NFL, CISA Look to Intercept Cyber Threats to Super Bowl LVIII

The league is working with more than 100 partners to workshop responses to a host of hypothetical cyberattacks on the upcoming Big Game in Las Vegas.

An american football ball against us flag and blue sky
Source: devilmaya via Alamy Stock Photo

The NFL is workshopping game plays for Super Bowl LVIII — of the cybersecurity sort.

Looking to juice up its defense, the league worked with the Cybersecurity and Infrastructure Security Agency (CISA) and Super Bowl LVIII stakeholders during a tabletop exercise that CISA said was meant "to explore, assess, and enhance cybersecurity response capabilities, plans, and procedures" ahead of the big game on Feb. 11, 2024, at Allegiant Stadium in Las Vegas.

The four-hour tabletop exercise brought together more than 100 partners from the NFL, stadium, and government at all levels, according to the announcement on Sept. 21. During the exercise, participants discussed a hypothetical scenario that included phishing, ransomware, a data breach, and a potential insider threat — all with cascading impacts on physical systems.

"This was a safe, low-stress setting to identify any gaps in those plans and ensure we all have a shared understanding of roles and responsibilities. In short, this exercise will help ensure we're ready for any challenges that come our way on game day," said Steve Harris, CISA's deputy executive assistant director for infrastructure security.

The Super Bowl, like the World Cup, is one of the most-watched sporting events globally, and a successful cyberattack disruption would be a major coup for any cybercrime group. In other words, these types of events are the white whales of the target sea.

George McGregor, vice president at Approov, noted that the cyber-threat surface for sports continues to expand as well, as smart stadiums and ever-more-digital infrastructure to support fan and team operations proliferate.

"Such a workshop should be a critical exercise before any major sporting event, to check that security and contingency plans are complete," he said in an emailed statement. "Such events have a highly dynamic cybersecurity attack surface which changes rapidly as multiple partners and vendors, and thousands of fans come together and interact with ticketing systems and points of sale, using stadium Wi-Fi and via mobile devices. As a key part of this exercise, mobile apps which access sensitive information must be verified as being protected from impersonation or manipulation."

About the Author

Tara Seals, Managing Editor, News, Dark Reading

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights