The organisers of the April 2018 Gold Coast Commonwealth Games have a huge task on their hands regarding the protection of the high-profile sports event from cyber-attacks.
With an expected TV audience of over a billion people, and millions more watching events live in HD from every venue through an app, sharing videos of their favourite events and tracking their friends from their mobile phones will be an essential part of the fan experience. With 1.1 million ticket sales and 84 million web-page views, the sheer scale of the event will make it a popular target for hackers and cybercriminals.
Major sporting events are a prime target for cybercrime due to the worldwide attention and visibility. In Brazil during the summer of 2016, for example, there was a sustained 500Gbps DDoS attack targeting Brazilian networks. Probing and test attacks started months before the international sporting event, and once the event started, the real attacks did not cease until it was over. In 2008, Beijing was subject to around 12 million online attacks per day, and in 2012 London faced a total of 156 million security-related events, six of which were major cyber-attacks.
Attacks have also been seen in recent years on Formula One, Wimbledon, the English Premier League, NASCAR and the Euro Soccer Championships, and the problem is not getting better. In fact, it is getting much worse. Fortunately, the attacks on most of these sporting events were halted by having the right security processes and technology in place, including practising worst-case scenarios.
Thousands of journalists will be sharing video and photos with global media, 6600 athletes and officials will be attending, and millions of people will be watching the numerous sporting events via numerous devices. All of these people require secure network connections, and all of them require 24/7 availability. Being responsible for the event’s network and infrastructure is no mean feat.
Full-scale activities will build up from March and into April, when the IT fleet will grow from 350 desktops to 1650 and website traffic will ramp up to an estimated one million visitors per day. It’s therefore essential in the lead-up to the Games that the organisers monitor intelligence from a large variety of sources, analyse Games systems and infrastructure for vulnerabilities, and check for the presence of malware in their largely Microsoft-based IT environment.
The Games Technology Department incorporates the following areas, all of which are at risk from cybercriminals:
- Games Management Systems
- Technology Infrastructure Services
- Technology Results Services
- Technology Communications Services
- Technology Planning and Delivery
- Venue Technology Services
While cyber-attacks targeting sports events, organisations and athletes are not a new phenomenon, hacker motivations are extremely varied and can unfortunately be just about anything, from notoriety and financial gain to competitive advantage and protest.
However, data is the number one target for hackers, and it has now become the secret opposition in modern sports. On the field, technology like wearables is used to harvest game and athlete data, from analysing how fast a serve is to showing how far a soccer player has run in a game. If hackers were to get their hands on this valuable data, they could use it to win big at the bookies.
For rival teams, data can show where weaknesses lie and help them to win games – which could be the difference between winning a gold medal at the Games and finishing last.
It’s clear that any country’s team data or any individual athlete’s data could be a target for extortion or fraud, in addition to sports betting and helping rival teams gain an edge over competitors. However, it’s not all about the high-profile athletes competing: the fans in the stadium are also a key target for cybercriminals.
The Games will also have the challenge of protecting against cybercriminals who just want to disrupt. An attacker who aims to cripple the event management system, which is at the heart of the IT environment, can cause major headaches for the results systems, communications services and ticket sales. The motivation behind the disruptors who launch DDoS attacks is to embarrass the organisers or raise the profile of their own political agenda.
Encryption, key management and two-factor authentication are just some of the measures that can mitigate the risk of an attack. When developing an app, all teams and events should have TLS encryption and secure coding at the very least.
Critical infrastructure for the Games must be considered a target, especially the electricity and water supplies. Any disruption to the power and lighting would seriously harm the success of the event and would cause significant reputational damage to the organisers and Australia as a nation.
Never has it been more vital to get the basics right when it comes to cyber security in the sports industry. The cyber threat landscape is changing, evolving, and it’s not a matter of if, but when an attack will occur.