World Cup Glory Looms, and So Do Cyber Threats, Microsoft Warns

As the 2023 FIFA Women's World Cup enters the knockout stages of the tournament, Microsoft, which has marshaled a litany of resources to protect its customers involved in previous World Cups, is blowing the whistle on the very real and looming cyber threats at play around the event.

"When we think of sporting events, we think of entertainment, engagement," says Vasu Jakkal, Microsoft's corporate vice president of security for compliance and identity, in an interview with Dark Reading. "We don't think about cybersecurity that often. And we need to."

There is of course precedent for concern. Some will remember when, as lights shone toward the sky, and athletes and performers took the stage to mark the opening of the 2018 Winter Olympics in Pyeongchang, the Wi-Fi in the stadium went out. The telecast, too. The official event website went offline, broadcasters' drones were grounded, and the digital ticketing system broke down, leaving swaths of empty seats in place of the paying viewers who wished to attend.

Olympic Destroyer was a watershed moment, and similar attacks have only become more common since. In February 2022, the San Francisco 49ers were struck with a ransomware attack on Super Bowl Sunday (they were one game shy of participating that year, which might have greatly exacerbated the situation). That November, Manchester United reported its own cyberattack. Major League Baseball and the National Basketball Association have each experienced significant data breaches — in 2021 and 2023, respectively — and the Houston Rockets purportedly lost 500GB of financial and legal data to ransomware attackers.

The Cyberattack Surface of a Worldwide Sporting Event

On Sunday, the United States and Sweden will face off in their first elimination round in the Women's World Cup. At least 8.5 million viewers will likely tune in from the US alone, to say nothing of the audience in Sweden and around the globe. The stadium will play host to 30,000 fans, and perhaps more than a thousand employees.

Each of those fans and employees in attendance will likely carry a mobile phone into the venue with them. These phones will interface with ticketing systems, point-of-sale (PoS) systems at food stands, QR codes and mobile apps associated with the event, and the stadium's public Wi-Fi. All are ripe targets for attack, according to Microsoft.

Even more than the BYOD risk from individuals, there's vendor risk. "These events can come together quickly, with new partners and vendors acquiring access to enterprise and shared networks for a specific period of time," Microsoft noted in its Cyber Signals report for August 2023, published Aug. 3. "The pop-up nature of connectivity with some events can make it hard to develop visibility and control of devices and data flows. It also fosters a false sense of security that 'temporary' connections are lower risk."

Then there are the various systems engaged in operating the event — the television monitors and scoreboards, electronic signage, tracking systems for logistics and medical management, the venue and teams' Web presences, and so on.

The attack surface isn't contained in the stadium, either. For example, "when we were supporting the FIFA World Cup at Qatar, we were also engaged with hospitals. We were able to prevent ransomware activity, to quarantine one of the hospitals that was engaged in the event, and that was really key," Jakkal says.

What It Takes to Secure a World Cup

Securing a World Cup isn't just how much needs to be protected but how quickly everything comes together, according to Microsoft, which offers a deep breadth of lessons learned in its report from securing many prior public sporting events.

"In a typical setting," says Justin Turner, principal group manager for Microsoft Security Research, "we get the luxury of time — to understand the network, understand what the threat profiles are gonna look like. For an event like the World Cup that comes together in a short period, we don't get that luxury."

Combine the motley nature of the attack surface and the speed with which these events come together, and all kinds of unexpected considerations start popping up.

"In the week leading into the actual World Cup, we had worked with the different customers, making sure their tooling and instrumentation is deployed," Turner explains. "But even more important than that was having something simple, like a list of names and phone numbers of the critical people that I need to call at a particular organization. So we spent time building that list. How is information going to flow? Who will act when we need to act? It sounds simple, but it took a little bit of legwork, and it really paid off in the end."

At the end of the day, the scale of cyber defense required for a major sporting event rivals any large organization, or even a small city. For last winter’s World Cup, 24 hours a day in Doha, seven days a week, from Nov. 10 to Dec. 20, 2022, Microsoft alone protected 45 organizations, including approximately 100,000 endpoints, 144,000 identities, 14.6 million email flows, 634.6 million authentication attempts, and 4.35 billion network connections.

Those numbers don't even capture all of the effort by all of the participating organizations — from the broadcasters to food vendors, technology suppliers, and more.

"It takes a village to do great security," Jakkal says. "We believe that security is a team sport — no pun intended."