Understanding Security Risks at the 2022 Beijing Winter Olympics: A Practical Guide
Risk apertures and the 2022 Beijing Winter Olympics
In a sign that things are returning increasingly back to a (new) normal around the globe, the Olympics are back as scheduled. Beginning February 4, Beijing will host athletes, coaches, and spectators from around the world for the 2022 Winter Olympics, just six months on heels of the summer games in Tokyo—which itself kicked off a year later than planned because of the COVID-19 pandemic.
Beijing’s winter games come at a period of high tension between China and the international community, and especially the US and Europe, over a variety of human rights, trade, and geopolitical issues that continue to result in tit-for-tat sanctions, boycotts, and cyberattacks. Given this context, security analysts and practitioners whose business overlaps with the Beijing games must anticipate myriad attack surfaces and consider preemptive mitigation measures—because the action surely won’t just be on the slopes.
Best practices to defend against China’s information gathering techniques
When it comes to traveling to and from China, the prevailing assumption should be that one’s personal devices (and being) are under continuous watch by Chinese authorities. An obvious solution, although not the only measure one should take, is to maintain a reserve group of devices for exclusive use in China, each of which is analyzed and wiped after each trip. While it may incur some additional cost, the price of having one’s personal or work device captured and scanned, not to mention if something deemed sensitive is found on the phone, can be much greater.
Related reading: Tokyo Olympics 2020: Tracking the Cyber Threat Landscape
The importance of VPNs
The same caution should be paid to traffic to and from these devices. Consider keeping a policy on these devices that automatically connects to the VPN before the device fetches emails and other web requests. Even with these measures, the assumption should always be that communications inside China are inherently insecure, and sensitive conversations should be held as sparingly as possible.
How China tracks
The severity of this threat is perhaps best illustrated by the application that participants are required to install. The application developed to store athletes’ health information, called “MY2022,” has already been picked apart and called out for having security flaws that could be used by state security agencies to access devices and a feature to censor content deemed politically sensitive.
China has already warned athletes that any political statements it deems critical will result in “certain punishment.” Previous apps were released under the guise of innocuous reasons but were also found to have alternate uses. For example, the China National Anti-Fraud Center App was released by the Ministry of Public Security in mid-March 2021. The app was apparently intended to filter spam calls and more easily enable online scam reporting, but there were reports that the app is being used to track individuals who view overseas financial news sites. And in July 2019, investigations by media outlets disclosed Chinese authorities installing surveillance applications on mobile phones of individuals transiting to Xinjiang, which gathered personally identifiable information (PII) and scanned for content deemed “sensitive.”
Tarnished image: Reputation risks to commercial sponsors
As of this publishing, Flashpoint analysts have yet to identify clear evidence of any planned cyber attacks emanating from the threat actors groups either inside or outside of China. While a majority of Olympic sponsors are state-affiliated, a few major foreign organizations will be advertising during these games and should be aware of reputational and economic risks.
Many sponsors are walking a fine line. One of the risks that sponsors run is from Chinese threat actors who could potentially target the websites of sponsors who are perceived as being critical of Beijing. Some of these multi-national corporations with significant business interests in China have previously spoken out against the genocide in Xinjiang, resulting in severe backlash by a Chinese public that is already sensitive to foreign criticism. On the other hand, these same companies may face cyber risk from groups and individuals who oppose the Chinese government’s policies, including “re-education” in Uyghur internment camps, the disappearance of Peng Shuai, and Beijing’s policies towards Hong Kong and Taiwan.
Misinformation and the COVID narrative
Perhaps one of the biggest misinformation stories of 2020-2021 continues to be COVID narrative wars. Chinese state media and diplomatic twitter accounts, not to mention bots, propagated a variety of tales around the origin of COVID and Omicron. These narratives have heightened diplomatic tensions and may have resulted in increased anti-US sentiment in China.
For the Chinese government, this is part of a wider information campaign centered on a narrative that homegrown China is rising while the West declines. The Olympics will likely afford Beijing a platform to convey a narrative that comports with China’s role as a responsible actor in its handling of COVID, as opposed to how it depicts the west.
Related reading: China’s Hackers to Showcase Zero-Day Exploits at Tianfu Cup
Physical security in China can include large crowds, disease, food poisoning, and a relatively blasé attitude towards public safety issues on sidewalks, streets, and public spaces. There have been cases of security incidents in and around Tiananmen Square, however, those events have historically been limited to Chinese citizens trying to draw attention to grievances. Outside of Beijing, there have been numerous cases of terrorist attacks by groups seeking to draw attention to China’s treatment of Uyghurs in Xinjiang and its involvement in third countries with groups that have enemies who carry out terrorist attacks. While China’s “closed loop” for athletes, coaches, and other Olympic participants will most likely insulate these travelers from most physical security risks, official or unofficial harassment of those outside this bubble may occur.
Protect your enterprise against cyber risks in the APAC region
To see firsthand how Flashpoint cybersecurity technology can help your organization access critical information and insight into threat actors in APAC, and protect critical assets and stakeholders, sign up for a free trial today.