The Next Frontier of Baseball Cheating: The Cloud
WHY YOU SHOULD CARE
Because a baseball hacking scandal could change the game.
By Ray Glier
The conspiracy committed by the Houston Astros to win games is nothing compared to what is coming to Major League Baseball. The more ruthless pirates, not the ones in Pittsburgh, understand there is something more valuable to steal than signs:
- Position-specific player development data that makes losers into winners
- Salary data and related emails on negotiating strategy
- Proprietary data on nutrition, developed at great expense
- Advance scouting data for deadline deals
- Networks in MLB stadiums that run various systems
The coronavirus pandemic is providing more opportunity for thieves because players, managers, coaches, scouts and analysts are spread out at their homes around the country and have a laptop open. Baseball personnel are checking in daily with each other, perhaps through popular meeting platforms, or just email.
MLB is prepared for intrusions, right?
We can’t be sure. Just ask the question of scouts and assistant coaches in the minor or major leagues: “Are you trained in cybersecurity?” The answer is usually a muddled “kinda, sorta, yeah, some.” Personnel are forbidden to talk to media about such things, so we’re withholding names here.
The threat doesn’t just come to teams’ internal deliberations and data. What about balls and strikes?
So while we are looking under rocks for the next player-inspired hijinks, the cybercriminals are carrying on as usual by stalking ball clubs. They are trying to phish, hack and worm their way into systems. They have done it in Europe, as the emails of a Manchester City soccer official were hacked and put up for bid in February. And more data is being transmitted amid lockdowns, as meetings are taking place via Zoom and Skype, and text messages are flying.
“Any time you have a database online, and they are using a communication tool among their employees — whether it is manager, coaches, players, scouts, etc. — all of those communications are potentially vulnerable to being intercepted and manipulated,” says Nathaniel Grow, an associate professor of business law and ethics at Indiana University, who has studied the cyber threat to professional sports teams with co-author Scott Shackelford, the Cybersecurity Program chair at IU.
Baseball is wise to steroids (it took long enough), and it is vigilant on the intrusions of gamblers, but what about threats to all its intelligence in cyberspace?
With team personnel meetings likely taking place on Zoom, all it takes is the URL to the meeting to get loose, and a foe can listen in. Grow says general managers of big league teams might want to limit certain information to intimate phone calls rather than conference calls. Shackelford points to a Zoom “backlash” that’s come with its exploding use during the pandemic, with reports of software flaws letting hackers hijack Zoom users’ Mac cameras. “It’s also possible to use brute force to guess Zoom room numbers, or to ‘Zoom bomb,’ especially if the host didn’t use all the correct security precautions,” Shackelford says.
Some teams will change passwords to their system every day, but there has to be more security. Coaches, scouts and personnel with several teams said during spring training in March that they had not had major, sit-down instruction on preventing cybercrime.
In recent weeks, however, one person with a big league organization said the alarm had been sounded. There was “a big email to employees,” the person said, from the club on cybersafety. (An official for MLB says the league does not discuss cybersecurity with the media.)
The threat doesn’t just come to teams’ internal deliberations and data. What about balls and strikes? Think a hacker wouldn’t like to get inside that system?
MLB will introduce the automated balls-and-strikes software (ABS) in the Florida State League this summer, if the game ever gets up and running. RoboUmp will tell the human umpire wearing an earpiece behind the plate that the pitch was a strike or a ball, so he can make the call for the crowd and batter.
Atlanta Braves catcher Travis d’Arnaud says an automated system of calling balls and strikes is a bad idea because a digital system could get hacked by, say, gamblers looking to shape the outcome.
An MLB official says it’s not possible because the ABS network is not in the cloud. Shackelford disagrees.
“Many stadium networks are especially vulnerable given how porous they are, [and] given the number of fans who regularly log on during events,” Shackelford says. “This opens up opportunities for hackers to find vulnerabilities and move laterally across the network to attack various systems, like we saw with cyberattackers targeting an HVAC vendor getting access to Target’s 1,800-plus point-of-sale systems.”
That’s called going in through the side door, and there are plenty of side doors open as scouts, coaches and players share data remotely during the pandemic. As we’ve seen in any number of hacking cases, all it takes is one low-level employee opening a sketchy email attachment to blow the doors open.
The result could make the Astros’ sign-stealing look as sophisticated as T-ball.