The New York Times: Cybersecurity team for Paris Olympics knows attacks are Coming

Tariq Panja
The New York Times
Fans watch a cross-country ski race at the 2018 Winter Olympics in Pyeongchang, South Korea, Feb. 10, 2018.
Fans watch a cross-country ski race at the 2018 Winter Olympics in Pyeongchang, South Korea, Feb. 10, 2018. Credit: Doug Mills/NYT

In his office on one of the upper floors of the headquarters of the Paris Olympic organizing committee, Franz Regul has no doubt about what is coming.

“We will be attacked,” said Regul, who leads the team responsible for warding off cyber threats against this year’s Summer Games in Paris.

Companies and governments around the world now all have teams like Regul’s that operate in spartan rooms equipped with banks of computer servers and screens with indicator lights that warn of incoming hacking attacks. In the Paris operations centre, there is even a red light to alert the staff to the most severe danger.

Sign up to The Nightly's newsletters.

Get the first look at the digital newspaper, curated daily stories and breaking headlines delivered to your inbox.

Email Us
By continuing you agree to our Terms and Privacy Policy.

So far, Regul said, there have been no serious disruptions. But as the months until the Olympics tick down to weeks and then days and hours, he knows the number of hacking attempts and the level of risk will rise exponentially. Unlike companies and governments, though, who plan for the possibility of an attack, Regul said he knew exactly when to expect the worst.

“Not many organizations can tell you they will be attacked in July and August,” he said.

Worries over security at major events like the Olympics have usually focused on physical threats, like terrorist attacks. But as technology plays a growing role in the Games rollout, Olympic organizers increasingly view cyberattacks as a more constant danger.

The threats are manifold. Experts say hacking groups and countries like Russia, China, North Korea and Iran now have sophisticated operations capable of disabling not just computer and Wi-Fi networks but also digital ticketing systems, credential scanners and even the timing systems for events.

Fears about hacking attacks are not just hypothetical. At the 2018 Pyeongchang Winter Olympics in South Korea, a successful attack nearly derailed the Games before they could begin.

That cyberattack started on a frigid night as fans arrived for the opening ceremony. Signs that something was amiss came all at once. The Wi-Fi network, an essential tool to transmit photographs and news coverage, suddenly went down. Simultaneously, the official Olympics smartphone app — the one that held fans’ tickets and essential transport information — stopped functioning, preventing some fans from entering the stadium. Broadcast drones were grounded and internet-linked televisions meant to show images of the ceremony across venues went blank.

But the ceremony went ahead, and so did the Games. Dozens of cybersecurity officials worked through the night to repel the attack and to fix the glitches, and by the next morning, there was little sign that a catastrophe had been averted when the first events got underway.

Since then, the threat to the Olympics has only grown. The cybersecurity team at the last Summer Games, in Tokyo in 2021, reported that it faced 450 million attempted “security events.” Paris expects to face eight to 12 times that number, Regul said.

Perhaps to demonstrate the scale of the threat, Paris 2024 cybersecurity officials use military terminology freely. They describe “war games” as meant to test specialists and systems and refer to feedback from “veterans of Korea” that has been integrated into their evolving defences.

Experts say a variety of actors are behind most cyberattacks, including criminals trying to hold data in exchange for a lucrative ransom and protesters who want to highlight a specific cause. But most experts agree that only nation states have the ability to carry out the biggest attacks.

The 2018 attack in Pyeongchang was initially blamed on North Korea, South Korea’s antagonistic neighbour. But experts, including agencies in the U.S. and Britain, later concluded that the true culprit — now widely accepted to be Russia — deliberately used techniques designed to pin the blame on someone else.

This year, Russia is once again the biggest focus.

Russia’s team has been barred from the Olympics following the country’s 2022 invasion of Ukraine, although a small group of individual Russians will be permitted to compete as neutral athletes. France’s relationship with Russia has soured so much that President Emmanuel Macron recently accused Moscow of attempting to undermine the Olympics through a disinformation campaign.

The International Olympic Committee has also pointed the finger at attempts by Russian groups to damage the Games. In November, the IOC issued an unusual statement saying it had been targeted by defamatory “fake news posts” after a documentary featuring an AI-generated voice-over purporting to be the actor Tom Cruise appeared on YouTube.

Later, a separate post on Telegram — the encrypted messaging and content platform — mimicked a fake news item broadcast by the French network Canal Plus and aired false information that the IOC was planning to bar Israeli and Palestinian teams from the Paris Olympics.

Earlier this year, Russian pranksters — impersonating a senior African official — managed to get Thomas Bach, the IOC president, on the phone. The call was recorded and released earlier this month. Russia seized on Bach’s remarks to accuse Olympic officials of engaging in a “conspiracy” to keep its team out of the Games.

In 2019, according to Microsoft, Russian state hackers attacked the computer networks of at least 16 national and international sports and anti-doping organizations, including the World Anti-Doping Agency, which at the time was poised to announce punishments against Russia related to its state-backed doping program.

Three years earlier, Russia had targeted anti-doping officials at the Rio de Janeiro Summer Olympics. According to indictments of several Russian military intelligence officers filed by the U.S. Department of Justice, operatives in that incident spoofed hotel Wi-Fi networks used by anti-doping officials in Brazil to successfully penetrate their organization’s email networks and databases.

Ciaran Martin, who served as the first chief executive of Britain’s national cybersecurity center, said Russia’s past behavior made it “the most obvious disruptive threat” at the Paris Games. He said areas that might be targeted included event scheduling, public broadcasts and ticketing systems.

“Imagine if all athletes are there on time, but the system scanning iPhones at the gate has gone down,” said Martin, who is now a professor at the Blavatnik School of Government at the University of Oxford.

“Do you go through with a half-empty stadium, or do we delay?” he added. “Even being put in that position where you either have to delay it or have world-class athletes in the biggest event of their lives performing in front of a half-empty stadium — that’s absolutely a failure.”

Regul, the Paris cybersecurity head, declined to speculate about any specific nation that might target this summer’s Games. But he said organizers were preparing to counter methods specific to countries that represent a “strong cyber threat.”

This year, Paris organizers have been conducting “war games” in conjunction with the IOC and partners like Atos, the Games’ official technology partner, to prepare for attacks. In those exercises, so-called ethical hackers are hired to attack systems in place for the Games, and “bug bounties” are offered to those who discover vulnerabilities.

Hackers have previously targeted sports organizations with malicious emails, fictional personas, stolen passwords and malware. Since last year, new hires at the Paris organizing committee have undergone training to spot phishing scams.

“Not everyone is good,” Regul said.

In at least one case, a Games staff member paid an invoice to an account after receiving an email impersonating another committee official. Cybersecurity staff members also discovered an email account that had attempted to impersonate the one assigned to the Paris 2024 chief, Tony Estanguet.

Millions more attempts are coming. Cyberattacks have typically been “weapons of mass irritation rather than weapons of mass destruction,” said Martin, the former British cybersecurity official.

“At their worst,” he said, “they’ve been weapons of mass disruption.”

This article originally appeared in The New York Times.

© 2024 The New York Times Company

Originally published on The New York Times

Comments

Latest Edition

The Nightly cover for 26-12-2024

Latest Edition

Edition Edition 26 December 202426 December 2024

Ramps, runs, bumps: Sam Konstas and the teenage debut of the century