In his office on one of the upper floors of the headquarters of the Paris Olympic organizing committee, Franz Regul has no doubts about what is coming.
“We will be attacked,” said Regul, who leads the team responsible for protecting against cyber threats against this year's Summer Games in Paris.
Companies and governments around the world now have teams like Regul's operating in spartan rooms equipped with banks of computer servers and screens with indicator lights that warn of incoming hacking attacks. In the Paris operations center there is even a red light to alert staff of the most serious danger.
So far, Regul said, there have been no serious disruptions. But as the months until the Olympics turn into weeks and then days and hours, he knows the number of hacking attempts and the level of risk will increase exponentially. However, unlike companies and governments, which plan for the possibility of an attack, Regul said he knew exactly when to expect the worst.
“There are not many organizations that can say they will be attacked in July and August,” he said.
Concerns about security at major events like the Olympics have generally focused on physical threats, such as terrorist attacks. But as technology plays an increasingly important role in the development of the Games, Olympic organizers increasingly see cyber attacks as a more constant danger.
The threats are multiple. Experts say hacking groups and countries such as Russia, China, North Korea and Iran now have sophisticated operations capable of disabling not only computer networks and Wi-Fi but also digital ticketing systems, credential scanners and even event timing systems.
Fears about hacking attacks are not just hypothetical. At the Pyeongchang 2018 Winter Olympics in South Korea, a successful attack nearly derailed the Games before they could begin.
That cyberattack began on a frigid night as fans arrived for the opening ceremony. The signs that something was wrong came all at once. The Wi-Fi network, an essential tool for transmitting photographs and news coverage, suddenly went down. At the same time, the official Olympic Games smartphone app, which contained fan tickets and essential transportation information, stopped working, preventing some fans from entering the stadium. Broadcast drones were grounded and Internet-connected televisions meant to show footage of the ceremony at all venues went blank.
But the ceremony went ahead, as did the Games. Dozens of cybersecurity officials worked through the night to repel the attack and fix the flaws, and the next morning there was little sign that a catastrophe had been averted when the first events began.
Since then, the threat to the Olympic Games has only grown. The cybersecurity team at the last Summer Games, in Tokyo in 2021, reported that faced 450 million attempted “security events.” Paris expects to face between eight and 12 times that number, Regul said.
Perhaps to demonstrate the magnitude of the threat, Paris 2024 cybersecurity officials freely use military terminology. They describe “war games” intended to test specialists and systems, and refer to feedback from “Korean veterans” who have been integrated into their evolving defenses.
Experts say a variety of actors are behind most cyberattacks, including criminals trying to hold onto data in exchange for a lucrative ransom and protesters who want to highlight a specific cause. But most experts agree that only nation states have the capacity to carry out the largest attacks.
The 2018 attack in Pyeongchang was initially blamed on North Korea, South Korea's antagonistic neighbor. But experts, including agencies in the United States and Britain, later concluded that the real culprit (now widely accepted to be Russia) deliberately used techniques designed to shift blame.
This year, Russia is once again the focus of attention.
Team Russia has been banned from the Olympics following the country's invasion of Ukraine in 2022, although a small group of Russians will be allowed to compete as neutral athletes. France's relationship with Russia has deteriorated so much that President Emmanuel Macron recently accused Moscow of trying to undermine the Olympic Games through a disinformation campaign.
The International Olympic Committee has also flagged attempts by Russian groups to damage the Games. In November, the IOC issued an unusual statement saying it had been the target of defamatory “fake news publications” after a documentary featuring an ai-generated voiceover purporting to be actor Tom Cruise appeared on YouTube.
Later, a separate post on Telegram (the encrypted content and messaging platform) imitated a fake news broadcast by the French network Canal Plus and conveyed false information that the IOC was planning to exclude Israeli and Palestinian teams from the Paris Olympics. .
Earlier this year, Russian pranksters, posing as a senior African official, managed to speak on the phone to Thomas Bach, the president of the IOC. The call was recorded and published earlier this month. Russia took advantage of Mr. Bach's statements accuse Olympic officials of engaging in a “conspiracy” to keep their team out of the Games.
In 2019, according to Microsoft, Russian state hackers attacked the computer networks of at least 16 national and international sports and anti-doping organizations, including the World Anti-Doping Agency, which at the time was about to announce punishments against Russia related to its status. endorsed doping program.
Three years earlier, Russia had attacked anti-doping officials at the Rio de Janeiro Summer Olympics. According indictments of several Russian military intelligence officers brought by the United States Department of JusticeThe agents in that incident spoofed hotel Wi-Fi networks used by anti-doping officials in Brazil to successfully penetrate their organization's email networks and databases.
Ciaran Martin, who was the first chief executive of Britain's national cybersecurity centre, said Russia's past behavior made it “the most obvious disruptive threat” at the Paris Games. He said areas that could be attacked included event programming, public broadcasts and ticketing systems.
“Imagine if all the athletes arrived on time, but the system that scans iPhones at the gate doesn't work,” said Mr. Martin, who is now professor at the Blavatnik School of Government at the University of Oxford.
“Will they go ahead with the stadium half empty or will we be delayed?” he added. “Even being in that position where you have to delay it or having world-class athletes in the biggest event of their lives performing in front of a half-empty stadium, that is absolutely a failure..”
Regul, Paris's cybersecurity chief, declined to speculate on any specific nation that might be targeting this summer's Games. But he said organizers were preparing to counter country-specific methods that pose a “strong cyber threat.”
This year, Paris organizers have been holding what they called “war games” alongside the IOC and partners like Atos, the Games' official technology partner, to prepare for attacks. In those exercises, so-called ethical hackers are hired to attack the systems used for the Games, and “bug bounties” are offered to those who discover vulnerabilities.
Previously, hackers have targeted sports organizations with malicious emails, fictitious characters, stolen passwords and malware. Since last year, new employees at the Paris organizing committee have been trained to spot phishing scams.
“Not everyone is good,” Regul said.
In at least one case, a Games staff member paid an invoice to an account after receiving an email posing as another committee official. Cybersecurity staff members also discovered an email account attempting to impersonate the one assigned to Paris 2024 boss Tony Estanguet.
Millions more attempts are coming. Cyberattacks have typically been “weapons of mass irritation rather than weapons of mass destruction,” said Martin, a former British cybersecurity official.
“At worst,” he said, “they have been weapons of mass disruption.”
