According to Olympic cybersecurity head Oliver Hoare, he was awoken at 4:45 a.m. on the day of the ceremony with the news that an attack may be underway. “There was a suggestion that there was a credible attack on the electricity infrastructure supporting the Games,” Hoare told BBC Radio 4. “And the first reaction to that is, 'Goodness, you know, let's make a strong cup of coffee.'”
An attack shutting down the ceremony would have resulted in billions of dollars of losses. Officials said that they leapt into action with contingency plans, launching an investigation and holding an emergency meeting held in the Cabinet Office briefing room, chaired by deputy national security adviser Oliver Robbins. The determination was that any attack could be dealt with, so that systems could be back up online with no more than a 30-second delay. That half a minute, however, would still have been economically catastrophic, Hoare said.
The threat of course never materialized, but the issue highlights a growing concern around the vulnerability of the UK’s critical infrastructure. “Many people may ask themselves why anyone would target a ceremony that by definition celebrates coming together and fair play, but in truth there are a whole range of constantly evolving motivations behind cyber-attacks – ideological hacktivism and vandalism being in the top five motivations for cyber-attacks according to Arbor Networks 8th Worldwide Infrastructure Security Report,” said Dan Holden, director of research at Arbor Networks, in an emailed comment. “Because of that any company or event, including the Olympic ceremony, can become a target.”
Indeed, the concern doesn’t exist in a vacuum – there is precedent for this type of disruption. “Last year’s incident is not the first of its kind,” said George Anderson, senior product marketing manager for enterprise at Webroot, in an emailed comment. “There has been concern about cyber-attacks on the Olympics as far back as 1996, when the US employed a well-known commercial American security company to help defend the event’s communications against disruption. While this may not be a huge shock to the security industry, business and consumers who were likely to focus on the physical threat of terrorism over the cyber threat will undoubtedly be surprised that an attack came close to occurring.”
One could say that the timing of the government’s communique is convenient given the Operation PRISM revelation of widespread US surveillance in the name of national security, but the unveiling of the fears should at least be a cautionary tale for businesses.
“The nature of the threat in these reports isn’t entirely clear, or how much substance there was behind those fears of a direct attack on UK power utilities or the Olympic Games in general, but the business world in general might learn something about risk assessment and contingency planning from this report,” said David Harley, senior research fellow for ESET, emailing Infosecurity.
Anderson added, “It’s important to remember that this is a real risk 24/7, not just when the spotlight is on London. Since there are so many ‘moving parts’ to secure, businesses need to consider everything – starting from network security, through the supply chain which can act as an attack point, to the end-point security installed on PCs and mobile devices. The same applies equally to businesses that are often part of the supply chain and can therefore act as an attack point. [This] news should be regarded as a big wake-up call.”