Beijing 2022 Winter Olympics Open, Amidst Boycotts and Cyber and Privacy Concerns
The Beijing 2022 Winter Olympics are officially underway in China following a more subdued opening ceremony on Friday as the nation continues to pursue a zero-COVID policy.
Athletes, coaches, trainers, and media personnel from around the world have flocked to China for Olympics, which will run through 20 February. More than 2,800 athletes from 91 nations are in Beijing to compete in the 109 events across 15 disciplines in seven sports, The Washington Post reports.
Missing from the scene, however, are many prominent world leaders and delegations. Australia, Canada, Estonia, Denmark, Latvia, The Netherlands, Sweden, the United Kingdom, and the United States joined a diplomatic boycott of the games in protest of China’s human rights record and oppression of the Uyghur population.
Speaking to reporters in a briefing in December, U.S. Press Secretary Jen Psaki said U.S. President Joe Biden has “told President Xi [Jinping], standing up for human rights is in the DNA of Americans. We have a fundamental commitment to promoting human rights,” according to ABC News.
China has denied the allegations and called the boycott political posturing by the Western nations. In the opening ceremony in Beijing Friday, two athletes—one with Uyghur heritage—were chosen to end the Olympic torch relay and light the cauldron in the stadium, signifying the official opening of the games.
China implemented a rigorous testing and screening policy for anyone traveling into the country for the Olympics in an effort to reduce COVID-19 transmissions. Athletes will be tested daily, and the entire Winter Olympics operation is being conducted in a “closed-loop system” that will act as a bubble to prevent infections from spreading, according to the International Olympic Committee. The closed-loop is made up of the competitive venues, media centers, athletes’ villages, and hotels that are sealed off from the public and protected by the police.
“The testing in Beijing is robust and is reliable. It is the same type of PCR test that is used the world over,” said Dr. Brian McCloskey, chair of the Beijing 2022 Medical Expert Panel, in a statement. “For the Games, the test is set at a very sensitive level because what we want to achieve is not to get Omicron into the closed-loop system. Extra reagents and different gene targets have been brought in to ensure that, although we set it very sensitively, we can increase the specificity to exclude false positives.”
Each nation, news organization, sponsor, and delegation traveling to Beijing for the Games has also been assigned a COVID liaison officer.
“These people have invariably devoted hundreds of hours to understanding the complex rules and often rapidly evolving procedures created for these Olympics,” according to The New York Times. “The responsibility for Slovakia’s teams, for instance, fell to Zuzana Tomcikova, who was a goalie for the country’s women’s ice hockey team at the Vancouver Games in 2010. She has been overseeing the current teams’ travel and testing arrangements, cycling endlessly through the thicket of paperwork and Excel spreadsheets to keep everything organized—or as close to organized as possible.”
These measures will also help reinforce physical security at the Games, although incidents may occur outside of the Olympic bubble.
“Outside of Beijing, there have been numerous cases of terrorist attacks by groups seeking to draw attention to China’s treatment of Uyghurs in Xinjiang and its involvement in third countries with groups that have enemies who carry out terrorist attacks,” according to a threat intelligence brief from Flashpoint. “While China’s ‘closed loop’ for athletes, coaches, and other Olympic participants will most likely insulate these travelers from most physical security risks, official or unofficial harassment of those outside this bubble may occur.”
Cyber and Privacy Measures
More attention, however, has been on the cybersecurity and privacy threats to individuals in China. In a discussion on Wednesday hosted by Axios, Suzanne Spaulding, senior advisor at the Center for Strategic and International Studies and a member of the Cyberspace Solarium Commission, said that a disruption to the Games via cyber means is less likely because China itself has “no interest in using its skills to disrupt its games and there is a sense that other major cyber powers, like Russia, Iran, and North Korea, have very little interest in angering China and disrupting these Games.”
Insikt Group has a new report on how the hosting of the 2022 Winter Olympic Games in Beijing, China, alters the cyber, information, geopolitical, and physical threats that face the Games. https://t.co/uosCVvYTGD— Recorded Future (@RecordedFuture) January 26, 2022
A threat analysis report from Insikt Group echoed similar sentiments, explaining that due to their close geopolitical relationship with China, other cyber powers are unlikely to use their abilities to disrupt the Beijing Olympics. These actors, however, are more likely to conduct surveillance and cyber espionage.
“We did not observe any notable Dark Web chatter or statements by ransomware groups expressing intent to target the 2022 Winter Olympics, though we did identify advertisements on Dark Web markets for the sale of account details related to the volunteer and media portals of the Games,” Insikt Group wrote. “Financially motivated threat actors will almost certainly opportunistically exploit the 2022 Beijing Winter Olympics, particularly with Olympic-themed phishing campaigns, to target a range of victims, including the Games themselves, associated organizations, and individuals attending or engaging with the event. Further, hacktivists will likely target the Games, including corporate sponsors, in response to China’s human rights abuses. Corporate sponsors are already receiving significant online criticism for being associated with the Games being hosted in Beijing.”
Instead, more concerns have been raised about the potential for cyber and privacy risks for individual attendees at the Olympics. FBI Director Christopher Wray gave a speech on the cyber threat from China earlier this week and the Bureau advised athletes traveling to Beijing to bring burner cell phones with them. It also flagged risks associated with the My 2022 app that athletes are required to download to track their health while in China and to use Web browsers.
Research on the My 2022 app from The Citizen Lab previously found a “devastating flaw where encryption protecting users’ voice audio and file transfers can be trivially sidestepped.” Researchers also found that personal information, including passport information, demographic information, and medical and travel history, were vulnerable to interception.
Jake Williams, senior instructor at the SANS Institute, says that the My 2022 app is a risk to anyone who installs it. “The flaws described in the Citizen Lab report are a classic ‘bug door,’ basically a backdoor disguised as a software flaw for plausible deniability purposes,” he explains. “The plausible deniability is working as intended because unlike an actual backdoor, there’s no way to confirm malicious intent.”
NEW @citizenlab REPORT:— profdeibert (@RonDeibert) January 18, 2022
Mandatory Beijing Winter Olympic App, MY2022, contains major security vulnerabilities & functionality to report "politically sensitive content"
All athletes, spectators, and journalists must install MY2022 while attending Gameshttps://t.co/R9GBeOV15d
Anyone traveling to China for the Olympics should expect increased electronic surveillance while in the country, Williams says, adding that travelers should consider bringing burner devices and resetting any devices to factory default after returning from the Games.
“Burner devices are highly recommended when traveling to China. This includes not only a phone, but also a laptop if one is needed during travel,” Williams adds. “The purpose the burner device is to ensure that you can easily reset it to factory defaults after returning home. While you could do this with your everyday device, most users are less likely to do so for convenience reasons. When acquiring a burner device, consider carefully which of your everyday accounts you'll connect to the device. If a threat actor compromises your device, assume that they can access any connected accounts.”
While in China, Williams also suggests weighing carefully if using a VPN is advisable. In many instances, it may not be possible to use a VPN because China has taken steps to block them at a national level.
“While technology savvy people certainly can find ways to establish a VPN out of mainland China, that puts them on potentially shaky legal ground,” Williams says. “I can’t imagine this is a good tradeoff for anyone traveling there for the Games.”
And once home from Beijing, Williams suggests—at a minimum—resetting devices to factory defaults.
“For those with significant threat models such as journalists or executives, consider selling or disposing of the burner devices,” he says. “Same malware that infects firmware has historically been able to survive a factory reset.”