Olympic-caliber cybersecurity: lessons for safeguarding the 2020 games and other major events

Researchers explored the cybersecurity threat landscape of the Tokyo 2020 Olympics, the lessons that can be learned from previous Olympic Games, which actors pose a cybersecurity threat, and what policy options can help planners mitigate these risks.

Planning early, cooperating and sharing information, and allocating resources using a risk-based approach are among the team's policy recommendations.

Background

Since at least the 2004 Athens Olympic Games, cybersecurity has been a growing concern for Olympic host nations and the International Olympic Committee. As Olympic organisers’ reliance on information and communications technology infrastructure has steadily increased over successive games, so too have cybersecurity requirements.

The Olympic Games attracts athletes from more than 200 nations and worldwide media coverage, which makes the event a rich target for those seeking to cause politically motivated harm, enrich themselves through crime, or embarrass the host nation on the international stage. Going forward, security planners need to consider the overall cybersecurity threat landscape if they are to lessen threats, allocate resources, and host a resilient, safe and secure Olympic Games.

Goals

The purpose of the study was to assess the cybersecurity threat faced by the Tokyo 2020 Summer Games and Paralympic Games, and to produce a set of policy options tailored to the different contexts under which cyber threats to Tokyo 2020 could occur. The study was designed around six research objectives, including performing case-study reviews of cyberattacks at previous Olympic Games and producing an infographic visualising the threat landscape and the threat actors within it.

Methodology

By synthesising many sources of primary and secondary data, the study team developed a graphic that provides an at-a-glance overview of the threats facing the Tokyo Olympics. This will hopefully guide Olympic security planners, computer emergency response teams, and policy- and decisionmakers as they prioritise and address cybersecurity threats. The risk assessment also considered threat actors' motivation, sophistication, and likelihood of colluding with one another.

Findings

Types of threats

  • Targeted attacks, aimed at high-profile Olympic assets, individuals, or organisations (e.g., broadcasting systems, Olympic commissioners, Japanese cybersecurity organisations), for either financial or political gain, could result in severe breaches or financial or reputational losses.
  • Distributed denial of service (DDoS) attacks against Tokyo 2020 infrastructure or associated networks could disrupt the availability of services or distract from other ongoing attacks. DDoS attacks could be launched by advanced threat actors, such as foreign states, or less sophisticated groups, such as hacktivists.
  • Ransomware attacks could affect a wide range of devices, services, and underlying infrastructure supporting the Tokyo 2020 Olympics, including participant and visitor devices, transportation services, and point-of-sale systems.
  • Cyber propaganda or misinformation could be used to damage the reputation of individuals, sponsor organisations, or the host nation. It could also be used for political purposes or to disrupt the Olympic Games themselves.

Types of threat actors

  • Foreign intelligence services—should they choose to act—pose the greatest threat, with a high level of technical sophistication and the potential to have a large impact;
  • Cyberterrorists and cybercriminals are also of concern, although less so than foreign intelligence services. Cyberterrorists have only a moderate level of technological sophistication, but their potential impact on the games could be severe. And while cybercriminals have high levels of technical skill, we assessed both the likelihood and potential impact of these attacks as only “medium”;
  • Although they are newsworthy when they do occur, we judged attacks from hacktivists and insider threats as carrying a lower risk to the games;
  • Finally, ticket scalpers are likely to exploit cyber vulnerabilities for profit, but their threat to the security of the games is low when compared with other actors.

Figure: The cyber threats, actors, and impacts facing Tokyo during the 2020 Summer Olympic Games

Policy Options

  1. Plan early. The earlier cybersecurity planning and preparation begins, the more time there is to assess event-specific threats, shape a community of stakeholders and build trust among them.
  2. Cooperate and share information. There are many cybersecurity stakeholders in the public and private sectors who must collaborate, cooperate, and share information to reduce cybersecurity risks in advance of the Olympic Games.
  3. Know the mission and have a common security goal. For a public-private, multi-stakeholder cybersecurity strategy to succeed, all parties must understand and buy into a common goal.
  4. Clearly define all stakeholder roles and responsibilities, and revisit them throughout the preparation and execution of the games.
  5. Allocate resources to lessen cybersecurity risks. By taking a risk-based approach to cybersecurity, we developed a prioritised list of threat actors to consider. Effectively reducing these risks will require that adequate resources are apportioned appropriately.
  6. Deter the riskiest adversaries with a targeted cyber defence campaign. The riskiest threat actors are likely to be foreign intelligence services and cyberterrorists. A targeted deterrence campaign might dissuade these adversaries from attempting to attack altogether and convince them that the costs of executing an attack are too high and the chances of success are too low.
  7. Incorporate cybersecurity into broader security planning. Planners should incorporate cybersecurity into broader security planning efforts, training, and exercises right from the start. Planners should work to build a cybersecurity community and incorporate “cyber” into the broader Olympic security community, as cyberattacks can have widespread physical security effects.