The Olympics, Cyber Risk, and Virtual Terror
The Olympic Truce is a tradition established in 7th century BC to ensure safe passage to and from the Olympic Games, as well as safe participation in the Games. Its creators could have had no idea that participation in the Olympics would ultimately transcend the physical realm to include the cyber sphere.
The era of virtual terror in which we are living, wherein cyber risk has had a profound impact on how most of us live and work, remains such a relatively new phenomenon that its impact on institutions that we hold dear continues to evolve. The Olympics is certainly one such institution. Since the beginning of this decade, Olympic hosting nations have had to add the management of cyber risk to the plethora of risks they must contend with. In previous games, the risk was a concern, but not a fundamental issue. That has now changed.
Just as athletes from around the world are put on an even playing field to compete in the Games, governments, groups, and individuals are all placed on an even playing field in the cyber arena. North Korea and Iran can compete effectively in the cyber sphere with the ‘big three’ nations: China, Russia, and the U.S. The fact that the Winter Games will occur in South Korea next month, at a time when global tension with North Korea has reached a boiling point, is actually inconsequential, because high achievers in the global cyber arena (including North Korea) have the ability to strike at any time and at will, because of the invisible, anonymous, borderless, and lawless nature of the cyber sphere.
The nature of the challenges cyber security experts face for an event such as the Olympics is daunting indeed, with a threat and vulnerability landscape every bit as diverse as the competing nations and athletes themselves. So many aspects of the Olympics are dependent upon online connectivity that maintaining security in all aspects of the Games at all times appears to be a nearly impossible task. From the transportation that takes athletes to and from venues, to their housing, to venue entry points, to performance scoring, the threat matrix is so broad and all encompassing that it would truly be a miracle if no functionality associated with the Games were hacked at some point during the two-week period.
Given that infrastructure has become a target of choice among cyber attackers, there is a growing risk that the integrity of sporting venues could themselves be compromised. Consider, for example, heating, air conditioning, or lighting systems, all of which are dependent upon digital communication to operate. Many of the venues at the Olympics are similarly dependent upon third party service providers – and the inviolability of their own cyber security – for everything from food and transportation to physical security. Should any of these service providers be hacked, it could provide hackers with immediate access to central control systems at the Olympic venues.
Another consideration is the vulnerability of Android-operated smart phones, which comprise approximately 85% of the world’s phones today and account for more than 95% of all phone-based hacking. If a hacker were to successfully introduce messaging that induced panic among Game attendees, it is not inconceivable that pandemonium could break out, interrupting the games and possibly causing injury or death among individuals attempting to flee a make-believe emergency. Doing so could also prevent people from wanting to attend specific events, for fear that a threatened terrorist attack may occur.
Olympic competition has transcended conventional concerns such as athletes consuming performance enhancing drugs. Hacking has become so sophisticated that the sanctity of the scoring process may itself also be at risk. Referees rely on their own eyesight, but they also rely on instant replays and boundary detection systems (which can determine whether athletes were within the legal physical bounds of a competitive space). Hackers already have the ability to manipulate such data, with speed and accuracy.
The Seoul Games will be a real test for the degree to which tech-savvy South Korea has taken such risks into consideration. Given the threat mosaic, if heightened cyber security is not in force and effective there, it raises question about whether it can be effective anywhere. While acknowledging that it is not possible to be 100% effective in guarding against cyber attacks from such an elusive and capable enemy, Game planners no longer have the ‘option’ of factoring cyber risk into security planning.
The cyber world leaves no margin for error. It will take every ounce of risk agility to anticipate where the vulnerability points are and deploy the right tools to counter the growing number of threats. Going forward, Olympic organizers must consider whether Game hosts have the cyber security capability to warrant hosting the Games, for cyber risk has become a top risk facing the Olympics. As was the case with the 2016 Rio de Janeiro Games, when the Rio state government ran short of funds to complete all venues as anticipated and even had to modify the opening ceremony to account for the cash shortfall, prospective host nations that cannot guarantee top notch cybersecurity should be removed from consideration. Establishing and maintaining the very best cybersecurity at the Olympic Games is no longer a luxury, it has become a necessity.