The Cyber Counter-Capacity Enhancement Law (CCEL) strengthens Japanese cybersecurity. But the line between security and warfare is becoming increasingly blurred, and democracy is struggling to protect it.
by Andrea Monti – Initially published in Italian by Wired.it
It all began in 2021 with the REvil case, when the FBI, the US Department of Defence and other US agencies, together with Russia and other countries, took action against a deadly ransomware gang, using hack-back techniques to disable the servers used by the criminals and track them down using spyware.
However, anticipating the neutralisation of the platform that managed the ransomware while the judicial investigation was ongoing raised a number of legal issues about the true nature of such actions, which potentially resemble hostile acts against sovereign countries rather than police investigations. It is true that they are directed at individuals, but it is also true that if the infrastructure used by these individuals is based in another country that is not involved in the criminal action, some form of legitimacy is required in order to target it, otherwise we would be faced with an act of war. There is, indeed, no difference between launching a missile or a drone to strike a physical installation and sending a virus or using hacking techniques to take control of a server located abroad. In other words, the need to block a cyber attack originating from another state does not justify the violation of the national sovereignty of the targeted state.
Military operation or public security measures?
Despite these complexities, which are not easy to manage, following the United States and Italy, Japan has also decided to go down this path with the CCEL (Cyber Counter-Capacity Enhancement Law), which is worth analysing because, unlike Western nations, Tokyo can use force, at least formally, only to defend itself within its own borders. This limitation, provided for in Article 9 of the Japanese Constitution, would therefore seem to preclude the offensive and strategic (i.e. military) use of government powers related to cybersecurity, but this is not exactly the case.
All activities provided for by the CCEL, including the collection and analysis of data traffic and the use of “active measures”, must be carried out in accordance with citizens’ rights, limiting technological surveillance to a minimum and under the control of an independent commission. Therefore, such an approach excludes (or would exclude) the government from using these powers to violate the sovereignty of other countries.
‘This law’, explains Professor Masahiro Matsumura of St. Andrew’s University in Osaka, interviewed by Wired, ‘is intended to be applied in situations that do not reach the threshold of armed attack. It also authorises the adoption of measures necessary to access computer systems used for malicious actions and neutralise malicious actors. Therefore, it is not possible to invoke the application of the rules of war and the provisions of international law relating to the use of armed force.’
The use of preventive measures
However, a potentially problematic aspect is represented by a clause in Article 2 of the law, according to which active cybersecurity measures may also be used to prevent intrusions that could damage public and state cybersecurity. Therefore, from a Western perspective, the provision could be interpreted as legitimising pre-emptive attacks similar to those considered admissible in the military sphere by US doctrine based on the concept of pre-emptive strikes.
‘From my point of view,’ Professor Matsumura believes, ‘it is not correct to say that this law authorises preventive attacks as part of cybersecurity measures. This concept is completely absent from our political debate and the new legislation is consistent with this approach. The terms “active cybersecurity measure” have a completely different meaning in our legal system from “cyber operation”. In the first case, we are talking about measures that serve to protect state and critical infrastructure, while in the second case we are talking about actual military operations that are not part of the Japanese institutional lexicon.’
The importance of international cooperation
As long as the active approach is practised within national borders, there are no particular problems because, apart from differences between countries, crime prevention and preventing the continuation of crimes are structurally the responsibility of police forces and the judiciary. However, as mentioned above, things are not so simple when enforcement actions have to be carried out in another country. On the other hand, the need is extremely real if it is true that, as stated in an official document illustrating the contents of the law, over 99% of cyber attacks recorded in 2024 by the Japanese authorities originated abroad.
The regulatory response is contained in Article 3 of the law, which expressly refers to the importance of promoting international cooperation in the use of Japan’s technological capabilities in investigations involving other countries. The CCEL does not say so explicitly, but it is reasonable to infer that this provision brings the “cross-border” use of active cybersecurity measures within the scope of international agreements and cooperation, including judicial cooperation.
The problem of attribution
In this regard, one aspect that the CCEL does not cover (as is the case elsewhere, including Italy) is the obligation to identify the political nature or otherwise of an incident (including cyber incidents) affecting critical infrastructure.
Formally, this would not be necessary because the rules do not deal with attacks in the military sense, but this formal justification is very weak. It is clear that, pragmatically, it is preferable to consider actions against critical infrastructure as acts of “normal” criminality or even not to venture down this path.
On the other hand, if there were official confirmation of the state origin of an operation against national infrastructure, or if such confirmation were sought, this would automatically trigger a diplomatic escalation that would be difficult to manage and therefore at risk of reaching the point of no return.
In theory, the legal distinction works; in practice, however, and at least from the perspective of an analysis based on political realism, it seems more like a tool to mask the possibility of committing a hostile act in the seemingly innocuous form of a security measure. Because, to quote Shakespeare, “a rose by any other name would smell as sweet”.
Rule of law or Machtpolitik?
As mentioned, Japan is not the only country to have made such a regulatory choice, which is part of a broader international trend that favours the direct use of force based on the overlap (or confusion) of the roles of public security, judicial police, defence and private activity. In general terms, in fact, removing this distinction, even if only when networks and computers are involved, means undermining the separation of powers and, in particular, the loss of the role of the judiciary as an independent guarantor of compliance with the law, including, and above all, by the state. Therefore, the game will be played, not only in Japan but also in Italy, where such rules are already in force and others are in the process of being enacted, on the actual possibility of verifying, on a case-by-case basis, how these powers have been exercised, particularly those relating to preventive surveillance.
Technology as an anaesthetic for public debate
On these issues — perhaps in Japan, but certainly in Italy — there has been no significant debate in civil society. The public would probably have realised the scope of these legislative choices if, instead of authorising “digital incursions” and “cyber countermeasures”, a government had planned the use of armed forces in traditional operations, with men in uniform and guns at the ready. But the technology, with its aseptic appearance and the distance between screen and reality, has anaesthetised the collective perception.
Using a virus to disable a server or using hacking techniques to take control of it does not risk bringing home coffins wrapped in flags, does not require state funerals, or even heart-wrenching live television broadcasts. Thus, hidden behind strings of code, a power sheltered from scrutiny can continue to expand without too many questions, protected by the fact that a computer has no voice to demand justice.
However, it is not only the silence of civil society that is worrying. We should also ask ourselves whether parliaments are capable of holding anyone (but whom?) to account for decisions that they are increasingly unable to understand and that are even more often delegated to the next Big Tech company.