Cyber security legacy of the London 2012 Olympic and Paralympic Games
14 July 2016
Exercising is good for your long term health: the cyber security legacy of the London 2012 Olympic and Paralympic Games
A recent report has highlighted the poor state of cyber security in Brazil ahead of this summer’s Olympics. Much has been made of the sporting legacy of the London 2012 Olympic and Paralympic Games, but the cyber security legacy the Games left in the UK has received less attention.
Unsurprisingly, cyber was one of the key security risks identified prior to the Games; a risk that was much less familiar to many involved in Games security than terrorism, for example. In my role as Head of the Assessment team at the UK Cyber Security Operations Centre (CSOC) I spent 2011 and early 2012 in a seemingly endless cycle of threat assessments, incident management workshops and exercises. Over this period a number of things came together to change the Game in terms of national cyber security response.
Clarity of mission
It’s amazing what can be achieved when everyone is working towards the same goal (the urban legend of the NASA cleaner and JFK is the perfect illustration of this). In 2012 the mission was a “safe and secure Olympics”. It is nearly impossible to get this absolute clarity of mission in a business-as-usual state, when there will always be subtle differences of opinion or nuances of approach that reduce efficiency. Having the eyes of the world on you really does make a difference.
A team sport
Responsibility for cyber security in the UK (as in most countries) is spread across a myriad of government departments and agencies, plus privately-operated critical national infrastructure. Inevitably this leads to duplication and inefficiency. I witnessed a remarkable change in attitudes in early 2012, when genuine joint working became a reality, driven by the clarity of mission. Not only did individuals and teams from different departments and agencies really start working together, the mix of people involved in cyber security (e.g. deep technical geniuses, operational delivery ninjas, Whitehall policy types) gelled in ways I had not seen before.
If you’re running the 100m final, you focus your training towards that event; the same principle applies to cyber security. We had an extensive programme of exercising over the run-up to the Games, which not only ironed out problems in processes, but also allowed everyone involved (from incident responders to senior officials and Ministers) to be comfortable in their roles.
“Cyber security is a Board Level issue” is now a familiar phrase, but in 2012 Olympics security (including cyber security) was the absolute focus of senior officials and Ministers in the UK. Having senior leaders dedicate significant investment towards cyber security, take a genuine interest in outcomes and (really importantly) ask difficult questions really does improve performance.
Thankfully, the Games themselves turned out to be a relatively low-key event from a cyber security perspective, but did this intense burst of effort have any lasting legacy, or was the improvement in performance temporary?
It was always going to be impossible to maintain the focus and operational tempo that ran through 2012 in a business-as-usual setting. Bureaucratic inertia, inter-departmental rivalries, austerity and an increase in the threat from conventional terrorism since 2012 have all taken their toll. But from my perspective (having seen UK cyber security before, during and after the Olympics) I would argue that something fundamental has changed.
There is no single reason for this, but I suspect that such an intense burst of concentrated effort inevitably results in some sort of muscle memory, whether that be with operational incident responders, policy officials or senior leaders. I still feel an intense sense of accomplishment and camaraderie, long after the Olympics and long after leaving public service. Hopefully the formation of the National Cyber Centre will go some way to securing this legacy.