As I outlined almost two years ago in the weeks prior to the Paris Olympics, preparations have been going on for years. And given the expected global audience and international participation, cybersecurity is at the center of the action. I know of several state CISOs and law enforcement personnel that have been actively involved in planning for the FIFA World Cup, while others have been less involved, generally based on their location.
To dig deeper into this topic, I was delighted to interview Justin Miller, associate professor of practice of cyber studies and director of the MS Cyber Security Online Program at the University of Tulsa. Here's his bio from the school:
“Miller recently completed a 25-year career in the U.S. Secret Service, retiring as a senior special agent. During his Secret Service career, he led several high-profile cyber fraud task force investigations, supervised the North Texas Cyber Fraud Task Force, led critical system protection operations, and was responsible for the training and resourcing of law enforcement personnel in cyber investigations as a coordinator and instructor at the NCFI. Miller is a graduate of the Federal Law Enforcement Training Center, Glynco, Ga., the Secret Service Training Academy, Beltsville, Md., and the Basic Police Officer Training Program, Santa Fe, N.M. He has advanced training in both physical and critical systems protection operations, as well as firearms, defensive tactics and countersurveillance.”
Justin Miller (JM): Large-scale events like the Olympics or the World Cup combine global attention, massive digital infrastructure and intense time pressure, which makes them prime targets for bad actors. When you see fake ticket sites or cyber sabotage, it tells you two things: First, attackers go where attention and money are concentrated; second, these events dramatically expand the attack surface.
You’re not just protecting stadiums; you’re protecting an ecosystem. You’re protecting ticketing platforms, broadcast systems, transportation networks, sponsors, vendors, mobile apps and millions of spectators’ devices. It’s a temporary city built on permanent infrastructure. That complexity creates opportunities for criminals, nation-state actors, hacktivists and opportunists alike.
The challenge isn’t just stopping attacks; it’s maintaining trust. Even small disruptions can undermine public confidence in systems that millions rely on in real time.
If we expand the narrative: What incidents like fake ticket sites and cyber sabotage reveal is that major events operate at the intersection of scale, visibility and complexity. That’s a dangerous combination from a cybersecurity standpoint.
First, global events concentrate economic activity. Fraudsters exploit urgency and excitement (fake ticket platforms, phishing emails and counterfeit hospitality packages) because people lower their guard when they fear missing out. That’s classic social engineering amplified by media attention.
Second, these events rely on interconnected digital systems: credentialing, logistics, scoring, broadcasting, access control, transportation, hotel networks and public Wi-Fi. Every vendor and subcontractor becomes part of the attack surface. Protecting the host committee is only one layer; supply chain security becomes just as critical. That’s why organizers must think in terms of both defense in depth and in breadth: layered protections within systems and coordinated security across every connected partner. It’s not enough to harden one network — resilience depends on visibility, segmentation, monitoring and rapid response across the entire ecosystem.
Third, high-profile events are symbolic targets. Nation-state actors or politically motivated groups may attempt disruption not for financial gain but for visibility or strategic messaging. Even limited disruption can create outsized reputational damage.
The broader lesson is this: Cybersecurity for large-scale events isn’t just about perimeter defense. It requires layered security, intelligence sharing between public and private sectors, incident response readiness, and rapid recovery planning. Because in an event measured in seconds, like an Olympic final or a shot on goal in the World Cup, even a short system outage becomes a global headline.
DL: What are the motives for bad actors who want to mess with a large event like the World Cup or the Olympics? Is it profit motives by criminal hackers? Political or ideological motives?
JM: There isn’t a single motive behind cyber activity targeting large global events like the World Cup or the Olympics. Different adversaries bring very different intentions.
For financially motivated criminals, these events represent concentrated opportunity. Millions of fans are searching for tickets, travel, merchandise and streaming access, often under time pressure. That creates ideal conditions for social engineering: fake ticket sites, phishing campaigns, credential harvesting and payment fraud. The objective is access to personally identifiable information, credit card data or system credentials that can be monetized or used for further exploitation.
But not all actors are chasing profit. Major sporting events are global stages. Hacktivist or ideologically driven groups may seek disruption or visibility rather than money. A denial-of-service attack, website defacement or even a short-lived service outage can generate international headlines and amplify a political message far beyond what the group could otherwise achieve.
Then there is the geopolitical dimension. State-linked actors may view these events as opportunities for intelligence collection, surveillance or influence. With heads of state, corporate executives and international delegations present, the objective may be long-term strategic advantage rather than immediate disruption. In those cases, the activity is often quiet and persistent, gaining footholds in devices, communications or networks to enable sustained access rather than dramatic impact.
What makes these events uniquely attractive is that they combine economic opportunity, political symbolism, global media attention, and complex digital infrastructure all at once. That amplifies both the incentive to act and the consequences of even a small intrusion.
DL: What are the best things to keep in mind when trying to safeguard an event like this, when there are so many vendors and customers and different groups involved? What are the big challenges?
JM: When protecting an event of this scale, the biggest challenge isn’t just technical security — it’s coordination. You’re dealing with thousands of vendors, contractors, sponsors, broadcasters, transportation systems, hotels and government partners. Each one brings its own systems, networks and risk profile. That dramatically expands the attack surface.
One of the most important principles is shared visibility. Security can’t stop at the host committee’s perimeter. Organizers need insight into third-party access, supply chain connections, remote logins and data flows across the entire ecosystem. If you don’t know who is connected and what they can access, you can’t defend it effectively.
Another critical element is segmentation and layered defense. Not every system should talk to every other system. Credentialing systems, scoring systems, broadcast infrastructure and payment platforms should be isolated where possible. That way, if one area is compromised, it doesn’t cascade across the entire environment.
But even with strong preventive controls, the assumption must be that something will go wrong. The real differentiator is incident response readiness — rapid detection, clear escalation paths, pre-established communication channels, and the ability to contain and recover quickly. In a live global event, resilience matters just as much as prevention.
The overarching challenge is complexity under time pressure. These events are temporary, high-visibility environments built on permanent infrastructure. There’s no room for extended downtime. Protecting them requires not just cybersecurity tools, but disciplined governance, coordinated planning and continuous monitoring across a very diverse group of stakeholders.
The key things to keep in mind are visibility, segmentation and response readiness. Organizers must understand exactly who is connected to the environment and what access they have. Systems should be segmented so that a compromise in one area doesn’t cascade into others. And perhaps most importantly, there must be a rehearsed incident response plan because prevention alone is not realistic at this scale.
Ultimately, safeguarding an event like this isn’t just about cybersecurity tools. It’s about disciplined governance, clear communication channels across stakeholders, real-time monitoring, and the ability to respond quickly and decisively when something goes wrong.
DL: What else should readers know about the security challenges facing big events like this, and what the risks are?
JM: One of the most important things for readers to understand is that risk at events of this scale can’t be eliminated — it can only be managed. The objective isn’t preventing every minor incident; it’s preventing small problems from cascading into catastrophic ones.
That requires an operational security mindset rather than a purely technical one. Redundancy matters more than perfection. Systems, communications and decision-making processes must assume failure and be designed to absorb it. Rapid detection and response, clear escalation paths, and accurate public messaging are often more important than any single defensive control.
Leadership under pressure is also critical and it is an often-underestimated factor. In a live global event, decisions are made while adrenaline is high and the world is watching. The ability to remain calm, communicate clearly and act decisively can determine whether an incident is contained or amplified. Athletes train relentlessly for high-pressure moments; the same expectation should apply to those responsible for managing large-scale events.
Finally, security isn’t just digital or physical; it’s behavioral. Protective intelligence includes understanding crowd dynamics and human behavior. Calm, visible control and clear authority often prevent incidents more effectively than force. When people sense competence and stability, risk decreases. When they sense confusion or panic, risk spreads.
DL: Any specific thoughts for state and local governments to consider?
JM: State and local governments preparing for the 2026 FIFA World Cup need to think beyond stadium security and treat the event as protection of an entire interconnected ecosystem. The World Cup will place enormous strain on transportation systems, public safety communications, hotels, utilities, healthcare systems, credentialing systems and local networks simultaneously. A disruption in any one of those areas can cascade quickly into broader operational and public safety problems.
A few key considerations stand out:
- Cyber and physical security convergence: Modern major events are no longer purely physical security operations. Police and emergency managers should expect cyber incidents that create physical-world consequences — such as disruptions to transportation, digital ticketing, credentialing, access control, traffic systems or emergency communications. Attackers increasingly target the “soft edges” of an event ecosystem rather than the venue itself.
- Protection of critical infrastructure outside the stadium: Airports, rail systems, traffic management centers, utilities, hotels and municipal networks may become more attractive targets than the match venues themselves. The goal for adversaries may simply be disruption, confusion or reputational damage rather than catastrophic destruction.
- Ransomware and disruptive attacks against municipalities: Local governments should assume heightened ransomware targeting before and during the tournament. Even a temporary outage involving dispatch systems, permitting systems, surveillance infrastructure or public-facing services could create operational strain during high-attendance periods.
- Supply chain and third-party vendor risk: Many systems supporting the World Cup will be operated by contractors, temporary vendors, sponsors, transportation partners or hospitality providers. Security planning needs to extend beyond government networks and include vendor access, credential management and incident reporting procedures.
- Disinformation and social media manipulation: Law enforcement agencies should prepare for online disinformation campaigns designed to spread panic, confusion or false reports regarding threats, crowd violence or infrastructure failures. Rapid information verification and coordinated public messaging will be critical.
- Drone and wireless threats: Unauthorized drone activity, rogue Wi-Fi access points, Bluetooth exploitation and wireless reconnaissance are increasingly realistic concerns at large international events. Agencies should anticipate attempts to map or exploit wireless environments around venues and transportation hubs.
- Cross-jurisdiction coordination: One of the biggest operational challenges will be coordination between federal, state, local, tribal and private-sector partners. The World Cup will require integrated intelligence sharing, unified communication protocols and clearly defined authority structures before incidents occur.
- Training frontline officers in digital awareness: Every officer does not need to be a cyber specialist, but frontline personnel should understand basic digital indicators: suspicious devices, credential misuse, unauthorized wireless equipment, QR-code scams or social engineering attempts targeting staff and visitors.
- Incident response and continuity planning: Agencies should not only focus on prevention. They must rehearse continuity operations: What happens if CAD systems go down? What if a transportation network is disrupted? What if credentialing systems fail on game day? Resilience and rapid recovery are just as important as deterrence.
One of the biggest lessons from modern mega-events is that success is often invisible. If planning works correctly, most people will never see the cyber operations, intelligence coordination, contingency planning or infrastructure protection efforts occurring behind the scenes.