TOKYO — A yearlong postponement may have bought Tokyo more time to prepare for the first pandemic-marred Olympics, but it also gave cybercriminals a bigger window to target the event.
The Japanese Olympic Committee’s revelation last week that its computers and servers were attacked in April was not an isolated incident, with U.K. and U.S. officials announcing as early as October that Russian military intelligence had launched attacks on the Tokyo 2020 organizing committee.
High-profile and logistically complex events like the Olympics are a prime target for hackers, with every edition from London 2012 to Pyeongchang 2018 suffering cyberattacks. The stakes are even higher this time for Japan, where COVID tracing apps will be critical to segregating athletes, foreign visitors and the Japanese public.
A cyberattack could halt television broadcasts — the International Olympic Committee’s biggest source of revenue — disrupt schedules, or shut down the city’s public transportation, said Kyung Kim, head of Asia Pacific cybersecurity at Washington-based FTI Consulting.
“It’s a great platform to embarrass the host nation,” said Kim, who served as the U.S. Federal Bureau of Investigation’s liaison with Pyeongchang 2018 organizers. In the middle of the opening ceremony, hackers took down the organizing committee’s Wi-Fi network and Olympics app, disrupting logistics for meals, hotel reservations and ticketing for 18 hours.
U.S. officials later alleged that Russian military operatives hacked the 2018 games in retaliation for the IOC banning Russia for large-scale doping at the 2014 Sochi Olympics. Russian hackers masked their IP addresses to frame North Korea, another major source of cyberattacks, whose athletes were competing under a unified flag with South Korea.
With Russia still banned from fielding a national team and North Korea’s participation uncertain due to the pandemic, the threat to the Tokyo games is doubled.
“We are expecting state-sponsored attacks, but I guarantee there will be professional hackers targeting not just the Olympic committee, but also third-party vendors,” said Kim.
Japanese companies have grown vulnerable to cyberattacks in the past year as employees transitioned to telework. A study released this week by the International Institute for Strategic Studies, a British think tank, assessing the cyber capabilities of 15 major countries described Japan as “less capable” in cybersecurity despite its economic heft and leadership in information and communications technology. Weak cyber defenses and loose internal coordination lumped Japan in the third and lowest tier, along with Iran and North Korea.
Vulnerabilities could exist in the mobile applications developed by the Japanese government to track foreign visitors and trace COVID infections. Hackers may also take advantage of the sheer number of people looking for information about how to secure tickets, get vaccinated, and travel around Tokyo.
“The fans and the teams need to understand that there might be applications out there trying to lure them,” said John Kirch, senior vice president at Uppsala Security, a Singapore-based consultancy operating in South Korea and Japan.
Joint international law enforcement efforts for the Olympics, if successful, could provide a global model for cybersecurity, especially as ransomware attacks aided by cryptocurrency transfers increasingly hit critical infrastructure.
“The Pyeongchang Olympic committee and the Korean police, intelligence agencies, prosecutor’s office and international law enforcement began coordinating 18 months [before the opening ceremony],” said Kim. “They brainstormed likely attacks and mitigation strategies, formulating instant response plans and exercising rollouts.”
Kirch believes educating athletes, officials and fans attending the games will be a critical defense for the Olympics. “You need to educate your team and the public on what types of attacks can occur,” said Kirch. “The Japanese government and the Olympics need to regularly patch vulnerabilities in their apps and encourage app updates.”
So how has Japan prepared for potential attacks? Tokyo 2020 organizers told Nikkei Asia they were “enhancing cyber defense capabilities.”
“We are also sharing information and conducting training in cooperation with the government of Japan and other relevant organizations,” the committee said in a statement to Nikkei.