It’s Not All Fun and Games: Cyber Threats to Professional Sports

It’s Not All Fun and Games: Cyber Threats to Professional Sports

Show Video

- And now I'd like to introduce Joseph Szczerba, he's gonna be moderating a panel on, "It's Not All Fun and Games: Cyber Threats to Professional Sports." - Thank you very much. Is that a good mic? - Here. - Perfect. Hello, RSA. It's great to be with you, I'm Joe Szczerba, I'm a Section Chief in FBI Cyber Division.

We're thrilled that you chose to join us on the field. Okay. (attendants laughing) Especially when country music superstar, Chris Stapleton, is just across the way at this very time with other FBI people, so we really appreciate everyone coming here for this event.

- We're not supposed to advertise the other tribe. - I know, it was a solid panel. I mean, I don't know.

Much like sports, the cyber threat landscape is competitive, ever-changing, and saturated with individuals who are the best at what they do. I'm joined today by three colleagues from some places you might have heard of before, with a lot to say on this topic. So please join me in welcoming our guests. First, on the far side, Steve Grossman, he's a senior vice president and CSO for the National Basketball Association, responsible for all global cybersecurity, spanning fan-facing, partner, broadcast, events, regional office, and corporate systems that support the NBA and its affiliated league, staffs, and teams.

In the middle, I have Tomas Maldonado, he's a CSO at the NFL, he's globally responsible for leading the information security program for the league and all of its entities. Tomas has over 23 years of experience in this area, having led global information security teams and programs across several large international financial and manufacturing organizations. Tomas also just flew in from Kansas City, they have a little event going on out there, I forget what it was. (Tomas chuckling) And then Dave, directly to my right, Dave Monroe, the CSO for the National Hockey League, the NHL, 28 years of experience in internet and information security industries, he started his technology career in 1994 by founding one of the first commercial internet service providers, and has participated in the exponential growth of the internet while responding to many of the nascent internet-based info security threats. All the individuals up here are extremely busy, we have playoffs for two, and the NFL draft for the other. So, from the bureau, and from RSA, extremely lucky, and happy to have you guys here and giving up some of your time during these busy times.

Let's just kick it off. Opening remark, probably a question on a lot of people's minds, what's it like to walk a mile in your shoes? Can you describe a day in the life of your professional organization as a CSO, and how it differs from your experience previously in other sectors? Specifically, how much of an overlap between cyber and physical security do you experience? And I'll start off with Tomas. - Sure. Well, thank you again. As Joe mentioned, thank you, everybody, for showing up and listening to us speak. A mile in my shoes, that's an interesting comment.

What I will say is, it's very, outside looking in, it's hard to really appreciate the amount of stress (chuckles) that comes with the role as being the CSO for the NFL, 'cause you're protecting America's game, wanna make sure that our fans, Bucks fans, or other fans in the audience, are able to appreciate and see their games. But it's different along the lines of the level of concern that I have specifically around my role is really focused on that sort of cyber-physical convergence, if you will. And what I mean by that is, I'm not only ultimately responsible and accountable for cybersecurity and how that impacts us as a business, so all of our broadcasting deals, licensing deals, any sort of material non-public information, but now when you're at a big event, like the Super Bowl, I need to also be mindful of a cyber incident potentially impacting the health and safety of you, as fans, as you're in and around the surrounding areas. So that's probably one of the key distinctions that I'll make from my prior experiences where I was a CSO at a global manufacturing organization where we did chemical manufacturing, and when I was a CSO for one of the lines of business at Chase when I was in financial services.

I don't know many CSOs that have to worry about that sort of cyber physical health and safety, other than maybe us (laughs) here. So I'll say, rest easy, those other CSOs in the room. - Excellent. I appreciate that, Tomas. I'll throw it over to Mr. Monroe,

give us some more thoughts, sir. - Thanks. Sure. You know, as Tomas mentioned, we have a lot of exposure, well, we're trying to be America's game, but I guess we're Canada's game.

(attendants laughing) But we have a lot of attention on us, a lot of focus, and one of the interesting things about the organization that's kind of unlike others is that almost everyone in the organization is a high-profile individual. It's not the situation in a lot of traditional organizations where you're focused on the, you know, C-suite, or the executives, or the top people that are the threats in this case, or focus of the threats, in this case, it's everyone, it's everyone across the organization, it's everyone that's part of the teams. So we have a really big attack surface, if you will, that's human based, right? And that's, I think, where the physical and cyber intersects quite a bit, we have to really protect all of those people.

Even someone who's doing payroll, or someone who's in HR, or something like that, they're all part of the brand, they're all an extension of the brand, and we have to protect them as such. So we spend a lot of time with intelligence agencies, we spend a lot of time with the bureau, and we're very thankful for that partnership, because they can assist us in the other end of that investigation, you know? Pretty much at this point, all cyber investigations end in the real world, they end in the need space. We're not quite to the point yet, I think, where the robots are attacking us, (Steve chuckling) but I, for one, welcome our robot overlords. But we'll see. (Steve chuckling) Right now though, we need the physical world to follow up, or complete an investigation, or protect against an attack.

So having that intersection is super important for us, we spend a lot of time working with our physical security group. Unlike Tomas' organization, we still handle physical and cyber separately, but we work very closely together, and that's what I spent a lot of time focusing on the past couple years, is sharing intelligence, sharing information with the physical security group, making sure we're aligned, they're involved in all our cyber security investigations, and when there's an investigation they're conducting that has any sort of cyber component, we're right there with them and involved. - Excellent. I'll throw it over to Steve as well. - Sure. So, really, from an organizational perspective, we deal with all of the threats that you would see in the media entertainment industry.

You know, for us, a little bit different, we have a pretty large focus international, so we have footprint in Beijing, Shanghai, Hong Kong, London, a new basketball Africa league that we've actually spun up here in the last couple of years. And so, for us, I would say, you know, the unique aspect of maybe what makes this job a bit different, you know, other than some of the things that these two guys have already touched on, is really the aspect of having, you know, 30 teams across 29 venues, really distributed across the country, and dealing with a very significant attack surface when we talk about operational technology, also deal with many different complexities, really, across the lines of delineation between, you know, ultimately what a team would be responsible for, versus what the league would be responsible for, versus what a management company of an arena might ultimately be responsible for. And so for us, in the end, of course, you know, we're beholden to the league, and to our product, and what it is that we deliver, and yet for us to put that product on the court, there's a lot of coordination really and collaboration that needs to happen across other parties that, from a technical perspective, you know, we don't necessarily manage.

So you're dealing with things like setting requirements and standards across those venues, you know, also doing the same for the team-based infrastructure, so that we can make sure, end-to-end, you know, whether it's social media distribution, whether it's video distribution, whether it's live stats that we're continually pushing out, you know, could be as many as 14 to 15 games a night, really just making certain that, end-to-end from a security perspective, everything is aligned and we can securely deliver that product for the fans. - Excellent. I'm gonna keep pulling that string too on the coordination, whether it's with the private sector partners that you described, or state, local, and federal authorities. At the FBI we have a comprehensive view of cyber threats kind of across various entities in the public and private sectors, especially working inside the government with CISA and other key partners, and then, obviously, with the private sector partners we have up on stage, and others. I'm curious, when you speak amongst yourselves, obviously you guys are in a very unique, niche role that you all have in a similar grouping. What are the commonalities in the volume of attacks that you kind of see across, and how can state, federal, and local partnerships really help drive that mitigation? I'll throw it right back to Steve.

- Got it. So for us, certainly from a collaboration perspective, if you look at professional sports, although maybe a bit more of a closed, or close-knit, type of industry, if you really look at what we do from an application profile perspective, from an entertainment standpoint, really what you begin to find is a tremendous amount overlap, really, between what Dave does, and what Tomas does, and what I do. And so there's a really a tremendous amount of back and forth collaboration, really talking about the different types of things we may see, right? We all have, organizationally, very large social media platforms, we all have video streaming and delivery app platforms, very large broadcast environments, and we all really, of course, from a live event perspective, we align very similarly.

So, you know, there are events, the NBA All-Star game, NBA finals, international games that we host, that are league driven initiatives, right? And so from our perspective, I think we share, really, that across the sports leagues, and so, from an overall collaboration standpoint, for me, whether it's product review, you know, whether it's something incident based, there's always an open dialogue I would say, really, across the sports leagues, and as well as, you know, kind of leading into what we're doing with the FBI, right? So from our standpoint, any league rung event is really from a field office perspective with the FBI, we make sure that we're reaching out to the field office, we make sure that we are engaging with CISA, and just making sure that everybody, from an all-hands-on-deck perspective, has visibility into really what's going on in a city where we're hosting a tier one type of event. - Excellent. And Dave, I'll throw it to you for your thoughts as well, sir. - Sure. Yeah. So we have a lot of similar infrastructure, right? We have facilities where a lot of people show up, and gather, and congregate.

We have a lot of activity, high profile individuals, again, that are in those facilities, and there's associate activity around it. So the kind of things we see, obviously, are very similar, and sharing that intelligence, obviously, is very similar. But we also have a lot of similar challenges in terms of how to manage the operations, whether it's physical security, you know, access cards for example, or something like that, or the cyber technologies we wrap around the organization.

And because we do see similar behaviors, similar attacks, we do have similar attack surfaces, I think it does help a lot to collaborate, not only amongst ourselves, but to share that knowledge with the bureau and the other agencies so they can extend that out to the other platforms and areas that they're trying to protect that have the same kind of challenges that we do. - Makes a ton of sense. And Tomas? - Yeah, no, I was gonna say, the other thing that we have, or that we share in common, is the same touchpoints with the networks, right? The broadcast partners that are sort of putting on the show that you end up seeing on your TV or your streaming platform. So it's not the first time we've actually met, right? (panelists laughing) We do have, I'll call it a way to communicate with each other if there is an incident that we see that might be impacting us, and we might say, "Hey, are you guys seeing the same thing on your end?" And we've had probably not as much as we've probably could in the past, but we do for, I'll call it very major, specific, targeted events or incidents that might be specific to our area. And then during the time of year, right? Like if you think about my major time of year, Super Bowl, these guys are on vacation basically, right? (panelists chuckling) You guys are doing nothing, I guess, right? - FBI's not on vacation.

Just for the record. (attendants laughing) - But the point that I'm trying to make is that we have a lot of similar touchpoints, we try to collaborate amongst ourselves, and we do share. We don't have, I'll call it like, you know, like when I was in finance, where we had like the ISACs that we could do, like FS-ISACs, or something like that. There is a sports ISAC, I don't know if you guys sort of participate in that. I know I don't, but I would usually just ping Steve, or ping Dave, or Neil at MLB, and say, "Hey, you know, this is what I've noticed on my environment, are you seeing the same thing?" And then we'll have a conversation around that, and, you know, we'll loosely share indicators of compromise if there's something like that to be shared, or just general conversation around the topic.

So I think that's probably one of the good things that we have in common, because we have so many similar touchpoints, not only with the broadcast networks, but think about the technology that's in an arena, or in a stadium, or on a, what do you call it, baseball field? As a baseball field? - Yeah. - The diamond. (attendants laughing) - I don't know, the diamond.

(panelists laughing) - He's not here, Tom. It's fine. - Yeah. He's not here. I don't know about football stadiums. I dunno. There's a lot of similar technology vendors that provide infrastructure in those environments, right, whether it's the video boards that you're able to see replays on, or what is the SCADAs, industrial control systems that are handling the machinery, right, where there's elevators, HVAC, things like that. So a lot of those commonalities of technology are shared across our leagues.

And so we have to be able to collaborate, and not only collaborate amongst ourselves, and I know, you know, as a nice plug for you, Joe, you know -- - I'll take it. - The FBI is at the core of that, because we're able to share with them, and they're able to dissect and anonymize, and then share with not only other leagues, but other companies within different sporting environments or industries, if you will, not only within the U.S., but abroad as well. So it's good to have a relationship with the FBI, and, you know, I'll probably dovetail into maybe something else that you wanna ask. - Go ahead. - But when I think about the relationship that we have with the FBI for our big sporting events, like the Super Bowl, it's critical, right? It's critical that we're able to start to engage with our FBI counterparts in the state that we're gonna be operating in, start to profile, and create threat profiles around the actual location where we'll be playing our final game. And unlike these gentlemen here, I know that my final game is gonna be played every year, and I can plan for that, 12, to sometimes even 24 months in advance.

So I feel for them. (Steve laughing) I really do. But building that partnership with the FBI, and with CISA, and with the local law enforcement, both at the county level, at the state level, at that sort of local level, because depending upon where the stadium is with respect to what we're playing, it's very critical for us to continue to pass along information that could be detrimental for our game. And I'll give you one example, and then I promise I'll shut up and I'll let Joe ask another question. (Joe and Steve snickering) I'll give you one example, just to connect the dots for you.

We were playing a game in Tampa, and not because the gentleman's wearing a Bucks shirt, but it just sparked the memory, we were playing a game, a small game in Tampa, it happened to be Tom Brady's Super Bowl, and maybe about 10 miles away, there was a water treatment plant that ended up getting hacked or compromised. And the attackers were trying to change the chemical makeup of water. Now you might say, on the surface, ah, that's, you know, isolated incident. But we were about to play a big Super Bowl event maybe two weeks later after that attack actually hit the news, and however long it was there, and for us, that was very important, because that was one of the water treatment plants that fed water into that stadium. So we try to build a good relationship with all of our partners that are connected and have anything to do with the actual stadium that we're gonna play the game in, but also leveraging our federal and government partners to be able to provide us that threat intelligence information so that we could connect the dots and start to piece to what could potentially impact us in our day, and make a bad day for me.

- Yeah, we'll pivot right to Dave and Steve. I mean, Dave, not only do you not know where it is, but it's in two different locations every year. - Yeah. The airlines certainly love that. - Yeah, I'm sure, the bottom line. - It is a challenge to figure out where you're gonna head, and where to send your staff and your crew. But I wanted to just jump on a little bit on what Tomas was saying there.

ISACs are great, it's great to get involved with them, there's a lot of value, but the peer-to-peer connection, I think, is probably one of the most valuable things. And certainly for everyone involved in this business, the peer-to-peer connection is incredibly valuable. I have to give a lot of credit to the FBI for fostering that. The CSO Academy is excellent, Second Chief Ring, Director Ray, you know, Joe, everyone involved, all the staff that get involved in that and have been doing this outreach, have really promoted that peer-to-peer connection.

And that's where I think you get some of the best intelligence, the best information sharing. And understanding, you know, if you're heading into a new location, what to expect, who's there, getting to know the people that are responsible for that environment, the field offices, the vendors, whoever, that support you, having those direct connections, knowing where to pick up the phone and call immediately, and not fumbling, is hugely valuable. So I'm very appreciative and thankful to have that opportunity, but I also am impressed with the level of effort that you guys are putting in in terms of bringing everyone together. And it certainly, I think, brought us closer together as well, because not only was there shared experience, but we had a chance to sit down and talk with others, and various other industries which may have seen some either similar issues, or things that, you know, I didn't consider that they've experienced, or maybe some things that we've experienced that they haven't considered. So that information sharing is super valuable, I encourage it, whether it's an ISAC, whether it's an individual one-on-one, whether it's coming to a conference like this, it's probably one of the best things you can do for, you know, advancing oneself.

- Excellent. I'll throw it over as well to Steve. - Excellent.

So, as Tomas really touched on, the aspect of really not having the visibility into where your games are going to be played from a finals standpoint. And so we really see it on both sides of the fence, because, really, our marquee event, other than the NBA finals, would be the NBA All-Star game. And so for that, we are fortunate where we do get the visibility, you know, we'll know usually 12 to 24 months ahead of time, essentially, where we're headed, and that really gives us an opportunity to plan and prepare, and really, essentially, deal with a very sprawled out event, right? Where essentially, we'll really parachute into a city, you know, we'll bring with us, excluding media, just even NBA staff alone, 700 or 800 people, we distribute them across three or four different venues within that city. We pop up a metro network pretty quickly and tie it all back into our arena so that we could deliver everything from a business perspective. And so for us, from a security standpoint, we need to make sure that we have a good understanding of a network that's going to be built fairly rapidly, we need to make sure, that from a defensive technology perspective, our stack is in place, so that we're getting full visibility into really what's happening, you know, at the arena, as well as really what's happening at each of those venues based upon some of the high profile people that Dave has touched on a little bit, who we'll be bringing out to these events from a celebrity perspective, from a, you know, a sports standpoint, you know, sometimes politicians as well. And so, regardless as to whether, you know, we know 12 months or 24 months in advance, we still have to prepare, right? And so we talk about, you know, the different SCADA systems, and you know, sort of what the vulnerabilities look like in those ecosystems.

I think, from an industry perspective, we're all pretty familiar with what those challenges are. And so for us, as we look at our tournament from a playoff perspective, and cities begin to sort of dwindle down, we actually prepare ourselves, and we start looking at the venues from a playoff standpoint, trying to essentially make certain that the last two cities, from a final standpoint, that we've run the appropriate penetration tests, that we've done the appropriate walkthroughs, that we've contacted the local government officials, that we've contacted the field office from an FBI perspective, and CISA, in order to make sure that everybody has a very solid understanding of really securing, and then ultimately supporting, throughout the scope of that type of event, making certain that things, you know, will go off on time, and really as, you know, things from, it could be anything from a security camera based system, could be issues with crowd control, right, really sort of tied back into the social media. You know, we've seen things just even along the lines of, "Hey, everybody show up here, and we're giving out free tickets to the all-star game." And so, you know, something like that happens, and then you're dealing with the crowd control aspect of how do we diffuse that, right? And kind of crossing over from a physical security perspective, right? So definitely a fair amount of challenges. I would say we have a nimble team who really tries to do in a few weeks, operationally, from an execution standpoint, the same thing as we would do knowing that year in advance, or that 24 months.

So yeah, definitely challenging. - Yeah, if I could just add, I challenge you all to think about your last experience going to any sort of sporting event, right, or any sort of major sporting event, if you've had an opportunity to do so. And just think about all the touch points that you had from when you bought that ticket, when you purchased that ticket online, that's now a mobile ticket, and you decided to maybe rent a hotel room, or take an Uber to the actual venue, or fly to that venue, think about all of those touchpoints, those digital touchpoints. And if you focus in on an All-Star game, or finals, NBA Finals, or hockey finals, you call it playoffs, right? (attendants laughing) Sorry. - Stanley Cup. - Stanley cup. (attendants laughing)

- That's okay. The Canadians can tell him. - It's only the biggest trophy. - They know Edmonton, it's fine. - Or a small game like the Super Bowl, right? Think about all of those touch points. And really what I'm trying to get you to hone in on is that our job is not just what happens in the venue, it also spans what happens from when you bought it, when you purchased the ticket, to how you actually got to the venue, and how you're leaving the venue. If you saw any cyber event impact you from when you purchased a ticket, to when you actually got to the venue, and you made your way back home, you know, chances are, that was a touchpoint that we probably didn't do a good connection with to figure out, well, what happened, or what could have potentially happened.

But normally, you probably went to the venue and came back, and you were happy or sad, depending upon what the outcome was, (attendants laughing) and you weren't thinking about anything digitally impacting your experience, and that's because we were able to do our job in connecting the dots for you to be able to have that experience. So I don't want to call us superheroes, but these guys are superheroes, and our job is really to make sure that you, and your kids, and your family members have a really great experience when you enter the arena, or the stadium, or the diamond, or the hockey ring, or whatever you want to call it, I'm trying to get everybody. - Yeah, very inclusive there. - But anyways, I wanted to connect the dots for you and really force you to think about that. Because that's what we think about, we don't only think about what's happening actually inside the venue, we think about everything else as well. - Yeah, and everything really is network based now, I think we all know that.

Everything that happens in an arena, from buying your products, to the production of the game, especially the production of the game now is incredibly internet-based, so the networks have to be super solid, it's not one of those nice to have, it's a have to have now. And every component that goes into that game, whether it's the lighting, whether it's the management of the temperature, everything has a cyber component to it. And it's almost endless in terms of the threats you think about, and the things you have to manage and consider. And those things can be handled by a variety of different people, right? You may have the arena owners themselves handling some things, you may have us doing the broadcast gear, or some of the game supporting technologies. You may have law enforcement with their technologies.

You've got the municipalities with their technologies. So you've got everyone working together that has a cyber component, and it's incredibly challenging to integrate all of that, to communicate with everyone, and really keep a solid eye on all of that, like Tomas was saying, making sure that end-to-end experience, from when you buy the ticket, to you go, and then you go back home, is safe, all those components are almost endless. - Yeah, and that convergence then happens with physical security, right? So, you know, something as simple as Steve mentioned, you mentioned this earlier, right? Changing the sign, go here instead of going there. Like imagine you're trying to get to the venue, and you have the sign, the little signage that you probably saw when you were going to park your car, it said turn right instead of turning left because somebody hacked it. Now you've got a traffic jam in one location, that could then be something kinetic that could be planned to happen in that location, right? So think about that convergence of cyber and physical. Cyber attack, change the sign, physical attack, set off an explosive device and knock out a good population of people in one location.

Not many CSOs have to worry about that, and that's really what I want to get across to you, is we end up having to worry about those things, but we end up also having to work with our partners so that we can connect the dots so that those things are minimized, or essentially, do not happen at all. - Yeah, and then definitely from the FBI side as well, we're really trying to share more intel early, like Tomas said. I mean those, as intel gets shared, investigations take time to really drive that forward, to really understand, to further refine that. But from the FBI, from CISA, from the USG as a whole, really trying to share that potential threat information as soon as possible, and then allow that investigation and refinement to continue on the back end for any potential threat.

So really moving in towards the second half of this with potential lessons learned from some events that you all had. I'll throw it right back to Tomas. (panelists laughing) - Well, so, lessons learned, they wanted me to talk about specific incidents, and I said, "Eh, we'd never had any incidents." Have you experienced any cyber incidents when you went the Super Bowl? No, of course not, you went to the game, you saw the game, and you left. What are you talking about, Joe? (Joe laughing) It's nonsense. No, look, I'll speak to maybe two general incidents that may have occurred, and you may have seen in the news.

One was 2019 season, was my first season joining the league, we had to deal with a Twitter incident, right? These adversaries decided to take over some team Twitter accounts. And then not so much a focus on the actual incident, but more of a focus on how do we actually handle that, and really, there's two trains of thought, if you will, when you're dealing with an incident. One is your cybersecurity incident response, make sure that you have the right level of communication, right level of partners to feed you proper intelligence so that you can make decisions in a timely fashion, and so that you can get back to operating your business, whatever that may be, whether it's making sure the broadcast plays, turning on the video board, make sure the elevator goes back, or securing the data that you may have potentially lost if it was something like material, non-public information for merchandising, or licensing, for deals, or things like that.

And then the other track is that sort of restoration process, and they almost work in parallel, right? So if you think about it, you have a cyber team really focusing on like trying to contain an incident and work through all of what I sort of described so that you can then prepare that IT restoration group, if you will, so that it can then start to bring back and enable the business to continue to do what they do, which is put on a service or a function. Now try to couple that, those two trains of thought, if you will, couple that with a lot of people potentially looking at a very big event, you could call it the Super Bowl, you could call it the Stanley Cup Finals, or the NBA Finals, and there's a lot of pressure, and really the goal for us is to ensure that we've communicated effectively upwards to our leadership, so that they know what actually occurred, how it occurred, at least to the best of our ability at that point in time, and what are we doing about mitigating the risk, so that we can then get back to playing the game, or whatever it is the service that we're gonna do. And then ensuring that we're connecting with our partners so that we have the right level of information so that we can prevent this from happening again.

And I've sort of overly simplified incident response, so you can, you know, for those incident responders in the room, I'm sure you're gonna say I missed a few steps. Yes, I did, purposely, I've simplified it so that you can think about it in those two trains of thoughts, and really think about it from the perspective of, your leadership is looking to you to be that calm voice in the room, to ensure that they, not to ensure, so that they can look to you, so that you're the one basically directing traffic. And if you're running around, you know, like not knowing what you're doing or what you're focused on, that could be a very bad situation for you during that time period. So those two trains, if you will, and work through that process, is what I'll say.

- Appreciate that, Tomas. I'll throw it to Steve. - So for us, it's really a lot of the preparation aspect. Right, getting as ready as we can, up in front of event really, to try and minimize any incident that we might experience. And so from an operational perspective, you know, we have of course our SOC team monitoring really throughout the scope of the event. We have assistance from vendors as well, and, you know, inclusive of our MSSP.

So just making sure we really have the full visibility that we need. You know, there are many things that we ideally identify upfront before an event which helps that event really go smoothly, right? And so for us, you know, I'll tell you that we almost always find something for every penetration test, you know, that we do leading into these events, right? And the objective really is to make sure that those things are happening, you know, ideally 7 to 10 days before everybody else in the room would be thinking about attending that event. And so, you know, things for us, for example we'll find, and have found, malware installed on security camera servers that are outward facing and utilized by physical security for crowd control. And so for us, you know, we get that visibility, we understand that, you know, we have four days before this event goes off, and, you know, what do we need to do in order to operationally correct that, right? And so you deal with different levels of complexity there, you deal with, you know, a lot of different technical groups, depending upon who actually owns those SCADA systems, you know, within the venue, who owns those security based systems. The more technology we introduce, which is creating the convenience factor for all the fans is really just, the larger the attack surface that is being created.

And so for us, each step that we take, whether it's facial recognition systems, or whether it's an app that you're utilizing inside of the venue, it just creates an opportunity for bad actors, right? And so for us, it's really about understanding what we're gonna do from a business perspective upfront, knowing what it is we need to do on the security side in order to best prepare ourselves, you know, to make certain that the event will go off as cleanly as it can. - Fair enough. Dave, anything to add there, sir? - Sure, yeah,. So these events, especially the playoffs, and especially big time situations, bring out a lot of people, they bring out a lot of passion, they bring out the attackers, they bring out people looking to exploit that situation. And we see, you know, you garden variety attacks every day, right? Phishing, business email compromise, you know, attempts to compromise externally exposed infrastructure, you name it. But we really see that ramp up, especially specifically some of the attacks we've seen around impersonation attempts.

So when playoffs happen, there's usually someone out there either impersonating someone within the organization, or someone related to the game, or related to the event, and trying to take advantage of people. We've even seen recently these attackers going after the individual personal accounts of some of the staff, or some of the high profile individuals, trying to basically trick people into believing that they're offering something, whether it's tickets or access, to get those people's credentials, to get their credit cards, to get their information. But also, as Tomas mentioned, sometimes it might be misdirection, sometimes it might be something that someone doesn't agree with in terms of our philosophies, or statements we've made. Perhaps it's people that have some sort of grudge against, you know, a team, or an official, or something like that. And we really have to watch out, like I said, when these big events happen, because more and more people come out, and we really do see that rise in attacks.

So, getting the information about what's happening in the area, social media is incredibly important in terms of monitoring, 'cause a lot of people actually put what they're doing on social media, imagine that. And collecting that information, collating that information, relaying it to the people that need to get involved for the event, for the onsite physical protective staff, making sure everyone's informed is a very important aspect of what we do. And as, you know, my colleagues mentioned, we spent a lot of time trying to prepare, trying to understand what's going on in the area, getting that information, and making sure that it's as safe as possible for everyone involved. - Excellent.

FBI, United States government's really moving towards this two-way sharing, so we've really brought the people you see up here in as key partners kind of across, and they brought their feedback saying, "Joe, we wanna talk about AI on this panel." So I said, "Okay, I'll make sure I get into it at the end." So I'll say, I'll throw it right to Tomas, and what's the threat of, or the positioning, whether it's AI, whether it's other emerging technologies kind of over the horizon, or near-midterm threats that you see moving forward against. - Yeah, no, it's a good question. And what I'll say is, there's a lot of opportunities with AI, right? Opportunities for innovation, opportunities for better efficiency, opportunities to really connect with our fans and the likes from a business standpoint. On the flip side, there's also a lot of opportunities for our adversaries to use that against us, right? So things like, we have a lot of high profile celebrities, so you know, I have risk of one of you doing this, which please don't do it, you know, you could think about coupling like ChatGPT with like, you know, your favorite sort of artificial intelligence engine that can take video, and you can modify content that's being displayed in video, and have it say whatever it is that you want it to say.

Right? Now you've got an adversary from a different country who doesn't have a real concept of the English, a real context or handle on the English language, and now they can mount a deep fake attack on you, as a company. That's a challenge, right? So that's using the technology that's out there, readily available, arguably very free, and now they can use that against you, which is something that, you know, as we think about our industry, and I know I'll speak for myself, I don't wanna speak for my colleagues here, but I know we all have high profile individuals that are within our organization, and they can move a certain body of people in one direction or the other. And if you can couple this type of technology together and create a video that says something that goes against, you know, your belief, or even your fandom, right? Like, you know, imagine, I love Eagles fans, well there's a bunch of people that don't love Eagles fans. - Most. - I'm looking at most people.

- Most people, yeah. - I'm looking at rows, so I know. (Steve laughing) You know, imagine a video of somebody that you like saying something that doesn't coincide with either your belief, or coincides with your belief. We're in the midst of a society where we react before we actually check and validate. And so, again, the technology is very useful, there's a lot of innovative aspects of it, and to it, and I think it's gonna be very, very beneficial for us as an organization as we start to tap into that. But then the other side, as security practitioners, we need to keep our eye on the ball, because it could be used against us.

- Excellent. Steve, what else do you have to add there, sir? - So, you know, from our perspective, and I'm pretty sure everybody in the room is fairly familiar with ChatGPT, and what some of the issues are, and the fact that people are already using it to write malware, the fact that people are putting private, company-based information into ChatGPT, which can then later be extracted out, because it gets built into that index. You know, for me, when I think about, you know, what are we concerned about, you know, from an organizational perspective, or from a league standpoint, we tend to be very forward facing, and we really strive toward really beating our fans to where it is we feel like they're going to go. And so for us, we're very wrapped up, really, in like NFTs, and Web 3 blockchain. And so for me, I think the real challenge is really what's on the horizon, you know, what are we gonna see, you know, three months, six months, nine months, which is usually sort of the scope that I'm looking at these things, because I feel like if you'd asked me the same question 18 months ago, ChatGPT's not even on my radar, right? And so for us, we try and deliver products for our fans.

You know, last year during playoffs, we did a dynamic NFT minting, and then distribution. And so, you know, one is coming across really just the technical talent who could build that infrastructure and that ecosystem, and really who you're selecting from a partner perspective. And for them, they're really concerned with, "How am I going to deliver this?" Not "How is this going to be delivered securely?" Because, you know, in the end, ultimately, right, it's our brand, right, it's the NBA.

And so a lot of conversations, I would say, you know, really in that space, we're doing things in the metaverse, and AR, and VR, and what does that really look like architecturally, and how quickly can we pivot to really be able to secure those ecosystems before we can light them up for our fans. And so for me, I would say those are probably, you know, my top two or three concerns right now. - Excellent.

Dave, what do you have there, sir? - I think it's a super interesting time right now, as with a lot of things, for those of us that have been around a while and seen certain technologies create a seismic shift in the landscape, this is one of those. And in many ways, it's lowering the barrier of entry to information-gathering attacks. I don't think it's very long before we see these technologies stringing together something almost automatically, which would take a skilled attacker, skilled actor, a while to put together, like chaining attacks together, looking for exploits and ways to get into a system that would take a significant amount of time, or significant amount of recon, is now being commoditized by using a product like this. So it is making it, in terms of the number of people having access to do something bad, a bit easier in many ways. Now, as with most of these powerful technologies, I find it's a double-edged sword.

On the other hand, it's making it easier for us to identify attacks, it's making easier for us to respond to attacks, it's making it easier for us to be more efficient about how we operate. So while it is a concern in terms of how it can be used against us, I'm also looking at the positive side about how we can use it to, you know, defend, or at least improve, or accelerate how we handle and respond to threats. And the march of technology, it's interesting, it's nonstop, we've become a technology company.

You know, we used to be a company that was focused on putting a game on. Now we're a company that's primarily focused on data for the most part. I mean, the game is obviously very important, but it's the data coming out of that game that we're trying to use, and, obviously, AI is an important component of utilizing that data. But that data also has to be protected, it has to be secured, we have to make sure, especially if it comes into the financial realm, now that sports betting is a popular activity, we have to make sure that data is consistent, that it's protected, that it's not used or abused in any way. And having some of these technologies in play to secure that data and to protect the systems that house it and distribute it is incredibly important for us. So while there is some concern about our, you know, is AI gonna take over the world, or our world? I think when it does, it'll make our lives a lot easier, hopefully, I hope it'll improve things for us, and make it easier for us to do our jobs.

- I can't wait for it to respond to emails for me. - Oh, yeah. (panelists chuckling) - Especially the ones that I get from vendors.

(panelists chuckling) - Unsubscribe. - Yeah. (chuckles) - I know we're running low on time here. Just to kind of wrap up for each of you, strategically, where do you see your shops and your brands moving forward, from both the cybersecurity, and the collision with physical security, in the next two to three years to best position yourself to both mitigate threats and drive the brand forward? I'll start over there with Steve right on the end, we'll work our way down. - Excellent. So, you know, I would say, and we've touched a bit on it, I would say, you know, here over the last 30 minutes or so, whatever it's been, the convergence of the physical and cyber aspects.

And so, for us, it's really about simplifying things for fans, it's about, you know, ease of use for our product, it's about giving them that best experience, trying to eliminate lines at concession stands, providing facial recognition for fans as they enter a facility, for example, if you're a season ticket holder. And so really for me, what I see is the growth in that area just increases our attack surface significantly, right? And so, for us, it's really, centrally, how do we manage that risk? You know, what technology do we need to put in place? And then, really, how do we scale up in order to best be able to address those issues? - Excellent. Tomas? - Yeah, so for us, I'll say, organizationally, I actually report to the Chief Security Officer of the league, and my boss reports up to the general council for the league.

So, organizationally, the NFL saw this as something very apparent, if you will, and so for us, that sort of cyber-physical component, and the reason for having my role report up to the head of physical security, is because a lot of what we end up doing is having to protect our fans, right? People within our big locations, whether you're in an office, or in a big stadium. And so we see that convergence there already, we've seen countless of examples that we've been testing for when we do tabletops, and we do pen-tests. We're constantly keeping an eye on how physical and cyber are essentially a converged sort of threat profile for us that we need to protect against from a risk standpoint. So, for us, it's business as usual, if you will.

And then, obviously, I don't want to repeat a lot of what Steve said, there's a lot of components, a lot of leagues are very similar in terms of what we're doing to try to get people in and out, and streamline processes, so we we're doing a lot of stuff that Steve was saying as well. - Dave, final thoughts, no pressure. - Yeah, sure, no problem.

- It's the playoffs. - Yeah, right. The thing I see happening most over the next couple years is a very significant convergence with us between physical and cyber.

As I mentioned in the beginning, it all ends, for the most part, with the physical component. And in the past, those two worlds for us haven't really intersected that much. But as our company becomes much more technology oriented, as I mentioned, there's technology running almost every aspect of the business and the game, and the fans' lives, having that integration is gonna be critical for our future. Not only do we need physical to assist with cyber operations, but physical needs cyber to assist with their physical operations. So the convergence is happening, we'll work with them to, you know, as Steve mentioned, facilitate the experience for the players, for the fans, for the people watching online.

That's gonna be a big shift for us as we look at different ways to get the game out to people. That's a big change in the landscape right now in terms of sports. It used to be, you know, you'd watch TV, you'd have a cable package, whatever. Now we're looking at a lot of different ways to get the game out to people, including virtual technologies, and taking real world information and turning it into a virtual environment.

So we do see a lot of convergence, and I'm looking forward to that. I think it's important to have that level of support across the industry, within the organization, within the different agencies, and that's a major focus. But I think we're also focusing on the rapid shift in technology, and the way we access data, harness it, use it.

So we're gonna be very focused on protecting the data, we're gonna be very data-centric, and also go towards, I think what a lot of people are doing now in terms of, you know, zero trust, and you know, trying to make sure that it's not just the physical side that's secured, but it's the same kind of technologies and ideas you would put around physical, someone coming into the office with a key card, they can't go into every office, they're not allowed to wander, they have to authorize properly, you know, putting those kind of concepts, physical concepts into play in the cyber world is incredibly important. Because in the broadcast world, it used to be, "Hey, just let everything happen." But now, as we move into the internet based world, we have to compartmentalize and take some of those same philosophies and approaches and apply 'em to our technological aspects.

- Excellent. I know we're out of time, but I really appreciate all of the individuals up here, and the organizations behind them, supporting this event. And thank you, everybody, for coming out. (audience applauding) - Thank you very much. - Appreciate it.

2023-06-12 10:54

Show Video

Other news