The Paris 2024 Summer Olympic and Paralympic Games will be the largest event to be held in France since 1900. The figures are staggering: a budget of 7 billion euros, 4 billion television viewers, 12 million spectators, 30,000 volunteers, 10,000 athletes, 206 nations and 40 competition sites to secure, among others. But let’s not forget the figures linked to the cyber issue either: following on from half a billion attacks in 2016 in Rio, the figure rose to... over four billion cyberattacks during the Tokyo Games in 2021. Hence the importance of cybersecurity for this global event.
In recent news, the incidents at the 2022 Champions League football final in Paris highlighted the limits of physical incident management. Combined with the cyber issue and potential IT incidents, they potentially raise such questions as the ability to organise the 2024 Olympic Games. But how does France actually prepare for such an event? What cybersecurity measures are appropriate for Paris 2024? What measures are in place to deal with and protect against cyberattacks?
What cyber risks do the Olympic Games pose?
During such a global event, cyberattacks can appear – and already have appeared – in a variety of forms. Phishing, spoofing, denials of service (DDoS), interceptions of Wifi/4G/5G flows, ATM cash machine compromises... the attack vectors are numerous. Vincent Riou, Avisa Partners' partner in charge of cybersecurity activities and co-author of a strategic paper on the subject, looks at what makes the Olympic Games so attractive to cybercriminals. “For the host country, the Olympic Games are equivalent to organising some 60 World Cups at the same time. This makes them a formidable vehicle for boosting the image of the country that hosts them, generating billions of TV viewers. But it also means that the slightest issue is broadcast to the whole planet.” Because the Olympic Games attract different types of cybercriminals with different motivations.
Karim Benslimane, Director of Cyber Intelligence at Darktrace, detailed a triple cyber threat during a keynote in Lille (France) in 2022: “Firstly, we have states-affiliated groups of cyber-terrorists with geopolitical motivations and the goal of destabilising the country. Secondly, we have opportunistic, mercantile cyber-criminals, tempted by the financial windfall. They bet, for example, on the urgency of the organisers to restore the situation in order to encourage them to pay the ransom as quickly as possible. And finally, thirdly, hacktivist groups have ideological and militant claims, which can carry out attacks such as website defacement or denial of service.”
For the host country, the Olympic Games are equivalent to organising some 60 World Cups at the same time. They are therefore a formidable vehicle for boosting the image of the country that hosts them, generating billions of TV viewers. But it also means that the slightest issue is broadcast to the whole planet.
Vincent Riou, Partner at Avisa Partners – Head of Cybersecurity Activities
For the organisers of this unique event, cyber risks are everywhere. Video capture systems for television or referees, CCTV cameras and alarm systems, badge and ticket readers... every piece of smart equipment represents a potential entry point for cybercriminals. On top of this are issues of logistics and the subcontracting chain, which significantly increase the attack surface. In addition, this Paris edition includes sporting events not just inside sealed-off stadiums, but also at the heart of iconic French cultural sites. Archery at the Invalides, beach volleyball at the foot of the Eiffel Tower, fencing at the Grand Palais, the opening ceremony on the Seine... These open venues in the capital bring their own set of difficulties in securing them. Vincent Riou believes that “holding the Olympics in iconic locations in the city is absolutely incredible for spectators. But providing security is very complex! When you’re dealing with crowds of spectators all along the banks of the Seine, just think of all the different access points. How do you secure them all? Video surveillance cameras, access gates, databases producing badge systems to establish who is allowed in and who is not, television broadcasting... everything is digital, and therefore subject to potential attacks.” Increasing digitalisation and dematerialisation thus suggests a rise in the level of cyber risk for organisers.
Fans, spectators or television viewers are also potential victims here, suffering the impact of cyberattacks that can, for example, bring down television broadcasting systems. But they can also be direct targets of cyberattacks, through phishing campaigns, as Nicolas Caproni – Head of Threat & Detection Research (TDR) Team at SEKOIA.IO – explains: “Cybercriminals will opportunistically exploit the event to conduct phishing campaigns, using themed competitions to increase the chances of persuading users to open messages and click on compromising links. They can also hide malware inside a PDF as part of a scam to sell or resell tickets. They will also try to harvest personal and credit card data that will later be of value on the darknet.” Another threat is the spread of false information. “Some attack groups now specialise in disinformation and fake news. These new weapons can be used to disrupt events by leaking data that should not have been leaked, or falsified data. Because of the complexity of implementing such attacks, most such cases are state-sponsored.”
Finally, threats during the Olympic and Paralympic Games can also target the athletes themselves. Vincent Riou mentions a few examples of possible attacks on athletes: “Hotel access keys, air conditioning, fire alarms, digital scoreboards, stopwatches... everything is digital. Imagine the consequences of tampering with the cold chain on the food supply for certain delegations, or setting off fire alarms in the hotels of certain athletes the day before an important competition.”
Organisers, spectators, fans and athletes are all affected by cyber risks during the Olympic Games.
A decade of cyberattacks on the Olympic Games
Issues relating to cybersecurity at the Olympic and Paralympic Games have been hot topics for the past ten years. Going back to 2004 and the Athens Games, the main risk of technology disruption came from local seismic activity. In 2008, at the Beijing Games, a few dummy sites were set up for selling fake tickets. But cybersecurity only really came to the forefront of organisers' priorities with the attack on the opening ceremony of the London Games in 2012. In 10 years, the number of cyberattacks has increased 20-fold, rising from 212 million at the London 2012 Games to 4.4 billion in Tokyo in 2021.
In 10 years, the number of cyberattacks has increased 20-fold, rising from 212 million at the London 2012 Games to 4.4 billion in Tokyo in 2021.
London 2012 was the event that marked the beginning of cybercriminals’ focus on the Olympic Games. At that time, more than 212 million cyberattacks were recorded on the day of the opening ceremony, marked by multiple offensives such as a distributed denial of service (DDoS) on the electricity infrastructure.
Yet in 2014, at the Sochi Winter Olympics, there were no major cybersecurity incidents. Closed communication from the Russian state? A lack of interest from cybercriminals, or fear of reprisals? The question remains open... A clue to a potential answer may be found in the declarations of the FSB (Federal Security Service) which planned to "ensure that no communication, whether from competitors or spectators, escapes surveillance” by relying on a system for intercepting communications that was stepped up especially for the occasion. This was enough for the US Office of Diplomatic Security to ask its citizens to exercise extreme caution during the Olympics. US athletes and citizens were given awareness training about the issues around disclosing confidential data, including advice to remove the battery from their mobile phones whenever possible.
In 2016, at the Rio Games, numbers went into overdrive, with half a billion cyberattacks reported – or 400 attacks per second. Large-scale DDoS attacks were carried out against the websites of the Olympic partner organisations several months before the opening ceremony. Attacks by the LizardStresser botnet (which had already been in the news following the blocking of the PSN and Xbox Live online gaming platforms) then intensified during the Olympics, including a DDoS campaign of more than 500 Gbps.
In 2018, the phenomenon rose to further public prominence, impacting the opening ceremony of the PyeongChang Games. Some spectators were unable to print their tickets to enter the stadium, there was a problem with the on-site Wi-Fi, the ceremony was not broadcast on the stadium screens, the RFID sensors on the access doors were inoperative, the official Olympic application was not functional (i.e. access to the ticket office, timetables, information on hotels, access cards, etc.) – with consequences that were quickly apparent. The Olympic Destroyer malware was wreaking havoc, in real time, in front of thousands of spectators and journalists. It would take 12 hours of hard work by cybersecurity teams to rebuild the Olympic IT infrastructure from the backups. This extraordinary attack immediately became an issue of international importance. Attributed to Russia, it was supposedly carried out in retaliation for the banning of its flag at this edition, following the doping cases in Sochi.
Ep 77: Olympic Destroyer
With guest @a_greenberg.
The 2018 Winter Olympics in South Korea were attacked. The attackers didn't detonate a bomb though. They digitally destroyed the infrastructure. Who would do such a thing and why? Let's find out.https://t.co/b63St1ofJd pic.twitter.com/pD5eJVUCZn
— Darknet Diaries (@DarknetDiaries) October 27, 2020
In 2021, the Tokyo Olympics, postponed for a year due to a global pandemic, were held behind closed doors. Despite this, this edition would not be free of attacks, with 4.4 billion cyberattacks being launched against the organisers. According to the Nippon Telegraph and Telephone Corporation (NTT), various attack vectors were used, such as phishing emails and fake websites posing as the official Games websites. A senior Japanese official also stated that the Olympics fell victim to a cyberattack that resulted in a leak of personal data for the event's ticket holders and volunteers (names, addresses, bank account numbers). This data was disclosed online.
Finally, in 2022, during the Beijing Winter Games, the official anti-Covid-19 application, My2022, would prove to be controversial due to fears of cyber-espionage. A reverse-engineering study of the application later showed that athletes' conversations were being collected, analysed and saved on Chinese servers. In response to this, the authorities of many countries gave instructions to their delegations, such as the recommendation to carry a disposable phone.
What security preparations are being made for the Paris 2024 Olympic Games?
The Organising Committee of the Olympic Games (OCOG) is using the lessons learned from previous editions in its preparations for cyberattacks. Tony Estanguet, president of the Paris 2024 OCOG, bluntly told the AFP in April 2021: “We have no doubt that we will be attacked, constantly. There must be no loopholes in any possible point of entry, whether for employees, the software, or the ecosystem.” At France’s Ministry of the Interior, Ziad Khoury, Prefect and National Coordinator for the Security of the 2024 Olympic and Paralympic Games (CNSJ), has also emphasised the need for cybersecurity during major events and stated, at a meeting of the Cercle des Assises de la cyber in September 2021, that “each edition of the Olympic Games is a brand-new one, in the sense that it cannot be compared to previous ones: the situation changes, and threats evolve; they are more and more varied, and the attacks are more numerous. We can learn from previous experiences, but most importantly, we must be prepared for the unknown, because some of the threats of 2024 have yet to become known.” Added to this are the geopolitical conflicts in Ukraine and the International Olympic Committee (IOC)’s recommendation in February to ban Russia and Belarus from sports competitions. Nicolas Caproni says, “Ransomware attacks are one of the threats to the Olympic Games. But they are likely to be only a cover for acts of sabotage aimed at disrupting the event and damaging the image of the country and the Olympics. If Russia remains excluded from the 2024 event, we have reason to fear retaliatory tactics.”
We have no doubt that we will be attacked, constantly. There must be no loopholes in any possible point of entry, whether for employees, the software, or the ecosystem.
Tony Estanguet, President of the Paris 2024 OCOG
In response to the ever-increasing number of complex and innovative cyberattacks, the French authorities are getting their act together. For example, the ANSSI cybersecurity agency has signed a cooperation agreement with its Japanese counterpart, the NISC (National center of Incident readiness and Strategy for Cybersecurity). This is an opportunity for increased dialogue and sharing of cybersecurity lessons learned from major sporting events, such as the Rugby World Cup and the Olympic Games. At the same time, the ANSSI is stepping up its communications to make as many people as possible aware of digital hygiene. Many resources are available, such as a travel advice passport, 12 common-sense rules to apply in everyday digital life, and a guide to best computer practice. And France’s Ministry of the Interior claims it is seeking to develop so-called "intelligent" video protection. These cameras are intended to detect suspicious behaviour and crowd movements in real time using artificial intelligence. The use of facial recognition in the public space, which had been abandoned due to a lack of adequate legislation on guarantees over upholding individual freedoms, is back in the spotlight. According to Vincent Riou, quoting the work of the Alliance for Digital Confidence (ACN), “it would be wise to push our own national technologies, as the Olympics represent a magnificent showcase for our French cyber industry – and, more generally, our digital security industry.”
From an organisational perspective, the cybersecurity budget for the Paris edition totals over 17 million euros. It includes a prevention and defence programme with full-scale simulations, secure application code, and an effort to compartmentalise network and server layers when designing infrastructure, security audits and the setting up of SOCs. An awareness-raising programme is also being implemented with training for employees, sponsors, subcontractors, athletes and all stakeholders, and is being accompanied by strict specifications imposed on the entire subcontractor chain. Anne Le Hénanff, holder of the chair in cybersecurity for major events at the University of Southern Brittany, emphasises the key role played by local authorities – who will be welcoming delegations to their local areas – and the importance of involving them in this cyber-issue. Speaking at a conference in February on "the success of the Paris 2024 Olympic Games: a key cybersecurity issue", it raises awareness of the fact that: “although their attention is legitimately focused on issues of physical security and other matters relating to managing the flow of people, local authorities have zero awareness of cybersecurity issues. Increasing their competence in this area is a prerequisite for the success of the Olympic Games.”
In line with previous editions, the major cyber threat to the Paris 2024 Olympic and Paralympic Games is state-sponsored disruption. With the risk of attacks or other internal security problems, cybersecurity should not be considered as a separate entity, but as an integral part of the event's security programme. Vincent Riou believes it is unthinkable to separate physical and cybersecurity issues, and urges consideration of the increasingly hybrid nature of cyber threats. “Some attackers might be tempted to attack certain systems in order to gain access to physical spaces without the appropriate credentials, or force spectators to leave protected spaces and gather outside them, thus facilitating terrorist attacks. In these situations, cyberattacks become facilitators for high-impact attacks. Cybersecurity is not a separate issue: it is an integral part of the overall security system of the Games.”
In the recent report by Senators Meurant and Cardon on cybersecurity, the stated ambition is clearly to “establish French industry as a world leader in cybersecurity and the security of the Internet of Things”. The Paris 2024 Olympics would seem to offer a great opportunity to do just that. The French authorities, the OCOG, partner companies and sponsors and cybersecurity companies are all working together to make this event a secure one, to ensure the festivities can commence. After the (failed) events of the Champions League final, the Rugby World Cup in 2023 in France presents a chance to make up lost ground.
