Olympic Officials Brace for Hackers Competition
More than one Summer Olympic Games is starting later this month in London.
The official one, which everybody knows about, is the competition among the elite athletes of the world. The other is one that U.K. officials hope nobody will notice: the competition among the elite hackers of the cyber world, with one side trying to protect the Games' vital computer systems while the other side tries to break into them and make mischief.
As U.K. officials have been saying since 2008, the country is expecting an unprecedented level of attacks during the two-plus weeks of the event.
At the July 3 National Security 2012 conference, the nation's counter-terrorism department director, Richard Clarke, said the possible disruption from cyberattacks could rise to the level of physical threats at past games.
But the good guys say they are ready. And at least some security experts with government experience agree with them.
Joel Harding, a retired military intelligence officer and information operations expert and consultant, said, "The security at the 2012 London Olympics is as tight as any Olympics -- ever."
That is the word from Atos, the lead technology company for the summer and winter Games since 2002. Patrick Adiba, Atos executive vice president for the Olympic Games and major events, told David Stringer of the Associated Press that he believes it will be virtually impossible for malicious hackers to achieve what would amount to a gold-medal attack -- putting political messages on Olympic scoreboards.
"It is very unlikely, as it all operates on a very secure network. It would be quite complicated to get into this network without being detected," he said. "It can never be 100 percent, but it is close to 100 percent."
Joel Harding agrees. "The Olympics are going to attract a ton of attention, so of course hackers are going to try to put 'Go Our Country!' on the scoreboard," he said, since this would be worth a "lulz," the hacker reward for getting into a system and causing trouble.
"The more attention a hacker can cause, the more lulz and the greater the bragging rights," he said. "But we've already heard that [hacking the scoreboard] is going to be spectacularly difficult, so I tend to doubt we'll see that."
Gary McGraw, CTO of Cigital, said he thinks the worst that could happen would be that kind of "hacktivism." And while it might be embarrassing for the Olympics and cause some celebration among the black hats, "how much damage will it really do?" he asks.
There are bigger threats, Joel Harding said. "There are a ton of other things, such as schedules, transportation systems, water, physical security, telephones -- you name it -- all automated and networked. Those would be great targets and shutting down all the water would shut down the Olympics.
"Since all this attention is on London, however, making the London Eye Ferris Wheel stop or run backwards would be a worthy goal. The London Underground is an attractive target. The entire city is in the crosshairs," he said.
The competition between the white and black hats is expected to be fierce. Atos, which will be in charge of about 11,500 computers and servers across the UK, has done more than 200,000 hours of testing, including mounting simulated attacks, according to Adiba.
Harding said he thinks Atos is taking the right approach -- more risk mitigation than risk avoidance. "They appear to be assuming that hackers are going to get into the system, so the security is oriented towards recognizing malicious behavior as soon as possible and avoiding a serious failure, a meltdown, if you will," he said.
"But, there is always someone with zero-day exploits, vulnerabilities that the computer security organizations of the world are not yet aware of, and they will use them. Really elite hackers will attempt to make exploits on the fly, as the system responds and as they recognize new vulnerabilities. These folks will probably collect some lulz, but let's hope the response time for closing those backdoors is world-class also."
Gary McGraw said a better approach is to "do security analysis at the design level. When you build a system, don't design security flaws right into it," he said. "Think about possible attackers. Do a risk analysis and see if it is designed to resist attack. When you really want to be secure, you have to build it in. It does involve some penetration testing, but it doesn't rely only on that."
Joel Harding said he thinks both sides have some advantages. "White-hat hackers are every bit as good as black-hat hackers -- sometimes they're even better," he said. "Many white-hat hackers began their career doing network security, so they understand many of the basics that bad hackers might not."
But black-hats don't worry about obeying the law. "They have access to repositories of code, which are often freely shared to save time when building new tools," Harding said. "They often have access to the latest network monitoring tools, which by their very nature, can be used offensively.
"The really bad news for the defenders is that they may well be very nearly overwhelmed with the sheer volume of attempts to penetrate their systems," Harding said. "With all that noise from inexperienced or unskilled hackers, the really good ones will operate quietly and probably not attract enough attention to stop them until it's too late. Those are the dangerous ones. They have experience, patience and skills."