Protecting the 2018 Gold Coast Commonwealth Games from Cyber-Attacks

By Tim Murphy, Country Manager, Arbor Networks

The organisers of the April 2018 Gold Coast Commonwealth Games face a huge task in protecting the high-profile sports event from cyber-attacks.

The Games are expected to draw a TV audience of over a billion people, with millions more watching events live in HD from every venue through an app. Sharing videos of favourite events and tracking friends from mobile phones will be an essential part of the fan experience. With 1.1 million ticket sales and 84 million web-page views, the sheer scale of the event will make it a popular target for hackers and cyber criminals.

Cyber-Attacks Targeting Sporting Events

Major sporting events are a prime target for cybercrime due to their worldwide attention and visibility. In Brazil during the summer of 2016, for example, there was a sustained 500Gbps DDoS attack targeting Brazilian networks. Probing and test attacks started months before the international sporting event, and once it started, the real attacks did not cease until the event was over. In 2008, Beijing was subject to around 12 million online attacks per day, and in 2012 London faced a total of 156 million security-related events, six of which were major cyber-attacks.

Attacks have also been seen in recent years on Formula One, Wimbledon, the English Premier League, NASCAR and the Euro Soccer Championships. The problem is not getting better; in fact, it is getting much worse. Fortunately, the attacks on most of these sporting events were halted by having the right security processes and technology in place, including practising worst-case scenarios.

Protecting the Gold Coast Commonwealth Games

At the 2018 Gold Coast Commonwealth Games, literally thousands of journalists will be sharing video and photos with global media, 6600 athletes and officials will be attending, and millions of people will be watching the sporting events on numerous devices. All of these people will require secure network connections and 24/7 availability. Being responsible for the event’s network and infrastructure security is no small feat.

Full-scale activities will build up from March and into April, when the IT fleet will grow from 350 desktops to 1650, and website traffic will ramp up to an estimated one million visitors per day. It’s therefore essential in the lead-up to the Games that the organisers monitor threat intelligence from a large variety of sources, analyse Games systems and infrastructure for vulnerabilities, and check for the presence of malware in their largely Microsoft-based IT environment.

The Games Technology Department incorporates the following areas, all of which are at risk from cybercriminals:

  1. Games Management Systems
  2. Technology Infrastructure Services
  3. Technology Results Services
  4. Technology Communications Services
  5. Technology Planning and Delivery
  6. Venue Technology Services

While cyber-attacks targeting sports events, organisations and athletes are not a new phenomenon, hacker motivations are extremely varied and can unfortunately be just about anything: notoriety, financial gain, competitive advantage or protest.

The Number One Target for Hackers

However, data is the number one target for hackers, and it has now become the secret opposition in modern sports. On the field, technology like wearables is used to harvest game and athlete data, from analysing how fast a serve is to showing how far a soccer player has run in a game. If hackers were to get their hands on this valuable data, they could use it to win big at the bookies.

For rival teams, data can show where weaknesses lie and help them to win games – which could be the difference between winning a gold medal at the Games and finishing last.

It’s clear that any country’s team data or any individual athlete’s data could be a target for extortion or fraud, in addition to sports betting and helping rival teams gain an edge over competitors. However, it’s not all about the high-profile athletes competing: the fans in the stadium are also a key target for cybercriminals.

Protecting Against Disruption

The Games will also have the challenge of protecting against cybercriminals who just want to disrupt, and against the attacker who aims to cripple the event management system that is at the heart of the IT environment. Such an attack can cause major headaches for the results systems, communications services and ticket sales. The motivation behind these disruptors is to embarrass the organisers or raise the profile of their own political agenda.

Encryption, key management and two-factor authentication are just some of the measures that can mitigate the risk of an attack. Any app developed for a team or event should use TLS encryption and follow secure coding practices at the very least.

Critical infrastructure for the Games must be considered a target, especially the electrical and water supplies. Any disruption to the power and lighting would seriously harm the success of the event and would cause significant reputational damage to the organisers and Australia as a nation.

Never has it been more vital to get the basics right when it comes to cyber security in the sports industry. The cyber threat landscape is changing and evolving, and it’s not a matter of if, but when an attack will occur.