In his office on one of the upper floors of the headquarters of the Paris Olympic organizing committee, Franz Regoul has no doubt about what is coming.
“We will be attacked,” said Mr Regoul, who heads the team responsible for preventing cyber threats against this year’s Summer Games in Paris.
Companies and governments around the world now have teams like Mr. Regul’s that operate in spartan rooms equipped with banks of computer servers and displays with telltale lights that warn of incoming hacking attacks. In the Paris operations center, there is even a red light to alert staff of the most serious danger.
So far, Mr. Regul said, there have been no major disruptions. But as the months leading up to the Olympics dwindle into weeks, then days and hours, he knows the number of hacking attempts and the level of risk will grow exponentially. Unlike companies and governments, however, who plan for the possibility of an attack, Mr Regule said he knew exactly when to expect the worst.
“Not many organizations can tell you they’re going to be attacked in July and August,” he said.
Security concerns at major events such as the Olympics have typically focused on physical threats such as terrorist attacks. But as technology plays an increasing role in running the Games, Olympic organizers increasingly see cyberattacks as a more constant threat.
The threats are multiple. Experts say hacking groups and countries such as Russia, China, North Korea and Iran now have sophisticated capabilities capable of disabling not only computer networks and Wi-Fi, but also digital ticketing systems, credential scanners, even the timing systems for events.
Fears of hacking attacks are not just hypothetical. At the 2018 PyeongChang Winter Olympics in South Korea, a successful attack nearly derailed the Games before they began.
This cyberattack began on a freezing night as fans arrived for the opening ceremony. The signs that something was wrong came immediately. The Wi-Fi network, an essential tool for transmitting photos and news, was suddenly interrupted. At the same time, the official Olympics smartphone app – the one that contained fan tickets and basic transport information – stopped working, preventing some fans from entering the stadium. Broadcasting drones ground to a halt and Internet-connected televisions meant to show images of the ceremony throughout the venue went blank.
But the ceremony went ahead, as did the Games. Dozens of cybersecurity officials worked through the night to fend off the attack and fix the glitches, and by the next morning there was little sign that a disaster had been averted when the first events unfolded.
Since then, the threat to the Olympics has grown. The cyber security team at the last Summer Games, in Tokyo in 2021, reported experiencing 450 million attempted “security events”. Paris expects to face eight to 12 times that number, Mr. Regoul said.
Perhaps to demonstrate the magnitude of the threat, Paris 2024 cybersecurity officials freely use military jargon. They describe “war games” intended to test specialists and systems and refer to feedback from “Korean veterans” who have been integrated into their evolving defenses.
Experts say a variety of actors are behind most cyberattacks, including criminals trying to keep data in exchange for a lucrative ransom and protesters looking to highlight a particular cause. But most experts agree that only nation states have the ability to carry out the largest attacks.
The 2018 attack in Pyeongchang was initially blamed on North Korea, South Korea’s rival neighbor. But experts, including agencies in the US and Britain, later concluded that the real culprit – now widely accepted to be Russia – deliberately used techniques designed to shift the blame.
This year, Russia is once again in the spotlight.
Team Russia has been banned from the Olympics following the country’s invasion of Ukraine in 2022, although a small group of individual Russians will be allowed to compete as neutral athletes. France’s relationship with Russia has deteriorated so much that President Emmanuel Macron recently accused Moscow of trying to undermine the Olympics through a disinformation campaign.
The International Olympic Committee also pointed the finger at attempts by Russian groups to damage the Games. In November, the IOC issued an unusual statement saying it had been targeted by defamatory “fake news” after a documentary featuring an AI-generated voice purporting to be actor Tom Cruise surfaced on YouTube.
Later, a separate post on Telegram – the encrypted messaging and content exchange platform – mimicked a fake news story broadcast by French network Canal Plus and falsely reported that the IOC was planning to ban Israeli and Palestinian teams from the Paris Olympics .
Earlier this year, Russian pranksters – impersonating a senior African official – managed to call Thomas Bach, the IOC president. The call was recorded and released earlier this month. Russia seized on Mr Bach’s remarks to accuse Olympic officials of engaging in a “conspiracy” to keep its team out of the Games.
In 2019, according to Microsoft, Russian state hackers attacked the computer networks of at least 16 national and international sports and anti-doping organizations, including the World Anti-Doping Agency, which at the time was poised to announce state-related sanctions against Russia her. supported doping program.
Three years earlier, Russia targeted anti-doping officials at the Rio de Janeiro Summer Olympics. According to indictments of several Russian military intelligence officers filed by the United States Department of Justice, the perpetrators in this incident spoofed hotel Wi-Fi networks used by anti-doping officials in Brazil to successfully infiltrate email networks and databases data of their organization.
Ciaran Martin, who served as the first chief executive of Britain’s national cyber security centre, said Russia’s past behavior made it “the most obvious threat of disruption” at the Paris Games. He said areas likely to be targeted include event planning, public broadcasting and ticketing systems.
“Imagine all the athletes are there on time, but the system that scans the iPhones at the gate is down,” said Mr Martin, who is now a professor at the Blavatnik School of Government at Oxford University.
“Are you going with a half-empty stadium or are we late?” he added. “Even to be put in that position where you either have to delay it or have world-class athletes in the biggest event of their lives playing in front of a half-empty stadium — that’s an absolute failure.”
Mr Regul, Paris’s cyber security chief, declined to speculate on any specific nation that could be targeted at this summer’s Games. But he said organizers were preparing to tackle country-specific methods that represent a “strong cyber threat”.
This year, Paris organizers are running what they called “war games” in collaboration with the IOC and partners such as Atos, the Games’ official technology partner, to prepare for attacks. In these exercises, so-called ethical hackers are hired to attack systems in place for the Games, and “bug donations” are offered to those who discover vulnerabilities.
Hackers have previously targeted sports organizations with malicious emails, fake faces, stolen passwords and malware. Since last year, new recruits to the Paris organizing committee have been trained to spot phishing scams.
“They are not all good,” said Mr. Regule.
In at least one instance, a Games staff member paid an invoice to an account after receiving an email impersonating another committee official. Members of cyber security staff also discovered an email account that had tried to impersonate the one assigned to Paris 2024 chief Tony Estanguet.
Millions more attempts to come. Cyber attacks have typically been “weapons of mass provocation rather than weapons of mass destruction”, said Mr Martin, a former British cyber security official.
“At worst,” he said, “they were weapons of mass disruption.”