


Senior Writer

Security lessons from the 2018 Pyeongchang Winter Olympics

News Analysis
Feb 16, 2018 | 5 mins
Cybercrime, Data Breach, Malware

Shiny buttons that go "ping!" considered harmful.


Technology races ahead, seducing us with shiny buttons that go “ping!” Meanwhile, security cleans up the mess–or tries to.

Sound familiar? We see this drama play out across industry and government, even the Olympics. A lack of security awareness at design phase incurs massive technical debt, sometimes with catastrophic results when the bill comes due.

As you watch the Olympian efforts of the Olympics’ security team to defend the integrity, availability, and confidentiality of the Games, consider the lessons to be learned here, and the teaching moments you can take to management.

Security is not sexy

Security is dry, boring and tedious, and attempts to make it sexy are counterproductive. Risk management is boring drudgery, a modern-day form of due diligence. Like the Olympics, enterprises should think carefully about what risks they can tolerate and which risks are unacceptable under any circumstances.

“The questions that apply to the risk profiles in the Olympics apply to organizations and enterprises more broadly,” Betsy Cooper, executive director of the Center for Long-Term Cybersecurity at UC Berkeley and lead author of a Report on the Cybersecurity of Olympic Sports, says. “You need to evaluate the short-term, medium-term, and long-term risk, and ask, how willing are you to tolerate that risk? Then invest limited security resources to deal with risks you are least likely to tolerate,” she adds.

Nail the basics, like taking inventory of all the hardware and software you’re running, upgrading software whenever possible, and patching in a timely manner. Look at any major breach in the news, and odds are the attackers are using 0ldays.

“We’ve got the whole 80/20 rule in security,” Andrew Hoog, founder of mobile application security company NowSecure, says. “If people simply did the blocking and tackling, if you really focus on the top two or three things, the impact you’ll have is dramatic and the costs are fairly low. The problem is that it’s not sexy, it doesn’t impress people.”

The Olympics might, at first glance, seem to have a unique threat model, as the world’s number one global sporting event. Yet even the Olympics suffer from “shiny buttons that go ‘ping!’” syndrome.

Shiny buttons that go “ping!” considered harmful

The Olympics are moving away from analog scorekeeping, Cooper’s research points out, creating new ways for motivated nation-states to cheat. Countries have been cheating at the Olympics for almost as long as there have been Olympics (1976 East German swim team, anyone?). It’s fair to infer that a nation-state actor that thinks they can cheat and get away with it will almost certainly try, eventually.

“There’s a disconnect between those organizing sporting events and those focused on the security aspects,” Cooper says. “For example, in Tokyo they are planning to pilot a new gymnastics scoring system, using a computer to give scores for certain events. That may provide tremendous benefits but also has security risks.”

The same holds true in the enterprise space, Cooper points out, for product people rushing “shiny buttons and lights” to market with little thought to the security consequences. In a networked world, those consequences affect every aspect of our lives–economically, politically, personally–and the resulting security debt we are accumulating puts us on the road to bankruptcy.

Security debt is the new technical debt

Incurring technical debt when launching a startup is commonplace. Move fast and break things, and when you can afford to fix things, do it later. Far too often later means never, and when that technical debt comes with security issues, catastrophic failure modes threaten security bankruptcy.

“If I stick my head in the sand and ignore these problems, they don’t go away. They get non-linearly more expensive over time,” Hoog says. “Inevitably you suffer the brand risk, the regulatory risk, and the financial risk that comes along with security flaws. Just like technical debt, security debt gets heavier until the house falls down,” he adds.

That’s for the average enterprise, most of which don’t have every major nation-state actor probing their infrastructure. As events of the last week have proven, the Olympic Games have nation-state adversaries willing and able to interfere with the fair and smooth running of the world’s premier sporting event.

The good news is that the Olympic Destroyer malware incident that disrupted the opening ceremonies caused little harm. The benefits of going digital for the Olympics are substantial. Cooper cites online ticketing as an example where the benefits clearly outweigh the risks.

For now, cybersecurity threats do not threaten human life or the integrity of the Games. “We’ve not reached the position where something is so seriously insecure that we should drop it altogether,” Cooper says.

That could change. The Olympics have long suffered from global brinksmanship that violates the peaceful intent of the Games. The tit-for-tat boycotts of the 1980 and 1984 Summer Olympics come to mind. Take that brinksmanship into the cyber domain, and things could get messy fast.

“We’re working with a large critical infrastructure sector firm in Japan, preparing for the 2020 Summer Olympics,” David London, a senior director at the Chertoff Group, says. “The organizations we’re seeing in the Asia Pacific region are bracing for potential risk exposure that comes along with the 2020 Games.”

Let’s all hope we can pay down our security debt before then.


J.M. Porup got his start in security working as a Linux sysadmin in 2002. Since then he's covered national security and information security for a variety of publications, and now calls CSO Online home. He previously reported from Colombia for four years, where he wrote travel guidebooks to Latin America, and speaks Spanish fluently with a hilarious gringo-Colombian accent. He holds a Masters degree in Information and Cybersecurity (MICS) from UC Berkeley.
