NFL Security Chief: Generative AI Threats a Concern as New Season Kicks Off - Dark Reading

2023-09-07 14:27 (EST) - Contributing Writer

Generative AI-enabled phishing attacks and deepfake videos are among the many threats that Tomás Maldonado will be keeping a wary eye on as the Kansas City Chiefs and the Detroit Lions kick off the 2023 National Football League season today.

As the NFL's chief information security officer, Maldonado is responsible for securing the league's data, systems, and networks against a wide and growing range of threats. This includes guarding potential new attack surfaces caused by the growing digitization of many parts of the NFL operation in recent years — including ticketing and gate access systems and the various points of service for fans inside and outside of NFL stadiums.

It's a task that keeps Maldonado's team on its toes, especially during major events like the Super Bowl and the draft, when even a single security fumble could have significant repercussions for the brand, the event, and fans. The last thing they want is for a cyberattack to disrupt operations like a ransomware attack did to the San Francisco 49ers on Super Bowl Sunday in 2022 and North Korea's Olympic Destroyer group did to systems supporting the Winter Olympics in Pyeongchang.

"At the end of the day, we want to ensure that people are able to enter our facilities, have a great experience [with what's] happening on the field, and then leave that facility without having had any sort of security incidents impact them," Maldonado says. Since taking over as CISO during the 2019 season, Maldonado's team has maintained an incident-free record on the cybersecurity front; Maldonado's goal is to remain undefeated this year as well.

Deepfakes of NFL Personalities

In preparing for the season, one area that emerged as a concern is attacks enabled by the growing availability of generative AI tools ever since ChatGPT burst onto the scene in November 2022. The NFL, as an entity that manages one of the most popular professional sports in the US, is a particularly target-rich environment for attackers.

The NFL roster is filled with popular, valuable, and widely followed players. Millions of people watch its games weekly in stadiums and via TV. Potential attack points include systems that house player data, fan data, credit card information, player health information, stadium access control systems, and the networks that power the entire infrastructure. Generative AI tools have added to the challenge.

Already there are examples of deepfakes of political personalities, Maldonado notes. "My worry is that this will spread into the sports and entertainment business, where there will be videos and audios put out for some of our key public figures," he says. "There's not a lot of validation of things that go viral."

Credential theft and other attacks stemming from AI-enabled phishing are another big concern. Generative AI tools allow threat actors to craft phishing emails that are a lot more convincing than the grammatically error-laden missives of the past. So, awareness training for players, coaches, and staff — around matters such as the need to protect identity information and social media accounts with two-factor authentication — has been an important component of security preparations for the 2023 season.

"We work as hard as we can to not have something impact us adversely," Maldonado says. "The threats are changing. They are adapting, and it's not only year over year. When we put on big events, it's day by day, minute by minute, where we are seeing the evolution of adversaries."

A Team Effort

This year, as in previous years, Maldonado's security group worked with counterparts at each of the NFL's 32 teams to grow and mature their security programs.

The focus is on ensuring the teams are paying adequate attention to 10 areas that the league has identified as requiring high-priority focus for security. The priority focus areas include training and awareness programs for all stakeholders, network security, identity and access controls, detection and response, and cyber insurance. The NFL's security group performs risk assessments for the clubs, so they know where they are from a maturity standpoint. They are also audited against the NFL's 10-point security framework, so club ownership has visibility into how the team is faring, Maldonado says.

"The clubs compete on the field because it is the nature of the business," he notes. "But when it comes to cybersecurity, we're all in this together. It's a team effort."

Cisco, backed by its Talos threat intelligence service, has played an important role in helping the NFL secure its infrastructure for the past few years. As an official technology partner of the NFL, Cisco started off supporting the NFL's digital backbone but has become more involved in delivering security services as well.

Tom Gillis, senior vice president and general manager of Cisco's security business group, views the mission as not very different from what any enterprise organization must deal with these days.

Securing the NFL network and business means protecting against those seeking to disrupt and damage operations.

"There's going to be folks looking to just hit hard and to punch directly, square into the face," he says.

And then there's protecting against bad guys sneaking into the network via social engineering scams, especially those powered by AI tools. "Being able to pick this stuff up in the network and stop the attackers from getting in and doing what they are going to do," Gillis says of Cisco's role.

Risk-Based Approach

For IT leaders at NFL teams, such as Brandon Covert of the Cleveland Browns, the NFL's security framework provides a reliable foundation for implementing controls to address various threats. In Covert's case, the mission involves protecting everything from player health data and their personal information and fan data, to securing building automation systems and ensuring physical security for fans in a stadium where everything has become digitized.

A new component to the security challenge is the need to protect biometric data associated with a facial authentication-based, express-access option for entry to the Cleveland Browns Stadium.

User training and awareness programs were a big component of the preparation for the new season, says Covert, who is the Browns' vice president of information technology. Business email compromise attacks were an especially big focus area for every employee and staff member that works on the Browns' equipment, he says.

As part of an ongoing effort to take a more risk-based approach to cybersecurity, the Browns recently signed up with Binary Defense, a managed detection and response service provider. Among the several things Covert expects Binary Defense to help with is enabling a better security posture for the team.

As an example, he points to Binary Defense keeping an eye on Dark Web chatter for mention of specific higher-risk profile individuals on the Browns team and staff. "Binary Defense is going to be proactively monitoring threats and will let us know if there's anything of concern, whether that should be cyber or physical," to individuals in the organization, he says.
