Cyber officials wanted a ‘boring’ Super Bowl
Super Bowl 57 may have had an exciting finish as the Kansas City Chiefs took advantage of a late penalty to kick a game-winning field goal and beat the Philadelphia Eagles 38-35. But for the cybersecurity professionals who spent more than a year preparing the logistics and risk management of the Feb. 12 game in Glendale, Arizona, the game was — from their perspectives — pleasantly uneventful.
“From a cyber standpoint, it was as expected to be,” Tomas Maldonado, the National Football League’s chief information security officer, said Thursday during StateScoop and EdScoop’s Cybersecurity Modernization Summit.
As the NFL’s top cyber professional, Maldonado oversees information security and threat intelligence related to every part of the league.
“Cybersecurity is critical in ensuring not only the safety of our information and our players and staff, but also our fans as they take in all that’s being delivered,” he said.
In the case of the Super Bowl, which is classified by the federal government as being in the top tier of special events, planning can begin as much as two years before kickoff.
“We work very early on, not only with the current host state putting on the show, but the future host states and venues,” Maldonado said. “The next few Super Bowls, we’ll have a good 100 people engaged in pre-planning, crisis management, tabletops — we’ll include those partners.”
In the case of this year’s game, Maldonado worked closely with the Arizona Department of Homeland Security, which runs the state government’s cyber portfolio, as well as the local governments in Glendale and Phoenix, which hosted a series of NFL events in the week leading up to the game.
“We had multiple working groups from a law enforcement perspective, cyber perspective, communications,” Arizona Deputy CISO Ryan Murray said during the panel discussion. “Those meetings started in March of last year and continued every month up until week before game day.”
As the game approached, more organizations got involved, including federal agencies, tech vendors, broadcasters and eventually the Chiefs and Eagles organizations.
“We do this every year, so we have a playbook month-by-month,” said Maldonado, who has helped plan four Super Bowls and is already working on plans for the big games in 2024, in Las Vegas, and 2025, in New Orleans. “But it could be a new state we haven’t done before. It’s about understanding key touchpoints. The expectation is for us to put on a show our fans will enjoy and be cyber safe.”
For Phoenix CISO Shannon Lawson, the goal was to make managing the city’s risk during the Super Bowl as normal as on any other day.
“From a cyber perspective, it could be the Super Bowl, Final Four, pick an event,” he said. “We should be ready whether Russia invades Ukraine or the Super Bowl lands in Phoenix. If there’s any support we can lend the NFL or any other agency, great. But our goal is keeping bad guys at bay, responding to incidents like a normal day.”
While Maldonado, Murray and Lawson all watched the Super Bowl from inside their respective operations centers, they reported an incident-free game, as planned.
“It was a very boring cyber game, which is exactly what we wanted it to be,” Maldonado said. “We wanted the excitement to happen on the field.”