Generative AI-enabled phishing attacks and deepfake videos are among the many threats that Tomás Maldonado will be keeping a wary eye on as the Kansas City Chiefs and the Detroit Lions kick off the 2023 National Football League season today.
As the NFL’s chief information security officer, Maldonado is responsible for securing the league’s data, systems, and networks against a wide and growing range of threats. This includes guarding potential new attack surfaces caused by the growing digitization of many parts of the NFL operation in recent years — including ticketing and gate access systems and the various points of service for fans inside and outside of NFL stadiums.
It’s a task that keeps Maldonado’s team on its toes, especially during major events like the Super Bowl and the draft, when even a single security fumble could have significant repercussions for the brand, the event, and fans. The last thing they want is for a cyberattack to disrupt operations, as a ransomware attack did to the San Francisco 49ers on Super Bowl Sunday in 2022 and as North Korea’s Olympic Destroyer group did to systems supporting the Winter Olympics in Pyeongchang.
“At the end of the day, we want to ensure that people are able to enter our facilities, have a great experience [with what’s] happening on the field, and then leave that facility without having had any sort of security incidents impact them,” Maldonado says. Since Maldonado took over as CISO during the 2019 season, his team has maintained an incident-free record on the cybersecurity front; his goal is to remain undefeated this year as well.
Deepfakes of NFL Personalities
In preparing for the season, one area that emerged as a concern is attacks enabled by the growing availability of generative AI tools ever since ChatGPT burst onto the scene in November 2022. The NFL, as an entity that manages one of the most popular professional sports in the US, is a particularly target-rich environment for attackers.
The NFL roster is filled with popular, valuable, and widely followed players. Millions of people watch its games weekly in stadiums and via TV. Potential attack points include systems that house player data, fan data, credit card information, player health information, stadium access control systems, and the networks that power the entire infrastructure. Generative AI tools have added to the challenge.
Already there are examples of deepfakes of political personalities, Maldonado notes. “My worry is that this will spread into the sports and entertainment business, where there will be videos and audios put out for some of our key public figures,” he says. “There’s not a lot of validation of things that go viral.”
Credential theft and other attacks stemming from AI-enabled phishing are another big concern. Generative AI tools allow threat actors to craft phishing emails that are a lot more convincing than the grammatically error-laden missives of the past. So, awareness training for players, coaches, and staff — around matters such as the need to protect identity information and social media accounts with two-factor authentication — has been an important component of security preparations for the 2023 season.
“We work as hard as we can to not have something impact us adversely,” Maldonado says. “The threats are changing. They are adapting, and it’s not only year over year. When we put on big events, it’s day by day, minute by minute, where we are seeing the evolution of adversaries.”
A Team Effort
This year, as in previous years, Maldonado’s security group worked with counterparts at each of the NFL’s 32 teams to grow and mature their security programs.
The focus is on ensuring the teams are paying adequate attention to 10 areas that the league has identified as requiring high-priority focus for security. The priority focus areas include training and awareness programs for all stakeholders, network security, identity and access controls, detection and response, and cyber insurance. The NFL’s security group performs risk assessments for the clubs, so they know where they are from a maturity standpoint. They are also audited against the NFL’s 10-point security framework, so club ownership has visibility into how the team is faring, Maldonado says.
“The clubs compete on the field because it is the nature of the business,” he notes. “But when it comes to cybersecurity, we’re all in this together. It’s a team effort.”
Cisco, backed by its Talos threat intelligence service, has played an important role in helping the NFL secure its infrastructure for the past few years. As an official technology partner of the NFL, Cisco started off supporting the NFL’s digital backbone but has become more involved in delivering security services as well.
Tom Gillis, senior vice president and general manager of Cisco’s security business group, views the mission as not very different from what any enterprise organization must deal with these days.
Securing the NFL network and business means protecting against those seeking to disrupt and damage operations.
“There’s going to be folks looking to just hit hard and to punch directly, square into the face,” he says.
And then there’s protecting against bad guys sneaking into the network via social engineering scams, especially those powered by AI tools. “Being able to pick this stuff up in the network and stop the attackers from getting in and doing what they are going to do,” Gillis says of Cisco’s role.
Risk-Based Approach
For IT leaders at NFL teams, such as Brandon Covert of the Cleveland Browns, the NFL’s security framework provides a reliable foundation for implementing controls to address various threats. In Covert’s case, the mission involves everything from protecting player health data, players’ personal information, and fan data to securing building automation systems and ensuring physical security for fans in a stadium where everything has become digitized.
A new component of the security challenge is the need to protect biometric data associated with a facial authentication-based, express-access option for entry to the Cleveland Browns Stadium.
User training and awareness programs were a big component of the preparation for the new season, says Covert, who is the Browns’ vice president of information technology. Business email compromise attacks were an especially big focus area for every employee and staff member who works on the Browns’ equipment, he says.
As part of an ongoing effort to take a more risk-based approach to cybersecurity, the Browns recently signed up with Binary Defense, a managed detection and response service provider. Among the several things Covert expects Binary Defense to help with is enabling a better security posture for the team.
As an example, he points to Binary Defense keeping an eye on Dark Web chatter for mentions of specific higher-risk-profile individuals on the Browns team and staff. “Binary Defense is going to be proactively monitoring threats and will let us know if there is anything of concern, whether that should be cyber or physical,” to individuals in the organization, he says.