Olympic Games Cybersecurity Report (English edition).pdf

The Cybersecurity of Olympic Sports: New Opportunities, New Risks
Betsy Cooper with Katie Chen, Zoe Feist, and Chuck Kapelke
CLTC Occasional White Paper Series, Center for Long-Term Cybersecurity

Executive Summary

As major sporting events become increasingly digitized, sports officials are increasingly concerned about cybersecurity. From scoring and judging systems to retail transactions and the home viewer experience, many aspects of major sporting events are incorporating new forms of internet connectivity. Along with such new technology comes great opportunity but also great risk.

This report is the first to systematically review the cybersecurity risks posed by digital technologies that are being incorporated into major sporting events. Using the Olympic Games as a case study, it lays out a framework for evaluating potential risks posed by digital technologies in sports, and highlights new possible threats that will arise as these technologies are deployed.

Overall, the paper points to three key findings:

Digital technologies pose an increasingly diverse set of threats to Olympic events, and the newer forms of threat are likely to have more serious consequences. While most hacks today focus on sports stadium IT systems and ticket operations, future risks will include hacks that cut to the integrity of the sporting event results, as well as to core stadium operations.

This study identifies eight key areas of risk for future sporting events:
• Stadium system hacks
• Scoring system hacks
• Photo and video replay hacks
• Athlete care hacks
• Entry manipulation
• Transportation hacks
• Hacks to facilitate terrorism or kidnapping
• Panic-inducing hacks

Hacks affecting the integrity of sports are of special concern because they can be extremely difficult to identify. Especially in sports where referees make many small decisions that affect the result, it is very difficult to detect when a digital system has been compromised.

Sporting officials considering whether to introduce a new technology into a major sporting event should weigh the cybersecurity risks posed by such technologies against the opportunities for the broader sporting event they provide. Especially as vendors push out shiny and new digital devices and market them to sports officials, it will be tempting to increasingly digitize major sporting events. Even so, analog devices can often do the same job, and in a more secure way. Organizers should press to ensure that there are tangible benefits to incorporating digital devices, and that significant risks can be mitigated, before going forward.

Introduction

Imagine if, at the 2028 Olympics, the gymnastics all-around final were to be halted mid-event. Several countries file a protest alleging that a new electronic scoring system, using artificial intelligence to gauge the heights of athletes' leaps and the number of completed flips, is systematically misjudging their athletes. A cybersecurity firm is called in, and soon uncovers the organizers' worst nightmare: the system was hacked, and the scores were rigged. Would the event be re-competed on a later date, or re-scored by humans using the television feed?

Even in the pre-digitization era, the integrity of major sporting events has come into question. In the 2000 Sydney Olympics gymnastics final, the height of the vaulting horse was improperly set, leading athletes across several rotations to make mistakes before an Australian athlete noticed the incorrect setting. While the affected athletes were allowed to repeat their routine at the end of the meet, several key competitors, including pre-meet favorite, Svetlana Khorkina, had already made additional errors, believing their hopes of winning were over.[1] But the digitization of major sporting events poses new vectors of opportunity, and risk.

On the one hand, there is an increasing supply of opportunities for digital manipulation as sports incorporate new technologies designed to improve athlete training, accessorize the fan experience, and even help officials decide the results. All of these technologies provide tremendous new opportunities to improve how sports are performed and experienced, but they also provide new vectors of attack. Because so many of these systems will be connected to the internet in the future, malicious actors may not need physical access; they can try to disrupt the event from the comfort of their own home.

On the other hand, the temptation to manipulate major sporting events may only be increasing. Such events are increasingly popular and increasingly profitable,[2] and along with that profitability comes an increase in monetary investment in the surrounding industry. From innovative on-site retailers to new at-home fan experiences, the ways in which the public can engage with sports through technology is ever expanding. Sports gambling in particular poses a threat, because with the growth in “proposition betting” on moment-to-moment events,[3] gamblers can profit without the (more heavily scrutinized) final result necessarily being affected.

Together, these supply and demand vectors present a tremendous landscape for risk. Consider the sport of tennis. In matches where the technology is present, the Hawk-Eye system (which judges whether a ball is in or out of the tennis court) is the ultimate arbiter for any player challenging a line call. Imagine if that system were to be hacked, such that every fifth Hawk-Eye review favored a particular player. Who would catch the difference? Could a clever gambler benefit from the ultimate result? And how could we know whether this type of corruption is already happening? (Any amateur tennis viewer has certainly watched calls that looked to the naked eye to go one way, yet Hawk-Eye called another.)

This paper is meant to tee up important questions about the cybersecurity of sports,[4] using as its frame the Olympics movement, and particularly a Summer Olympics Games set to take place roughly 10-15 years into the future. How will sports be different? What new technologies may exist? And how do they provide both the opportunity to change the way we perceive the role of major sporting events, and the risks that come with technological change?

The white paper begins with a risk framework (Failure Mode and Effects Analysis) to evaluate the seriousness of attacks on major sporting events. It then reviews historical evidence on hacking of major sporting events such as the Olympics, categorizing them according to the framework. Finally, focusing on the Olympics, and particularly on four summer sports (gymnastics, rowing, swimming, and track and field), the paper reviews a variety of potential future risks. The paper concludes with recommendations and next steps.[5]

A Risk Framework for the Cybersecurity of Sports

It is axiomatic that not all cyberattacks are created equal. Yet when it comes to major sporting events, there has been no coherent effort to categorize the risks that are particular to these types of events, and/or to enable officials to prioritize among the various types of attacks. Here, we make a first effort to outline such a framework.

For this analysis, we borrow the technique of Failure Mode and Effects Analysis (FMEA), a process generally used to evaluate the ways in which a product can fail and how serious the consequences will be. FMEA has three dimensions: (1) Severity, or how serious the negative outcome could be; (2) Occurrence, or how likely or frequent the negative outcome could be; and (3) Detectability, or how likely it is that the negative outcome will go undetected.[6] While not normally used to evaluate cybersecurity risks, the framework provides a useful method to weigh dissimilar cyber events against each other. In what follows, we lay out a theoretical framework for how to measure risks in major sporting events.

Severity: We can roughly categorize attacks based on the degree to which a given incident is likely to impede the event from successfully occurring. Most serious would be physical harm caused to the athletes or spectators; in such a case, the event would be overshadowed and likely cancelled as a result of these more serious harms. Disruption to the venue of a major sporting event would also be quite serious, and could prevent the event from occurring altogether. Attacks on the integrity of the sporting event would also be serious; though physical effects are less likely, interference with the outcome could result in a decreased sense of trust that would have lasting impacts on the sport. All three of the previous categories would of course have financial effects; a lesser category of harm would involve purely financial effects that do not otherwise interfere with game or stadium play. Last is reputational loss. Even absent financial or other disruption, cyberattacks can nevertheless sow doubts about the reputation of the sponsoring organization (and its ability to handle disruptions). Note that these effects are roughly additive; an incident that disrupts a sports venue is also likely to have an impact on the integrity of the event, as well as its finances and reputation.

Occurrence: The second dimension is occurrence, or the likelihood of a disruption. Again, this varies widely depending on the specifics, but roughly aligns with the number of touch points, or independent spaces on the attack surface, which the attacker can manipulate to affect the sporting event. All else equal, the fewer touch points upon which an attacker can execute an attack, the less likely such an attack is to occur. Least likely are terrorist attacks intended to cause physical harm, because physical attacks using cyber tools are relatively difficult to execute. Wholesale event disruption is also relatively unlikely because of the difficulty in avoiding backup systems. Somewhat more likely is event result disruption, especially because many different components of the event can be affected, such as individual judge scores or official calls. Even more likely is financial harm, because there are so many financial touch points over the course of a major sporting event. Finally, most likely are risks to reputational harm, because they touch every aspect of a major sporting event; any negative effect of a cyberattack can hurt the reputation of the event.

As we reviewed the data in this study, it became clear that, at least in the Olympic sports we considered here, severity and occurrence are closely correlated. The more likely an event is to cause significant harm, the less likely it is to occur. The converse is also true: events less likely to cause significant harm are more likely to occur. While there may be events that are both highly likely and can cause significant harm, we did not uncover any such examples in the course of this study. (There are of course also events that are not likely to cause harm and that are unlikely to occur, but these are not particularly interesting.)

One key reason for the severity-occurrence correlation is that the vulnerability of major sporting events is already understood, and as a result, there are already security protocols in place to try to prevent such harms. Long before the advent of digital technologies, it was recognized that sports events posed significant risks: large crowds, high-impact outcomes, and great public interest all play a role in making such events difficult to secure. As a result, sporting facilities developed infrastructure, such as screening systems, physical barriers, and the like, to prevent the most catastrophic outcomes. Because the same outcomes are at play here (all of the five categories of harm above, from physical to reputational harm, could occur without any digital technology whatsoever), there are already infrastructures in place to prevent them. This makes serious attacks less likely. (A good analogy is the risk of flying in an airplane. While there are some risks, such as injury from turbulence, that are relatively common, we have reduced the likelihood of catastrophic loss to the point that it approaches close to zero.)

Because severity and occurrence are correlated, we combine them into an additional concept commonly used in risk frameworks: tolerability, or the willingness of event officials to tolerate the risk of a negative outcome occurring.[7] All else equal, more frequent but less harmful events are more tolerable cybersecurity risks, while the most serious physical harm events are less tolerable.

Detectability: The wild card in this FMEA framework is the third category: detectability. An undetectable cyberattack can cause continued harm, exacerbating the baseline effects. Less detectable events can also recur (for instance, a vulnerability that is repeatedly exploited), leading to multiple undesired incidents. Not every undetectable event will be disconcerting; there may be small undetected perturbations that cause limited harm. But because less detectable events are by definition less well known, they can exacerbate damages where some are already set to occur. Another way of putting this is that a lack of detectability can affect how we perceive the severity and occurrence of a cyberattack. An event that is low in detectability may appear to be less frequent or less severe in effects than it actually is. Thus, we need to tread cautiously when evaluating the tolerability of particular harms, to ensure that low detectability is not leading us to underestimate their effects.

This is admittedly a rough framework because outcomes vary so widely: a minor event disruption could be less severe than a major financial attack; a certain type of event vulnerability could be more common than expected; and a lack of detectability can change all of the above. Nevertheless, this rough framework does provide a useful way to evaluate which among the many cybersecurity attacks security officials at major sporting events should prioritize. In general, the less tolerable attacks should be prioritized, because the effects they can cause may be greater. Moreover, given that such attacks are less frequent, it will be easier to combat them than to try to account for the many touch points for less severe attacks.

In the remainder of this paper, we evaluate cybersecurity attacks on Olympic events according to this framework
