Espionage in sport

In a world where football players earn six-figure weekly wages, and where a racing car costs many millions to design and build – the wheel alone for a Formula 1 car costs £20 000 – information is highly valuable.

When information is valuable, there will always be an incentive to obtain it – and with it a competitive advantage, by fair means or foul.

The highest profile case of sports espionage, in recent times at least, has to be the Ferrari-McLaren scandal that hit Formula 1 in early 2007. Former Ferrari performance director Nigel Stepney was accused of leaking documents to the rival McLaren team.

The case dragged on until Spring 2009, when Italian authorities dropped charges against McLaren staff, including former McLaren chief designer Mike Coughlan. In the meantime, McLaren had been found guilty of breaching Article 151c of the International Sporting Code and was fined £49.2m by the sport’s governing body, FIA.

Hearsay

Claims and counter claims continue about whether McLaren obtained any real advantage from the Ferrari information. The size of the fine, and the fact that McLaren were docked of all points in the 2007 constructor’s championship, however, will serve as a warning to anyone planning to use confidential data to their advantage in sport.

Nor was 2007 the first time that espionage allegations rocked motor racing. In 2002, the Italian courts convicted two former Ferrari employees of stealing information from the team, before taking up posts at rival Toyota.

Formula 1 is not the only sport that has been exposed to accusations of spying. Last year, French authorities questioned sailing specialist Jean-Antoine Bonnaveau, a French national employed by the Oracle BMW Racing America’s Cup team, amid accusations that he had photographed a yacht designed by race rivals Alinghi.
Many more accusations of spying feed the rumour mills of professional sport, but only a tiny number ever make it to court.

Although teams are increasingly adept at deploying counter measures against cloak-and-dagger techniques such as clandestine photography – or even, according to accusations against one yacht racing team, using scuba divers – poor information security could be leaving sports teams more vulnerable to espionage than they think.

Legal reports of the Ferrari-McLaren case point out that the dossier of Ferrari information found at McLaren contained printed emails; a security breach that could easily have been prevented by off-the-shelf data loss prevention technology.

Protect your (team’s) neck

Lack of a unified approach to data protection and information security within many sports teams increases the risk of data leaks, as well as leaving the door open to deliberate attempts at information theft.

“I don’t think that sports teams are especially prone to espionage”, says Graham Cluley, senior technology consultant at Sophos. “Much of the most important information about a rival club will not necessarily be on computer systems, but discussed on the playing field and training ground”, says Cluley. “There are a small number of sports, however, which rely heavily on technology, and the opportunities for computer espionage may be greater here”, he continues.

Reliance on technology is spreading to more and more sports, as teams look to fine tune athletes’ performance. A growing volume of match or game data – and physiological information gathered on the athletes themselves – means that it is not just hi-tech sports such as F1 that generate growing amounts of valuable data.

Sports as traditional as rowing have moved away from their Oxbridge image, and now rely heavily on telemetry information gathered electronically from the boat, and its crew, during practice and racing, in addition to the design of the boat.

Rugby teams – such as the England squad – share data and even match videos on PDAs, and professional football teams have hundreds of hours of detailed match videos on file in order to assess the performance of their own players, and the tactics of their rivals.

It is perfectly reasonable and even necessary for players to have personal performance data and even video on a laptop or mobile device, so they can review it at home, or when they are away on tours.

However, teams and players need to realise that such information is also an important asset, and one that could cause damage in the wrong hands. They therefore need to step up their efforts to protect it.

“If you have athletes, drivers or competitors carrying around laptops, you do have to consider the data that is on them”, says Sean Doherty, senior director in the EMEA security practice at Symantec. “You have to consider theft or loss in locations such as airports, and ensure that any information is encrypted.”

Sporting ambitions, SME structures

According to Symantec’s Doherty, sporting teams are already starting to turn to technologies such as encryption. Many teams, however, are struggling to put in place a comprehensive information security policy to match their conventional, anti-espionage measures.

For all the big-money sponsorship deals and big-money contracts with sporting stars, most clubs are structurally small to mid-sized businesses. Their organisations reflect this: often they have limited central IT expertise, and only a handful of the largest sporting teams will be able to employ a full-time infosecurity expert.

Sporting teams depend heavily too on partners. Whether it is players’ agents, sports medicine specialists, physiotherapists or gyms for athletes, component manufacturers, design consultants, or computational fluid dynamics specialists in motorsports or yachting.

Sports teams need to communicate information with these partners, and often very quickly. The more partners a team has, the more potential there is for information security vulnerabilities. Teams might not have the expertise to employ heavyweight encryption technologies that protect data on the move.

When it comes to event-day data, such as information from a race, the few seconds or even milliseconds’ delay caused by encrypting and decrypting data could be enough to sap a team’s competitive advantage.

As a result, teams tend to rely more on trust and human oversight than on formal policies. Further complicating matters, they do not always have access to the large-scale identify and access management systems employed in industries such as finance or defence.

“Sports teams often have an open culture where they trust people, but that can be incompatible with good security”, says Andrew Jaquith, a security specialist at industry analysts Forrester Research.

“One approach is to ensure accountability, and to ensure that what people are doing is logged. It’s not stopping people [from] doing something, but letting them know that what they do is being watched.”

Protecting data, electronically

A security-aware culture will reduce the espionage threat. The trend towards electronically holding and transmitting critical commercial and sporting information need not make teams more vulnerable to espionage, however. In fact, it could even help.

Sporting organisations need to be aware of the dangers posed by cybercriminals, hackers and rival teams using vulnerabilities in IT systems to gain unauthorised access to their information. It is true that a skilled hacker, or an insider with a smartphone or USB thumb drive, can obtain vastly more information in a few seconds than any industrial spy equipped with a miniature camera.

However, IT systems give teams methods to protect their information that are simply not available for paper records. According to Symantec’s Doherty, sporting clubs are already making extensive use of encryption for records, blueprints and other static information held in databases or other IT systems. The protections available against a casual or opportunistic data theft are far stronger with electronic data than with paper records, photographs, microfilms or tapes.

A further advantage of IT systems is the way they allow sporting organisations to track and monitor who accesses data, and when. As Doherty points out, data loss protection (DLP) technology extends to recording who accesses a particular server, database, application or file, and when.

Role-based access and permissions can control who can read or write to a file, and whether it can be printed, transferred to a USB device, or sent outside the organisation by email. DLP technologies can be set up to search outbound emails or file transfers for tagged sensitive documents, or even for keywords, in a far more efficient way than searching handbags or briefcases.

As these technologies fall in price and become easier to use, the infosecurity industry expects sporting teams to make more frequent use of them.

“If the stakes are high enough, and the losses are big enough, we will see a tightening of controls”, says Forrester’s Andrew Jaquith. “Organisations are raising the bar on security, and not just in sport.”

Even if sports are more prone to espionage, there is only limited evidence that it makes a difference where it counts: on the track or the pitch. Sporting endeavour – and luck – is still what counts.

“Even if secrets of a rival team are discovered through hacking, it won’t necessarily give you any advantage when facing them at an all-important match”, concludes Sophos’ Cluley.