If hackers follow the Willie Sutton rule, going where the money, data or geopolitical leverage is, then professional sports organizations, or PSOs, represent a kind of perfect storm of motivation.
Hackers Follow the Money—and the Data
Financially motivated hackers have hit major sports teams with ransomware attacks and attempted to compromise their fans’ credit card data. Politically motivated ones have hacked live sporting events. Cyber attacks attributed to foreign governments have even leaked athletes’ drug test data from international sporting events, apparently to advance geopolitical aims.
The Digital Transformation of Sports
Over the past decade, PSOs, like other enterprises, have undergone a digital transformation — moving their operations online and to the cloud. From scoring and judging systems to digital display, retail sales and the streaming/broadcast of games, PSOs are incorporating new forms of internet connectivity, improving productivity and efficiency, but opening a broader attack surface for hackers, online criminals and cyberspies.
Cyber Attack Statistics in Sports
A 2020 report by the UK government’s National Cyber Security Centre (NCSC), The Cyber Threat to Sports Organisations: Ensuring Fair Play Online, found that 70 percent of sports organizations in the UK had experienced at least one incident of harmful cyber activity, more than double the 32 percent rate across UK businesses as a whole.
Raising Cybersecurity Awareness
But those risks for PSOs also represent an opportunity, argues Betsy Cooper, founding Director of the Aspen Tech Policy Hub, who points out that getting ordinary people to care about cybersecurity — their own and that of the nation more broadly — is something of a holy grail for cyber policy types.
“Sports is an area in which we can bring cybersecurity to the common people, because almost everybody cares about what happens in their sporting events,” Cooper told CyberWatch.
The Hawk-Eye Vulnerability
She said that raising questions about the security of sports technology (whether hackers could shut down the ticketing systems at a large venue, or even alter the outcome of a tennis match by hacking the technology used to determine whether a ball was in or out) was a way to put cybersecurity issues front and center for ordinary Americans.
“This is a way to make the effects of cyberattacks visible to ordinary people,” she said.
Cooper acknowledged that changing the outcome of a sporting event, like other kinds of information operations, was less likely to succeed the more public attention was fixed on it.
“With so many eyeballs on the Super Bowl or on the U.S. Open, I think that [hacking such an event] would be hard. … But I'm more concerned about smaller tennis tournaments. There are large bets being placed on the outcome of the 150th and 250th [ranked] players in the world playing each other.”
Tennis, like many other sports and leagues, including the NFL, NBA and MLS, uses ball-tracking technology from vendor Hawk-Eye to determine whether a ball landed inside or outside the line.
But in tennis, uniquely, Cooper said, Hawk-Eye had the final say: unlike the way it was used in other sports, the Sony-owned technology could not be overruled by a human.
“If Hawk-Eye says the ball’s out, it's out,” explained Cooper, no matter what the audience saw. Hacking the system, which combines images from 10 or more cameras around the tennis court using proprietary software, so that it called one player’s shots out more frequently, “would be one way that a gambler, for instance, or just a huge fan of a particular athlete could try to influence the outcome of the game,” she said.
Jake Moore, Global Cybersecurity Advisor for ESET, the cybersecurity firm that protects Hawk-Eye’s technology, told CyberWatch they “remain committed to staying ahead of the game by continually improving our solutions.”
“As cybercriminals don’t play by the rules,” Moore added, “Hawk-Eye relies on our robust cybersecurity measures to ensure the integrity and defense of its data and operations.”
Compartmentalizing Systems for Safety
Trying to change the outcome of a sporting event would be one of the most ambitious kinds of hack against a PSO, but PSOs are subject to the full range of cyberattacks, the UK government report found. The NCSC cataloged attacks ranging from phishing and credential stuffing to business email compromise attempts, and said they came mostly from low-level, financially motivated hackers.
There are “different layers” of technology that could be attacked, Cooper said, going outward from the event itself, through the ticketing and access-control technologies, digital displays and live-streaming devices, all the way out to the team’s web presence.
“You have to compartmentalize,” she said, recommending that, at least for large, sophisticated organizations, “there is no reason why your ticketing systems need to be linked to your scoreboard systems, need to be linked to your athlete data systems.”
Smaller, less well-resourced PSOs might need to bring all their systems together so they could be protected by a single security vendor, she said, “But if you're a sophisticated sporting organization that has the flexibility to build out multiple systems, I recommend compartmentalization.”
One Size Doesn't Fit All
Her observation highlights one of the defining characteristics of sports organizations: their incredible variability.
They run the gamut, Cooper pointed out, “from the Olympics to my local youth sports team in Napa.” But even the smallest PSO will have data on its players, and maybe fans too. “Everyone needs to be thinking about, do you need this data? Does it need to be stored online? And if so, what precautions can you put into place to try to make sure that that stays safe?”
The Cybersecurity Maturity Gap
But a report last year from UK consultants NCC Group, The Hidden Opponent: Cyber Threats in Sport, found a surprisingly low level of cybersecurity maturity in British sporting organizations.
Few had a Chief Information Security Officer, and in most organizations the IT staff were responsible for cybersecurity “but with very limited financial resources available.”
One IT manager for an unnamed professional soccer team told researchers that the multi-million-pound enterprise had two sides: “You have the playing side which is a big business and then you have a [small business] on the other side running IT with limited staff and budget.”
The report also noted that, despite the willingness expressed by many PSOs to share threat and attack information, there was no formal forum for such exchanges in the UK.
Collaborating to Defend
Although Cooper said she was aware of informal exchanges between the CISOs of major PSOs in the U.S., there was no Information Sharing and Analysis Center, or ISAC, for the sector. The 16 business sectors designated by the federal government as critical infrastructure all have ISACs, as do other industries like space and auto manufacturers.
It was a gap, she said.
“The more different organizations are sharing about what they've prevented, what they've seen in the way of attacks, the better able everyone is to defend themselves.”