Sporting events are only meaningful if we trust the results. But as digital devices proliferate, so will the risks of cybersecurity failures.
Imagine if, at next month’s 2018 PyeongChang Winter Olympics, the women’s figure skating competition were to be halted mid-event. Several coaches file a protest alleging that the International Skating Union Scoring System, the computer-based system that captures and calculates judges’ scores, is found to be reporting false scores. A cybersecurity firm is called in, and soon uncovers the organizers’ worst nightmare: the system has been hacked — and the scores are being manipulated in real time. Would the event be re-competed on a later date, or re-scored by humans using the television feed?
This may sound like fiction, but it is not far off. Security firm McAfee recently reported that hackers are targeting organizations affiliated with the Winter Olympics, including hockey teams and infrastructure providers. With the increased digitization of major sporting events, the risks are only increasing.
Many events at the upcoming Winter Olympics will rely on digital technology as part of competition. Speed skaters start their race at the sound of an electronic smart pistol, wear transponders around their ankles for accurate lap-timing, and have their photo-finishes captured at 10,000 frames per second. Bobsledding teams use wireless sensors to measure speed and angular velocity instantaneously during races, and alpine skiers push off for their runs through a Snowgate, which officially records their start time when the gate reaches a precise angle.
This turn toward technology in sports is not surprising given the many potential benefits of digital scoring systems, which can detect outcomes more accurately, and give officials flexibility to focus on other aspects of the event. But the risks are also significant. Hackers have already tried to use major sporting events to their advantage. Last year, it was revealed that attackers tried to hold NFL player data for ransom. Olympic athletes already know this story all too well; in 2016, Russian hackers released sensitive health care data on many of the top Rio Olympics stars.
Our research suggests that, at the same time the push for digitization is increasing, cyber-attacks have the potential not just to reveal sensitive data, but to threaten the integrity of sporting event results themselves. Gamblers are among those who could benefit from sports-result manipulation, as are nations that draw pride from their teams’ victories. Moreover, because sporting events have so many possible attack surfaces, any incident will breed deep uncertainty.
The concern is ripe precisely because so many Olympic sports are integrating digital systems into scoring. For example, international gymnastics officials have reported that they plan to pilot 3-D laser software as a scoring aid at the 2020 Tokyo Olympics. Meanwhile, both track and field and swimming use digital systems to determine false starts and identify who finishes first; and major tennis matches commonly use the Hawk-Eye system, which allows players to challenge whether a ball is in or out of the tennis court. Importantly, Hawk-Eye is the ultimate arbiter for any player challenging a line call; if the human official and Hawk-Eye disagree, Hawk-Eye’s decision is considered final. (While not yet incorporated into the Olympics, Hawk-Eye’s technology is already being used in professional hockey.)
As digitization of scoring increases, so will the risks. What can be done? One lesson is the need to balance opportunity and risk. The decision to adopt a new technology, especially when the stakes are as high as they are at the Olympic Games, should always be made with potential cybersecurity risks taken into account.
When it is appropriate for a sport to adopt a new technology, some of the most important steps are simple. For instance, over the course of this project, we were able to read sensitive information at three different professional sporting venues using nothing more than a low-end digital camera to zoom in on a computer screen. We also watched officials type passwords into digital systems while spectators were already in the stands, making it easy for a careful observer to gain access.
Duplication is another key principle: Every digital device used at an event needs to have a backup in case of failure, and humans should provide oversight to verify that any digital technology used in competition is producing the correct result. Stopwatches should be used as backup for electronic timers, automated photo finish results should be reviewed by a human, and the raw data fed into Hawk-Eye and similar systems should be continuously validated for accuracy. While this may seem like unnecessary duplication — in the vast majority of cases, the digital equipment will be accurate — it will only take one serious cybersecurity failure to call the integrity of a sporting event into question.
We are lucky that we have yet to see (or at least recognize) a hack affecting the outcome of a major sporting event. Such events are only meaningful if we have trust in the results. A hacked Olympic Games would be a huge loss for everyone.