Cybersecurity tips and tricks for the FA ahead of the 2018 World Cup

Some helpful advice for the FA amidst growing concerns over their cyber safety

Last week the Football Association laid out a new cybersecurity initiative ahead of the 2018 World Cup in Russia. Between the Fancy Bears hack that surfaced private medical data on active footballers last month, Football Leaks revealing various business dealings and contract details, and generalized worldwide anxiety over “Russian hackers” in the wake of the 2016 US presidential election, the FA sees a need to look at their own information security now.

On the surface, it seems like a reasonable thing to do. You don’t want private information or medical data for players or staff members made public. Yet some of their stated concerns, like keeping team selection secret until right before kickoff, seem relatively frivolous. It’s also not totally unreasonable to think the FA just has some dirty laundry it would rather not allow to come out. Like, oh, I don’t know, the details of its investigations into England Women head coach Mark Sampson and how he treated Eni Aluko.

The FA wrote to FIFA to ask what, if anything, the world’s governing body plans to do to protect the World Cup and the competing national teams from hacking. The response: “FIFA has informed the FA that [it] remains committed to preventing security attacks. […] For the purposes of computer security in general, FIFA is itself relying on expert advice from third parties. It is for this reason that FIFA cannot and does not provide any computer security advice to third parties.”

While I am not an expert in infosec, I am a third party. And so, Greg Clarke, I humbly offer my services. Here is some very good and common sense advice for securing your cybers. (No need to thank me. You’ll be receiving my invoice soon enough.)

DON’T: Have players and technical staff communicate over email, phone, or SMS.

DO: Use carrier pigeons instead. Or ravens. Like on Game Of Thrones. Everyone likes Game Of Thrones, right?


DON’T: Use unsecured WiFi networks or similarly open data connections.

DO: Share vital information via an elaborate network of secret hiding places.

DON’T: Store or share teamsheets for an upcoming match on any digital device or network.

DO: Have all 23 of your players on the pitch until five seconds before kickoff, then have all but 11 of them quickly exit the field of play.

DO: Or better yet, let your players sort out the lineup among themselves on the pitch before kickoff. Keep it a surprise for everyone!

DON’T: Use passwords that are easily guessed, like names of friends and loved ones or your birthday.

DO: Let someone else choose your password for you, then retrieve that person whenever you need to log in.

DON’T: Set passwords with personal meaning to you, as these are vulnerable to social engineering.

DO: Set passwords with personal meaning to the hacker. He’ll NEVER see that coming!

DON’T: Download files, access websites, or use storage devices that can infect your computer with malware.

DO: Just use a Mac. Everyone knows Apple products can’t get viruses.

DON’T: Store private or sensitive information in unsecured databases or servers.

DO: Delete all files and shred all documents that could potentially be vulnerable to a subpoena. Gather the shredded paper and use it as kindling for a bonfire. Once the fire is going strong, throw up your arms and lift your shuddering voices in praise to the dark lord Ba’al, He who the Ancients called the Many-Headed Serpent.

DON’T: Discuss team business over the phone.

DO: Call your mother instead. She’s worried about you.

DON’T: Meet with “foreign businessmen” who have not been thoroughly vetted. They could be trying to extract sensitive or compromising information for their benefit.

DO: Oh who am I kidding, you hired Sam Allardyce.

DON’T: Allow individuals access to sensitive data that have not been subject to a thorough background check.

DO: Just tell Roy Hodgson everything, it’s not like he’ll remember in the morning.

DON’T: Ignore signs that a cyber attack may be in process.

DO: Set fire to all devices and servers. Fire is the cleanser.

DON’T: Rely too much on anti-virus software or other commercially available cybersecurity products.

DO: Accept the utter meaninglessness of existence. We are born from dust, and unto dust we shall return once more. (Besides, it’s not like stronger infosec will help you beat Germany.)

Special thanks to Nicolle Neulist for giving a draft of this article a technical sniff test.


Follow James on Twitter @thaumatropia.

{{Privy:Embed campaign=236804}}