Assessing The Potential Impact of Cybersecurity for Olympic Games in Tokyo

The 2020 Summer Olympic Games, also known as Tokyo 2020 (despite the rescheduling, the event retains the original name for marketing purposes), are scheduled to be held from July 23, 2021, to August 8, 2021, in Tokyo, Japan. Originally scheduled to take place in 2020, the event was postponed as a result of the COVID-19 pandemic. As a global event, there are always potential concerns of cyber attacks such as ransomware, and any conversation around security for Olympic Games should include an element of cybersecurity. Although Tokyo 2020 faces unique challenges, and its organizers’ creativity and resiliency are being put to the test, no credible physical or cybersecurity-related threats associated with the upcoming Olympic events have yet to be identified. Within this piece, we’ll review what the ZeroFox threat research team has observed in the weeks leading up to the games, as well as the types of security incidents that could occur.

Key Findings

• Despite consistent opposition against the Games by segments of the Japanese public and the declared state of emergency in Tokyo, the Japanese government and the International Olympic Committee have made it clear that Tokyo 2020 will be held on schedule. Due to the pandemic, significant security precautions will be in place, including the barring of international spectators and potentially limiting domestic fans. Because of the fast-changing COVID-19 situation in the country, new restrictions are still likely. 
• Overall, the threat of widespread unrest during the Tokyo 2020 events is low.  ZeroFox expects any potential upcoming demonstrations to be primarily concentrated in major population areas, particularly Tokyo, which could intensify in the weeks leading up to the opening ceremony on July 23, 2021. Despite increased media and security presence around key event sites, as well as the limiting of spectators during the Games, ZeroFox expects the risk of sporadic, small-scale skirmishes between protesters and police to continue. 
• As with most large-scale sporting events, cybersecurity remains a concern for 2020 Summer Olympic Games. With Japan’s over-dependence on digital infrastructure during the Olympics, there are potential risks if such systems are infiltrated. Furthermore, as the threat of nation-state cyber attacks or ransomware attacks looms over Tokyo 2020, cybersecurity measures have become a must for Olympic organizers. 

Security for Olympic Games

While most of the pre-Olympic focus has been concentrated on Japan’s preparations for the ongoing COVID-19 pandemic, security preparations for the event venues, athletes, and spectators have been in development for several years. While it is likely that the opening ceremonies for the Tokyo Olympics will be a TV-only event, the Tokyo Olympics organizing committee plans to set up security headquarters in each of the 48 event venues, including the Athletes' Village. As many as 18,000 private security guards will be deployed to help patrol the venues and surrounding neighborhoods. Unlike previous Olympics, organizers have stated that they are satisfied with recruitment levels and have enough private security guards to fully staff their security plan. As the number of spectators remains undecided, organizers have specified that flexibility is important until exact personnel numbers at venues are finalized.

Supplementing the security guards will be about 8,000 security cameras and 2,500 sensors, which will be installed in and around the sites and will monitor for apparent and hidden threats. Advances in artificial intelligence technology have improved the accuracy and effectiveness of facial recognition software, and the Tokyo Olympics hopes to use these advances to bolster its security posture. While the exact usage is undisclosed for security reasons, officials have announced plans to use this technology to potentially aid in identifying the faces of athletes, officials, and other personnel who have been authorized to enter restricted areas and to identify individuals who are in areas where they are not permitted to be.

Facial recognition is already commonly used in many areas throughout Japan. Passengers arriving at Terminal 3 of Narita International Airport can pass through customs by uploading photos of themselves to an app that is tied to the facial recognition system. Additionally, both Narita and Haneda airports in Tokyo are implementing a new facial recognition system called Face Express. The system will be used for all international flight boarding, regardless of airline, and will allow passengers to board flights without showing their tickets or passports. The facial recognition procedure will automatically verify passengers boarding the flight and will be done without the need for staff to manually check airline tickets and passports at the gate. Face Express requires passengers to register a photo of their face at check-in. Later, when boarding the plane, passengers will have their faces scanned by a camera instead of having to show their identification documents to airport staff.  The new system is intended not only to expedite the process of boarding the plane but also to provide a contactless experience to limit the spread of COVID-19. 

Along with private security personnel and facial recognition services, autonomous robots will also be patrolling the grounds to identify threats or hazards. These robots have 360-degree video cameras, as well as heat sensors and metal detectors. The robots are also equipped with extendable “arms” that allow them to check garbage cans and bags for suspicious items from a distance. The robots will communicate with people in multiple languages and send alerts to staffed monitoring stations.

Impact of COVID-19

While many prefectures in Japan have lifted full state of emergency guidelines imposed due to the COVID-19 pandemic and moved to a quasi state-of-emergency status, fears over the increase of cases in the country continue to grow, as only 26 percent of the population is fully vaccinated. On July 8, 2021, Prime Minister Yoshihide Suga will finalize any further emergency status guidelines. Thus far, dozens of municipalities in Japan have canceled their hosting arrangements because of virus concerns, and many of them have decided to use those facilities as vaccination sites. 

Currently, Japan continues to enforce strict travel regulations that bar most new foreigners from entering the country. Foreign tourists and non-resident foreign business travelers remain prohibited from entry.  The United States remains on Japan’s entry ban list due to its COVID-19 prevalence. Those individuals who are citizens or residents of Japan may enter the country but must adhere to pre- and post-travel restrictions. These restrictions include a 14-day quarantine and a negative COVID-19 PCR test within 72 hours of flight departure to the country.

Concerns remain over the Olympics’ potential to become a superspreader event, given that roughly 100,000 athletes and others, not including spectators, will be entering the city for both the Olympic and Paralympic Games. As athletes from around the world start to arrive in Tokyo, several cases of athletes testing positive for COVID-19 have been reported upon arrival.  Japan’s National Institute of Infectious Diseases and the head of a government COVID-19 advisory board have urged tighter border controls to detect and isolate infected arrivals at airports to prevent infections from spreading from Tokyo to the suburbs.

On July 8, 2021 the Japanese government and Olympic Committee announced that spectators would be banned from entering Olympic venues in the Tokyo area. The cancellation of this aspect of the games follows increased concern about the spread of the Delta variant of COVID-19 in the Tokyo area. However, for venues outside of Tokyo, the Olympic committee is deferring to prefecture decisions about game attendance in person.

Cybersecurity for Olympic Games: Preparedness and Concerns

While ZeroFox did not identify any planned cyber attacks against Olympic events or Tokyo 2020 sponsors, major international sporting events draw the interest of various threat actors.  With the Games around the corner, Japan has demonstrated high-quality innovations and partnerships to increase security for Olympic Games Tokyo 2020 and has made strides to improve its cybersecurity, particularly protecting its critical infrastructure. In 2020, Japan sought bilateral cooperation with the U.S. and other nations to operationalize its cybersecurity priorities, including a new agreement with the U.S. Department of Homeland Security to improve the sharing of cyber threat indicators between governments to improve its cyber readiness ahead of the 2020 Olympics in Tokyo.

In addition, with Japan being a technology leader and the year-long postponement of this event to 2021, the country likely has gained an advantage by having the time to update its digital infrastructure, further bolstering confidence in the Games’ cybersecurity. The country has established a Cyber Security Council tasked with coordinating efforts to defend and restore systems between different organizations and applying international law as needed during Tokyo 2020. The country’s National Institute of Information and Communications Technology also surveyed over 200 million network-connected devices over the course of 2019, testing for unsafe username/password combinations primarily at public Internet access points and through Internet Service Providers. Furthermore, the IOC also identified cybersecurity as a priority area and invested to provide the best cyber-secure environment for Tokyo 2020. However, the IOC noted that they would not be disclosing the specific details of their cybersecurity plan due to the nature of the topic. 

Cyber threats to the Olympics, however, are not without precedent. The 2018 Winter Olympics in PyeongChang saw the highest level of attacks. Russian hackers carried out attacks on Olympic networks before the opening ceremony, which slowed down the entry of spectators and took Wi-Fi networks offline, affecting portions of the broadcast. Despite this thorough preparedness, any nation-state that is not aligned with Japan may see an opportunity to try to embarrass the Games host through a cyber attack. Japan has already faced multiple threats during the preparations for Tokyo 2020, most notably those allegedly stemming from Russia’s Main Intelligence Directorate (GRU) unit’s cyber reconnaissance activities. While Olympic organizers and government officials have disclosed few details on the specific tactics, techniques, and procedures (TTPs) used by Russia’s military intelligence unit, Sandworm, to attack the Tokyo Olympics, its targets included the Games' organizers, logistics services, and sponsors. Authorities believe Sandworm intended to sabotage the Olympic Games, similar to the cyber attacks the unit carried out against the organizers of the 2018 Winter Olympic and Paralympic Games in PyeongChang, South Korea. It is likely that nation-states will seek to conduct additional offensive operations throughout the duration of the Games. These offensive operations could take the form of data theft and leaks, misinformation, or disruption of systems involved in various sporting events.

As the threat and pervasiveness of ransomware actors has increased dramatically over the last year, a ransomware attack on Tokyo 2020, the IOC, or a third-party vendor that could impact the Games is likely, as cyber criminals might see Olympics-related vendors as prime targets for extortion.  In May 2021, the Japanese Olympic Committee revealed that it was hit by a ransomware attack in April 2021 as part of a breach in which hackers broke into a Japanese government contractor’s data-sharing tool made by technology company Fujitsu. The Olympic vendors will have little tolerance for downtime during Tokyo 2020, which will make them key targets for attack by ransomware actors seeking a quick pay day.

Conclusion

As with any major global event, Tokyo 2020 offers cyber attackers a target and an audience. From cyber risks such as ransomware to physical security concerns, hosts, vendors and attendees should be aware of potential threats, particularly in a year as unprecedented as this one.