In a recent press conference, Vincent Strubel, head of France’s national cybersecurity agency (ANSSI), said that the “unprecedented” level of cyber threats surrounding this year’s summer Olympics should lead us to expect just about everything. Said Strubel:
“There will be cyberattacks during the Games and the Paralympics... Some won’t be serious. Some will be serious but won’t have an impact on the Games. And perhaps there will be some that are serious and liable to have an impact on the Games.”
In other words, come prepared. How are French anti-cybercrime units doing just that, and what does it mean for threat actors at the Paris Olympics?
What Are the Cyber Threats to the Paris Olympics?
Attacks are sure to come from all angles as the world watches online from a tantalizing number of devices. Here are some possible ploys defenders will be watching out for this summer in Paris:
Amateur Criminal Hackers
With the advent of the as-a-service cybercrime economy, it has become easier than ever for novice threat actors to launch more sophisticated attacks than their skillsets allow. This means more attacks overall considering the lowered bar for entry.
Thrill-Seeking Cybercriminals
The size of the opportunity presents a tempting stage for “rebel without a cause” types who just want to try their hand at some cyber troublemaking, or “teenage showoffs” looking to take advantage of security weaknesses in the websites or booking sites set up for the event, among other things. Beware of common website security attacks like cross-site scripting, SQL injection, and DDoS attacks, as well as more advanced exploits, as expertise has no minimum age limit.
Hacktivists
World events of this stature are sure to draw political or social ire from any number of activist groups with a solid set of criminal hacking chops.
Financially Motivated Black Hats
Perhaps one of the most obvious and common motives for cybercriminal activity at the Paris Olympics will be the desire for financial gain. Beware of phishing attempts in the form of unsolicited emails about the Games, lodging, tickets, or information followed by “helpful links” to learn more. Once you click and offer any personal data, chances are that it can and will be used against you or your bank account.
Nation-State Actors
This will be a huge world stage on which global powers can send unmistakable signals to countries, governments, and the world at large. As noted in the Associated Press, “Among the most threatening cyber-adversaries are countries who might want to embarrass and exact costs on France and the International Olympic Committee with proven offensive hacking chops.”
Which Cybersecurity Precautions Are Being Put in Place?
Events of this size and scope are a threat actor’s dream, and French cybersecurity authorities are doing everything in their power to ensure those dreams don’t come true.
They just can’t tell us exactly what, though. This makes sense, as disclosing the details would give away the element of surprise and hand an obvious tactical advantage to curious, blog-reading Black Hats. However, what we do know is:
Ethical Hackers
Ethical hackers were hired by ANSSI to test all Olympic websites in preparation for an attack. Said Strubel, “There are 500 sites, competition venues and local collectives, and we’ve tested them all.”
Artificial Intelligence
AI is being used to test for multiple threats across their IT system and websites. Said Franz Regul, managing director for IT at Paris 2024, “AI helps us make the difference between a nuisance and a catastrophe.”
Physical Security
Transportation, supply chains, and surveillance systems are additional targets of potential compromise and have been put firmly on the radar of Paris 2024 cybersecurity preparations.
Past Olympic Cyber Expertise
Paris cybersecurity teams are drawing on the knowledge and experiences of consultants who worked in Pyeongchang during the 2018 Olympic Games, during which malware dubbed “Olympic Destroyer” famously disrupted the opening ceremonies.
Unprecedented Preparation
“The Games are facing an unprecedented level of threat,” explained Strubel, “but we’ve also done an unprecedented amount of preparation work so I think we’re a step ahead of the attackers.”
Regul, head of the cyber team responsible for Paris 2024, expects the number of security events this year to be “multiplied by 10 compared to Tokyo (in 2021).” There is a need to keep an exceptionally tight attack surface and tie up any loose ends like SSL misconfigurations, open ports, and privacy issues such as cookie consent violations.
The good news is that ANSSI, France’s central cybersecurity agency, has been in preparation for the past two years, engaging in extensive penetration tests, security awareness campaigns, a bug bounty program, and numerous war games with technology partners at the International Olympic Committee. And there’s no question as to why. As Regul stated in the Times, “We will be attacked.”
[Hope], but Verify
Jérémy Couture, who helms the official cybersecurity hub of the Paris Olympic games, expressed perhaps a universal sentiment when he stated, “My dream for the Olympics is that technology and cybersecurity aren’t talked about, because that will mean it was a non-issue.”
Let’s hope so. But in the meantime, Strubel’s words point to a deeper truth: “We are preparing for everything.”