Securing the Games: Cybersecurity and Cyberdiplomacy Ahead of Glasgow 2026
As the Commonwealth Games return to a compact, budget-conscious Glasgow this July, digital defense has become as critical — and as diplomatically complicated — as physical security
When Glasgow 2026 opens on 23 July, it will do so as a leaner, lower-cost version of the Commonwealth Games: ten sports, four venues clustered within an eight-mile radius, no athletes' village, and a budget shaped by Glasgow stepping in as a late replacement host after Victoria, Australia withdrew. That compactness may simplify physical security, but it does little to shrink the event's digital attack surface — ticketing systems, broadcast infrastructure, venue operations technology, athlete and spectator data, and the reputations of 74 competing nations all remain exposed, and increasingly to adversaries far more sophisticated than the average sports fan realizes.
Who Is Actually Responsible
Securing a Commonwealth Games is never the job of one organization — it's a layered division of labor that mirrors how physical security works, with a cyber overlay bolted on top.
- Police Scotland holds ultimate responsibility for the overall security risk, as the host nation's police force does for any UK-based Games — a role that, as seen in past events like Birmingham 2022, typically falls to the local chief constable.
- The National Cyber Security Centre (NCSC), part of GCHQ, is the UK's lead technical authority on cyber defense and threat intelligence, and has an outsized role this cycle: it hosted its flagship CYBERUK conference in Glasgow in April 2026, months ahead of the Games, bringing government, industry, and international partners into the same city where the Games venues now stand.
- Commonwealth Games Scotland and Commonwealth Sport (the event organizers) carry operational responsibility for venue technology, ticketing platforms, and accreditation systems — the systems most directly exposed to spectators and most attractive to fraud.
- Private technology and security vendors — as at previous Games, likely including network, SIEM, and cloud security partners — handle the day-to-day monitoring of Games IT infrastructure, much as Cisco and Symantec did for the Gold Coast 2018 Games, where nearly 400 million DNS requests were logged and roughly 176,000 pieces of malware were blocked over two weeks.
- National governments of competing Commonwealth nations bear responsibility for their own athletes' devices, federations' systems, and increasingly, for briefing delegations on phishing and social engineering risks while abroad.
That last point is where cybersecurity shades into cyberdiplomacy: a Games spanning 74 nations and territories with wildly different levels of digital maturity means the host cannot simply secure its own systems — it has to coordinate threat information, incident response protocols, and baseline expectations across dozens of governments and sporting federations that don't otherwise work together on cyber issues.
The Issues at Stake
Nation-state interest, not just cybercrime. NCSC chief executive Richard Horne told CYBERUK 2026 delegates that the majority of nationally significant cyber incidents the UK now handles trace back to hostile foreign governments rather than criminal groups, with China described as a "peer competitor in cyberspace" alongside continued threats from Russia, Iran, and North Korea. A high-visibility, globally broadcast event like the Commonwealth Games is exactly the kind of target that offers those actors disruption value, intelligence-gathering opportunities, or a platform for hybrid, propaganda-oriented attacks — even if the Games themselves aren't a geopolitical flashpoint the way an Olympics or World Cup might be.
Ticketing fraud and fake platforms. Major events reliably attract phishing campaigns and fraudulent apps targeting visitors — a pattern seen clearly around the Qatar World Cup, where fake ticketing and travel apps were used to harvest spectator data and payment details. With Glasgow 2026 selling tickets digitally across a global fanbase, the ticketing and accreditation systems are a prime target for exactly this kind of fraud.
AI-enabled security tools cut both ways. Organizers are turning to AI for crowd monitoring, threat detection, and identifying anomalous network activity — tools that can flag an unauthorized attempt to access a ticketing database in real time. But the same NCSC leadership warning about AI-accelerated threat discovery for defenders applies to attackers too: AI is lowering the skill bar for convincing phishing, deepfake-driven disinformation, and automated probing of event infrastructure.
Budget and resourcing strain. Glasgow 2026's scaled-down model exists precisely because of funding constraints, and UK policing more broadly is under acknowledged financial pressure — the Metropolitan Police alone has flagged a substantial budget gap. A leaner Games means a leaner security budget, and cybersecurity, which competes with physical security for the same resources, is rarely the line item that gets protected first when costs are cut.
Coordination across a genuinely global, uneven coalition. Unlike a bilateral or trilateral security arrangement, the Commonwealth spans nations with very different levels of cyber maturity, regulatory capacity, and institutional trust in intelligence-sharing. That makes cyberdiplomacy around the Games less about formal treaties and more about practical coordination: shared threat advisories, incident reporting channels, and briefings for visiting delegations.
What Preparation Has Looked Like This Year
The clearest signal of the UK's cyber posture ahead of the Games came months early. CYBERUK 2026, the NCSC's flagship cybersecurity conference, was deliberately staged in Glasgow on 21–23 April — in the same venues and city that would host the Games three months later — drawing more than 2,500 delegates from government, industry, and academia, including representatives from Google Cloud, Anthropic, and PQ Shield. Alongside the conference, the UK government announced a £90 million funding package to strengthen national cyber defenses and unveiled a new Cyber Resilience Pledge, asking major organizations to commit to treating cybersecurity as a board-level responsibility.
While that announcement was framed around national resilience broadly rather than the Games specifically, the timing and location read as a deliberate show of capability and coordination ahead of an international event that would put Glasgow's digital infrastructure under sustained public scrutiny. It also gave organizers a working precedent: many of the same venues, networks, and local security stakeholders had just run a large-scale, high-profile event before the Games itself began.
Beyond that, preparation has followed the now-standard major-event playbook: venue-level risk assessments, AI-assisted monitoring of ticketing and accreditation systems, and reliance on private-sector security partners to operate security operations centers alongside police and NCSC oversight — the same model used successfully at the Gold Coast 2018 and Birmingham 2022 Games, where cross-agency SOCs proved effective at catching threats no single organization would have spotted alone.
The Diplomatic Undercurrent
What makes Commonwealth Games cybersecurity a cyberdiplomacy story rather than a pure IT-security one is the coalition it has to serve. A host nation securing its own networks is a technical problem. Securing an event that 74 governments, thousands of athletes, and millions of global spectators are relying on — with no unified Commonwealth cyber authority and no binding information-sharing treaty comparable to what NATO or the EU maintains — is a coordination problem. It depends on informal trust, bilateral relationships the UK already has with key Commonwealth partners like Australia, Canada, and India, and the host's willingness to share threat intelligence generously rather than defensively.
Glasgow 2026 will likely not generate the geopolitical drama of an Olympics hosted by a state actively targeted by rival powers. But as a mid-sized, budget-constrained Games run by a country that just spent April showcasing its cyber capability to the world, it's a useful test case for whether resilience investment translates into operational reality — and whether "the Commonwealth" functions as anything more than a ceremonial banner when it comes to actually defending a shared event.
Based on reporting from the NCSC, The Record, The Register, the Law Society of Scotland, IFSEC Insider, Professional Security Magazine, and iTnews, current as of early July 2026.
Member discussion