The only certain thing about the Paris Olympics: cyber attacks

In his office on one of the upper floors of the headquarters of the Paris Olympic organizing committee, Franz Regul has no doubts about what is about to happen.

“We will be attacked,” said Regul, who leads the team responsible for defending against cyber threats against this year's Summer Games in Paris.

Companies and governments around the world now have teams like Regul's operating in spartan rooms equipped with banks of servers and screens with indicator lights that warn of incoming hacker attacks. In the Paris operations center there is even a red light to warn staff of the most serious danger.

So far, Mr. Regul said, there have been no serious disruptions. But as the months between the Olympics shrink to weeks and then days and hours, he knows the number of hacking attempts and the level of risk will increase exponentially. Unlike companies and governments, however, which plan for the possibility of an attack, Regul said he knows exactly when to expect the worst.

“Not many organizations can tell you that they will be attacked in July and August,” he said.

Security concerns at major events like the Olympics typically focus on physical threats, such as terrorist attacks. But as technology plays an increasingly important role in holding the Games, Olympic organizers increasingly see cyberattacks as an ongoing danger.

The threats are multiple. Experts say hacking groups and countries such as Russia, China, North Korea and Iran now have sophisticated operations capable of disabling not only computers and Wi-Fi networks, but also digital ticketing systems, credential scanners and even systems timing of events.

Fears related to hacker attacks are not just hypothetical. At the 2018 Pyeongchang Winter Olympics in South Korea, a successful attack nearly derailed the Games before they could begin.

The cyberattack began on a freezing night as fans arrived for the opening ceremony. The signs that something was wrong came suddenly. The Wi-Fi network, an essential tool for transmitting photos and news, suddenly stopped. At the same time, the official Olympic smartphone app – the one that contained fan tickets and essential transport information – stopped working, preventing some fans from entering the stadium. Broadcast drones were grounded and internet-connected televisions intended to show images of the ceremony at all venues remained turned off.

But the ceremony went ahead, and so did the Games. Dozens of cybersecurity officials worked through the night to repel the attack and fix the problems, and by the next morning there were few signs that a catastrophe had been averted when the first events occurred.

Since then, the threat to the Olympics has only increased. The cybersecurity team at the last Summer Games, in Tokyo in 2021, reported having faced 450 million attempted “security events.” Paris expects to face eight to 12 times that number, Regul said.

Perhaps to demonstrate the scale of the threat, Paris 2024 cybersecurity officials use military terminology liberally. They describe “war games” intended to test specialists and systems and refer to feedback from “Korea veterans” that has been integrated into their evolving defenses.

Experts say multiple actors are behind most cyberattacks, including criminals looking to withhold data in exchange for a lucrative ransom and protesters who want to highlight a specific cause. But most experts agree that only nation states have the capacity to launch the largest attacks.

The 2018 attack on Pyeongchang was initially blamed on North Korea, South Korea's antagonistic neighbor. But experts, including agencies in the United States and Britain, later concluded that the real culprit – now widely accepted to be Russia – deliberately used techniques designed to place blame on someone else.

This year too, Russia is at the center of attention.

The Russian team was barred from the Olympics following the country's invasion of Ukraine in 2022, although a small group of Russian individuals will be able to compete as neutral athletes. France's relationship with Russia has soured to the point that President Emmanuel Macron recently accused Moscow of trying to undermine the Olympics through a disinformation campaign.

The International Olympic Committee also pointed the finger at attempts by Russian groups to damage the Games. In November, the IOC issued an unusual statement saying it had been targeted by defamatory “fake news posts” after a documentary featuring an AI-generated voiceover purporting to be actor Tom Cruise appeared on Youtube.

Subsequently, a separate post on Telegram – the encrypted messaging and content platform – imitated a fake news story broadcast by the French network Canal Plus and conveyed false information that the IOC was planning to exclude Israeli and Palestinian teams from the Paris Olympics.

Earlier this year, Russian pranksters – posing as a senior African official – managed to contact Thomas Bach, the president of the IOC, on the phone. The call was recorded and released earlier this month. Russia seized on Bach's remarks to accuse Olympic officials of being involved in a “conspiracy” to keep their team out of the Games.

In 2019, according to Microsoft, Russian state hackers attacked the computer networks of at least 16 national and international sports and anti-doping organizations, including the World Anti-Doping Agency, which at the time was poised to announce punishments against Russia related to its state influence. supported anti-doping program.

Three years earlier, Russia had targeted anti-doping officials at the Summer Olympics in Rio de Janeiro. According to allegations by several Russian military intelligence officers filed by the U.S. Department of Justice, agents in that incident spoofed hotel Wi-Fi networks used by anti-doping officials in Brazil to successfully penetrate email networks and in their organization's databases.

Ciaran Martin, who was the first chief executive of Britain's national cyber security centre, said Russia's past behavior made it “the most obvious disruptive threat” to the Paris Games. He said areas that could be targeted include event programming, public broadcasting and ticketing systems.

“Imagine if all the athletes arrived on time, but the iPhone scanning system at the gate didn't work,” said Martin, who is now a professor at Oxford University's Blavatnik School of Government.

“Do we pass with the stadium half empty or do we delay?” He added. “Even being in that position where you have to delay or have world-class athletes in the biggest event of their lives performing in front of a half-empty stadium – it's absolutely a failure.”

Regul, Paris' cybersecurity chief, declined to speculate on any specific nation that might target this summer's Games. But he said organizers were preparing to counter country-specific methods that pose a “strong cyber threat.”

This year, organizers in Paris conducted what they called “war games” in collaboration with the IOC and partners such as Atos, the Games' official technology partner, to prepare for attacks. In these exercises, so-called ethical hackers are hired to attack the systems in place for the Games, and “bug bounties” are offered to those who discover vulnerabilities.

Hackers have already targeted sports organizations with malicious emails, fictitious characters, stolen passwords and malware. Since last year, new hires at the Paris organizing committee have undergone training to spot phishing scams.

“Not everyone is good,” Mr. Regul said.

In at least one case, a Games staff member paid an invoice to an account after receiving an email impersonating another committee official. Cybersecurity staff members also discovered an email account that had attempted to impersonate the one assigned to Paris 2024 boss Tony Estanguet.

Millions more attempts are coming. Cyberattacks have typically been “weapons of mass irritation rather than weapons of mass destruction,” said Martin, the former British cybersecurity official.

“At worst,” he said, “they were weapons of mass disorder.”

Leave a Reply

Your email address will not be published. Required fields are marked *