Securing the 2012 Olympics

With less than three years to go until the London Olympics, information security concerns are rife
Greg Day, McAfee
Candid Wuest, Symantec
John Alcock, Fujitsu

There is now just under three years to go until the opening ceremony of the 2012 Olympics takes place in east London. A bird’s eye view of the Stratford site shows that construction is well underway. There are concerns, however, that cybercriminals − or even cyberterrorists − will exploit the Olympics for their own ends.

"Whilst the government and the organisers of the event are taking physical security very seriously indeed, there are concerns that broader cybersecurity concerns are being overlooked."
 

In April, former Home Secretary David Blunkett used the opening keynote address to the Infosecurity Europe conference to warn that the Olympics could be paralysed by a large-scale cyberattack, and cautioned that the government and the Olympics’ organisers were in danger of overlooking the information security risks. (See Infosecurity’s exclusive Q&A with Blunkett at the end of this story for an update on his views.)

David Blunkett’s view − that the 2012 Olympics could become a focus for cyberattack − is widely seen as credible in the information security community. Whilst there is little doubt that both the government and the organisers of the event are taking physical security very seriously indeed, there are concerns that broader information security concerns are being overlooked.

Observers point out that the Olympics will be much more dependent on the internet and e-commerce than any such previous events, and that we have few ways of predicting how the wider information security landscape might look in 2012. As a result, the range of plausible information security threats the Olympics organisers need to consider is broad.

A very real threat

One of the lessons learned from the 2008 Beijing Olympics is that the threat of a direct attack against the event’s IT infrastructure is real. The Beijing organisers had to deal with 11 to 12 million IT security alerts each day, although extensive use of automated detection and diagnosis reduced the numbers of threats investigated by the response teams to 80-90 incidents.


Even those volumes could be overshadowed by indirect cybercrime events, such as mass spam attacks or the use of false, Olympic-related websites to distribute malware.

According to official statistics from Beijing, the Chinese media alone produced 20 000 items of Olympic coverage a day during the event, a volume that 2012 will almost certainly exceed, and this is impossible to police.

“The bad guys will want their share too, and there will be spam offering the ‘last two tickets for an event’ or saying ‘you have won an Olympic lottery’”, says Candid Wuest, security response engineer at Symantec.

Several security experts approached by Infosecurity Magazine suggested that the London Games organisers could do more to promote the genuine 2012 URL www.london2012.com, to reduce the impact of cybersquatting and spam. The URL is not, for example, part of the current 2012 London Olympics logo.

An impossible task

In their defence, the London Olympics’ organisers face an almost impossible task that they certainly will not accomplish without the help of the wider information security community, says Greg Day, principal security analyst at McAfee.


“We expect the Games to be a target for social engineering attacks, from website cybersquatting, from spam or bogus ticket sales. These are just some of the levers that cybercriminals can use to get information or money from us”, he says.

“It is not fair to assume that the people organising security can make it 100% secure. They cannot buy up every domain name linked to the Olympics. They should however make it clear [to the public] which are the genuine sites, and have mechanisms to help people validate those sites.”

For this reason, CISOs and security officers need to be aware of the likely impact of the Olympics, and have a plan in place to deal with any emerging information security threats even if their organisations are not directly involved.

However, IT security managers should not need to take specific technical measures to protect their own networks during the run up to the Olympics or during the event itself, suggests John Alcock, managing consultant for the security and business risk practice at Fujitsu Services.

“If you have a modern system that is well maintained with patches applied, industry standard firewalls, and up to date anti-malware, you will be protected from most things short of a specifically crafted zero-day attack.”

Shout it loud

A greater danger, Alcock suggests, is that criminal elements might use the Olympics to distribute malware, or as a vehicle for social engineering exploits and spam. In the excitement of the event, internet users hungry for Olympic-related content might well drop their guard, and be duped into visiting untrusted websites or opening suspicious email.


The best way to reduce the danger, says Alcock, is for everyone in the UK information security community to play their part in raising awareness, even if they are not directly involved in the 2012 London Olympics.

“You have to be a good neighbour and do your bit”, warns Alcock. “Because 2012 is a flagship event, it has to be seen as the best example of how to do things. There can’t be any cutting corners… [how well the Olympics go] reflects on UK PLC as well as on the brand of the Olympics themselves.”

The London Organising Committee of the Olympic Games and Paralympic Games (LOCOG) were approached for comment for this article, but did not respond to Infosecurity’s questions or requests for an interview, stating only that information security for the Olympics is a matter for the Home Office.

The Home Office responded to Infosecurity’s questions with a prepared statement:

“The government has analysed the risk currently posed to the Games by a cyberattack and is planning accordingly. Scoping work is already underway looking at how critical infrastructure for the Games can be protected.

“More generally, cybersecurity is being addressed at a number of levels, involving many agencies including the Centre for the Protection of National Infrastructure, ACPO [the Association of Chief Police Officers] and the Metropolitan Police.

“The Cabinet Office is leading on a cross-Government project to consider the UK's approach to cybersecurity, which looks at reducing risk as well as protection opportunities.”

David Blunkett’s views on 2012

In April this year, David Blunkett’s keynote speech at the Infosecurity Europe conference forced security for 2012 − and information security in particular − onto the agenda. With three years to go until the London Olympics, the former Home Secretary agreed to answer some further questions on the subject, exclusively for Infosecurity.

Infosecurity: How great is the security risk for the 2012 Olympics?

David Blunkett: Whilst people correctly and self-evidently focus on physical safety, the security [risk] for the Games in terms of delivery as well as economic impact and global imagery is very substantial indeed – partly because we are dealing with potential for the future rather than known risks from the past.

Infosecurity: How do the security threats rank, say, against Beijing or even the 2010 World Cup? Are there particular factors that put the UK and London at greater risk?

David Blunkett: Beijing has to be seen in the context of the regime, its control and command over the population and, of course, its very sophisticated and highly developed State facilities relating to internet security and appreciation of both potential and threat.

Single sport events are less at risk than the global reach of the biggest sporting event in the world, where, by 2012, cyberspace will have experienced a further sea change in potential for both good and evil. The multi-ethnic nature of London and the historic global reach of the UK is both a plus and a minus when it comes to assessing and dealing with risk.

Infosecurity: It's likely that these Olympic games will be the most technology dependent ever. How does that affect risk?

David Blunkett: Inevitably, the more reliant we are for travel, accommodation, ticketing, access to facilities and security clearance through the internet, the more the risk self-evidently raises its head. That is why thinking it through and getting it right from here on is not scaremongering, but basic common sense.

Infosecurity: Granted there are groups at large who want to attack the UK. But do their skills and motivations point to cyberterrorism or cybercrime as a method they would use?

David Blunkett: Not exclusively. But we know just what potentially can be done and we know that people can do it. Taking action, raising awareness and sending the right signals is all about deterring them rather than coping with the results after the event.

Infosecurity: You talked about a large-scale blended attack in your Infosecurity Europe keynote. Do you still think that is likely? What gives you that view?

David Blunkett: My view is based on the belief that more traditional forms of threat are well covered in UK plans, including those recently published by government. It is a combined and interconnected threat that we need to worry about. Planning for this is much more difficult, but nevertheless essential.

Infosecurity: Is there a danger that we are confusing politically motivated action against the UK or the Olympics with something more mundane: fraudsters using a large event to extract money or to mine data?

David Blunkett: Both malign attacks and fraudsters pose a threat. In protecting against one, we also help defend ourselves against the other. Large-scale fraud worries me greatly, for the impact it has on individuals and businesses but of course, it also has a major economic impact and hits the standing and credibility of the UK.

Protecting ourselves is therefore a good way of sending a signal that Britain is a great place, and a safe place, to do business online.

Infosecurity: Do you think the organisers (the Home Office, LOCOG, The Olympic Delivery Authority) have done enough to prepare for information security threats to the 2012 London Olympics?

David Blunkett: I think everyone would accept that we’re in the early phase, rather than way down the line. But I detect a much greater awareness, interest and readiness to listen and to take this seriously than I did even six months ago. Co-ordination is crucial and I am aware that both from the Home Office and Cabinet Office (as well as, of course, from Tessa Jowell and the Olympic Committee), there is a determination to use the next three years effectively in getting this right.

Infosecurity: Given that the event will have an impact on all of the UK, especially London, even for people who are not involved in or attending the games, are there things individuals should watch out for - in their email, on their PCs, or in the ‘real’ world?

David Blunkett: I think as with the advice from Get Safe Online and similar awareness raising efforts, it’s crucial, without frightening people or undermining the profile of the Games, to make people aware. In fact, this is a great opportunity to have a very responsible campaign which will have beneficial outcomes in a much wider sphere than [simply] the Games themselves.

 
