USJI Voice Vol.24
Japan Needs Research on Cyber-Offense Capabilities for and after the Tokyo 2020 Olympic and Paralympic Games
The title of this paper may seem disturbing to a good amount of people. Being a peaceful nation, Japan does not appear likely to carry out cyber-attacks. However, in order to prevent getting attacked, it is essential to conduct cyber-offense research.
Currently, an important issue on Japan’s cybersecurity agenda is the implementation of defensive measures for the Tokyo 2020 Olympic and Paralympic Games (Tokyo 2020 Games). It is estimated that, during the Olympic and Paralympic Games hosted by the city of London in 2012, approximately 200 million cyber-attacks were executed. Depending on what definition is chosen for a cyber-attack, it may not be farfetched to expect a tenfold increase during the Tokyo 2020 Games.
What are the possible types of cyber-attack likely to occur during the Olympic and Paralympic Games? A multitude of scenarios exist. First, a Distributed Denial of Services (DDoS) attack, such as the one implemented during the 2016 Rio de Janeiro Olympics. This kind of attack overwhelms the traffic capacity of a specific website, rendering it unable to serve user requests. During the Olympic Games hosted by the city of Rio de Janeiro, websites with content relevant to the games received 500 Gbps of traffic. Although it is unlikely that DDoS attacks resulted to human casualties at that time, it is more than likely that they did have disruptive impact on the distribution of information.
A second kind of attack could be implemented, aiming to the paralysis of social infrastructure, such as electricity, water, and traffic systems. Air conditioning equipment is probably essential in ensuring the wellbeing of athletes during the games, which will take place during the hot Japanese summer. An interruption in the water supply would not only disrupt the games, but will also disrupt the lives of local residents. The entire city of Tokyo could be in disarray if the train and road systems are put out of service during the morning or evening rush hour, when they will be even more overloaded than usual due to additional passenger volume from visitors to the Olympic and Paralympic Games.
A third kind of attack may consist of circulating counterfeit spectator tickets, widespread fraud involving hotel and/or air travel vouchers and/or railway reservations. In conjunction with this, payment systems may be subject to severe problems, if credit card terminals and the ATMs of financial institutions stop functioning.
A fourth kind of attack could involve rampant distribution of misinformation and fake news, for the purpose of causing social turmoil. Fake news reports concerning earthquakes or nuclear accidents could plunge residents and visiting overseas tourists into uncertainty.
A fifth type of attack may be cyber-espionage, aimed at stealing secret information from Japanese companies or the Japanese government while the world is distracted by the events. Email messages with attention grabbing titles or messages that bear close resemblance to an authentic email may be sent to targets for the purpose of spreading malware capable of establishing unauthorized entry points on compromised computers and thus enabling the attacker to steal internal information.
Other cyber-attack scenarios are also possible. Without an understanding of the methods used in these cyber-attacks, it is impossible to defend against them.
To begin with, most cyber-attacks may be regarded as cyber-crimes. Therefore, in the case of a cyber-attack, it may seem sufficient to conduct criminal investigation and arrest the perpetrator. However, a person that executes a cyber-attack is very difficult to identify; and even if they are identified, in many cases their apprehension is not feasible. Once a data leak occurs, it cannot be reversed. Therefore, prevention by careful examination of cyber-attack methods is paramount.
Japan does not carry out “preemptive” cyber-attacks. To prevent getting attacked, however, it is essential for telecommunications to be monitored. In other countries, an “active defense” strategy is employed, by which monitoring agents infiltrate the systems of suspected attackers and actively observe them in order to prevent attacks that the suspects may be planning. In other words, attack and defense are opposite sides of the same coin in the world of cybersecurity.
Serious cyber-attacks are usually reflective of geopolitical tensions. Brazil, the host country of the Rio de Janeiro Olympics, was not involved in any serious confrontations with its neighbor countries; the domestic turmoil in the country was a more serious concern. However, in the case of Japan, it is unlikely that confrontations with neighboring countries will have been resolved within the three years that remain until the Olympic and Paralympic Games that will take place in Tokyo in 2020. It is not difficult to imagine that Japan may be subject to more severe attacks than those observed During the Olympic Games at Rio de Janeiro.
To counter such attacks, it is essential to share information with the United States, whose role in the architecture of the Internet is central. The Japanese government ought to enhance its response capabilities through joint practice with the U.S. government.
In April 2015, the Japanese Self Defense Force and the U.S. Military announced The Guidelines for the Japan – U.S. Defense Cooperation (http://www.mod.go.jp/e/d_act/anpo/shishin_20150427e.html), which states that “[t]he two governments also will share, as appropriate, information on the development of various capabilities in cyberspace, including the exchange of best practices on training and education.” Here, “various capabilities” should be considered to include both of offensive and defensive capabilities against all types of attack.
The Cybersecurity Strategy (http://www.nisc.go.jp/eng/pdf/cs-strategy-en.pdf), announced in September 2015, also states: “the United States is Japan’s ally that closely cooperates at every level, based on the Japan-U.S. Security Arrangements. Japan and the United States also share common values related to cyberspace”.
Article 21 Paragraph 2 of the Constitution of Japan states that “[n]o censorship shall be maintained, nor shall the secrecy of any means of communication be violated.” Up until now, Japan’s telecommunication providers have rigorously protected the privacy of their customers. The Japanese Government has also demanded them to do so. Indeed, Japan has a good track record as far as the protection of its citizens’ privacy is concerned, with regard to telecommunications.
In the context of information sharing between Japan and the U.S., any information recorded from the monitoring of Japanese telecommunications cannot be shared with the U.S. Government, if privacy protection is to be rigorously observed. The various governmental organizations and service providers are monitoring their own telecommunications in order to understand the types of cyber-attacks carried out against each of their facilities; however, it is not easy for them to share this information with other organizations or for government intelligence organizations to access it. The Act on Wiretapping for Criminal Investigation was enacted in 1999, but the application of this law is limited to organized crime and so forth, with less than 50 wiretaps being performed on mobile phones every year. Internet communications are not included as of the moment, therefore, the Act has not been applied to the monitoring and prevention of cyber-attacks.
Research on cyber-attacks requires the monitoring of signals, its originator and the channel through which it is being sent. Moreover, it is necessary to research the types of malware and computer viruses that are being released, as well as the methods used to compromise the security of computer systems. Once these are understood, the methods needed for effectively preventing attacks will also become clear. A Cyber-attacker needs only to identify one vulnerability in the security of a potential target. Defenders ought to remain alert and ready for an incoming attack, from an unknown source, at all times.
The Japanese government should work to improve its own capabilities while cooperating with the United States; studying cyber-attacks is also essential to this purpose. The Tokyo 2020 Games are simply a milestone. Cybersecurity needs to be continuously improved in order to ensure that Japan is defended adequately beyond the conclusion of the Tokyo 2020 Games.
The USJI Voice is a policy-related opinion paper produced by researchers at USJI-affiliated universities. The USJI Voice is written for experts in areas connected to U.S.-Japan relations. Please share with us your opinions and suggestions related to your areas of interest.
The USJI does not take specific political positions. All views and conclusions expressed in the USJI Voice are those of the authors in their private capacity and do not represent or reflect the views of the USJI as a whole.
All text and images in this document are copyrighted by the U.S.-Japan Research Institute or its affiliate universities. It is prohibited to reproduce, alter, or republish the information in this document without written permission from the copyright holder(s) unless it is for private use or quotations.