TOKYO — Japanese companies are waking up to the risks of Tokyo hosting the Olympics this summer and are taking measures to mitigate any cyberattacks that might come their way as the world’s eyes focus on the country for two weeks beginning July 24.
They do not have to go too far back in time to find an example of an Olympic host coming under attack. In 2018, malware almost delayed the opening ceremony of the Pyeongchang Winter Olympics, in South Korea, according to reports. The cyberattack targeted the organizing committee and partner companies, seizing servers and about 300 computers.
With Russia being hit by a four-year Olympic ban, and Japan’s relations with some countries growing tense, 2020 “has turned out to be really bad timing for Japan,” said Yukimi Sohta, a representative of Cybereason, a cybersecurity service provider.
As global tensions rise, so does the potential for cyberattacks.
Already, underground cybercrime campaigns and communities in China are being uncovered as they chatter using terms like “20” and “Tokyo,” Sohta said.
Dawning technologies like the internet of things and trends like working from home are creating additional headaches for Japan and the Olympics.
The threats in April moved the Japanese government to set up a cybersecurity response center to help companies, the Tokyo Metropolitan Government and the Olympic Organizing Committee share information and take action should the need arise. It has also carried out a comprehensive study of electricity suppliers, railways and three other crucial sectors.
But companies themselves have to take their own precautions.
Companies involved with critical infrastructure in recent years have been adopting stronger security measures. Tokyo Electric Power in 2018 set up a cybersecurity center. In December, Hitachi set up a facility where its employees can train and conduct cybersecurity research. Hitachi produces equipment for a lot of the country’s infrastructure and operates some of that infrastructure itself.
During The Games, Tokyo Gas will partner with Israel Electric Corporation, which has experience dealing with attacks.
Companies declined to comment on specific anti-cyberattack measures for fear of clueing in hackers. But official Olympic sponsor Asics said its employees are training under the National Institute of Information and Communications Technology. Sumitomo Mitsui Banking Corp. said it is “undertaking simulations and evaluating its business continuity plan, with several types of cyberattacks in mind.”
According to a report published in 2018 by the Center for Strategic and International Studies and McAfee, an anti-virus software provider, cybercrimes sap the global economy of about $600 billion a year, up from $445 billion in 2014.
Experts say it is now almost impossible to fully prevent malware attacks, and Japanese companies have only begun to wake up to this reality. Kenji Uesugi, senior fellow at the Japan Cybersecurity Innovation Committee, suggests companies focus on mitigating the impact of attacks rather than on preventing them.
“Japanese companies just started becoming aware [of the importance of cybersecurity],” said Norihiko Ishihara of Cybergym, which provides corporate training sessions on defending critical systems.
Ishihara said Japanese companies lag their U.S. counterparts, who have more to spend on cyberdefenses, when it comes to mitigating the impact from attacks.
He also said most Japanese engineers are not battle tested, especially when compared to their counterparts in countries like Israel.
Some companies are trying to catch up, however. Cybergym provides training to about 80 companies in Japan, with each paying up to 500,000 yen per employee. Cybergym says its Tokyo sessions are almost full and that it is planning to open another training center in the city this year.
Tokio Marine & Nichido Fire Insurance said the number of its cybersecurity insurance policyholders increased 30% during the period from April through November compared to the previous year. However, “understanding of risks among small and medium-size enterprises is relatively low,” a company representative said.
In a survey by U.S. cybersecurity company FireEye, 14% of responding managers and executives in Japan said they are not prepared for a cyberattack. It was the highest rate among eight countries, including China, South Korea, Germany and France, that FireEye surveyed.
According to the JCIC, which looked at the stock prices of Japanese companies that reported cyberincidents, shares lost an average of 10% of their value after news of the attacks broke.
There is no such thing as enough preparation, the JCIC’s Uesugi emphasized. “Attacks are evolving,” he said, and “it is impossible to tell how best to deal with them in half a year.”