Dr. Scott J. White, director of the George Washington University Cybersecurity Program. has taught many courses on Olympic security.
Given that China has been something of a lightening rod for controversial issues involving cybersecurity, we sought him out to get his assessment of the threat to the Beijing Olympics, future Games, and other large =scale sporting events. That interview follows.
Question: Why are the Olympics vulnerable to a breach in cybersecurity?
Answer: I don’t believe the Olympic Games are particularly vulnerable to a cyber breach from an outside actor considering the major Advanced Persistent Threats (APT’s) are the state sponsored programs of China, Russia, Iran and North Korea. These governments pose the greatest threats to Americans and other participants at the Games. Individuals that are most susceptible to an attack are Western journalists, Olympic Committees and competitors. These groups are primarily susceptible to the Chinese surveillance state. Any hardware linked to Chinese Wi-Fi (the network), will be vulnerable to monitoring. When you consider the breadth of the Chinese surveillance state and the disregard they have for individual rights; it is safe to assume they will be monitoring all the Olympic Committees and their athletes. And, the American Olympic Committee and its athletes will be the number one target of Chinese espionage.
Q: What makes the Olympics difficult to protect?
A: All participants to the Games in China are required to download an application (app) to navigate their time at the Games. Contrary to the Beijing organizing committee’s assurance that they are compliant with Chinese data security laws and their encryption protocols will protect personal data and privacy; no device is secure. It’s difficult to protect yourself when your host is controlling the threat vector.
Q: What are some of the measures governments should undertake?
A: The American Olympic Committee and its athletes, as well as other nations, should assume that they are being monitored at all times and use the Chinese communications networks judiciously. Individuals should refrain from communicating about such things as: Taiwan, Hong Kong independence or the Uyghurs. At the end of the day, maintaining a low cyber footprint can be the greatest strategy, however, if information and communications technology (ICT) is to be used, one should consider that Chinese government officials are listening in at all times. There are a few things that can be done to protect personal data. The use of stripped-down hardware or burner phones can limit the amount of data that can be exfiltrated. In the best-case scenario, participants should leave their personal devices at home.
Q: What role if any do athletes have in a cybersecurity breach?
A: Athletes are not cybersecurity professionals, and one cannot expect that they will use good cyber-hygiene. Acknowledging this, there can be no expectation of privacy or data security. Maintaining a low cyber footprint can aid in the protection of privacy and data. The use of stripped-down hardware or burner phones can limit the amount of data that can be exfiltrated. In the best-case scenario, participants should leave their personal devices at home.
Q: Do sponsoring companies have any exposure?
A: Sponsoring companies, like any foreign national, are vulnerable to data breaches. Utilizing strong passwords, two-factor authentication or two-step verification, especially for their sensitive data can minimize a company’s vulnerability. Deploying updated antivirus software and configuring browsers to delete cookies can also help. However, it is important to note that these companies are operating in a hostile environment and are up against some one of the best cyber-spies in the world.