Broken Ethernet cable is seen in front of binary code and words "cyber security" in this illustration taken March 8, 2022. REUTERS/Dado Ruvic/Illustration/File Photo
Cybersecurity is increasingly being treated as a matter of national importance. That shift became clear on December 23, 2025, when the government approved a new Cybersecurity Strategy. It aims to make the country "a nation with world-class resilience" that is "capable of responding seamlessly and continuously" to worsening conditions in cyberspace.
The document is built around three pillars:
- Defense and deterrence against intensifying cyber threats.
- Enhancement of society-wide cybersecurity and resilience.
- The formation of an ecosystem for human resources and technologies supporting Japan's cyber response capabilities.
Prime Minister Sanae Takaichi echoed this approach in her first policy speech on February 20. She declared that Japan would further strengthen cybersecurity measures to "promote the fundamental strengthening of the nation's defense capabilities."
Expanding Targets
In today's threat environment, cybersecurity is no longer simply about preventing leaks or protecting secret files. In a February 22 article, cyber deterrence researcher Hitoshi Sato argued that cyber security in the defense sphere is about protecting "the conditions needed for essential government and business functions to keep running before a fight begins."
That includes the systems used by the Self-Defense Forces to pass orders and share information between commanders, bases, and operational units. It also includes the systems used to manage repairs and stockpiles, coordinate movement, control base access, and work with outside contractors. In his analysis, these are the real targets of cyberattack.
However, the consequences of cyberattacks are no longer confined to military targets or classified systems. The same logic now applies to manufacturers, retailers, logistics networks such as ports, and civilian functions whose disruption can inflict serious economic and social damage.
NTT Corporation's Chief Cybersecurity Strategist Mihoko Matsubara makes exactly that point. Speaking exclusively to JAPAN Forward, Matsubara pointed to the ransomware attack on the Port of Nagoya in July 2023 and the attacks on Asahi Group Holdings and Askul Corporation in the fall of 2025. She said those cases showed that "even one cyber criminal activity can paralyze supply chains, and it can take months to recover business operations."
A Structural Weakness
That was also the central concern raised by Masayoshi Someya, chief cybersecurity strategist at Palo Alto Networks, in a December 2025 discussion on PIVOT. Japan is at a turning point in cybersecurity," he said. "Digital infrastructure has become more complex through telework, cloud migration, and generative AI, while cyber risk is only increasing."
Someya warned that many Japanese companies and institutions still face a structural cybersecurity problem. Too often, he said, "different divisions, offices, group companies, or overseas subsidiaries adopt separate tools for separate needs." He calls this individual optimization.
The result is a patchwork system that is more difficult to manage, harder to monitor, and more likely to leave security teams overwhelmed by complexity. What is needed instead, Someya argues, is "the exact opposite of individual optimization ー the idea of overall optimization." Cybersecurity, he argues, needs to be applied across the organization as a whole, ideally through integrated platforms rather than scattered tools.
Someya also warns that many organizations are still relying too heavily on people manually sifting through floods of alerts from different systems. Defenders cannot "process them all," he explains. It leads to burnout and missed warning signs. "Even skilled personnel often become exhausted and leave after just two or three years," he said.
That strain makes the problem worse because attackers often do not need sophisticated methods to break in. As defenders grow overloaded, familiar entry points remain easy to exploit.
The Weakest Links Are the Simplest
Takayuki Sugiura, representative director of the Japan Hacker Association, explains that logic clearly.
Speaking about the Asahi ransomware case and the Qilin cybercrime organization on the YouTube channel TechLIVE by ITmedia in December 2025, Sugiura stressed how ordinary many intrusion paths still are. "The methods are mostly the same," he said, citing VPN access, stolen login details, and phishing. "Once attackers get in, they steal additional login information and move laterally toward core systems such as servers, business operations platforms, and backup infrastructure."
What many people imagine as phishing is credit-card fraud, he said. But attackers now often target VPN or single sign-on credentials instead. Once a victim enters an ID, password, and authentication information, "they take everything." Sugiura's conclusion was stark: "Passwords are not something you should type in."
He also warned that companies become especially vulnerable when they postpone updates to the central computer systems on which their business relies. According to Sugiura, one of the biggest weaknesses is that "many operators leave those essential systems unpatched for too long."
Defining Critical Infrastructure
That points to a broader problem: cyber disruption is no longer confined to sectors governments formally classify as critical infrastructure.
As Matsubara warns, Japan cannot respond by simply labeling more and more sectors "critical." If the government adds too many sectors, "prioritization would be no longer possible," she notes. Instead, she argues that the government needs to keep updating its "understanding of the threat landscape and adjusting the list of critical infrastructure sectors as necessary."
RELATED:
- Asahi Case Aftermath: Companies Should Make Cyber Defense Top Priority
- Cyberattacks Spur Japan's Breakthrough Ransomware Tool
Author: Daniel Manning
