Could the NFL draft be hacked? Virtual draft poses new cybersecurity challenges

Whenever Baltimore Ravens coach John Harbaugh would come across an article about video-conferencing platform Zoom, and the security issues related to it, he'd send a link to his team's information technology staff — perhaps as something of a warning.

Sure, Harbaugh acknowledged to reporters earlier this month, he has some concerns about whether his private information is being protected online.

"(Our IT staffers) assure me that we are doing everything humanly possible," Harbaugh told reporters, "and I remind them that that's what Wells Fargo and all those other places said about our private information."

Harbaugh is not alone. And as the first virtual iteration of the NFL draft approaches Thursday night, coaches and team executives who have long been paranoid about protecting their playbooks and player evaluations must now confront a new possibility: That their private draft-night discussions could be intercepted, interrupted or otherwise hacked.

In an interview with 105.7 The Fan in Baltimore, NFL executive vice president of football operations Troy Vincent dismissed the notion of anyone hacking the NFL draft. ("Coach Harbaugh, no one is going to hack into your system, stop it," he said.)

But experts told USA TODAY Sports that some of the cybersecurity concerns related to the draft are valid.

"It’s such a high-profile target," said Dave Levin, a faculty member in the Maryland Cybersecurity Center at the University of Maryland. "You could compromise it to send out a message. You could shut it down just for (kicks) and giggles. There are myriad reasons (to want to attack this)."

NFL DRAFT: 32 things we've learned heading into first round

GETTING NOTICED: COVID-19 wrecked pro days, so NFL draft hopefuls turned to 10-hour drives, bags of ice and vegetables

WHEELING AND DEALING: Which teams could shake up first round by trading up or back?

The NFL conducted a mock draft with representatives from each team Monday to test their draft-night systems, and ensure that team personnel were comfortable using the technology.

League spokesperson Brian McCarthy told USA TODAY Sports that each team is responsible for setting up its own communication channels, while the league is working with its partners — including Microsoft and Verizon — to make sure everything runs smoothly.

"We are not disclosing our cybersecurity measures other than to say they are comprehensive and thoughtful," McCarthy wrote in an email.

He also confirmed that the league will use Microsoft Teams as one of its communication platforms — and, notably, that Zoom will not be used "for league-to-club or club-to-league communications" during the draft.

"That's a smart choice, I believe," said University of South Carolina professor Chin-Tser Huang, citing security issues related to Zoom's use of servers in China.

Levin, the Maryland professor, said potential cyberattacks during the NFL draft would more or less fall into three buckets: Attacks that target confidentiality, authenticity or availability. 

A hacker could try to obtain confidential Teams messages and eavesdrop on sensitive conversations, for example. Or perhaps attempt to impersonate one team employee and essentially forge communications to someone else.

But given the prevalence of virtual private networks and end-to-end encrypted messaging services like Signal, both of those possibilities seem unlikely, Levin said.

"You put yourself in the shoes of the attacker, and try to think, ‘What would I try to do?'" he said. "The single greatest disturbance I think you could have would be to make it so that they can’t make their pick, to cut off their availability. … Maybe they just try to disrupt things, either for personal gain, just for the fun of it, or maybe for profit."

(McCarthy told reporters on a conference call last week that the NFL can pause the draft if a team is experiencing technical issues.)

Part of the unease with a virtual draft stems from the physical strangeness of it all. Rather than gathering in-person in a stereotypical "war room," coaches and executives will instead be scattered in home offices around the country.

"When you are in a room with people and you have debugged it, it’s easier to believe nobody is listening in," Cincinnati Bengals director of player personnel Duke Tobin said.

But from a cybersecurity standpoint, experts said, the use of hundreds of home networks rather than one centralized hub doesn't pose a dire security risk. Especially if normal security precautions are taken.

Huang noted that by simply using Microsoft Teams and a VPN connection, team personnel could provide two separate levels of encryption for their communication on draft night. 

"That (alone) will largely reduce the risk of being compromised," Huang said. "Now, we cannot say it’s 100% secure — but I believe there’s nothing we can say that’s 100% secure."

Levin acknowledged there's probably a greater risk of an NFL general manager accidentally unmuting his line on a leaguewide conference call and letting some proprietary information slip than a sophisticated attacker hacking into his system to get that same info.

"The (cybersecurity) concerns are absolutely valid," Levin said. "But it’s reasonable to assume with proper steps, taking proper precautions, this can be done in a secure, reliable manner."

Contributing: The Cincinnati Enquirer's Bobby Nightengale.

Contact Tom Schad at [email protected] or on Twitter @Tom_Schad.

Source: Read Full Article