Is the NFL draft ripe for hackers? It depends which cybersecurity expert you ask
Just like running backs across the NFL like to shake past defenders with juke moves that embarrass would-be tacklers, virtual hackers often take pleasure in skirting technological security measures to cause havoc.
And this week, some believe two distinct worlds — that of football and cybersecurity — are heading toward a collision.
The 2020 NFL Draft, which opens Thursday night, will be the league’s first attempt at conducting its marquee offseason event virtually. With the coronavirus pandemic keeping team executives, league officials and prospects stuck at home, the NFL will run and broadcast the draft through video chat and other technology.
Meanwhile, individual teams have used Zoom video conferences or Microsoft Teams to hold draft meetings that would typically occur at their physical headquarters. Some coaches, like the Baltimore Ravens’ John Harbaugh, have expressed concerns about the security of information under the new circumstances.
Opinions from experts vary on whether the NFL or its teams are at an enhanced risk for hacking during the first round of the draft Thursday.
Alert Logic’s chief product officer Onkar Birk said the publicity surrounding the draft will draw the attention of black hat hackers — or those who aim to penetrate a technology system to cause disruptions or demand money. A hacker would draw widespread attention by causing problems with draft communications or compromising a team’s information.
“The newsworthiness of it, the scope, is going to attract some people with malicious intentions,” Birk said. “We’re talking football, so they want to try, ‘Can I break into this system and throw a touchdown that everyone will see?’”
Others in the cybersecurity industry aren’t as worried for the NFL. Cybersecurity advisor Joseph Steinberg said it helps that the team can keep the number of people communicating on official channels to a reasonable limit with just general managers, league executives and a handful of others involved.
“Security is not as big an issue as one might think, because there’s a very small number of people actually making decisions,” Steinberg said. “It’s not like 10,000 parties are bidding on a player. It’s a small enough universe that there’s probably not going to be fraudulent activity.”
The NFL on Monday underwent a trial for the virtual draft and reports suggested that it went smoothly after some initial glitches. Team executives across the league have set up elaborate workspaces in their homes and will send their picks to commissioner Roger Goodell, who’ll announce selections from his home in Westchester, New York.
Communication between league and team representatives will occur on Microsoft Teams.
The plans for an online-only draft formed within a month, and such rushed setups can cause openings for breaches of security, some experts say. In most cases, the biggest cybersecurity threat is related to human error, according to those within the industry.
Birk said most hackers search for passwords or links that were sent over email or shared on social media and then use that information to break into otherwise secure systems. Anyone working for an NFL team or the league office should treat out-of-house emails with suspicion and avoid clicking confusing links or sharing meeting details early, experts say.
“The human element is very important,” Birk said.
Four experts agreed that the NFL, individual teams and ESPN — which is broadcasting the draft — will likely have strict security measures in place. But a slipup by an employee with access to meetings and information could cause trouble, according to Agim Mehmeti, a partner at the IT firm Charm City Networks in Baltimore.
“There are steps you can take for protection,” Mehmeti said. “My advice would be [for teams and the league] to not make information available to participants for video call meetings until the last minute. No links until the meeting is ready to start. That way the information isn’t leaked out to the public.”
A few prominent cybersecurity-related issues have affected NFL teams or players in recent years. Hours before the 2017 draft, offensive tackle Laremy Tunsil saw his stock drop when a video that showed him smoking marijuana while wearing a gas mask appeared on his Twitter page. Tunsil said he was a victim of a hack.
And in January, nearly half of the NFL’s teams had their verified Twitter accounts hacked a week before the Super Bowl.
Jesse Varsalone, an associate professor of computer networks and cybersecurity at University of Maryland Global Campus, said he thinks it’s more likely hackers will compromise a single team’s private information than disrupt the flow of the draft itself.
Varsalone said he’s glad Harbaugh, the NFL’s reigning coach of the year, seems to be extra cautious. During a conference call with reporters earlier this month, Harbaugh said he read stories about hacks into Zoom and immediately sent links to his IT department. He doesn’t want the Ravens’ draft preferences or internal communications slipping into public view or falling into the hands of competitors.
“They assure me that we are doing everything humanly possible” to avoid hacks, Harbaugh said, “and I remind them that that’s what Wells Fargo and all those other places said about our private information.”
Notable hacks like the one against banking giant Wells Fargo serve as a reminder that even heavily-financed operations are vulnerable to cyber attacks. Zoom struggled with security issues when coronavirus lockdowns began last month, Mehmeti said, in part because a user-friendly video-chatting service didn’t foresee a boom in use.
Microsoft Teams had better security barriers in place, Mehmeti said.
“Zoom focused on ease of views and they sacrificed privacy and security because they didn’t think they were at risk before the stay-at-home orders,” Mehmeti said. “They’ve changed some things to address those issues. Microsoft is different because everything they make starts with security — things like two-factor identification codes.”
The NFL told Reuters that it had “comprehensive and thoughtful” security measures in place for the draft, which will run Thursday through Saturday.
Like Steinberg, Varsalone doesn’t view the draft itself as a major risk because black hat hackers would need to work hard to clear significant security obstacles without an obvious financial gain. Disrupting the draft might cause embarrassment for the NFL, but it’s difficult to see where a hacker could invade the system and steal or ask for money.
“Teams are only on the clock for a short time, and they can call in their picks, so I don’t see the reward for them financially, and that’s really the thing,” Varsalone said. “There’s probably going to be some hacking attempts, but I think most hackers will be trying to figure out how to get IRS checks or doing something else. And the NFL should be able to beef up security.”
As for the communication between employees of one team? There’s always a reason to be wary, especially after virtual workspaces moved from team facilities to the homes of executives and coaches. There’s now more room for hackers to hunt for leakage in security systems, Birk said.
If all team and NFL employees remain cautious and cybersecurity professionals are vigilant, most experts think the league should avoid hiccups Thursday night and beyond.
“Most security is security that you need to put on,” Birk said. “Just like with the coronavirus, you need to wash your hands and make sure you don’t touch your face, right? Well, a coach in the NFL shouldn’t open suspicious emails and click the link. Be suspicious by default and you’ll protect yourself.”
Aaron Kasinitz covers the Baltimore Ravens for PennLive and can be reached at akasinitz@pennlive.com or on Twitter @AaronKazreports. Follow PennLive’s Ravens coverage on Facebook and Youtube.