Authorities are preparing for possible physical attacks, plus a multitude of informational attacks – the latter carried out for financial gain or just to tarnish France’s image.
BY:
Eric De Grasse
Chief Technology Officer
A member of the Luminative Media/Project Counsel Media team
8 May 2024 (Paris, France) — It is unfortunate, but true: we live in a world where some people will commit mass murder to make a point, and the knowledge and means to do so have never been more ubiquitous. However, the knowledge of how to stop them and the will to do so is also robust.
Enter the 2024 Summer Olympics in Paris, France.
In 1972, members of the Palestine Liberation Organization (PLO) kidnapped and held hostage the Israeli athletes at the games in Munich, ultimately leading to a gun battle that left nine Israeli athletes, one German police officer, and five of the kidnappers dead.
Then at the 1996 Olympic Games in Atlanta, a lone actor built a pipe bomb and planted it at Centennial Olympic Park where the city held Olympic-related festivities. The bomb killed one person and injured more than 100. The bomber was not captured until years later.
The Olympics always cause a heightened security posture, and this year will be especially acute. Two separate major regional conflicts present extra danger to Paris and the Olympics.
It’s been 54 years since the Munich attacks, but another Palestinian group – Hamas – attacked Israel in October 2023, igniting the ongoing Israel-Hamas war in Gaza. Hamas has ties to Iran, which has ties to a variety of radical, terror-embracing groups.
Israel faces increased criticism for inhumane conduct as part of its war with Hamas, and while the conflict has sparked skirmishes elsewhere, a broader conflict in the region that was feared has not yet materialized.
But actors such as Yemen’s Houthi rebels, who are disrupting shipping in the Red Sea to protest Israel’s actions, show that other groups are willing to take action and could prove difficult to combat.
Combine that with a spate of knife attacks in France over the last couple of years, many of them motivated by radicalized Islamist beliefs, and security officials have plenty of concerns when it comes to securing an event expected to draw 15 million visitors.
The other conflict that could present danger to the games is the war between Russia and Ukraine after Russia invaded its neighbor in 2022. Like many Western nations, France has supported Ukraine in a variety of ways throughout the war. Russia could have additional motivation to disrupt the games because the International Olympic Committee ruled the country was ineligible to participate in the games because of their actions in Ukraine, though most its athletes can compete unattached to the country. (Russia’s track and field delegation is still ineligible due to state-sponsored doping programs).
Russia would not be expected to sponsor or assist an overtly terrorist action. However, Russia has extensive state-sponsored cyberattack capabilities and harbors many cybercriminal gangs who operate without the threat of official interference. In 2021, the NTT Corporation reported there were 450 million cyberattacks attempted on the Olympic Games in Tokyo. According to U.S. intelligence agencies, Russia was behind successful hacks in 2018 and 2016.
Security at the Paris games was already the subject of headlines in a negative way late last year. An engineer who worked for the city reported that his bag was taken from a storage compartment above his seat on a train. Headlines at the time reported that security plans for the Olympics may have been among the assets stolen. While the worker had notes meant for internal use on public roads and traffic, it was not deemed a security breach.
Paris officials have additional security concerns. Recent strikes and protests from farmers and from workers at the Eiffel Tower are another cause for concern. One effort to combat potential disruptions is the government planning to award bonuses to those working in certain capacities – such as transportation-related areas – through the games.
Earlier this week I was a member of a press/media contingent being briefed on the security precautions for the summer Olympic Games which kick off in Paris on July 26th.
We were reminded of the terrorist attack of January 2015 when masked gunmen charged into the Paris offices of the satirical newspaper Charlie Hebdo and opened fire, killing 12. It is what led Paris’s mayor, Anne Hidalgo, to campaign for the Olympic Games to be in Paris. She had said “the Charlie Hebdo attack left our city angry and heartbroken. We needed something that was very powerful, very peaceful, that allowed us to move forward. We needed to do something that is unifying”.
So, she threw herself into the process to win the 2024 Olympic Games for Paris.
Note to readers: “winning” the 2024 Games was actually a little nuanced because 3 of the 5 cities that had bid for the 2024 Games dropped out after angry voters (seeing huge costs and major disruptions to their city) launched referendums that voted the bids own. That left the rival proposals from Los Angeles and Paris. The International Olympic Committee (IOC), having just gone through the withdrawals by several cities for the 2022 Winter Olympics based on similar factors, feared a pattern was developing. So with a view to securing the future of the Games, they cut a backroom deal: Paris would get the 2024 Games, and Los Angles would get the 2028 Games. Formally, Los Angeles announced it would withdraw from the 2024 bid race and would be the exclusive bidder for the 2028 games. The IOC “welcomed” the double hosting decision.
And so 9 years after the Charlie Hebdo attack, the Summer Olympics are set to open in Paris in July – with France at its highest level of terrorism alert ever, especially after the attack on the Moscow concert hall last month.
Yet for the first time, the opening ceremony will not be held inside the barricaded confines of a stadium. Instead, athletes will float in boats down the Seine River through the heart of the dense, ancient city before half a million spectators packed into stands and leaning out of windows.
Although some say that makes the ceremony an obvious target, French government officials express full confidence in their safety plan. Security experts I spoke with were mixed, with a little over half saying they have faith in the preparations. Frédéric Péchenard, the former head of France’s national police, put it this way:
“Paris will need to be be bunkerized under the current plan for the opening ceremony. The French police and Army will need to spare no expense”.
And this rather bizarre idea for the opening ceremony – to produce a spectacle that was completely new – is said to be heartily approved by French President Emmanuel Macron who said in an interview last week that it would “show France under its best light, show that France can do extraordinary things”.
Even so, the security challenges are obvious and myriad.
The procession will cover 3.7 miles of the river, passing hundreds of historic buildings of different eras, shapes and sizes, including the Louvre and Eiffel Tower. There are more than 1,000 access points, uneven roofs and incongruent windows, and a labyrinth of pipes, tunnels and sewers underneath. Then there is the river, with its own swells, eddies, connections and traffic. Said Bertrand Cavallier, a former commander at France’s national military police training school:
“It will require a very long, very complex security operation that won’t eliminate all the risks”.
But to me the security nightmare is breathtaking. There are thousands or tens of thousands of windows overlooking the July 26th Opening Ceremonies, along that stretch of the Seine through central Paris, where hundreds of thousands of spectators will throng the river banks. It took just one gunman firing from two hotel windows to carry out a massacre at a Las Vegas concert in 2017 that left 60 dead and 413 wounded. So it’s worth asking: can France – scene of the past decade’s two worst terrorist attacks in Europe, including one in Paris that began at the same stadium that will host many of this year’s Olympic events – ensure a reasonable level of safety on a physical scale that has never been attempted at previous Games?
I am told “yes, France can”. Since the 2015 deadly Islamist attacks, France has become sadly accustomed to terrorist threats and to soldiers patrolling its crowded squares and train stations, their fingers resting near the triggers of machine guns. The latest one was in December, killing a tourist and injuring three others.
But Olympics organizers say the potential for terrorism was stitched into the plan for the Games from the start. Over the months of preparation, in response to security concerns, they have adjusted some of the original plans for the opening ceremony – for example, by cutting the number of spectators permitted along the river.
They also point to their experience with big events. For example, in 2016, France hosted the European soccer championships, drawing some 600,000 foreign spectators. Even very public failures, like dangerous crowd control problems at the 2022 Champions League soccer final that were blamed on mistakes by the security services, have offered important lessons, officials say. One security analyst told us that every decision that has been made since 2015 was made through the lens of security. For three years now, they know precisely day by day, site by site, almost hour by hour, the security needs for every venue.
And the broad outlines of the plan have been made public. The areas immediately bordering both sides of the river, stretching miles beyond the ceremony’s course, will be marked as a protected zone that will be closed to motorized vehicles eight days before the ceremony. The 20,000+ people who live and work there will need to apply for a QR code and be screened, and no one without a QR code will be allowed entry. During that time, the river will be closed to navigation.
Note to readers: we have two staffers who live along the Seine, along the parade route. They told me people who work and live there and their guests are being subjected to background security checks. Those affected are being cross-checked against security services’ databases, to see whether they have previously been flagged as suspected Islamist extremists or for other radicalism.
On the evening of the ceremony, the airspace over and around Paris for 93 miles will be closed, with all four nearby airports will be shuttered, including Charles de Gaulle, Europe’s third largest.
And there will be over 75 drone teams stationed across rooftops and along the river route:
ABOVE: A French policeman demonstrates an anti-drone gun during a press presentation of security systems, to be used against potential hostile drones during the Paris 2024 Olympic Games.
Plus:
• The Paris police are securing the underground sewers and tunnels. Subway stations within the perimeter will be closed, as will businesses and restaurants.
• Soldiers will check the boats that bring the athletes down the river in the parade.
• Four helicopters will monitor the sky, with officers trained in tracking and defusing drones.
• Some 45,000 police and military police officers plus 15,000 Army soldiers will flood Paris and its suburbs – about 10 times their typical presence. They will be assisted by 22,000 private security contractors.
• They are also deploying 100s of high-tech surveillance and security solutions, including AI-powered video surveillance, the barcoded checkpoints I noted above for those who live or work near the Opening Ceremony route, anti-drone systems – plus many other security measures that will not be made public.
• There will be some 100 diver bomb specialists inspecting the water.
• Some 650 officers from specialized anti-terrorist units
• Over 700 firefighters specialized in stopping nuclear and chemical attacks
• About 2,000 private security guards securing the areas holding paying spectators
• There will be over 2,500 foreign military and intelligence officers, including many from the United States, many with bomb-detecting dogs. Although one security official confided there will be “many more than 2,500 foreign officers but we just do not want to alarm the public”. No worries, if the above list doesn’t alarm them, nothing will.
In an interview on French television, Ghislain Réty, the head of one of the country’s antiterrorism units, which was formed after the terrorist attack on the 1972 Munich Olympic, said:
“There will be a gendarme or police officer every square meter. There is a huge amount of intelligence work that has been done, that will continue to be done”.
And security drills continue. Members of the various security teams ram into abandoned office buildings in the Paris suburbs using specialized armored vehicles, and then exit from the roof hanging from a helicopter.
The security for this year’s Olympics will be far, far greater than what London had during the 2012 Games – but those were quieter times. One security expert noted:
“We have never seen anything like this before. France’s security apparatus on average foils one planned attack every other month. And while there have been no specific threats against the Olympics, we are monitoring all channels”.
And the athletes and their support staff? To date, there will be 10,500 Olympic athletes and 25,000 support staff. Plus 120 heads of state have indicated that they will be present. The French government considers this a vote of confidence.
The American Diplomatic Security Service, which oversees the safety of U.S. diplomats at large international events, also expressed satisfaction with the arrangements, according to officials with the service, which sent two members to Paris two years ago to work exclusively on the Games. But the U.S. government refuses to divulge the number of security personnel being assigned to protect U.S. athletes.
To address concerns, the authorities have progressively cut the number of spectators who will be allowed to sit in stands along the river and over many of its bridges – to roughly 300,000 down from 600,000. One-third of those will pay for tickets; the rest are nonpaying spectators who must be invited by government officials or the Olympic Committee.
Recent French polls suggest that Parisians are divided over the plans for the opening ceremony, and the Olympics in general. Some are concerned, but many have grown used to living with terrorism alerts and see the Games as just another potential target. They complain more about the commuting nightmares and crowds that the Olympics will bring. But it has been reported that 1,000s have plans to leave the city for the 2+ weeks of the Olympics.
And in an admission of the potential dangers, Macron said that if there were a serious terrorist threat, the government would pull the opening ceremony off the Seine and hold it either at Trocadéro Square or in the Stade de France, the national stadium. There are full contingency plans for that eventuality.
Still, the opening ceremony will be just the first few hours of a 17-day event, followed later by the Paralympic Games – all to be secured by an army of police officers, private security guards and military.
And one major issue. The unprecedented security challenges at a globally tense time has led French officials to admit they are facing a potential shortfall of qualified private security contractors to help protect the Games. One security analyst told me French Olympic officials are over relying on the private security sector, and that sector is facing a worker shortage anyway that makes it hard to meet the French Olympic demands. Which is why the Olympics organizers have struggled to find companies through 4 rounds of contract bidding.
Plus, as one security analyst told us, the Games will take place in late July and early August, when about a third of French security contractors are traditionally on vacation. And many of the country’s certified security contractors don’t live in the Paris region, where the vast majority of competitions will be held. They may not be keen to spend weeks in the capital without their families, working long shifts in the oppressive Paris heat. And the French Olympic officials are not coming up with sufficient money (or even housing) to make it an attractive proposition.
And as for the cybersecurity concerns, that is a whole other nightmare. I had a long chat with one of our long-time cyber contacts here in Paris about those issues. But in the interest of time, here are a few clips from a recent Le Monde article and a recent Reuters France article that puts that puts all of this into perspective. I will follow up in a later post and discuss my chat with our contact, because it went far beyond just the cybersecurity as it affects the Olympics.
Last month, at the inauguration of the Olympic Aquatic Center in Saint-Denis, north of Paris, Emmanuel Macron laid it on the line:
“I have no doubt that Russia will target the Paris Olympics, including in informational terms. The event represents a major challenge in terms of IT security”.
For several weeks, the millions of people expected to attend – athletes, spectators, journalists, officials – will be depending not only on Paris 2024’s technical infrastructure, but also on a multitude of services (transport, health care, etc.) whose smooth operation will be crucial.
In 2018, during the Winter Games in Pyeongchang, South Korea, a worm – a piece of malware designed to infect large computer networks – disrupted the opening ceremony, rendering some systems inaccessible.
The U.S. Department of Justice subsequently named the perpetrators: “Sandworm,” the nickname given to Russian military intelligence unit (GRU) 74455, known for its involvement in numerous espionage and sabotage campaigns.
Said the French security services regarding the Olympic games this July:
“Sabotage operations are the ones that have given rise to the greatest number of scenarios where we’ve devoted a lot of energy. We are not immune to states wanting to damage France’s image, wishing to send messages or even attacking the opening ceremony.”
Preventing any intrusions by State actors represents a major challenge. Armed with powerful resources, they can prepare targeted attacks, taking up to several months to take control of a computer network.
Paris 2024 (the French Olympic organizers) and its private partners, Eviden (Atos) and Cisco, are responsible for securing the critical infrastructure of the Games: in other words, the technology used directly for access control, broadcasting, refereeing and timekeeping, as well as the information systems required for day-to-day operations, such as office automation and human resources.
Cisco’s challenge is to continuously monitor and identify infrastructures and technical indicators used by malicious actors – domain names, but also software – so as to be able to detect and filter them at infrastructure level of the Games. Said Eric Greffier, Cisco’s Paris 2024 Technical Director:
“We have over 100 engineers engaged for the Olympics, a significant proportion of whom are involved in cybersecurity”.
To prevent any intrusions, it is also necessary to identify any compromises within the Olympic teams as quickly as possible. This involves monitoring leaks of personal data and hacked identifiers, sold daily on the black market. So they have analysts who continuously monitor weak signals to prevent intrusions and, in the event of a confirmed incident, to react as quickly as possible.
Weak signals may be a series of unsuccessful login attempts to a user account, or someone trying to use the same password with a multitude of logins. These are alerts that may signify intrusion attempts.
Groups at the top end of the spectrum, such as those specializing in extortion and ransomware – tools that cripple computer networks – are often notorious for not targeting their victims, but acting opportunistically. They buy access obtained by other hackers and attack the targets that appear to be the most profitable, for example, by comparing the sales figures of companies whose networks they can hack.
At the same time, other cybercriminal sectors rely constantly on news and major events to lure their targets. Phishing campaigns, for example, which can be used to steal personal identifiers or infect machines with a virus, may well use the Games to send waves of targeted text messages or emails to spectators or anyone else involved with the event. The news is always a vector for cybercriminals, who have to devise decoys.
And there are several advisories being issued to protect Olympic players from identity theft.
The same applies to scams of all kinds. In 2023, the gendarmes announced that they had detected 44 fraudulent online ticketing sites offering tickets for the events. The cybersecurity teams are well aware of the risks posed by various cybercriminal actors. For example, constant monitoring has been put in place to prevent the use of domain names impersonating the Games. Hardly a day goes by without seeing a reports.
Protection mechanisms have been deployed to safeguard those who have purchased tickets, including extended monitoring of hacked data regularly released and offered for sale on black markets. If the email you used to buy a ticket appears in a third-party data leak, they’ll contact you to warn you.
This is without taking into account another form of potential nuisance, which will undoubtedly make itself felt: the very many denial-of-service attacks expected against both official infrastructures and the sites of peripheral players (e-commerce sites, transport companies, etc.).
Consisting of bombarding a server with connection attempts in order to overwhelm it and render a site or service inaccessible, these attacks are the specialty of several groups. Generally organized around Telegram channels, these groups regularly claim responsibility for campaigns against French targets. Most major online services are well versed in these campaigns, which are inoffensive from a security point of view, as they don’t involve breaking into a network. As an Olympics cybersecurity analyst noted:
“It’s very visible, it mobilizes a lot of attention, but it’s not very serious. However, these operations divert our attention from much more serious attacks. And online disinformation campaigns are another major concern for the authorities in the run-up to and during the event, at a time when French diplomacy is stepping up its public condemnations of digital influence operations attributed to Russian actors”.
Since 2023, Le Monde has observed a multitude of references to the Olympics as part of Russia’s various online destabilization operations. For example, false stories attributed to Agence France-Presse and TF1 were broadcast on pro-Russian channels, arguing that tourists were canceling their bookings for fear of security risks and because of Macron’s offensive statements on the war in Ukraine. In the preceding months, these same propaganda channels had tried to raise fears of attacks during the Games, for example by amplifying photographs of threatening graffiti allegedly made in Paris (which Le Monde was unable to verify) and referring to the 1972 Munich Olympics, during which hostage-taking by a Palestinian group resulted in the deaths of Israeli athletes.
The vast majority of these campaigns had no effect and failed to achieve any real viral momentum. This was the case with operations carried out by “Doppelgänger,” the name given to one of the main Russian online influence networks targeting France. At the beginning of the month, it ran Facebook ads in France announcing the “worst Olympic Games in history.” These were seen by internet users only a few thousand times.
Besides Cisco and Eviden, Paris 2024 has been working hand-in-hand with the French national agency for information security (ANSSI) to limit the impact of cyber attacks. ANSSI will operate from a special cybersecurity operation centre in a Paris location that is being kept very secret.
In another press briefing on security, Vincent Strubel, the director general of ANSSI, said:
“We can’t prevent all the attacks, there will not be Games without attacks but we have to limit their impacts on the Olympics. There are 500 sites, competition venues and local collectives, and we’ve tested them all.
The Games are facing an unprecedented level of threat, but we’ve also done an unprecedented amount of preparation work so I think we’re a step ahead of the attackers. One thing that Paris 2024 has done is pay “ethical hackers” to stress test their systems, some of them using artificial intelligence to help them do a triage of the threats.
AI helps us make the difference between a nuisance and a catastrophe.
And, we’re expecting the number of cyber security event to be multiplied by 10 compared to Tokyo (in 2021). In terms of cybersecurity, four years is the equivalent of a century.
And we are aware of the computer virus dubbed “Olympic Destroyer” which was used in an attack on the opening ceremony of the Pyeongchang Winter Games. While Moscow denied any involvement, or U.S. intelligence partners told us that the U.S. Justice Department indicted six Russian intelligence agency hackers for a four-year long hacking spree that included attacks against the Pyeongchang Games.
We would like to have one opponent but we’re looking into everything and everyone. Naming the potential attackers is not our role, it is the role of the state”.
And so the Games will take place amid a complex geopolitical backdrop not seen before during an Olympics, with the overall security issues simply off-the-charts.