According to local newspaper Nikkei, Japan’s Ministry of Internal Affairs and Communications has put forward a set of cyber-security proposals in relations to the Games, and intends to request around 20 billion yen (£103 million) in government funding over the four years, starting from fiscal 2016.
This funding will go towards training for local authorities, schools, SMEs and enterprises, with the ministry also overseeing drills to prepare for attacks linked to the Games, such as websites being hacked and ticket sale scams. There are also reportedly plans for red teaming exercises.
The ministry, which did not respond to our request for comment, aims to create industry-wide forums so companies can share best practices and other knowledge in the realm of cyber-security in the run-up to the Olympics.
One security expert, who played a key and senior role in securing the 2012 London Olympics, toldSCMagazineUK.com that the games is probably being used ‘as a vehicle’ to reduce the much-publicised information security skills gap.
The Nikkei report cites one study which claims that 160,000 of the 265,000 infosec personnel in the country lack the skills need for the job.
“My reading of this is that it must be broader than just the Olympics,” said the expert, speaking anonymously and citing ambitions to reduce the skills-gap in particular.
“It’s to fix stuff that should’ve been fixed anyway. This is pretty normal in Olympic cities,” he continued.
“They know they will get attacked, so they might as well use this as a vehicle to improve things…It’s quite a sensible initiative.”
The expert added that, during 2012, the ability to share intelligence between government and government agencies was essential and while this is done formally through IOC handover mandates, discussions will also be on-going between London, Rio and Tokyo on a more informal basis. He noted there was a ‘flurry of activity’ from Tokyo to London on security matters after the host nation won the bid.
He continued that getting the balance between ‘party atmosphere’ and security was an important consideration three years ago – “I think we got it right” – but stressed that all threats are contextual, based on the host nation and any political motives.
In London’s case, dubbed the first digital games, it was focused on sending real-time results to smartphones, and he senses disruption attacks could also target the Rio and Tokyo games as mobile proliferation continues.
“This is now established as part of the Olympic delivery,” he said. “That means that any cyber-problems will be instantly visible.” He was cautious on what threats might look like in 2020, although agreed with SC‘s assertion that denial-of-service attacks from hactivists would not be unexpected.
London organisers admitted at the time to being hit by six serious attacks, and were at one stage concerned about an attack during the opening ceremony.
In a document outlining the games, Gerry Pernell, CIO of Locog at the time, detailed how across all LOCOG systems there were 166 million security-related events, of which 783 required investigating.
Six of these were “serious cyber-security incidents” between 26th July and 4th August, with three significant attacks on LOCOG from internet. “No disruption was experienced,” read the paper.
Jane Wainwright, director for data protection and cyber-security at consultancy PwC but formerly head of corporate security at LOCOG for London 2012, said that the skills gap would be an issue for any forthcoming games, as London also experienced three years ago.
“If you invest heavily, and the 50,000 sync together to do something, the thing is how do you ensure they are there at the end? If its five years away, can you retain them? Do you have a contingency plan if not?”
Wainwright added that the Olympic Committee would need to consider all threats, from having the “boots on the ground” for ticket fraud and those scaling the fences to “disruptions from cyber”. They would also need to work with sponsors and other partners to distinguish if this was a threat was genuinely against the Games or just the sponsor.
She added that there was “nothing overly unusual, or even Olympic themed” during the 2012 Games, although generally it was ticketing fraud attempts, denial-of-service (DoS) attacks and generally “people who want to have a go.”
“I don’t think we saw anything Olympic specific, nothing spectacular,” she continued, adding that terrorism was “considered” but possibly “overestimated.”
Nonetheless, future-gazing is vital, added Wainwright.
“In planning and preparation, you must look forward and think what cyber looks like in 2020. We did that quite well with government, private sector and academics. It made that prediction much stronger.”
What should Tokyo and Rio be doing on training? “First and foremost, you have to have people who live and breathe the Olympic spirit. It wasn’t just a job [at 2012 London] it was part of our strength. It was a key skill we sought out.”
But she admitted this layered with cyber-security skills was “quite rare” to find, especially when also asking for those with experience being involved with complex, multi-nation sporting events.
“It’s a collective effort…we should tackle it together, it’s not seen as an individual endeavour.”
Wainwright continued that organisers would have to view the threats as “anything is possible” and said that they should ask themselves how they are managing the threats.
Mark Hughes, president at BT Security, also told SC that keeping ahead of the threats is tricky. “Protecting an event the scale of the Olympic Games means ensuring you have the right defences, people and processes in place to respond and protect your network in every eventuality,” he said in an email.
“When we started thinking about how we’d protect the London 2012 Games, we learnt very early on that we’d need to invent new ways of dealing with huge volumes of data – the traditional security methods that had been around for years simply wouldn’t cut it. One of the first big things we did was to create a truly IP environment, so that all traffic – be it voice, data or broadcast – was on one single network.”
“While predicting which threats will and will not be around using data or threat projection reports is useful, five years is a long time, and cyber-criminals are getting better and more advanced in their attacks every day. The good news is that we, the security industry, are keeping pace with them, getting better and more advanced in the way we defend against these threats too.”
The next Olympic Games takes place in Rio, Brazil. Last month, the Brazilian Cyber Defence Centre (CDCiber) announced that the country would have nearly 200 specialists, military personnel and technicians “working on cyber-protection” during the games.