CYBERSECURITY: The Greatest Hurdle of the 2016 Olympic Games INTRODUCTION
1 Every two years, the world turns its collective attention to an event that has come to epitomize “International Olympic Committee Marketing Report: London 2012,” a rare moment in international co-existence. Underneath jerseys and face paint indicating Olympic Committee, 2012. Link national allegiance is an appreciation for talent and hard work, regardless of state origin. Amid the fiercest competition in the world emerges a sense of humanistic unity in both athletics and beyond. For seventeen days this August, Olympic fervor will begin all over again.
Preparing for an event that attracts 7.5 million ticketed spectators and 3.5 billion television viewers1 is no small feat for any city, even for highly industrialized hosts such as London and Beijing. As the first South American country to host an Olympic Games, Brazil carries the reputation of an entire region on its shoulders. Amid this pressure, Brazil is also faced with a host of internal issues. Rampant corruption, economic collapse, and the Zika virus threaten to launch Brazil into utter chaos.
Amid these immediate and pressing challenges, however, lies a more covert concern. Brazil’s insufficient cybersecurity infrastructure, coupled with the world’s attention, make the 2016 Rio de Janeiro Olympic Games a perfect target for cybercriminals.
graquantum.com � info�graquantum.com This paper explores Brazil’s existing cyber landscape, including its status both regionally and globally.
It will begin by examining the history of cybercrime in Brazil and its existing Internet infrastructure.
It will then contextualize Brazil’s unique cyber landscape in the context of the Olympic Games, including comparisons with previous and future host countries, and efforts to secure Brazil’s cyber architecture specific to the games.
Finally, it will provide recommended “next steps” for what can and should be done to ensure the future security of Brazil’s evolving cyber landscape.
Ultimately, this paper illustrates the ways in which a multitude of cyber threats may prove to be the greatest hurdle of the Summer 2016 Olympic Games.
3 graquantum.com � info�graquantum.com MAPPING BRAZIL’S CYBER LANDSCAPE
2 Despite its size and regional status, Brazil faces relatively few external geopolitical enemies. “Hackers target Brazil’s World Cup for cyber attacks,” Reuters, The government has therefore had little incentive to develop its cyber defense capabilities.2 26 February 2014. Link Moreover, in the face of widespread traditional crime, poverty, and social inequality, government
3 resources have been allocated elsewhere. In fact, cybersecurity programs in Brazil were “Brazil and Cybersecurity in the virtually non-existent until 2013, when the Snowden leaks sparked a cybersecurity dialogue Aftermath of the Snowden Revelations” Link that had been absent from earlier discourse.3
4 Cybercriminals are no stranger to Olympic-size breaches. The official site of the London “Hackers target Brazil’s World Cup for cyber attacks,” Reuters, Olympics was hacked more than 2.2 million times in 2012. Most of these attacks were ticket 26 February 2014. Link fraud or denial-of-service attacks; more than 700 of these attacks warranted thorough
5 investigation. In all, French information security company ATOS detected approximately “Beaches, carnivals and 255 million “security events” during the London Games.4 cybercrime: a look inside the Brazilian underground,” Kaspersky Lab, 11 November The potential to cause a disruption on the Olympic stage is only furthered by Brazil’s internal 2015. Link economic and social circumstances. The country’s threat landscape reflects both Brazil’s inadequate financial infrastructure, as well as its ongoing internal unrest. These factors combine to create one of the most unique cyber landscapes in the world—one that can only be understood by assessing Brazil from the inside out.5
4 graquantum.com � info�graquantum.com Brazen Hackers & Vulnerable Wi-Fi
Brazil’s financial sector has been and will continue to be its most vulnerable industry. Online 6 “Kaspersky Security Bulletin banking is hugely popular in Brazil, with more than 50 million Brazilians using Internet-based 2014. Overall statistics for banking systems daily. In all, 40 percent of all bank transactions occur online. Hackers have 2014,” Kaspersky Lab. 8 December 2014. Link taken notice. Nearly 300,000 Brazilian users suffered from financial malware in 2014, making Brazil the most dangerous country in the world for financial cyberattack.6 These numbers 7 “Beaches, carnivals and are on the rise; bank fraud increased in Brazil by 40 percent in 2015.7 cybercrime: a look inside the Brazilian underground,” Although tourists are unlikely to utilize Brazil’s online banking systems while in country Kaspersky Lab, 11 November 2015. Link for the Games, the prevalence of financial crime largely defines Brazil’s landscape. In all, cybercrime constitutes 95 percent of all losses sustained by Brazilian banks.8 8 “Cybercrime Scheme Uncovered in Brazil,” The New York Times, 2 July 2014. Link
9 These numbers are on In all, cybercrime “3.75 Billion ‘Boleto’ Fraud in Brazil Exposes the Rise of the rise; bank fraud 40% 95% constitutes 95 percent Global Cybercrime Threats,” increased in Brazil by of all losses sustained Association of Certified Financial Crime Specialists. Link 40 percent in 2015.7 by Brazilian banks.8
Without deterring legal consequences, cybercriminals feel free to flaunt their cyber loot online. Without fear of punishment, Brazilian hackers post photographs of their earnings, exchange “best practices” on online hacking forums, and even upload videos bragging about their hacking skills. One prominent video, entitled Rap dos Hackers, has received over 200,000 views. The hacker proclaims:
“I’m a virtual terrorist, a criminal On the internet, I spread terror Have nervous fingers I’ll invade your PC, so heads up You lose playboy Now your passwords are mine.”9
5 graquantum.com � info�graquantum.com Network Attack
10 Wi-Fi networks in São Paulo “Data Are at High Risk of Theft Via Wi-Fi, Europol Warns,” The Wall Street Journal, 7 March 2014. Link Completely Could be hacked in open networks a matter of minutes 11 “Cybercriminals Ramp up Activity Ahead of 2014 World 26% 12% Cup,” SecurityWeek, 11 June 2014. Link
12 “Pineapple: An overview of Wi-Fi Pineapple Mark V,” Volkan Paksoy Blog, 25 February 2015. Link
Spectators looking to document their Olympic experiences online must also be wary of network attacks. Due to the cost and relative inaccessibility of 3G networks in Brazil, visitors typically depend on Wi-Fi. Popular applications such as WhatsApp and other Wi-Fi-dependent, international messaging applications will also encourage tourists to turn to Wi-Fi when in Brazil.
After searching for a connection, spectators are likely to connect to the first open network they see. However, public Wi-Fi connections—such as those available at coffee shops, hotels, and restaurants—are typically unencrypted, enabling cybercriminals to access a victim’s device with minimal effort. A hacker needs only a simple, inconspicuous, and inexpensive device to intercept signals from a victim’s computer or install malware. All information accessed on an insecure network, including passwords and credit card numbers, is fair game. This information may then be used to perpetrate offline crime, such as identity theft or credit card fraud.10 The headache associated with the aftermath of these crimes is only exacerbated when abroad.
Vulnerable Wi-Fi networks are prevalent everywhere, and Brazil is no exception. A Kaspersky Lab assessment of Wi-Fi networks in São Paulo found 26 percent of networks are completely open, while an additional 12 percent could be hacked in a matter of minutes.11 Perhaps most insidious is the creation of fake Wi-Fi networks, often designed to resemble hotel or airport networks. In order to carry out what is often termed a “man-in-the-middle attack,” a hacker needs only a device known as a Wi-Fi pineapple. The pineapple effectively fools wireless devices into connecting to the pineapple ahead of existing, legitimate networks. The unsuspecting victim therefore believes he or she is connecting to a reputable network, but instead relays his or her personal information directly to the hacker.12
6 graquantum.com � info�graquantum.com Cybercriminals can obtain a Wi-Fi pineapple with relative ease, and may place the pineapple 13 “DarkHotel: A Sophisticated New at a café, hotel, or business with public Wi-Fi in a matter of seconds. Once the pineapple is Attack Targets High-Profile in place, the cybercriminal has the ability to install malware on a victim’s computer or dump Hotel Guests,” WIRED, 10 November 2014. Link the victim’s hard drive. If the victim visits online banking sites or enters a password, that information is readily accessible, too. When a user joins public Wi-Fi via a pineapple, he or she hands the keys to his or her personal information directly to a cybercriminal.
Spectators looking to regale their Olympic experiences to friends and followers online must remain vigilant. While the Rio 2016 Olympic Committee has made private Wi-Fi networks available at Olympic venues, Brazil’s other attractions remain vulnerable. Brazil’s beaches deployed free and public Wi-Fi ahead of the World Cup, and the same infrastructure will be in place for this summer’s Olympics. As tourists bask in Brazilian sunshine between volleyball matches, they may be in inadvertently sharing personal data with malicious actors.
Even the confines of a luxury resort are not safe. For example, a 2014 Kaspersky Lab report revealed that an attack known as DarkHotel had compromised the personal data of international executives at five-star hotels around the world for at least seven years.13 With millions of preoccupied tourists set to descend on Rio, cybercriminals will undoubtedly take advantage of the influx of lucrative and easy-to-access data.
7 graquantum.com � info�graquantum.com Hacktivism
14 Brazil has long been a major target for prominent hacktivist group Anonymous. In 2012, “Beware the activist: Securing files against hacktivism threats,” Anonymous successfully infiltrated and shut down prominent financial institutions across GlobalSCAPE Blog, 9 July 2014. Brazil, including Banco de Brasil. Two years later, the group waged a large-scale attack known Link as “Operation Hacking Cup” during the World Cup to protest social injustices stemming 15 from the event. The group targeted both the Brazilian government and the World Cup’s “Brazil 2016 Summer Olympics: Hacker group Anonymous corporate sponsors, including Adidas, Budweiser, Coca-Cola and Emirates Airlines.14 attacks feared,” International Anonymous waged hundreds of Denial of Service (DDoS) attacks in an attempt to Business Times, 16 March 2016. Link overwhelm websites.15
16 To carry out a DDoS attack, thousands of users access a designated website at the same “Hackers Target Brazil’s World Cup for Cyber Attacks,” Reuters, time in an effort to overwhelm and temporarily shut down the site. These attacks are 26 February 2014. Link simple, cheap, and effectively propel Anonymous–and their political or socioeconomic
17 position—into the mainstream media. When an Olympic-size magnifying glass descends “#OpHackingCup – on Rio de Janeiro, the effects of a DDoS attack will make headlines worldwide.16 Anonymous,” Pastebin, 5 June 2014. Link Anonymous also posted more than 300 documents obtained from the Foreign Ministry’s network online as part of Operation Hacking Cup. In a manifesto published during the World Cup, Anonymous wrote:
“How many billions of dollars from public funds were spent to build and reform the stadiums that will host the Cup?...We can’t accept pacifically [sic] any more the violations on people’s basic rights practiced because of this event….The eyes of the world will be turned to Brazil.”17
8 graquantum.com � info�graquantum.com These concerns continue to manifest themselves in cyberspace as Brazil prepares for the 18 “Brazilian officials evict families Olympics. As was the case in the lead up to the World Cup, Brazil has made international from homes ahead of 2016 headlines for displacing residents in favor of building roads to and from stadiums. The Rio Olympic Games,” The Guardian, 28 October 2015. Link de Janeiro city government reports that 334 families have been relocated since 2009 to make way for Olympic infrastructure. Bus lines shuttling Rio’s commuters from one side of the city to another have been shut down, forcing thousands to work from home or find alternative and often more expensive means of transportation to critical infrastructure in the city. As Brazil rushes to complete its Olympic infrastructure, tensions continue to bubble over between the government and Brazil’s working class. Anonymous has all of the ammunition it needs to launch similar hacks and DDoS attacks this summer.18
Twitter accounts associated with Anonymous cited so-called “resettlement” last year; attacks are expected to continue as the games approach. Given the prevalence of DDoS attacks at the Cup, Anonymous is likely to wage similar attacks in August.
9 graquantum.com � info�graquantum.com COUNTERING CYBERCRIME: CDCIBER
19 Brazil’s cybersecurity agency, the Cyber Defense Center (CDCiber), is operated by “Why Brazil Put Its Military in Charge of Cyber Security,” approximately 100 members of the Brazilian Armed Forces. International cybersecurity Defense One, 13 January 2015. experts are split as to whether or not military control is best suited for Brazil’s cybersecurity Link needs. While some argue that the prevalence of cybercrime in Brazil warrants military 20 thinking and strategizing, others suggest the nature of Brazilian cybercrime, which is “Deconstructing Cyber Security in Brazil: Threats and waged largely by private Brazilian citizens rather than external state actors, is ill-suited for Responses,” Igarapé Institute, military jurisdiction.19 Across Latin America, only Colombia’s armed forces are similarly December 2014. Link involved in cybersecurity.20 21 “Deconstructing Cyber Since it became fully operational in 2011, CDCiber has received a multitude of criticisms Security in Brazil: Threats and Responses,” Igarapé Institute, from domestic and international cybersecurity experts. CDCiber was criticized in 2013 December 2014. Link when it used its military-grade resources to create social media monitoring programs in order to track civilian protests.21 This surveillance is indicative of the larger mismatch between CDCiber’s military framework and Brazil’s greater cybersecurity needs.
CDCiber’s first major test came in 2012 when Brazil hosted the United NationsConference on Sustainable Development (Rio+20). Since then, CDCiber has overseen cybersecurity measures for the 2013 FIFA Confederations Cup and 2014 FIFA World Cup. Hosting sporting events on an international scale has created a sense of urgency within CDCiber to amp up cyber precautions.
10 graquantum.com � info�graquantum.com CDCiber cites Brazil’s 2014 FIFA World Cup as a model for its Olympic preparations; officials 22 “Brazil’s Armed Forces Grapple note they will not make any “profound changes” to the cyber procedures that governed with Cybersecurity Challenges,” the Cup. This model included a focus on hacktivism, cyber espionage, terrorism, and cyber Dialogo, 29 October 2012. Link warfare. Largely absent from this plan, however, was a focus on financial cybercrime. Financial 23 malware attacks increased throughout May and June 2014, which coincides with the timing “Brazilian Armed Forces Prepare Strong Cyber Defense Strategy of the World Cup. During this timeframe, the number of computers attacked by financial for 2016 Olympics,” Dialogo, 22 malware rose from 250,000 to 350,000 per month. December 2015. Link
24 To prepare for the Olympics specifically, Brazil will host Argentina in virtual defense training “Japan to deepen ranks of network sessions aimed at securing major events. CDCiber also purchased $3.3 million worth of defenders with eye to Olympics,” Nikkei, 16 July 2015. Link cyberattack simulation software, capable of replicating 25 different cyberattack scenarios.22 CDCiber has also emphasized the security of assets related directly to cybersecurity and defense, with (understandably) undisclosed plans to protect Area Defense Coordination Centers, the Integrated Center for Regional Command and Control, and CDCiber itself.23
Although CDCiber has received more resources and training in the lead-up to the Olympics, these efforts pale in comparison to Japan’s preparation for the 2020 Tokyo Games. While CDCiber doubled its staff of cyber specialists to 200 ahead of the Olympics, Japan plans to train 50,000 cybersecurity professionals. Japan’s Ministry of Internal Affairs and Communication has also requested 20 billion yen, or $161 million, in cybersecurity funding. Japan has been hosting hacking simulations since last year, identifying and recruiting “white hat hackers” well in advance of the Tokyo Games. Japan has also utilized its private sector by hosting forums in which companies and government agencies can exchange cybersecurity best practices. 24
11 graquantum.com � info�graquantum.com CYBER LEGISLATION: SLOW AND INSUFFICIENT
25 Given Internet proliferation rates and the magnitude of cybercrime in Brazil, its lack of cyber “Brazil Aims to Bring Order to Lawless Cyberspace,” Reuters, legislation is particularly stark. While there have been some signs of progress in recent years, 26 February 2013. Link there is significant room for legislative improvement.
26 Hacking was not formally classified as a crime in Brazil until 2012 when a hacker leaked “After 13 years, Brazil approves two cybercrimes laws at once,” intimate photographs from Brazilian soap opera star Carolina Dieckmann’s computer.25 Linha Defensiva, 7 November 2012. Link “Lei Dieckmann” criminalizes violations of digital security mechanisms as well as editing, destroying, selling, or otherwise distributing the information obtained from this violation.26 27 “Beaches, Carnivals, and Additionally, the Carolina Dieckmann Act makes counterfeiting credit and debit cards a crime. Cybercrime: A Look Inside the Brazilian Underground,” In practice, however, the Carolina Dieckmann legislation has proven woefully insufficient. Kaspersky Lab, 11 November 2015. Link Brazil’s judicial system is not equipped to handle the country’s rate of cybercrime; according to Kaspersky, cybercriminals are frequently arrested and released without being charged 28 “Brazil’s Cybercrime Problem,” multiple times.27 Punishment for cybercrime also remains relatively lax in Brazil. While a Foreign Affairs, 17 September convicted hacker in Brazil will serve just three months to one year in prison, a criminal 2015. Link convicted under the United States’ Personal Data Privacy and Security Act (H.R.3990) can be sentenced to up to five years in prison. If sentenced under the US Computer Fraud and Abuse Act (H.R.4718), a cybercriminal may face up to ten years in prison.28
12 graquantum.com � info�graquantum.com 29 While a privacy protection bill has been in the “draft” phase for several years, there is currently “Data Protection in Brazil: Overview,” Practical Law, 1 no legislation geared specifically to the protection of personal data. The initial draft of the November 2015. Link Protection of Personal Data introduces a definition for personal data,29 one which is still formally lacking from the Brazil Constitution. Additionally, there is no legislation in place 30 “Japan to Train Thousands on requiring businesses to report data breaches. The public is therefore kept in the dark as to Cyber-security Ahead of 2020 Olympics,” SC Magazine, 22 whether or not their information has been stolen, reeking of a lack of corporate accountability. July 2015. Link Cybersecurity experts across Brazil believe these legislative deficiencies stem from an 31 institutional lack of knowledge about the complexities of cybercrime. However, the Olympics MEPs give green light to Europol-Brazil deal to fight may just serve as a catalyst for change. As an official from the 2012 London Olympics told crime and terrorism,” European Parliament News, 12 April 2016. SC Magazine, the international scrutiny that comes with the Olympic spotlight can serve Link as a catalyst to build out much needed cybersecurity initiatives.30 For Brazil, the stakes have never been higher.
Fortunately, Brazil has utilized international partners in order to shore up security ahead of the games. The European Police Office, or Europol, has partnered with Brazil to fight a variety of criminal and terrorist activity, including cybercrime.31 This agreement signals a recognition among Brazilian and international officials that the Olympics provide an ideal venue for both traditional and cybercrime, but also room for transnational partnership on an issue of global importance. LOOKING FORWARD
Hosting an event of this magnitude has been critical in generating an elite discussion about Brazil’s cybersecurity. However, security is the responsibility of all peoples. In order to reform Brazil’s cyber landscape, its citizens must be educated about their own cyber hygiene, including remaining vigilant of financial and network attacks. Instigating a public discourse about matters of information security and privacy is critical in both securing the Olympics and securing Brazil in the long term.
Brazilian cybersecurity officers must also be wary of narrowing their focus to military-grade cyber attack. Military jurisdiction of Brazil’s cybersecurity represents a fundamental misunderstanding of Brazil’s cyber threats. Brazil’s cybercrime is perpetrated by private and internal actors, rather than malicious, government-backed hackers. Cyber officials operating in a military framework approach cyber with a mind attuned to war rather than innovation. In order to keep up with the ever-evolving tactics employed by these hackers, officials should utilize private sector resources. A public-private partnership would be better suited to addressing the kinds of cybercrime that plague Brazil on a daily basis. Collaborating with domestic and international organizations across the private sector will fuel the innovation necessary to overhaul Brazil’s cyberspace.
Moreover, the alarming rate of financial cyber attack in Brazil—among the highest in the world—cannot be overlooked by those charged with ensuring the security of Brazilian institutions and businesses. Financial attack has the capacity to hurt an already limping Brazilian economy.
In the context of the Games, spectators and tourists should must remain wary of a multitude of vulnerabilities. In order to ensure a safe, secure, and positive stay in “the Marvelous City,” Olympic goers should not connect to public Wi-Fi, ensure their mobile devices are equipped with the most up-to-date operating systems, and leave devices containing sensitive data behind.
With the Olympics fast approaching, Brazil’s multitude of internal problems is only growing. From mounting concerns about the Zika Virus to a presidency on the verge of ruin, Brazil’s internal problems are escalating. Cybersecurity must remain a part of this discourse, both for the security of the Olympics themselves and to ensure the security of a future Brazil.
14 graquantum.com � info�graquantum.com SOURCES
Abdenur, Adriana Erthal. Brazil and Cybersecurity in the Aftermath of the Snowden Revelations. Konrad Adenauer Foundation. 2014.
Assolini, Fabio. Beaches, Carnivals and Cybercrime: A Look inside the Brazilian Underground. Publication. Kaspersky Lab.
Buchanan, Elsa, and Jason Murdock. “Brazil 2016 Summer Olympics: Hacker Group Anonymous Attacks Feared.” Editorial. International Business Times, March 16, 2016. link.
Diniz, Gustavo, Robert Muggah, and Misha Glenn. Deconstructing Cyber Security in Brazil: Threats and Responses. Publication. Vol. 11. Rio De Janeiro: Igarapé Institute. December 2014. link.
Douglas, Bruce. “Brazil Officials Evict Families from Homes Ahead of 2016 Olympic Games.” Editorial. The Guardian, October 28, 2015. link.
Drinkwater, Doug. “Japan to Train Thousands on Cyber-Security Ahead of 2020 Olympics.” Editorial. SC Magazine, July 22, 2015. link.
Garnaeva, Maria, Victor Chebyshev, Denis Makrushin, Roman Unochek, and Anton Ivanov. Kaspersky Security Bulletin 2014. Overall Statistics for 2014. Kaspersky Lab. SecureList. December 8, 2014.
Guzman, Daniela. “$3.75 Billion ‘Boleto’ Fraud in Brazil Exposes Rise of Global Cybercrime Threats.” ACFCS.
Hulse, Janie. “Brazil’s Armed Forces Grapple With Cybersecurity Challenges.” Editorial. Dialogo Americas, October 29, 2012. link.
Israel, Esteban. “Hackers Target Brazil’s World Cup for Cyber Attacks.” Reuters. February 26, 2014. link.
Kovacs, Eduard. “Cybercriminals Ramp Up Activity Ahead of 2014 World Cup.” Editorial. Security Week, June 11, 2014. link.
Muggah, Robert, and Nathan Thompson. “Why Brazil Needs a Digital Crackdown.” Editorial. Foreign Affairs, September 17, 2015. link.
Muggah, Robert, and Misha Glenn. “Why Brazil Put Its Military in Charge of Cyber Security.” Editorial. Defense One, January 13, 2015. link.
Paksoy, Volkan. “Beware the Pineapple: An Overview of WiFi Pineapple Mark V.” Editorial. Volkan Paksoy Blog, February 15, 2015. link.
Perlroth, Nicole. “Cybercrime Scheme Uncovered in Brazil.” Editorial. The New York Times, July 2, 2014.
Soares De Aquin, Tiago, and Simone Lahorgue Nunes. Data Protection in Brazil. Report. US Practical Law.
Zekaria, Simon. “Data Are at High Risk of Theft Via Wi-Fi, Europol Warns.” Editorial. The Wall Street Journal, March 7, 2014. link.
Zetter, Kim. “DarkHotel: A Sophisticated New Hacking Attack Targets High-Profile Hotel Guests.” Editorial. WIRED, November 10, 2014. link.
“After 13 Years, Brazil Approves Two Cybercrime Laws at Once.” Editorial. Linha Defensiva, November 7, 2012.
“Beware the Activist: Securing Files against Hacktivism Threats.” Editorial. GlobalSCAPE, Inc, July 9, 2014. link.
“Brazil Aims to Bring Order to Lawless Cyberspace.” Editorial. Carbonated TV. link.
“Brazilian Armed Forces Prepare Strong Cyber Defense Strategy for 2016 Olympics.” Editorial. Dialogo Americas, December 22, 2015. link.
“Japan to Deepen Ranks of Network Defenders with Eye to Olympics.” Editorial. Nikkei, July 16, 2015. link.
Marketing Report: London 2012. Publication. Lausanne: International Olympic Committee, 2012.
“MEPs Give Green Light to Europol-Brazil Deal to Fight Crime and Terrorism.” Editorial. European Parliament News, April 12, 2016.“MEPs Give Green Light to Europol-Brazil Deal to Fight Crime and Terrorism.” Editorial. European Parliament News, April 12, 2016. link.
“#OpHackingCup - Anonymous.” Editorial. Pastebin, June 5, 2014. link.
15 graquantum.com � info�graquantum.com [email protected] GRAQUANTUM.COM