
Active Cyber Defense and Public–Private Collaboration: Emerging Challenges in Responding to Cyber Threats

Key Points

  1. As cyberattacks continue to intensify, the Japanese government has shifted its cybersecurity posture from a primarily defensive approach to an “active cyber defense” strategy that includes measures that directly counter malicious actors. This shift is beginning to reshape the relationship between the government and private-sector organizations.
  2. Changes in the nature of public–private collaboration in the cyber domain reflect a transformation in the underlying purpose of that cooperation. Whereas earlier efforts focused on enhancing resilience and facilitating information-sharing through joint initiatives, recent priorities have shifted toward ensuring national cybersecurity—and increasingly, national security—through active cyber defense.
  3. For the government, key challenges include producing integrated intelligence from diverse sources, delivering timely information to private companies, clarifying incident-reporting requirements while minimizing burdens, and designing incentives that encourage reporting incidents without penalizing compliance. For private-sector organizations, challenges include gaining visibility into the condition of their own systems, including outsourced environments, strengthening coordination with vendors and partners, and establishing robust internal structures for incident reporting.

Evolving Roles of Government and Industry in Cyber Defense

Japan’s 2022 revision of its National Security Strategy marked a fundamental shift in its approach to cyber threats. Previously, its efforts focused on reducing risks on the victim’s side through vulnerability mitigation. Under the new policy, Japan incorporates active cyber defense measures, such as disabling compromised computers, moving beyond a purely defensive posture.

This shift has transformed the purpose of public–private collaboration. Traditionally, collaboration focused on strengthening resilience through joint initiatives and information-sharing. Today, the focus is on ensuring cybersecurity—and, increasingly, national security—through active cyber defense. Consequently, the government is expected not only to promote information-sharing, but also to function more explicitly as a central hub—consolidating information, analyzing threats, and coordinating responses.

Information sharing has also evolved. Tokyo now leads the collection, analysis, and dissemination of data, moving away from industry-led voluntary efforts. The National Cybersecurity Office (NCO) released a draft Cybersecurity Strategy in 2025 that emphasizes more proactive and bidirectional information-sharing between the public and private sectors. Under this approach, private companies will be better positioned to use government-provided information to strengthen their own cybersecurity measures. To offer effective support, the government will collect incident data and information on the status of computers from private organizations and integrate this information with intelligence provided by foreign counterparts.

Several factors underlie these strategic changes, including the growing sophistication of cyberattacks and the rising cost and practical limits of efforts to minimize damage. Until now, defenders have sought to manage increasingly complex threats by adopting a wide range of measures—deploying security products, establishing internal rules, training staff, encouraging software updates, issuing alerts, and sharing information across organizations. While such diversification has been necessary, it has also highlighted the inherent limits of purely defensive, organization-by-organization approaches.

Comprehensive protection is costly and, in practice, impossible to implement perfectly. One major reason is that responsibility for protecting organizational systems has largely been delegated to system administrators. Even when government agencies and security institutions encourage organizations to take action—such as updating software, which requires no additional cost and only modest effort—many incidents reveal that companies have not fully understood the status of their systems, have continued to use devices beyond their support period, or have not implemented essential security measures.

If left unaddressed, vulnerable computers may remain exposed and become attractive targets for attackers. Such devices may also be exploited in attacks against critical infrastructure or used as staging points for attacks on third countries. To mitigate these risks, the Japanese government has adopted a more proactive approach—collecting and analyzing information on designated critical computing systems and incidents, proactively providing information to the private sector, and countering threats through access controls and neutralization measures.

Challenges for the Government

Tokyo faces several interrelated challenges: generating integrated intelligence from collected information, providing actionable information to private companies in a timely manner, clarifying which incidents must be reported, and reducing reporting burdens.

Under Japan’s new Cyber Response Capability Enhancement Act, the Japanese government plans to obtain information on cyberattacks by requiring notifications regarding critical infrastructure equipment, incident reports, and the use of telecommunications data. These will be supplemented with information independently collected by the Ministry of Defense, the National Police Agency, and intelligence provided by foreign partners. All of this information will be integrated and analyzed comprehensively.

A key challenge is whether the Japanese government can provide integrated intelligence to private-sector organizations at a moment when it is operationally useful. In the past, some information-sharing mechanisms offered limited data or provided information only after an attack had concluded, reducing their utility. Under the new system, Tokyo will be able to issue appropriate notifications through the reporting framework for designated critical computing systems and provide highly sensitive information through the security clearance system. However, these processes involve unfamiliar and largely untested operational practices, and determining how and when to provide information to the private sector remains an unresolved—and politically sensitive—issue.

Reducing the burden of incident reporting is another critical priority. The NCO has published standardized incident-reporting formats for ransomware and DDoS-related damage, but a key question moving forward is how clearly it can define which incidents require reporting and to what extent.

The government also needs to address private-sector concerns that reporting a cyber incident might expose companies to administrative penalties. To encourage proactive reporting, the government will need to design incentives that ensure companies are not disadvantaged for complying with reporting requirements.

Challenges for Private-Sector Organizations

For private-sector organizations, the key challenges include understanding the actual condition of their systems—including those operated through outsourcing—strengthening coordination with external partners, and establishing mechanisms for rapid incident reporting.

Under Japan’s Cyber Response Capability Strengthening Act, designated operators of specified critical infrastructure will be required to notify government agencies of the equipment and services they use. During deliberations in the National Diet, the Cabinet Secretariat indicated that notifications will cover items such as VPNs, firewalls, authentication servers, and cloud services. Operators will need to register product names, manufacturers, and network configurations with the relevant minister. Complying with these requirements will necessitate a thorough understanding of an organization’s own systems, including those managed through outsourcing arrangements.

Moreover, employees, including senior management, must share a common understanding of system configurations, operational practices, the scope and management of outsourcing, collaboration with external organizations, and the cyber threats associated with these environments. When core system security and hardening measures are outsourced, accurately assessing the security posture of the vendor becomes a critical starting point.

Effective collaboration with outsourced service providers is another challenge. Some past incidents in Japan were caused by failures to apply system updates at outsourced vendors. Organizations must therefore strengthen coordination by properly interpreting information provided by the government and specialized agencies and ensuring they remain informed about the status of outsourced systems.

Establishing robust incident-reporting mechanisms is also critical. Mandatory reporting will eliminate ambiguity in existing standards and enhance the government’s ability to aggregate and analyze data. Because certain incidents must now be reported even if they do not directly disrupt business operations, some critical infrastructure operators—and their vendors—will need to develop new capabilities for detecting, reporting, and responding to cyberattacks.

Challenges in Public–Private Collaboration Abroad, Especially for Incident Reporting

These public–private collaboration challenges are not unique to Japan. In the United States, for example, the 2022 Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) imposes requirements on designated operators to report cyber incidents and ransomware payments. However, internal government deliberations and coordination among relevant agencies have been slow, delaying the release of the final rule from the originally planned October 2025 to May 2026.

The draft rule received 300 public comments, highlighting concerns about the scope of applicability, the need to reduce reporting burdens on private entities, consistency between CIRCIA and other reporting requirements, and transparency. In the U.S. House Committee on Homeland Security, industry representatives have voiced concerns that “the definition of an incident is overly broad,” “reporting burdens on private companies are excessive,” “consultation with industry has been insufficient,” and “inadequate protections and liability safeguards may discourage reporting.”

Australia’s Security of Critical Infrastructure Act 2018 (SOCI Act) requires critical infrastructure operators to maintain cybersecurity standards as robust as their own even when outsourcing essential services. The UK government is considering a new law aimed at protecting and ensuring the continuity of essential services, under which IT service providers would be required to rapidly report major cyber incidents to both the government and affected customers and to develop response plans.

(c) Prime Minister’s Office website, “Prime Minister’s Daily Agenda: Launch Ceremony of the National Cybersecurity Office”