Securing the Super Bowl

NFL CISO Tomás Maldonado speaks with VentureBeat about defending the high-profile event from adversarial attacks that potentially include weaponized AI, endpoint attacks, deepfakes, and finely tuned social engineering, and require collaboration with the FBI and Secret Service.

The interview transcript below has been edited for length and clarity.

Tomás Maldonado: "There's a lot of very passionate fans online, and you may have someone tweet out, 'Hey, I'm going to do some harm to a coach, to a referee, to a player.' And that cyber incident could very well trickle down into a health and safety issue."

Tomás Maldonado: "I need to have this solution that cannot be off the shelf, or just, you know, click a few SKUs and I can download the licenses and I can automatically implement it."

Louis Columbus: Welcome to VB in Conversation. Today I am joined by Tomás Maldonado. He's the Chief Information Security Officer for the NFL, and previously he was the CSO at JP Morgan Chase. He has a fascinating role with the NFL, and we're just honored to speak with you today.

Tomás Maldonado: No, thanks for having me. I'm really happy to have this conversation with you, Louis.

Louis Columbus: When it comes to securing an event like the Super Bowl, it involves a complex blend of cyber and physical measures. How do you coordinate efforts across teams, venues, and stakeholders to ensure fan safety and an uninterrupted experience?

Tomás Maldonado: Louis, that's probably one of the biggest challenges in and of itself, right? We have the game and the event that we're gonna play and we have to worry about securing that. But connecting all of those intricate pieces together is a feat in and of itself. And I really mean that, because you have state, local, and national law enforcement agencies that need to get connected. We also look at all of the other areas, the companies that have anything and everything to do with the event. We spend a lot of time doing tabletop exercises and the like. So we're trying to piece together this sort of 100-piece puzzle. And once it's all said and done, it's a masterpiece. And that masterpiece is an event that goes over so smoothly that it's very boring from a cyber standpoint, but exciting on the field. And that's how we like to keep it.

Louis Columbus: I know you're really passionate about delivering an excellent fan experience. How do you prioritize security measures to protect their data and enhance the experience without introducing any friction?

Tomás Maldonado: Well, we try to introduce friction where it's necessary. I'll go back to the fundamentals of cybersecurity or information security: confidentiality, integrity, and availability. We are always focused on those three things, and when we get into game day, we are very focused on availability of services. So our risk-based approach to prioritizing and protecting critical assets is really geared at ensuring that once we actually are in game day, that fan experience can occur with very minimal friction. And where we do apply friction, it's because we've already seen an active threat, or we need to do, I'll call it, a little bit more of step-up authentication or authorization of access.

Louis Columbus: With evolving threats like ransomware, misinformation, and global adversaries, how do you assess and prioritize risks to ensure the most critical systems and experiences are protected?

Tomás Maldonado: Yeah, look, risk prioritization is very key and critical to what we need to do to accomplish our mission. At certain points in time of the day, we're focused on either confidentiality, integrity, or availability. Before the game starts, fans need to have a ticket to enter a stadium. So the confidentiality and the integrity of that ticket is very important. What I mean by that is we're trying to ensure that things like phishing emails and the like, that are geared at stealing or compromising a user's device to take their ticket, right? Because we've moved to mobile tickets, is not occurring, not only for our fans, but even our staff. Think about the credentialing system and, sorry, the credentials that we all wear to get into an actual venue, and all the supporting cast, right? The broadcast partners and everyone else that's actually gonna enter. And then once we get towards game time, we pivot and we focus on availability of services. So we may see adversaries trying to attack a specific system and we'll do our standard sort of blocking and tackling, just like they'll do on the football field; we'll do it in the cyber world. But we are very focused on availability of the product or availability of the technology systems that are supporting that product. "Hey, I wanna buy some merchandise," or "Hey, I want to take a picture and post it on social media and say that I'm at this venue," and they might be using the Wi-Fi in the venue. So our focus is really to prioritize risk with a slant towards the timing of what's happening during the event, and then a pivot around those three fundamental areas of confidentiality, integrity, and availability of services.

Louis Columbus: Let's talk about stakeholder collaboration. You've got 32 franchises to coordinate with throughout the year, and coming into this, you're also dealing with a lot of federal agencies like the CIA, Secret Service, FBI. They're so pivotal in such a globally visible event. What best practices can you share with other security professionals that you've developed to maintain alignment, and how do you bring leadership to such a diverse group of security professionals all focused on delivering an excellent experience?

Tomás Maldonado: Well, I'll say right off the top, the Super Bowl itself is a SEAR 1 event. It's a Special Event Assessment Rating of one, one being the highest. To give you further context, a presidential inauguration is a SEAR 1 event. An Olympics happening in the US is considered a SEAR 1 event. And that rating allows for a lot of resources to be applied to securing the actual event itself. So collaborating and coordinating with all of those agencies that you mentioned, Louis, is very interesting, but it's super critical. The other thing we have going for us is we know where the venue is, we know where the last game is gonna be played, unlike some of my peers in the other sports leagues. I know where my venue is usually three years in advance or two years in advance, so I can prepare. And that preparation period is really us spending a lot of time, again, building critical relationships with those agencies, understanding specifically how we're going to exchange information and communicate effectively around threat intelligence information. Then ultimately we try to work through tabletop exercises to prove out and work through our incident response process. That way there's no misunderstanding around who's in charge or who's not in charge, and where everyone's jurisdiction starts and ends, if you will. So we have those clear handoffs and we can all operate pretty much in lockstep and work through incidents as they arrive.

Louis Columbus: Let's talk about real-time threat management. On game day, how do you balance the need for real-time threat detection and response while ensuring operational continuity, ensuring the event proceeds with no security interruptions overall?

Tomás Maldonado: Having that threat intelligence information around what's happening is very important for us to be able to make decisions around whether we need to take down an asset or a resource, if it's performing with some sort of anomalous activity, or whether we can deter and delay taking down the resource because we've been able to effectively block and tackle the cyber threat that we've faced. So we're also playing a game as well with our adversaries. We're not just playing offense, we're playing a lot of defense, tons of defense. Every minute of each quarter is very important and very critical for us. And we definitely lean on our partners, specifically Cisco, to really help us get that intelligence information, get that real-time data around what we're seeing and what are those threats that we're facing.

Louis Columbus: So how do you adapt these strategies to address emerging threats and ensure that any minimal disruption is just not even seen by anyone?

Tomás Maldonado: What I will say is, if you've ever seen a swan or a duck go across the water, they look very smooth above water, and at the bottom their feet are just pedaling like crazy. That's us, right? That is us. We've done as much as we can so that we can make sure that it looks so smooth as we're going across the water, or, if you will, as we're securing any actual event, so that we could essentially adapt our techniques and make those decisions on the fly if need be, if there's an active threat that is going to impact or stop the game of play or have some sort of impact on health and safety. Our goal is to, again, delay, deter, and mitigate risks that we're seeing. Those usually are telltale signs giving us the information to arm us so that we can make a decision on how to block and how to tackle a specific situation. So that's all I'm gonna say on that topic. Not going any deeper on that, Louis.

Louis Columbus: Well, I appreciate that, and appreciate the need to keep things safe. You've talked a lot about cyber-physical convergence as well, and the integration of cyber and physical security is absolutely critical in modern venues. How do you approach this convergence to ensure both digital and onsite safety of the fans and staff, at scale, and meet the CIA triad?

Tomás Maldonado: So for us that cyber-physical convergence is very near and in your face. If you think about the types of incidents that we deal with today, for some reason there's a lot of very passionate fans online, and you may have someone tweet out, "Hey, I'm going to do some harm to a coach, to a referee, to a player." And that cyber incident, that cyber message, that short message that went out could very well trickle down into a health and safety issue. You go into the venue, you buy your merchandise, you buy your food at a concession stand, you go sit down, you're watching the players, you're not worried about anything cyber related. That's my job. Our job is to ensure that those systems that you're interacting with and seeing, right? You're watching replays on the video board, you're listening to announcements on a loudspeaker, you're going up and down the escalator or in the elevator, you're swiping to get in. Those systems do not get compromised to have an adverse effect that can then trickle down to a health and safety issue. So that's why I say, when we talk about that sort of cyber-physical convergence, I'm loosely trying to give you examples, not trying to inspire anyone, but just trying to give you examples that, you know, protecting something as simple as an elevator system, so that when there are passengers in it, it doesn't abruptly stop or drop or what have you, are things that we're focused on in the operational technology security and the IoT security and in the regular IT security space.

Louis Columbus: That's fascinating. I never realized how thorough the preparation of cybersecurity is for the Super Bowl. Let's talk about the emerging threat landscape. I did have a couple other questions for you. How do you prepare for the challenges that are posed by innovations in AI? A lot has been talked about adversarial AI. How do you stay ahead of all these? You must constantly be learning, having a really strong learning-centric culture there at the NFL to be able to stay on top of all these emerging threats.

Tomás Maldonado: Absolutely. So I use this sort of analogy, 'cause I like scuba diving. If you're a fish just in the water and you're stagnant, a big fish is just gonna come and gobble you up. So you gotta constantly stay moving so that you can keep your eyes on what's happening. The same goes with cybersecurity, so we're constantly evolving. The cyber threats are not slowing down, if you will. They're gonna continuously evolve and become greater over time. When I think about AI and how we're looking at AI, we're trying to approach it from a few angles. One, from a pure security standpoint: how can this help me and my team do our jobs more efficiently, more effectively, and connect with our internal stakeholders for doing simple things like, what is the policy for this? Maybe that's a nice little chatbot or a virtual assistant that I could create to answer that question, to free up some of my analysts' time or my policy people's time to do some other, more advanced items within our world. Or maybe I can leverage AI to piece together a timeline around incident response. Wouldn't it be great to just be able to say, "Hey, I know Louis' account got compromised. How did his account get compromised?" and have AI just piece together a time window, showing you he clicked on this link, gave up his access, essentially downloaded software, and that's how the alert came from the endpoint detection and response tool. And, by the way, it bypassed those controls and this is how it got caught. That would be great. That would accelerate our speed to not only detect, recover, and respond, but also potentially add on and be able to mitigate those types of risks from happening. So we're looking at it from that angle, as how we're using it internally for our security operations.

Louis Columbus: Yeah. What's your long-term vision for scaling the NFL's cybersecurity efforts to meet the growing demands of fans, teams, and global operations? It's great to see the league expanding globally and getting more fans throughout Europe and other countries as well.

Tomás Maldonado: Being able to adapt our security program for each and every one of these venues internationally has been very key and critical: trusting our partners, working with our trusted partners, Cisco, helping us take this very specific, tailored solution. And I really mean that; it was tailored for us a few years ago out of an idea that I had after the SoFi Super Bowl. I said, sure, I need to have a partner that can work with me to secure this big event called the Super Bowl. I need to have this solution that cannot be off the shelf, or just, you know, click a few SKUs and I can download the licenses and I can automatically implement it. And I spent time, I spent a lot of time with our real partners at Cisco to really design the solution that we have for the big event. And now we've also modeled that for our international games and we're starting to move that internationally as well.