Japan Prepares for Olympic-level Cybersecurity

Posted: May 30th, 2019

By Nathan Ryan

Nathan Ryan is an analyst at RAND Europe focusing on cybersecurity and defence technology issues. RAND Europe is not-for-profit research organisation based in Cambridge, UK, that helps to improve policy and decision making through research and analysis.

Japan’s cybersecurity will be put to the test over the next 18 months. The world’s attention will be fixed on the island country as it hosts two major events: the Rugby World Cup in September and the Tokyo Olympics in 2020. The tournaments will likely be an attractive target for digitally-sophisticated adversaries who want to exploit vulnerable systems. Cyber defences will need to be strong enough to keep attackers out and resilient enough to restore systems should things go wrong.

Cyber threats are a huge concern for event planners because of the increasing dependence on technology. Japan’s bid for the 2020 Olympics was underpinned by a vision for “world-class innovation.” Tokyo’s plans to provide high-tech services to athletes, spectators, tourists, and volunteers eclipse the ambitions of Rio, London, and Beijing, the hosts of the most recent Summer Olympics. Given its technology ambitions, Tokyo’s legacy might become the playbook for securing digital systems in future Games.

The Olympics have been the target of several high-profile cyberattacks in the recent past. At Pyeongchang 2018, malware infiltrated the Winter Games systems prior to the opening ceremony. The computer worm Olympic Destroyer took the internet offline at the stadium, downed the telecasts, grounded broadcasters’ drones, shut down the official website, and prevented spectators from printing out tickets and, consequently, attending the ceremony. At London’s 2012 Games, hackers attempted a large-scale, high-impact cybersecurity attack on the opening ceremony, causing concern that the stadium would lose power.

Tokyo’s Games face various potential cyber threats, according to a recent RAND study. The threats include targeted strikes on broadcasting systems as in Pyeongchang or power systems as in London, and attacks that aim to disrupt Tokyo’s transportation system and communication networks. Successful strikes could result in financial losses, compromise personal information, disrupt matches, damage property, and, most worryingly, cause physical harm to participants and attendees—not to mention embarrass Japan on the world stage.

The most likely perpetrators of potential attacks are foreign intelligence services, cyberterrorists, cybercriminals, hacktivists, and ticket scalpers. The study found that intelligence services—should they choose to act—pose the greatest threat because of their high level of technical sophistication and potential to have a large impact. Though cybercriminals are not as technologically advanced, their profit-driven actions could also affect the operation of the Games.

The report recommends that security planners allocate limited resources appropriately to reduce cybersecurity risks, prioritising threat types and cyber attackers as needed. By prioritising the attacker type, a targeted deterrence campaign might dissuade these adversaries from attempting to attack altogether and convince them that the costs of executing an attack are too high and the chances of success are too low. For instance, criminal charges could be brought against individuals who break the law, or “naming and shaming” could be a credible retaliatory action against hostile foreign actors who attempt to disrupt the Games.

Japan is already taking the initiative by launching a bold programme to hack into its own citizens’ internet-connected devices to highlight their vulnerabilities. CCTV cameras, digital TVs, lights, locks, refrigerators, and countless other home appliances in the proliferating Internet of Things (IoT) have been rushed to market with little consideration of the collective cybersecurity risk they pose. Many are susceptible to malware, and attackers have shown it is possible to create large-scale botnets (e.g. Mirai) in order to launch devastating attacks to cripple systems and force them offline.

The approved programme, which would continue through 2024, will allow Japan’s National Institute of Information and Communications Technology (NICT) to scan vulnerable homes and offices for unsecured internet-connected devices. NICT will employ commonly used credentials, usernames, and passwords to try to access about 200 million devices, starting with webcams and routers. When NICT successfully accesses a device, the owner will be contacted and advised to improve security measures.

The cybersecurity challenges of huge sporting events are too numerous to ignore. Japanese security planners have been bold and innovative in their approach to addressing IoT threats, and cybersecurity resilience for the Games will be a priority for them. Non-technical aspects such as shaping the community of people and organisations working towards a common security goal, fostering cooperation, and building trust should also play a role. Fortunately, Japanese cybersecurity planners still have time to prepare, exercise, and mitigate risks so that events are safe and resilient. The Rugby World Cup in September is the perfect opportunity to test their defences—on the field and off.

Read more in The Cipher Brief…