At 9 p.m. on July 24, 2020, as the opening ceremony of the Tokyo Olympic Games reaches its climax, the playing of the Japanese national anthem is abruptly disrupted with the blasting of the prelude to Goerges Bizet’s “Carmen” — and all lights go off and turn the newly built National Stadium pitch-dark. Spectators do not understand what is happening until they see on a big screen a message saying, “Hey Japan, stop killing dolphins!”
This is a totally hypothetical scenario, but the chances of such disaster becoming a reality cannot be ruled out altogether, since cyberattacks against Japan are being launched clandestinely but in growing numbers even today.
It will be perfectly conceivable that Japan may be exposed to cyberattacks from organizations seeking to ruin Japan’s national pride, such as the radical environmentalist group Sea Shepherd Conservation Society, just as the whole world is watching as the Olympic Games begin. It may be equally conceivable for the launch of cyberattacks by forces controlled by North Korea, China, Russia or Islamic extremist groups.
Such catastrophe is not without precedent. The opening ceremony of the 2012 London Olympics came close to a total blackout with some 10,000 accesses per second made to the main venue’s power supply system. In 2014, a pro-Russian hacker group CyberBerkut seized multiple outdoor display systems in Ukraine to exhibit its own propaganda messages. And in 2015, French broadcaster TV5Monde had its programs disrupted by hackers supporting the Islamic State radicals.
It would not be unthinkable for states or organizations hostile to Japan to try to remotely control the power supply and communications systems at the new National Stadium. And what would happen if during the Tokyo Olympic Games hackers resorted to tactics like cutting the power supply, disrupting air traffic control systems at Narita and Haneda airports, or shattering transactions at the Tokyo Stock Exchange? Unfortunately, fundamental measures to prevent such attacks are still in the works.
An official of the Ministry of Economy, Trade and Industry (METI) points out that cyberattacks — whose damage previously focused on data such as theft of private information — are beginning to cause material damage to power plants, oil pipelines and steel mill furnaces in other countries, adding that the expanding use of “internet of things” (IoT) will be making such dangers all the more serious. The use of IoT, which serves to control a variety of industrial facilities through the internet, is increasingly popular since it reduces costs, but it effectively opens the door for hackers to sneak in.
Worried about the situation, METI will create a cybersecurity promotion center next summer with the participation of the electric power, gas and oil industries. It will be staffed with experts recruited from the private sector and use curriculums prepared by Gen. Keith Alexander, the founding commander of the U.S. Cyber Command. But the center will be equipped with a budget of a mere ¥2.5 billion, and will not cover infrastructure sectors like communications, airlines, railways and finance.
In addition, METI will help train experts, but it will be private-sector firms that will be responsible for working out specific measures to combat cyberattacks. A former staff officer of the Self-Defense Forces, who is well versed in cyberaffairs, laments that it would be virtually impossible for private businesses to combat any cyberattacks that may be launched by a foreign military.
Cyberattacks on Japanese firms originating from overseas sources first came to the fore in September 2011, when the Yomiuri Shimbun reported that 83 computers of Mitsubishi Heavy Industries, a major defense contractor, had been subjected to such attacks. Subsequent investigations by the Defense Ministry revealed that similar attacks were also targeted at other leading defense contractors like IHI, Kawasaki Heavy Industries, Mitsubishi Electric and NEC.
The attack on Mitsubishi Heavy was likely just a tip of the iceberg, since most countries that sustain such attacks do not disclose the facts out of fear of negative publicity or reprisals from the hackers. But at that time, many suspected that the source of the attack was China, which experts call “the world’s most biggest cyberpower.” In January, the People’s Liberation Army beefed up its cyberforces, increasing it from 30,000 to 50,000 people. In addition, China is said to have another corps known as “cybermilitia” comprising more than 100,000 hackers.
It would be a miracle if none of these forces refrained from targeting an attack on the 2020 Games in Tokyo. Symptoms of such attacks were already noted ahead of the Group of Seven summit held in the Ise-Shima area in Mie Prefecture in May. In late January, the website of the Chubu Centrair International Airport became inoperative due to an excessive number of illicit accesses, making it impossible to reserve seats or get service information from the site. In June, major travel agent JTB Corp. said it had been hit by cyberattacks in March, resulting in the suspected leak of 7.9 million pieces of personal information from its computer system.
Those two seemingly unrelated cases should be considered in light of two facts: that a large majority of foreign leaders attending the summit were to arrive at Centrair airport, and that JTB was solely responsible for making hotel reservations for officials and others taking part in the summit. The aforementioned ex-SDF officer speculates that these attacks represented China’s “reconnaissance action using the threat of force.” Although the government remains tight-lipped about details of those attacks, an insider has confided that the National Center of Incident Readiness and Strategy for Cybersecurity (NISC) was most nervous about possible leaks of information about Centrair airport.
The NISC — the command post for the nation’s information security policy — is operated by four government ministries and the National Police Agency, and works around the clock to monitor cyberattacks on government organizations. Its security operation coordination center uncovers 6.13 million suspicious communications per year, or one every five seconds.
Yet, private companies in infrastructure-related business need to take care of their own cybersecurity. Should a company be hit by waves of cyberattacks from foreign military sources, the Crisis Management Center, located on the basement floor of the prime minister’s office, will come into play.
Though somewhat belatedly, the SDF created a cyberdefense corps under the Joint Staff Office in March 2014 with a 100-strong staff. Even with those working in the ground, maritime and air forces are counted, the total number of SDF members engaged in cyberdefense comes to only about 200 — a far cry from their Chinese counterparts. It is still significant that the SDF has begun playing a role in fighting cyberattacks, but it is not given the mission of protecting the lives and properties of citizens from such attacks, says the former SDF officer. That is because cyberattacks are classified as “crimes” but not as “armed attacks,” which the SDF is authorized to counter — even when the involvement of the military force of a certain country is suspected.
Under such circumstances, one way of drastically reducing the risk of cyberattacks on private companies would be to deploy an SDF cyberdefense corps at three terminal stations of optical fiber undersea cables through which 80 percent of Japan’s internet communications are relayed, and filter suspicious communications. Such a scheme, however, would violate not only the provision in the Constitution guaranteeing freedom of speech but also other relevant laws that permit interception of communications only in cases involving illegal drug transactions and organized crimes with a warrant from the relevant court. Now that cyberattacks have changed the definition of “war” between countries and between military forces, it may be necessary to amend laws in such a way as to give the SDF greater flexibility in its operation.
The new National Stadium is due to be completed in November 2019, just eight months before the opening of the Tokyo Games. Unless a proper information technology system is installed and security drills completed within that period, the type of disaster described at the outset of this column could become a reality and a national disgrace.
Worse still, hackers would not even have to remotely control the stadium’s IT system. Instead, they could use the “ransomeware” virus to render the stadium’s IT system inoperative, and demand ransom money in exchange for a key to unlock the virus.
A senior official of an IT vender asked: “If pirates like Sea Shepherd used the ransomeware three days before the Olympics opening ceremony and demanded ¥10 billion in exchange for unlocking it, would the Japanese government comply?”
If the government did indeed comply, people in Japan would experience a national disgrace of which they will remain totally unaware.
This is an abridged translation of an article from the December issue of Sentaku, a monthly magazine covering political, social and economic scene. More English articles can be read at www.sentaku-en.com
In a time of both misinformation and too much information, quality journalism is more crucial than ever.
By subscribing, you can help us get the story right.