Schneier on Security
A blog covering security and security technology.
« Microsoft Updates Both XP and Vista Without User Permission or Notification |
| European Parliament Moves to Undo Airplane Liquid Ban »
September 17, 2007
Formula One Racing Spying Scandal
Yet another sports spying scandal, this one from Formula One racing.
Posted on September 17, 2007 at 1:51 PM
• 32 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Yeah, but this one's a little more cut and dried than the US football scandal.
Seems the proverbial disgruntled employee (in this case, Nigel Stepney) decided to (allegedly) hand over 800+ pages of Ferrari drawings to an employee of McLaren International.
'But really what's the harm', said McLaren, 'we never actually USED any of the info.'
OK, so it turns out the employee was McLaren's chief designer, and that "excuse" pretty much fell on deaf ears at the World Motorsport Council hearing and McLaren got tagged with a 100 MILLION dollar fine.
McLaren was fined $100 million dollars, and this doesn't knock them out of business. Kind of puts the New England Patriots $500K spying penalty (and in fact the NFL in general) into perspective.
All the so-called "fines" to US teams have been nothing more than slaps in the wrist.
I follow Formua 1, and the most interesting thing to me about this story is how the actions of a few insiders have severely compromised McLaren's team goals.
Case in point is Fernando Alonso, who is arguably a guilty party, whos actions the team has lost the constructor's championship for, yet he personally has immunity, and is likely to win the driver's championship. Without his inside position as a team driver, he would have had no way to hurt the team in this fashion -- and by keeping his actions secret from Ron Dennis (the team principal), made him responsible for things he had no effective control over.
How does one manage that kind of risk? How does one connect the individual competition to the team competition?
McLaren was also stripped off their constructor's points, which means Ferrari is almost guaranteed to be this year's contructor's champion. This probably hurts McLaren a lot more than the monetary fine.
This is happening in nearly ever sport it seems. Just the other day the Chinese were accused of spying on the Danish womens soccer team at the World Cup being held in China. It will not be long before someone is caught spying on Tiger Woods to see how he reads a putt.
What next, Microsoft gets a $2 bln fine for spying on Apple?
I'm italian. I'm not so interested in formula 1, but the story, obviously, has great coverage in my country, and there is only one thing that makes me feel very angry: in this case a british team spied an italian team, and there are viewpoints much different from each other... but what if it was the opposite? I'm sure the entire world would have fingered us and told "here is the usual italian style".
Tutto il mondo è paese...
@dave young: /me imagines the Chinese being sprung with 800 pages of detailed design drawings of Danish females ...
It's not quite as simple as it seems on the surface. The degree of punishment likely has a great deal to do with the fact that at the original hearing in front of the WMSC in July, MacLaren convinced the hearing that the info leak was a one time instance and that MacLaren had not benefitted from it.
The emails from the drivers and Coughlin that was presented at the September hearing shows conclusively that it was not a one time thing and that the information was used on a number of different occasions.
Judges tend to get unhappy when witnesses, errm, "fib" to them.
Don't forget that a number of McLaren folks (as well as Stepney) are now under criminal investigation in Italy because of this situation. If Italian authorities proceed at their historically slow pace on F1 criminal investigations, then for the next few years, whenever McLaren personnel step foot in Italy, they will always have to be concerned that they may be arrested.
And although the WMSC gave Alonso and Pedro immunity in exchange for them producing their tell-tale emails, I did not hear anything that the Italian authorities had given them immunity from criminal prosecution.
What Ferrari, McLaren and us (Information Security Professionals) can learn from this spying story?
Here are some thoughts:
1) Ferrari: evaluate the business impact of someone stealing you secrets and adopt necessary countermeasures (keep better track of the information, how and where can be used and who is using)
2) McLaren: evaluate both the tangible (loss of 100 ML, loss of constructor championship points) and the intangible (business impact to the brand reputation) and factor these in managing your risks such as do not take them if are not necessary (such as letting your chief designer, pursuit competitive information illegally) Adopt the necessary countermeasures (monitor internal team email communication, require encryption of confidential data).
3) information security professionals: secure the information assets, identify the possible threats to the information assets, evaluate the risks based upon business impact and technical impact, devise adequate countermeasures and commit to a risk mitigation strategy that will keep your company business competive without taking unnecessary risks.
I am still trying to figure out what corporate McLaren did wrong. Their internal security had a small loophole that a couple of dishonest employees (along with at least one at Ferrari) managed to exploit for their personal purposes.
But what did the company do wrong to justify the largest fine in the history of sports?
Governments, financial institutions, most especially Hedge funds and their ilk, now many of the most "prestigious" sports. Do you begin to see a pattern? Might there not be something just a little deeper going on?
I just think it's a shame Ferrari gets charged 100 million. Their driver, Alonso, should be fired.
Corporate McClaren is responsible for the actions of its employees. If the employees break the FIA rules then McClaren get fined - that's the same in many walks of life.
Apparently the FIA could have taken away Alonso and Hamilton's driver points as well. They didn't because it's the closest championship for years and they wanted to keep the title race going until the end of the season.
I find it hard to get worked up about this. It may be an infraction of the rules but I can't really see anything immoral in trying to steal secrets from a rival sports team. It's really just a kind of gamesmanship and the only sin is getting caught.
The only security lesson I can see is the obvious one - that once again the biggest risk is from untrustworthy insiders.
The interesting thing about the formula one "judicative" is that they can practically decide as they please. They do not only rule in the interest of "justice", but rather primarily in the interest of the formula one as a whole.
If competition for the drivers' championship wasn't so close, they could easily have removed the drivers' points as well.
They also could have opted for a purely financial punishment, or exclude the team from one or more grand prix, or just remove a few points, or whatever.
The comments over at The Register were interesting. Various commenters there say that what the stolen information was used for was proving that Ferrari's design broke the Formula 1 rules. (I think they got a slap on the wrist for it, in the end.)
As one of the top-people in the F1 org. said: $100M is less than the difference in budget for the two teams. Even though you can buy the 'poorest' team for that money, it is not that high a fine for McLaren.
The reason it is a big deal (within F1), is that in F1 your must design your own car, and may not use one-anothers design. So, you may not have drawings of the internal parts of the engine of another team.
I'm a big F1 fan and a McLaren supporter. (The founder, Bruce McLaren was a NZ, but is a UK team now). $100M is peanuts for the big teams. When it was Williams BMW a year or two back, the R&D budget for BMW was ~Billions. The big teams have budgets that resemble space programs. The real achievement is the small teams keeping up at all.
But no points for the championship. Ouch. "You can play but you can't win". Thats punishment.
I never supported Fernando Alonso, as some of the team (Renault) feelings for him with his first world relationships was more indicative of his "team" spirit. So the fact he is not punished is a problem. But then again. I wonder how well he will get supported for the rest of the season.
Whoever thinks that Ron Dennis, or Mclaren in general, did not know about what was going on is extremely naive. They started by saying nothing was going on, then slowly caving in bit by bit, only as much as was being proven by FIA. FIA probably has proof of further involvement, which they are witholding for a possible appeal. That Mclaren will actually not appeal really supports this - they know they are getting off less harmed than they deserved.
But to blame Alonso that he was particularly the bad guy is stupid. Ron knew, and most likely Hamilton knew too. The whole team was involved period.
Keep in mind the loss of constructors points also puts them in the small garage at the end of the pits with the lesser teams next year and costs them a ton of money in travel expenses. There are a lot of things that go a long with the amount of constructors points you have. 100 million seems pretty steep to me as a fine but Mclaren has been a disgrace of a team this year. In large part due to Alonso's bratty behavior in my opinion. Either way if your operating budget is between 300 and 400 million a year what kind of fine would you dole out in order to hurt them. Needless to say, it doesn't matter if Ron Dennis was involved, if they used the information or any of that. They were in possession of the document and that is crossing the line. Lastley consider the punishment could have been worse. They could have been banned for a few years or been stripped of constructors points hopes for more than just this season.
@dave young: Given the chance, who WOULDN'T spy on the Danish women's soccer team? ;->
@ Alan Braggins
Hehehe. Nice :)
So ... $100M ... where does that money go to, exactly?
Jon Sowden. Fines in general go to the authority itself and are used for funding especially, as I understand it, the developmental side of the different types of motorsport they are responsible for.
Yea because you have all the evidence right. You know exactly what happened.
I base what i said on the information released. Oh and some information is not released. Anyway, lets just see how fast pit stops are for Alonso? Right or wrong, shall we.
Oh and cry me a river for Alonso, how much does he get paid?
My personal belief is that they got caught. This much money on the line, do you really think the other teams aren't doing the same?
Why are you people pointing fingers at Alonso and De la Rosa? Drivers change teams every so often to whoever pays more money. They couldn't care less about a car's improvement for the long run when they'll probably switch to another team by next year.
It's the McLaren owners and technical team, lead by Mike Coughlan, who are guilty of this entire spy scheme. They're *the* interested party who has a lot to gain from spying on Ferrari.
Drivers also want to win. In fact if your not somewhat obsessed with winning, your probably not in F1. They do take a pay cuts if that means they have a better chance of winning.
Yes of course drivers want to win, but that wasn't the point I was trying to make. It was M. Coughlan from the McLaren technical team who did the spying and confidential information stealing... and there's plenty of proof available for that.
What exactly are the drivers accused of and where's the evidence that proves it?
It seems to me there's a lot of finger-pointing going on that has nothing to do with hard facts of the case itself but rather with personal preferences of one driver over another.
Re: Italian judicial punishment
That would just mean Ferrari just picked up the option to hire a 2-time World Champ on the cheap. It's obvious that Alonso isn't interested in staying on at McLaren. Driving for Ferrari and performing as expected is all the immunity from prosecution he needs. The tifosi would hang any judge that let anything interfere with another World Championship for Ferrari. :) It is interesting that they are holding out on punishment for next year until they see the design in Dec.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.