兰德保护2020年奥运会和其他重大活动的经验教训网络安全英文20181097页

Olympic-CaliberCybersecurityLessonsforSafeguardingthe2020GamesandOtherMajorEventsCynthiaDion-Schwarz,NathanRyan,JuliaA.Thompson,ErikSilfversten,GiacomoPersiPaoliCORPORATIONiiiPrefaceThisreportprofilesthecybersecuritythreatlandscapefacedbyJapanasthehostnationofthe2020SummerGamesand2020Paralym-picGamesoftheXXXIIOlympiad.Theoverarchingobjectiveofthestudywastoproduceathreatactortypology,basedonariskassessmentoftheTokyo2020threatlandscape.Synthesizingmultiplesourcesofprimaryandsecondarydata,thestudyteamdevelopedavisualizationofthethreatlandscapethatprovidesanat-a-glanceoverviewtoguideOlympicsecurityplanners,computeremergencyresponseteams,andpolicy-anddecisionmakersastheyprioritizeandaddresscybersecuritythreats.Theriskassessmentalsoconsideredthemotivation,sophistica-tion,andpropensityofthreatactorstocolludewithoneanother.ThisresearchcouldbevaluabletoawidevarietyofstakeholdersandwillbeofparticularinteresttostakeholdersinvolvedinplanningandensuringthesecurityoftheTokyo2020Games.Theresearchalsoservesasareferencetoinformongoingpolicydebatesoncybersecuritypreparationsformega-eventsandasabasisforfutureresearch.RANDVenturesRANDisaresearchorganizationthatdevelopssolutionstopublicpolicychallengestohelpmakecommunitiesthroughouttheworldsaferandmoresecure,healthierandmoreprosperous.RANDisnon-profit,nonpartisan,andcommittedtothepublicinterest.RANDVenturesisavehicleforinvestinginpolicysolutions.Philanthropiccontributionssupportourabilitytotakethelongview,ivOlympic-CaliberCybersecuritytackletoughandoften-controversialtopics,andshareourfindingsininnovativeandcompellingways.RAND’sresearchfindingsandrecommendationsarebasedondataandevidence,andthereforedonotnecessarilyreflectthepolicypreferencesorinterestsofitsclients,donors,orsupporters.Fundingforthisventurewasprovidedbythegenerouscontribu-tionsoftheRANDCenterforAsiaPacificPolicy(CAPP)AdvisoryBoard,andconductedwithinCAPP,partofInternationalProgramsattheRANDCorporation.Supportforthisprojectwasalsoprovided,inpart,bytheincomeearnedonclient-fundedresearchandotherdonors.vContentsPreface.............................................................................iiiFigures,Tables,andBoxes.....................................................viiSummary..........................................................................ixAcknowledgments.............................................................xviiAbbreviations....................................................................xixCHAPTERONEIntroduction.......................................................................1CybersecurityThreatsHaveEmergedasaConcernforOlympicOrganizers.....................................................................1ThisStudyAnalyzedtheTokyo2020CybersecurityThreatLandscape...3CHAPTERTWOPolicyContext.....................................................................7“KnowThyself”:TheOrganizationalStructureandStakeholdersInvolvedinSecuringJapan’sCyberspace...................................7Japan’sCybersecurityPreparationsforTokyo2020..........................11CurrentPolicyInitiativestoSecureCyberspaceforTokyo2020...................................................................12CHAPTERTHREETheCybersecurityThreatLandscapeinJapan............................15IntroductiontotheCybersecurityLandscape.................................15HowInternationalExperienceCanInformtheJapaneseCybersecurityThreatLandscape..........................................23SnapshotReviewoftheCybersecurityLandscape:ImportantTrendstoConsiderintheRun-UptotheTokyo2020Olympics.............26viOlympic-CaliberCybersecurityCHAPTERFOURLessonsfromPriorOlympicGames........................................27Vancouver2010WinterOlympicGames.....................................27London2012OlympicGames..................................................31Rio2016OlympicGames......................................................36SummaryofLessonsIdentified................................................40CHAPTERFIVEARiskAssessmentofJapan’sCybersecurityLandscape..................41OverviewoftheRiskManagementProcess...................................41CHAPTERSIXConclusionsandPolicyOptions..............................................53APPENDIXESA.Methods......................................................................57B.InterviewProtocol..........................................................61C.JPCERT/CCIncidentCategories........................................63References.........................................................................65AbouttheAuthors...............................................................75viiFigures,Tables,andBoxesFiguresS.1.Japan’sCybersecurityPolicymakingStructure....................xS.2.CyberThreatstotheTokyo2020Games.......................xiv1.1.ReportStructure......................................................42.1.Japan’sCybersecurityPolicymakingStructure...................103.1.JPCERT/CCOverview:NumberofReports,Incidents,andCoordinatedCases.............................................193.2.J