The Intersection of Sport and Cyber

How digitization, evolving threats, and passion combine to create a unique set of risks for today’s sports enterprises

I have had the opportunity to see some of the most well-known digital threats emerge in real time. Back in 2010, I was the director for cyber strategy at the US Department of Homeland Security and I was the lead responder for the WikiLeaks unauthorized disclosure by Chelsea Manning. After that I went to the White House where I was the lead staffer responding to the unauthorized disclosure by Edward Snowden.

I bring these up today because they provide us insight and a roadmap to what we can expect to see in digital sport over the coming years.

Sport is in a unique place from a cyber risk perspective because of three major factors:

1. The Digitization of Sport

Digital in sport is far-reaching, beyond what we could even consider just a few years ago. We have new ways to make athletes more competitive as they train smarter. We have new types of intelligence and new ways to compete at a higher level; we can break boundaries — all enabled through digital means.

We have new ways to engage with fans, through social media. Fans are more engaged, more empowered, and feel more of a personal relationship with their teams and athletes. Digital sport is transforming not just the how but who engages in competition.

We have new types of sport entirely: e-sports. The digital world is transforming what it means to compete, to be a fan, and even what it means to be a sport.

With every advantage comes a downside. The digitization of sport also introduces new ways to cheat, to game the system.

In 2015, the St. Louis Cardinals were under FBI investigation for hacking

In 2013, Chris Correa was a scouting director with the St. Louis Cardinals, where he hacked into the database of the Houston Astros. He got access through a former employee who left the Cardinals to join the Astros and reused the same password. From 2013 to 2015, the Cardinals had access to all the intelligence, plays, strategy and scouting prospects of the Astros. Correa accessed the Astros’ database 32 times. When he was caught, he was sentenced to 46 months in prison on 12 counts of corporate espionage. He had to personally pay the Astros $279k in restitution, and he is permanently banned from baseball. The Cardinals also had to make a $2 million payment to the Astros, and their two highest draft picks in 2017 were awarded to the Astros.

Russian hacking group Fancy Bear has a team specifically targeting sport

In 2018, the International Association of Athletics Federations announced that it had been the victim of a cyberattack, seemingly at the hands of Fancy Bear, a Russian hacking group. The IAAF indicated that the hackers targeted athletes’ therapeutic use exemption applications which, if granted, allow athletes to use otherwise prohibited substances.

The examples continue:

In 2015, performance data with the Tour de France was hacked as part of a campaign to prove the use of performance-enhancing drugs.

In 2014, an English rugby team’s website was hacked by ISIS and FC Barcelona’s Twitter account was hacked by the Syrian Electronic Army.

Lastly, many professional sports teams collect data on recruiting, training and performance evaluations through the use of wearable technology. This data is valuable to a number of attackers, including competitors, gamblers and online “brokers” looking to sell this information to the highest bidder.

2. Threat Evolution

Teams now know this is a problem and they have taken the appropriate steps. So this is not a problem anymore, right?

So wrong.

You may hear that “attackers are getting more sophisticated” — but that is a lie. Attackers are just as sophisticated as they always were — they are just getting new digital tools.

Source: McAfee Labs Threat Report, August 2015

One of the truisms in cybersecurity is that nation-state attacks that were sophisticated last year are common this year.

This is because there is a hacker ecosystem where you can buy the latest attack tools online, for a price. What was once the domain of state-sponsored cyber actors like Fancy Bear shortly became available to hacktivist groups like Anonymous. These tools and techniques are now available to recreational hackers, who can easily get access to them with a low level of understanding.

Also, the cybersecurity market is an efficient market. For you economists out there, every year the price of exploitation goes down, thanks to advances in technology. What’s more, those prices all get relatively cheaper as Bitcoin and other virtual currency valuations go up. So if you have some Bitcoin that you have held on to for a while, you can buy a much more powerful and expensive tool than you could have bought last year.

3. Passionate Fanatics

Lastly, we have what makes the cyber challenge unique in sport. And that is passion. Fanaticism.

Sport brings us together, but it also pulls us apart

Fans are more engaged with the players and sport on a personal level than they ever were before. They can tweet at their athletes and get a response. They can get updates from their football club and they feel part of the team. New digital technology allows the fans to interact with the game, with the players, and feel like they are part of the action on the field — all through digital technology.

What hasn’t changed is the passion. Fans are passionate about their teams — but now fans have access to tools that were previously the domain of activists and nation-states.

The line between passionate fans and cyber actors is about to be blurred

The line between an activist hacker and a passionate fan is blurring. The line between sport scouting and sport espionage is blurring. The line between competing fairly with digital technology and competing unfairly with a digital edge is blurring.

The Collision

And this is what brings us to today. The intersection of sport and digital brings great opportunities to make sport better, but it also brings new risks.

And this is our charge—new risks emerge at the intersection of the digitization of sport, sophisticated threats, and passionate teams and fans.

When we look at the incidents we know about, we realize they are not extremely sophisticated. They all use common techniques that we should have seen coming, if only we had known where to look.

I’m here to tell you that we now know where to look. We know what’s coming, because we have seen it happen before.

What Can Sport (or Any Organization) Do?

We’ve heard the tried-and-true euphemisms in sport: “Keep your eye on the ball,” “skate to where the puck is going,” and so on. But how do we learn from the past and prepare for the events and never-before-seen scenarios in the future?

Approaches like the one we take at Emergynt—helping organizations model new and emerging risk scenarios, assessing them using the best data they have available, and tying them into the bottom-line business impacts, like reputation, capital, and even sport-success—help organizations see around the corner at tomorrow’s risks. We can learn from the past, but we must keep modeling new risks. Swap out the players, if you will. Ask ourselves, what would happen if a tribally-motivated fan could perpetrate a nation-state-level act? That day is coming sooner than you may think.

Protect your teams, your fans, and yourselves as we go together into this new era of digital sport.

We’re always here to help.

Earl Crane,

Founder and CEO of Emergynt.