The Rio Olympics of 2016 has, at least in sporting terms, been a success with many thrilling events and winners. But the backdrop of social breakdown and protests in the country have also made it controversial and security has been brought into question even if, thankfully, tragedies have been avoided.
But the challenge is not just physical. Ever since the World Wide Web became ubiquitous, these events have been under siege digitally. At every Olympics, football World Cup or other major sporting occasion, attackers try to take down websites, get their messages across, and steal data and identities. To find out if Brazil had been any different I called one of the most plain-spoken experts on cybersecurity today: Thomas Fischer, principal threat researcher at Digital Guardian, a Waltham, Massachusetts-headquartered maker of data loss prevention software.
I started with a moan: at every major sporting event, organisers insist that cybersecurity threats are rising, citing skyscraper growth in the number of attacks they have detected and blocked – is the issue really growing or are we just counting every small, morphing challenge as a new issue?
“It’s familiar territory,” says Fischer with admirable frankness, “but these big events just attract more of it. It’s all a bit of an aspect of today’s society with free WiFi at events and everybody using Snapchat and Facebook. There are tools to make it easier to set up [threats] now you have more users and more devices that have access.”
But what is really different about Rio and forthcoming events is politics, Fischer suggests, and certainly some of the forthcoming hosts are controversial. Vladimir Putin’s Russia, set to host the 2018 World Cup, is again creating a furore; Qatar’s selection as 2022 World Cup host has caused dismay among liberals everywhere; and China won the bid for the 2022 Winter Olympics.
These effectively represent “new threat vectors” because people will have political or ethical motivations to hurt these events and their organisers, Fischer argues.
“There’s a lot of political strife in the background so we’re going to see a lot of hacktivism as [major events] go to places where certain groups [have disagreements with government strategy]. They’re going to want to bring that out.”
If today’s geopolitical environment creates a challenging environment then the laundry list of technical threats add to the challenge. Fischer says that one increasing threat might be compromises aimed at senior figures who have inside information on how systems are designed.
“[Event organisers] have got pretty good teams but if I wanted to make the countries look bad I’d be targeting government agencies and how they organised shortcuts, or how they built the organisation.”
As for today, ticketing scams, intercepting broadcast video streams and attempts to lure users into clicking on what might appear to be attractive content all remain live threats aimed at a huge audience of “more susceptible individuals”, Fischer says. One way to mitigate this is education and Fischer praises the UK for its work in trying to make citizens understand digital dangers. “The UK is one of the few countries in the world where you’re doing some of the cybersecurity awareness. Even in the US it’s pretty weak and you won’t find that in Brazil.”
As phishing attacks and other approaches become more sophisticated it’s hard even for educated users to stay safe. “I regularly get bank phishing attacks where they look like they’re coming from the bank,” Fischer says. “They’re more professional than a few years ago.”
He is partly sympathetic to what might be a growing school of thought: that end-users have to be held accountable for their actions. He says that he was recently on a flight when passengers blithely ignored instructions to turn off cellphones, preferring to continue updating Facebook.
“If you drive drunk you potentially lose your licence - right now there’s no responsibility on the end user. Where should we put the responsibility? To me it’s a combination of the provider and the end user.”
Fischer said a recent plan to automate bank account applications had “sent shivers down my back … it’s going to attract so many fraudulent applications and whose fault is it then?”
And he isn’t optimistic about a finish to the constant stream of security challenges: “Will it end? No, there’s too much money around. We’re running around in circles.”