organizational reform that created the NCO itself.

The shorthand for this is defending forward. Instead of waiting passively behind a firewall for an attack to arrive, the state aims to see threats forming and, when necessary and lawful, to interrupt them closer to the source. It is a significant change in posture, and Japan has deliberately phased it: the communications-analysis capability and the neutralization authority each come online over the following months and years rather than all at once, under conditions set in law.

The Oversight Question

A capability like this cannot be separated from the question of restraint, and Japan's debate over the Active Cyber Defense Law was, at its core, a debate about that. Japan's Constitution protects the secrecy of communications, and the Telecommunications Business Act obliges carriers to uphold it. Allowing the government to analyze communications data, even metadata, sits in tension with that tradition, and the law tries to manage the tension with limits rather than ignore it.

The communications-analysis power is bounded. It centers on international communications, excludes the content of messages, applies where threats are difficult to detect by other means, and requires approval from an independent body created for the purpose, the Cyber Communications Information Oversight Commission, which is meant to supervise how the government uses these authorities.

Not everyone is convinced. Opposition lawmakers and civil-liberties advocates argued that large-scale analysis of metadata alone can reveal associations and beliefs, and questioned whether the oversight commission will be independent and transparent enough in practice. The government counters that the safeguards and the narrow scope are sufficient, and that the threat to critical infrastructure leaves little choice. This is not a settled question, and it should not be treated as one. It is the same balance every agency in this series has had to strike, the balance between capability and accountability, now playing out in the newest domain.

What Counts as Critical Infrastructure Now

The reason Japan moved is that the nature of the attacks changed. Earlier waves of cyber intrusion mostly sought to steal: personal data, intellectual property, secrets. The attacks that worry governments now aim to disrupt, to take a system offline and keep it there. The 2023 ransomware attack that halted container operations at the Port of Nagoya is the kind of event that reframes cybersecurity as a national-resilience problem rather than a data-protection one, and hospitals, which Japan treats as critical infrastructure, have continued to be hit.

Japan now organizes critical-infrastructure protection around roughly fifteen sectors, including electricity, gas, telecommunications, finance, medical care, water, logistics, transportation, and, more recently, ports and harbors. Under the new framework, operators in these sectors face clearer expectations to report incidents and share threat information, and the businesses and IT systems that serve them are pulled into the same perimeter. If your organization runs or supplies any of these functions, the national-security framing is no longer an abstraction. It is becoming a compliance reality.

An Alliance Problem, Not Just a National One

Japan is not defending its networks alone, and the active-defense shift is partly about being a more capable partner. The state-aligned actors that most concern Japanese officials, operating from or linked to China, Russia, and North Korea, do not respect borders, and the infrastructure they use is global. Japan has responded by deepening cyber cooperation with its allies. The February 2025 joint statement with the United States singled out security cooperation in cyberspace, and Japan has maintained regular cyber dialogues and exercises with NATO. Domestically, the government has floated a public-private Cyber Council modeled on the United States Joint Cyber Defense Collaborative, an arrangement built to put government and private-sector defenders in the same room in real time.

The implication for a private operator is easy to miss and important to absorb. Threat information increasingly flows through international and public-private channels, and an organization that is not connected to those channels is defending with a narrower view of the battlefield than the adversary has. Being part of the network of defenders is itself a form of defense.

The Vendor and Supply-Chain Turn

One of the most consequential and least discussed parts of the reform is how it allocates responsibility. Modern critical systems are rarely run by a single organization. They are built and maintained by a chain of IT vendors, managed-service providers, software suppliers, and contractors, and a weakness anywhere in that chain becomes a weakness in the whole. Japan has recognized this directly. Draft guidelines circulated in late 2025 set out to clarify how cybersecurity responsibility is divided between government and critical-infrastructure operators on one side, and the IT service providers that support them on the other. The government also gains a role in notifying vendors about vulnerabilities found in critical systems.

The message to anyone in the technology supply chain is unambiguous. If you build, host, manage, or maintain systems that matter, you are now part of the national-security picture, whether or not your contract uses that language. Provenance, patching, monitoring, and a clear division of who is responsible for what are no longer back-office details. They are the difference between being part of the defense and being the way in.

Lessons for Critical Infrastructure and the Boardroom

The NCO model translates into a practical agenda for any operator, and it does so with one important boundary that must be stated first. The active part of active defense, reaching out to disable an attacker's infrastructure, is a government authority exercised under strict legal oversight. It is not an invitation for private organizations to strike back, which remains both unlawful and reckless. The lesson for a business is everything that surrounds that authority: earlier detection, faster sharing, and serious resilience. In practice:

None of this requires the budget of a national government. It requires the same posture the NCO embodies: proactive rather than reactive, shared rather than siloed, and accountable rather than unchecked.

Conclusion: Where the Series Lands

Across five agencies, a single pattern has held. Japan's security institutions are built to fuse many signals into clear judgment, to act within legal limits and under independent review, and, increasingly, to move from reacting after the fact to anticipating what is coming. CIRO does it for the Cabinet, the Public Security Intelligence Agency for domestic threats, the police for public order, the Defense Intelligence Headquarters for the military and cognitive domains, and the National Cybersecurity Office for the networks that now run through all of it. The 2025 and 2026 reforms, the shift to active cyber defense and the parallel move to a more coordinated national intelligence structure, are two expressions of the same conviction: that the threats of this decade demand institutions that see early and act together.

For the boardroom, the conclusion of the whole series is the one the NCO makes unavoidable. Security is no longer a function you delegate to a perimeter and forget. It is a continuous, shared, accountable discipline that belongs at the top of the organization, because the line between an information-technology incident and a national-security event has effectively disappeared. The institutions that will weather this decade, public or private, are the ones that stop waiting at the firewall and start, within clear limits, watching the whole territory. For the high-availability environments we care about most, from utilities to gaming floors to the systems that keep a city running, that shift from reactive response to predictive awareness is no longer optional. It is the work.

Sources