The NFL draft is slated to start Thursday, and thanks to the COVID-19 pandemic, it will be the first virtual version of the event ever presented. This raises a few cybersecurity concerns, according to researchers and the teams themselves — but the NFL is planning on knocking the security ball straight through the uprights.
Fans and players alike look forward to Draft Day every year, when clubs, choosing based on a pre-set order, ask hopefuls looking to play football on a pro level to join their rosters. This year, club personnel, League staff and prospects will all participate from home.
According to the NFL, individual clubs will submit their picks to the league office via Microsoft Teams. For communications between team personnel, Zoom has been approved for use. And, all 58 prospects have been sent a phone and camera set up for broadcast and communication with the League.
“We have spoken individually to each of the clubs about their setup,” a spokesperson for the NFL told Threatpost. “The clubs are ultimately responsible for their communication systems among their staff. We have provided best practices and also ran a successful mock draft yesterday.”
He added that the League is not disclosing specific cybersecurity measures, but that “at the league level, we are working closely with our tech partners to ensure a smooth operation throughout the three days.”
Aside from Microsoft Teams, those partners include Amazon Web Services for hosting and managing the 100+ video feeds that will be coming in from prospects, general managers and coaches; and Verizon, which is providing mobile phones and general connectivity.
The digital footprint is, in other words, prodigious. But the most at-risk aspect of course is the data involving the draft picks themselves. Researchers pointed out that this year’s draft introduces unprecedented new opportunities to steal info as teams move discussions out of tightly closed war-rooms and onto online meeting platforms.
“NFL picks aren’t what we traditionally associate with valuable corporate data, however, they could be highly valuable to a malicious actor on Draft Day,” Hank Schless, senior product marketing manager at Lookout, told Threatpost. “Having this data stolen and shared out to the world ahead of that team’s pick could alter the future of their organization.”
Chris Clements, vice president of solutions architecture at Cerberus Sentinel, said that the information could be used in various ways.
“One team’s ability to get intel on a rival team’s strategy and personnel plans could present an advantage on the field, but it could also be an attractive target for cybercriminals to leverage for online gambling,” he pointed out, via email. “NFL teams also have strict deadlines to submit their draft choices. If they miss their window, they lose their opportunity to select that pick. An attacker with the ability to sabotage or disrupt a team’s communications could cost them access to key players if it causes the team to miss their selection deadline.”
Security researchers aren’t alone in their concerns, with high-ranking personnel weighing in this week on the cyber-aspect of the event.
“They assure me we are doing everything humanly possible and I remind them that that’s what Wells Fargo and all those other places said about our private information, so I have some real concerns,” the Baltimore Ravens’ John Harbaugh told Reuters. “I really wouldn’t want the opposing coaches to have our playbook or our draft meetings. That would be preferable.”
The choice of Zoom for inter-team communications has worried some, given that the platform has had its share of security snafus, as cybercriminals shift their focus to target work-from-home platforms.
“How do you make sure your conversations are protected?” L.A. Rams COO Kevin Demoff told NBC Sports. “Someone could hack into this Zoom, and you’re probably not going to learn a lot. Hacking into a team’s draft room on Zoom is probably a lot different. That would be my biggest concern just from an encryption standpoint of, how do you have these conversations confidentially.”
As these concerns go public, this year’s cybersecurity efforts have been “comprehensive and thoughtful,” the NFL spokesperson stressed to Threatpost, with the coaches and scouts for all 32 teams participating in simulations leading up to the event in an attempt to nail down potential weaknesses. In all scenarios, IT teams will be in the spotlight during the event.
#Packers GM Brian Gutekunst on his setup:
- He will draft from his house
- IT department setup went "better than expected"
- He's been impressed with the communication with his staff
- Mock draft with other GMs "went pretty smooth"
— Stephen Watson (@WISN_Watson) April 20, 2020
“[IT departments] are going to be vital – they always are,” Arizona Cardinals head coach Kliff Kingsbury told reporters. “They’re behind the scenes most of the time, they’re a little bit more out in the limelight now with how the draft is going to go and how much we’re depending on them.”
Terence Jackson, CISO at Thycotic, told Threatpost that while the current pandemic has exposed gaps in corporate infrastructures, it has forced organizations like the NFL to showcase cybersecurity as a critical part of normal operations.
“All eyes will indeed be on the NFL draft,” he said. “It appears that contingencies are in place and there has been a dry run; but no solution is 100% secure, that is why we take defense in depth approaches to minimize the failure of any one system. Draft Day will be the best day of some of these players’ lives, and it is up to the IT and security professionals to make sure it’s not marred by a cyberattack.”