NFL, CISA Look to Intercept Cyber Threats to Super Bowl LVIII

The NFL is workshopping game plays for Super Bowl LVIII — of the cybersecurity sort.

Looking to juice up its defense, the league worked with the Cybersecurity and Infrastructure Security Agency (CISA) and Super Bowl LVIII stakeholders during a tabletop exercise that CISA said was meant "to explore, assess, and enhance cybersecurity response capabilities, plans, and procedures" ahead of the big game on Feb. 11, 2024, at Allegiant Stadium in Las Vegas.

The four-hour tabletop exercise brought together more than 100 partners from the NFL, stadium, and government at all levels, according to the announcement on Sept. 21. During the exercise, participants discussed a hypothetical scenario that included phishing, ransomware, a data breach, and a potential insider threat — all with cascading impacts on physical systems.

"This was a safe, low-stress setting to identify any gaps in those plans and ensure we all have a shared understanding of roles and responsibilities. In short, this exercise will help ensure we're ready for any challenges that come our way on game day," said Steve Harris, CISA's deputy executive assistant director for infrastructure security.

The Super Bowl, like the World Cup, is one of the most-watched sporting events globally, and a successful cyberattack disruption would be a major coup for any cybercrime group. In other words, these types of events are the white whales of the target sea.

George McGregor, vice president at Approov, noted that the cyber-threat surface for sports continues to expand as well, as smart stadiums and ever-more-digital infrastructure to support fan and team operations proliferate.

"Such a workshop should be a critical exercise before any major sporting event, to check that security and contingency plans are complete," he said in an emailed statement. "Such events have a highly dynamic cybersecurity attack surface which changes rapidly as multiple partners and vendors, and thousands of fans come together and interact with ticketing systems and points of sale, using stadium Wi-Fi and via mobile devices. As a key part of this exercise, mobile apps which access sensitive information must be verified as being protected from impersonation or manipulation."