Date: 2022-02-08

Hackers, human beings no less than us, have all sorts of specialized skills at their literal fingertips. Because of their humanity, a status some of my cybersecurity colleagues separate from hackers, they also have all sorts of regularly occurring human foibles. One trait we all tend to share surrounds our egos. We need our egos stoked. We demand attention and recognition. To our own detriments our egos influence and interfere with our day-to-day lives and goings-on.
The hackers have an interesting, self-imposed dilemma when it comes to ego. They seek acknowledgement but all the while maintain anonymity lest they succumb to local, federal, and even international enforcement of security and privacy laws. Being a known “black hat” might result in loss of freedom (imprisonment), funds (fines), and worst of all for most of them the ability to ply their trade. Still, those of them not performing their digital devastation as a pure duty to their country desire to earn merit among their scofflaw peers. They boast, albeit anonymously, within hallowed, secretive community gatherings online. Like any hunter who displays their trophy, it is a point of pride to show off how you breached the otherwise well-crafted defenses of some bank, or hospital, school, government agency, whatever. For many, that is the fruit of labor, not necessarily the data that they then abscond with, though that may pay the bills.
Because of that shared character flaw, whenever something appears on the world stage you can bet your nickel that the hacker community takes note and takes on the challenge.
We have numerous, daily world events occurring. Elections, civil strife, aging monarchies’ milestones, countries on the brink of war, and sporting events such as the Super Bowl, World Cup later this year, and the 2022 Winter Olympics.
Olympics cybersecurity is not a new subject for governments and the industry to contain. For as long as the Games have been held in our digital age, security has been baked into their planning. Like everything technological, the advances in security threats outpace most social systems’ evolutions, so this year is inordinately important for thwarting cybersecurity risks at Beijing.
The efforts began years ago, and really became evident with lessons learned from the untimely 2021 Tokyo Summer Olympics. All estimates pointed to a successful conclusion of Tokyo’s games, at least as to cyber-risks. The globally relevant Olympics attract massive viewership, and massive hacking temptations. In one of the more credible post-2021 reports, it was claimed that during those few weeks of sport over 450 million digital security incidents were blocked! That’s one of the few sentences in this column where an exclamation point is apt; sometimes they’re hyperbole. Think about that: a half-billion times hackers tried to breach security surrounding the Summer Games.
If that’s not a worthy point to start planning for cybersecurity during the 2022 Olympics, I look to anyone to describe the more meaningful data. Realize, too, that just like Tokyo, the Beijing event is not welcoming of attendees. Imagine adding millions of digital devices into the mix when spectators all converge with smartphones, tablets, and laptops in tow, and all those extra millions of doorways open into the shared network. One factor that does distinguish the successes in Tokyo from the current Olympics is its site. There are two arguments about the China factor. The first is that because of its human rights reputation, its politics, and a whole host of other Chinese characteristics the hacktivists among the hackers will truly be engaged. The other perspective, though, is that China, and all of those traits she bears, is buttoned up well enough on any given day, much less when the whole world is watching, that it’s as hard to crack the armor as anywhere.
Leading up to the athletes’ traveling activities the FBI released some guidance. It asked athletes to leave their personal cellular devices at home. Rather, they advised, athletes should invest in so-called burner phones for the trip. The notion was that security breaches at the Olympics are inevitable, so try to mitigate the damages by using a throw-away smartphone. Once the malware, data theft, and other digital shenanigans become active on Chinese soil, the worst that might happen is that the stand-in tech gets locked up with ransomware. All of the personal, private, financial, social networks stuff most athletes likely have embedded on their own phones stays securely on home soil and out of reach from the bad guys.
Couple that with the IOC’s demand that athletes subscribe to a healthcare tracking app, and in fact enroll weeks ahead of travel, and it starts to get messy. Athletes must download the app and report sensitive data to it, and now the FBI is implying that they do that on a phone built to be discarded. Double down on the risks, eh, unless you literally destroy the burner phone before heading home.
The healthcare app, itself, is fraught with security issues. The application is named My 2022 and it was developed in China. It traces COVID-19 information, vaccinations, and such. It also regulates movement around the Games, provides visitor services, and includes a chat channel for communications.
Researchers at the University of Toronto have already exposed numerous security flaws with My 2022, including its tracking of keywords and phrases used in the chat function. It recognizes politically adverse sentiments against the Chinese government. It pings on religious tenets, such as those held by Uyghurs, the Muslim group being persecuted in Northwest China.
From all angles, these Winter Olympics athletes and stakeholders must be on guard. The host country is expected to spy on participants. The hackers are out in full force. The tools required have vulnerabilities to expose. There’s no going back to the ancient Greek games, nor the more modern, analog attuned version. They’re part and parcel evermore.
Ed is a professor of cybersecurity, an attorney, and a trained ethicist. Reach him at edzugeresq@gmail.com.
