Click here to read our latest report “30 Years of Trends in Terrorist and Extremist Games”

Objective ‘Golden’ Security: What can be Learned From Paris 2024

Objective ‘Golden’ Security: What can be Learned From Paris 2024
10th October 2024 Paola Testa
In Insights

Introduction

26 July – 11 August 2024. Paris, France, was in the spotlight: swarms of local and international visitors, competing athletes, and the press were drawn to the host city of the 2024 Summer Olympic Games. But they were not the only ones looking. 

This Insight examines the terrorism and cybersecurity threat landscape faced by police and military personnel deployed at Paris 2024, as well as national prevention strategies employed by the French. The main objective is to analyse the outstanding level of security maintained during the 2024 Paris Olympic Games and present this achievement as a case study for governments, law enforcement, and tech companies to draw upon on the occasion of a future large-scale event.

Understanding the French Terrorism Landscape

According to the International Centre for Countering Terrorism (ICCT), the Combating Terrorism Center at West Point (CTC), and Foreign Affairs, the starkest terrorism threats to Paris 2024 stemmed from Jihadism, specifically from the Islamic State (IS) and al-Qaeda. On 22 March 2024, only four months before the Olympic Games, the IS-KP-claimed Crocus City Hall attack in Moscow sent European authorities into a panic. The ‘After Moscow, who is next?’ image (Fig. 1), shared by Al Battar, a pro-IS media outlet, indicated London, Madrid, Paris, and Rome as potential targets for a new terrorist plot. Until then, French security services had mainly focused on the threat historically posed by actors from the MENA region. Now, Central Asia – and precisely Afghanistan, Pakistan, and Tajikistan, where IS-KP is most active – also had to be taken into account. 

Fig. 1: ‘After Moscow, who is next?’ – Al Battar, pro-IS media outlet (translated from Arabic)

As noted by EUROPOL’s ‘EU Terrorism Situation & Trend Report (TE-SAT) 2023’, prior to the 7/10 attack on Israel and the subsequent war in Gaza, Jihadist plots in Europe had been on the decline thanks to the increase of preventive arrests based on suspicion of terrorism. From 2020 onwards, Islamist attacks have chiefly been carried out by lone offenders or remote-led cells equipped with cold weapons such as knives. The threat does not exclusively stem from foreign fighters, (such as those coming back from Syrian training camps) but increasingly from homegrown radicalised individuals. IS-KP operates through cyber-coaching, end-to-end encrypted (E2EE) apps, and social media propaganda to garner more recruits from abroad. This was the expected Islamist modus operandi for Paris 2024, too.

Fig. 2: Terrorist attacks (completed, failed, foiled) and arrests on suspicion of terrorism in the EU, 2020 – 2022 (TE-SAT 2023, EUROPOL)

Alongside Jihadist terrorism, right-wing and left-wing extremism were considered to a lesser extent (Fig. 2). Far-right and far-left affiliates were expected to act as ‘lone wolves’ or through violent protests and rallies, with cold weapons, or disseminating disinformation online.

Cybersecurity Concerns 

As many as 3.5 billion cyberattacks were expected at Paris 2024, almost eight times the 450 million faced at the 2020 Tokyo Olympic Games. According to the latest International Data Corporation (IDC) report, cyberattacks could manifest as ransomware, denial-of-service (DoS), phishing threats, social engineering, data exfiltration, and attempts at exploiting application and service vulnerabilities. Officials were monitoring potential threats by cybercriminals, hacktivists, and even state actors (mainly Russia, Belarus, and North Korea), with the aim of stealing data or spreading fake news and disinformation. Suspects had also been cast on Iran and China, even though their athletes were to partake in the Games. For financial and political reasons, the main targets monitored as high-risk were Olympic infrastructure (operations services and Games professionals and athletes’ personal data) and IT systems (ticketing, press rooms, and stadiums), financial, fixed and mobile networks, transportation services and companies, and hotels.

Why Target Paris 2024?

According to the United Nations Office of Counter Terrorism (UNOCT), soft targets are broadly defined as relatively unprotected physical places, easily accessible to the public, such as stadiums, railways, shopping malls, or open-air areas. On the other hand, hard targets are subject to constant and strict security measures. This is the case of embassies, police stations, and military bases. Because of dense crowds, high-profile figures attending, and the difficulty of properly enforcing large-scale security measures, the al-Qaeda magazine Inspire has infamously deemed sporting events as “very easy” targets. But as more funds are being allocated for security on the ground and in cyberspace, terrorist attacks at sporting events have been on the decline

French Strategies to Counter Terrorism and Cybercrime

Fig. 3: The official map of this year’s Olympic competition venues, published on the website of Paris 2024

Throughout the span of two weeks, more than 9.5 million tickets to Paris 2024 sporting events were sold, shattering attendance records. Ensuring the safety of spectators was no minuscule task. According to Reuters, approximately forty-five thousand police, twenty thousand private security, and fifteen thousand military personnel were deployed each day. Two thousand foreign police staff served alongside them, with EUROPOL and INTERPOL on the front lines. Their efforts, combined with Wintics’ Cityvision AI surveillance camera software, permanently deployed in Paris since 2020, ensured mobility flow management, potential risk zone detection, and the ability to filter data from every corner of the city and from public transportation through relevant criteria. One of the accomplishments of policymakers and the security workforce in Paris 2024 was the ability to render not only the sporting venues (Fig. 3), but the whole city much less vulnerable to terrorist or violent extremist plots.

Fig. 4: The three security levels established for ‘Plan Vigipirate’ (Ministère du Travail, de la Santé et des Solidarités)

For instance, the French security agency Direction Générale de la Sécurité Intérieure (DGSI), the General Directorate for Internal Security, identifies ‘Plan Vigipirate’ as an essential asset to the daily security of France. Developed after the 2015 Bataclan and Charlie Hebdo attacks, the plan consists of three security levels (Fig. 4): 

  • Vigilance law, which entails a permanent daily security stand through the implementation of over one hundred active security measures;      
  • Reinforced security law – risk of terrorist attack, to prepare the state’s response to a very likely terrorist threat through the enforcement of additional case-by-case security measures; 
  • Emergency law – terrorist attack, which is executed either right after a terrorist attack or if a terrorist group has gone into action but has not yet been located. This last security level enables the immediate deployment of staff and resources and is only implemented for a limited amount of time until the situation is under control again. 

The French government developed similar plans after 2015 under the name ‘Pirate’. Today, they are enforced immediately after an attack is carried out. For example, ‘Piranet’ is specifically enforced to combat cyberattacks in information networks. During this year’s Olympic Games, IT agencies such as CISCO, ANSSI, and ATOS cooperated with police forces to attain the highest level of cybersecurity.

Generally speaking, two other fundamental elements that ensure success against terrorism or more broadly, against the most serious offences committed in France are found within the national judicial system: the Fiche-S and the juge d’instruction. The Fiche-S, or S-List, is one of the eighteen categories within the Fichier des personnes recherchées (FPR), the File of Wanted People. Its scope is to identify individuals who may pose a serious threat to the French state or to public order, such as terrorist suspects. CTC argues that half of the thirty thousand persons included in the list in 2018 were considered radical Islamists. In any case, the S-List allows French authorities to be aware of potential threats well before an attack occurs. Secondly, the juge d’instruction, or investigating magistrate, is unique to the French judicial system. Such magistrates are in charge of investigating crimes committed with the goal of disrupting public order ‘by intimidation or terror’. They act as a cross between a prosecutor and an actual judge. Many of them have gone on to specialise in terrorism cases.

Recommendations 

In preparation for a large-scale event, policymakers may first wish to define location vulnerabilities and both physical and cyber threats. Drawing on recent successful case studies, such as Paris 2024, may also prove fruitful when developing specific terrorism prevention and cybersecurity strategies. UNOCT good practices guide, ‘Protecting vulnerable targets from terrorist attacks’, can help policymakers define soft targets and critical infrastructures, if any, and develop a robust communications system that involves collaboration with governmental and non-governmental actors (such as law enforcement, first responders, intelligence agencies, site operators, civil society organisations, other private sector entities, and even users of vulnerable sites) in the planning and implementation process, both in the prevention phase and in case any attack occurs. ICCT’s ‘Handbook of Terrorism Prevention and Preparedness’ outlines thirteen layers of preventive measures (LPMs) for soft target protection. It is not a matter of paying the ‘terrorism tax’: rather, governments should make sure to normalise outlining security strategies while educating the general public and tackling radicalisation, as France does through the Prévénir pour Protéger(Prevent to Protect) plan.

Security in the cyberspace is just as crucial to achieve. Policymakers, law enforcement, and tech companies involved in the decision-making process may wish to refer to INTERPOL’s ‘National Cybercrime Strategy Guidebook’. They must first identify cyber threats and then set their own focus areas, strategic objectives, and action items. Once the policy is implemented, it is just as necessary to continuously monitor and evaluate strategy results and work on eventual adjustments and innovations in consideration of today’s fast-evolving cybercrime landscape. As our security ends up progressively relying on AI software and automated systems, tech companies must also ensure that their products comply with the ‘General Data Protection Regulation’ (GDPR) and, if in Europe, with the recently passed ‘EU AI Act’ and its definition of non-high-risk use. 

Before the Paris 2024 Olympic Games officially opened, civil society organisations all over Europe had signed a public letter expressing their concerns that algorithm-driven video surveillance would violate international human rights law and threaten the right to privacy and data protection, potentially leading to biometric mass surveillance and setting a precedent for other European countries. Governments and involved tech companies must not disregard their ethical obligation to investigate possible violations in their software and offer solutions to ensure that human rights are always upheld and safeguarded.

Paola Testa is a Junior Analyst at Istituto Analisi Relazioni Internazionali (IARI) and a GYL and Y7 Observer (G7 Italy 2024) for Young Ambassadors Society (YAS). She specialises in MENA, with a strong focus on defence and security, humanitarian issues, women’s rights, equality and inclusion. An advocate for the diverse, she has represented the voices of all kinds of people in fiction, on social media, and through geopolitical analysis. X: @pao_la003 LinkedIn: Paola Testa