Anticipate to avoid being overwhelmed: Cybersecurity at the heart of the Games

The Tokyo 2021 Olympic Games were marked by more than 450 million cyberattacks. This unprecedented number shows that, now more than ever, we need to deal with this threat to ensure the smooth organisation of international events. The Paris 2024 Games Committee is expecting figures 8 times higher, according to the Director of Technology in charge of the event, Bruno Marie-Rose. Given the scale of the challenge ahead, the key players are stepping up their preparations, with just eight months to go before this international sporting event.

By Théo Lhen Tallieu

State of the threat: Between cybersecurity and cyberdefence

More than just a possibility, the certainty of being hit by a large number of cyberattacks is shaping the organisers’ thinking, particularly regarding the volume of requests that will have to be dealt with during this edition, given that the number of cyberattacks has multiplied by 20 since the London 2012 Olympic Games. The ubiquitous information systems in place during the event, from tools linked to the broadcasting of live images to the athletes’ accreditation systems, are all windows of opportunity for cybercriminals. Among the most significant risks to the Games, Distributed Denial of Service (DDoS) attacks and the compromise of WiFi, 4G and 5G networks are a priority in the preparations. These threats could have serious consequences, up to the postponement or cancellation of events if lighting or timing systems break down.

The context will also be an aggravating factor, with increased conflict on a global scale and the resurgence of war on the European continent in particular. At the end of 2023, Netskope noted that the main hostile groups are based in Russia and Ukraine, and that the cybercriminals with the greatest geopolitical motivations operate from China. Paris’ repeated support for Kyiv, illustrated by the repeated delivery of war material, could put the organisation of the Games at risk, as this is an important vector of international credibility for France. Against this backdrop of geopolitical tensions, the types of potential attackers are diversifying. « Firstly, we have groups of cyber-terrorists affiliated to states and geopolitically motivated, with the aim of destabilising a country. Secondly, we have opportunistic, mercenary cybercriminals, tempted by the financial windfall. They bet, for example, on the urgency of the organisers to restore the situation to encourage them to pay the ransoms as quickly as possible. And thirdly, hacktivist groups have ideological and militant demands, and can carry out attacks such as website defacement or denial of service », explains Karim Benslimane, Director of Cyber Intelligence at Darktrace. It should be noted that the financial services and healthcare sectors have seen a considerable increase in cybercriminal activity that can be attributed to groups with geopolitical motivations.

With almost 13 million spectators expected, the attack surface will also be increased tenfold by the density of information systems deployed at the time of the competition. It is therefore essential to raise awareness on a massive scale. On 5 July 2023, the French National Agency for Information Systems Security (ANSSI) organised a dedicated seminar for all those involved in the Paris 2024 ecosystem, including information system users, administrators and operators. The national agency recommended that particular attention be paid to visitors, who could have their data stolen. At the top of the list of threats to spectators are online scams that use the timing of the Olympic Games, such as the opening of ticket sales, to set up fraudulent websites. It is a technique popular with hacktivists, who could use the international event to highlight causes such as human rights or the climate emergency. And then there are the state-sponsored hackers. « Given France’s stance on certain international issues, the geopolitical situation and the destabilising actions we are seeing in Africa, certain countries have clearly taken steps to prevent the Olympic Games from being held in 2024. Elements are already circulating on the Darkweb and their intentions are well known. Just as there is a space where data stolen during phishing campaigns and ransomware, which will intensify in the run-up to the Games, will be resold », explains SaaX, an ethical hacker.

ANSSI presents its priorities

In July 2022, Prime Minister Elisabeth Borne officially entrusted ANSSI with the task of steering the prevention strategy for the Paris Olympic Games. This task is all the more onerous given that the credibility of the national ecosystem depends on it, while since 2020 various parliamentary reports have set out the ambition of « positioning French industry as a world leader in cybersecurity and the security of the Internet of Things ». With the showcase that such an event represents, we now need to give ourselves the means to meet these expectations. In early 2023, the Paris 2024 organisers allocated a budget of €10 million to cybersecurity. This is an opportunity to speed up preparations, as ANSSI gradually devotes a third of its staff to the Games. The agency is providing training and awareness kits to all Paris 2024 stakeholders to better prepare them for cyber threats. In August 2023, ANSSI specified its priority guidelines: the introduction of an off-line data backup policy, the separation of Internet access from access to critical services, and the active monitoring of threats by CERT-FR, particularly with regard to the creation of fake ticketing sites. In addition to national perspectives, ANSSI is also focusing on cooperation and the sharing of expertise. It benefits from its agreement with the National center of Incident readiness and Strategy for Cybersecurity (NISC), its Japanese counterpart, enabling a rich exchange based on feedback from the Tokyo Games, held in 2021. ANSSI is also organising the first scenario-based exercises and training sessions, notably on the theme of the opening ceremony, thereby helping to strengthen interaction between the various players involved.

From the planning to the operational phase

In partnership with the National Coordination for Games Security (CNSJ) attached to the Ministry of the Interior, ANSSI had already identified around fifty critical players in the sports infrastructure, transport, energy distribution, hospital and access control sectors. This list was quickly extended to new horizons. « We have identified more than 300 diverse and varied players », explains General Emmanuel Naëgelen, Deputy Director General of ANSSI. Audits were carried out to assess the level of cybersecurity of each of the parties involved. « The vulnerability analysis stage will enable us to implement clear action plans, the objective now being to stick to the ideal timetable that we have set ourselves, which is to complete these audits by the end of the year and then turn to the technical and operational preparations up to the early spring of 2024. In this area, it will be necessary to strengthen resources according to the needs of each player, for example by deploying additional detection resources, installing new firewalls or reconfiguring the Active Directories », explains Emmanuel Naëgelen. He adds: « From the start of next year, we will be gradually stepping up exercises to fine-tune internal procedures and the resilience of all players in the event of an attack. »

A public-private partnership at the heart of preparations for the Olympics

« The technological security of the Games is a team effort. As organiser of the event, Paris 2024 can count on the support and expertise of several key partners, some of whom have experience of several Olympiads. This is the case, for example, of our direct ecosystem with the International Olympic Committee and its subsidiary OBS for the broadcasting of the events, as well as the International Paralympic Committee (IPC); Omega for the timing and scoring; and Atos and Cisco, our partners in cybersecurity », explains Bruno Marie-Rose, Director of Technology for Paris 2024. This public-private partnership is all about coordination. Atos’ « Olympic Management System » application suite, dedicated to managing accreditations for athletes, the media and law enforcement agencies, illustrates this direct link through the automated transmission of requests to the National Service for Administrative Security Investigations (SNEAS), linked to the Ministry of the Interior. Announced in April 2023, the integration tests are currently underway in the Atos laboratory in Madrid and will last up to two months before the start of the event. This is an opportunity to put the security of critical applications and digital infrastructures to the test, while at the same time boosting the speed of response to requests by drawing on the Tokyo Games data available to Atos. Paris 2024 has also introduced a bug bounty system, rewarding security experts who identify flaws in the Games’ digital infrastructure. Teams from Eviden and Yes We Hack have been mobilised to carry out SQL injection, PXSS and access control bypass attempts. It will also be a question of organising the response in real time at the time of the event. « All the Cyberattack Response Centres (CERTs) and the cyber teams present in the various infrastructures will have to report to ANSSI all the incidents they experience on an ongoing basis. As coordinators, our role will not be to deal with all attacks, given the expected proportion, but rather to study their nature so that we can intervene with the entities we are monitoring, should they not manage to overcome the incident », emphasises Emmanuel Naëgelen.

Controlling the refereeing support system remotely, manipulating scores and stopwatches or altering the results of anti-doping tests, taking control of entrance gates, interfering with the air conditioning in the athletes’ hotels, compromising the supply chain, interfering with water quality or sabotaging transport – the only limit to the scenarios to be feared is the imagination of cybercriminals. The presence of the refugee team will do nothing to dampen their spirits… The IOC has just announced 10 new athletes with scholarships, bringing the total to 63. Coming from 12 countries, living in 23 host countries and competing in 13 sports, they come from Afghanistan, Venezuela, Iran and Ethiopia.

These are all challenges that need to be addressed. « Beyond the large organisations, it is vital to look at the small groups whose skills are limited but who have a great deal of power to cause a nuisance. Deconstructing the noise that is building up with 8 months to go before the event, and deciphering the weak signal that could turn everything on its head, will be a major challenge », warns SaaX, adding: « Cybercriminals are already being recruited, and new groups are likely to emerge in the coming months with the motivation of conducting digital raids and carrying out campaigns to discredit the Olympic and Paralympic Games. Botnets and disinformation will almost certainly be the two main areas targeted by cyber-attackers, not to mention the deepfakes that are expected to flood the networks. The repercussions could be far-reaching and should not be underestimated ». The time for anticipation is over; it’s now time for action.