The NCAA’s Dirty “Little” Secret

michigan_stadium_big_house_2_smallAre you one of the millions of fans who routinely attend NCAA Division I football games?  If you are, this article comes highly recommended.  But if you work in the field of game day emergency management or incident command, this article ain’t optional.  It’s mandatory.

There’s a looming national security threat that nobody’s allowed to talk about.  It’s an existing problem the entire federal government is unwilling to address.  The same dilemma extends to private industry as well… the NFL, MLB, NASCAR and other professional sports organizations.  Regrettably, the NCAA is equally guilty.

The problem I’m referring to is incredibly generic.  Still, most people have never given it any consideration whatsoever.  It’s merely the modern, technological equivalent of shouting “fire” in a crowded theater.  It’s called an “artificially generated stampede.”

Michigan Stadium is pretty big.  So let me pose a question.  Could there be a downside to 100,000+ active cell phones in the largest NCAA football stadium?  Are any of those miniature wireless supercomputers capable of receiving false information while a game is in progress?   And could that real-time information influence the collective behavior of the crowd… potentially resulting in a tragedy?

Let’s extrapolate from a recent incident.

On August 12, 2015, the University of Michigan football and basketball official facebook pages were “hacked.”  Starting around 4 a.m. (and for the next 5 hours) the perpetrator posted a barrage of 26 click-bait articles, mostly featuring female celebrities and sexually provocative content.  By 9:45 a.m. both facebook pages were taken down.  Eventually, the university responded with the following message.

Fans – Early this morning, Facebook accounts for Michigan Athletics, football and men’s basketball were compromised. Thanks to diligent work on behalf of our partners at the University of Michigan and at Facebook, we have resolved the situation and deleted any offensive posts.

We apologize for any inconvenience and appreciate the support of our audiences throughout this issue. We greatly value our connections through social media. We continue to monitor our pages and will work with our partners to expedite all inquiries. Thanks for your patience and ‪#‎GoBlue‬.

Unfortunately for the University of Michigan social media department, the saga was just beginning.  Later in the afternoon, the page was “hacked” again.  Additional sexually suggestive content was posted.  A second official facebook message finally appeared at 8:35 p.m., nearly 12 hours later.

Our partners at Facebook have advised us that our social pages are now stable. Out of extreme caution we will monitor all of our platforms throughout the evening and hope to return to normal operations shortly.

We suggest a computer scan for anyone who has clicked on any third-party link from our Michigan Athletics, football or men’s basketball pages between the hours of 3am and 4pm today. We have no indication that any of our other Michigan accounts across all social platforms have been compromised.

Thanks once again for your continued support and patience. ‪#‎GoBlue‬

In the aftermath, all of the objectionable facebook content was deleted.  So let’s take a look at the official University of Michigan August 12 twitter feed and see if we can make a few observations.

Fans of U-M Athletics: We want to acknowledge that our Facebook pages for Michigan Football, Basketball, and Athletics have been hacked.

Please be patient with us as we work diligently to get this resolved.

Thanks to diligent work on behalf of our partners at @UMich and at Facebook, we have resolved the situation and deleted any offensive posts.

We apologize for any inconvenience and appreciate the support of our audiences throughout this issue. Thanks for your patience and #GoBlue.

At this point, it would appear as though the problem was fixed.  However, the twitter feed continued…

Still working with our partners to once again resolve the ongoing hack situation. We apologize for the disruption. Thanks for your patience.

Facebook has advised us our social pages are now stable. We will monitor throughout the evening & hope to return to normal business shortly.

Thanks once again for your continued support and patience. #GoBlue #BestFansEver

Here are some takeaways from the University of Michigan social media escapade:

Michigan Stadium has an official capacity of 107,601.  On September 7, 2013 a game against Notre Dame drew a record crowd of 115,109.  Commonly referred to as the Big House, it’s the largest stadium in the United States.  It’s reasonable to assume that the overwhelming majority of the fans in attendance are carrying an active cell phone.  This leaves them perilously vulnerable to a wide variety of communications (wireless hacks, opt-in notification abuse, spoofed messages, bulk texts, phone calls and especially the prospect of malicious hoax information posted on decentralized social media platforms).  Yes, I’m referring to phony evacuation orders and bomb threats.  But it could be something seemingly harmless (free food, discounted merchandise, celebrity sightings, etc.).  Anything that might encourage random individuals to move aggressively toward a concourse or fixed location.  Panic, herding instincts, stampedes… these human phenomena go hand-in-hand.

As with other high-profile internet miscues, do not expect a meaningful resolution.  With the vast majority of hacking incidents, it’s exceedingly rare that anyone is ever held accountable.  Because any attempt to resolve the matter invariably results in a public relations nightmare and an ongoing reminder that the company, government agency, or in this case, educational institution, was compromised.  Also, it’s extremely challenging to effectively prosecute cyber-crimes.

Note the university’s general stance on this social media hack.  They seem only concerned about the possibility of accidental downloads and computer viruses.  That is an exceptionally linear and naive view of this matter.  Administration officials and stadium management would never voluntarily acknowledge a scenario that could render a venue unsafe.  It’s considered a slippery slope as they might get “called out” on other sensitive, taboo security issues (drones, IED’s, active shooters, etc.).

There’s also an NCAA league-wide refusal to engage in out-of-the-box thinking.  Just because you believe your venue to be perfectly safe… what if an unexplainable, real-world event transpired in a different stadium?  Hypothetically, what about other Big 10 facilities at Ohio State, Penn State or the University of Wisconsin?  How might a black swan event, such as a human stampede, impact the behavior of fans in other stadiums?  Think about it.  Good news travels fast, but these days, bad news travels much faster (celebrity deaths, airplane crashes, natural disasters, etc.).  Societal communication has changed markedly in the past two decades.  And what’s the most obvious variable that impacts information acquisition in a person’s day-to-day activities?  Answer: wireless technology.

The Michigan Football facebook page has 1.4 million “likes.”  Anyone who uses social media knows what that means.  It means that a wide variety of material related to the University of Michigan Wolverines can “magically” appear in your real-time facebook feed, particularly on game day.  Think beyond how malicious information would directly affect fans inside the stadium.  Consider how a saturation might impact people outside the stadium (in Kalamazoo, Philadelphia, Mexico City, etc.), especially those with friends or loved ones in attendance.  Physical distance is irrelevant.  Timing is everything.  Instead of silly click-bait schemes featuring Kim Kardashian or Miley Cyrus, what if the following information was transmitted?

The FBI has ordered an emergency evacuation for Michigan Stadium, Ann Arbor, Michigan.  Threat level classification — IMMINENT.  Exit the stadium immediately.  Remain calm.

What if the message was less threatening but plainly convincing?

The University of Michigan alumni association is proud to announce a free t-shirt giveaway in the concourse outside the North end zone.  While supplies last.

What if someone made 26 similarly nefarious posts during a game?

The complicated algorithms that govern social media transmissions are not readily available to the general public.  Is it reasonable that facebook would proactively censor information that might lead to a panic?  If so, how far down the line does this procedural mitigation extend?  AT&T, Cisco, Microsoft, Google, etc.?  The FCC, FEMA, DOE, etc.?

It’s called discussing the undiscussable.  Nobody wants to acknowledge the potential for an artificially generated stampede due to concerns about plausible deniability and foreseeable litigation.  And of course, raising the issue itself is inherently a lose-lose proposition.  Hence nobody is willing to be proactive.

Now here’s the crux of the problem.  Solutions grounded in the realm of mitigation are not viable because human stampedes occur spontaneously.  All OODA loops (observe, orient, decide, act) require TIME to make responsible decisions.  In this case, you aren’t afforded the opportunity to react because events play themselves out in real-time.  You can’t just “hope for the best,” and if necessary, try to “neutralize the crisis.”   Think about it.  The University of Michigan required 5 hours to get the hacking situation under control.  Then, it happened a second time.  The expression “time is of the essence” exists for a reason.  Sometimes you don’t get second chances.

So what’s the solution to this mess?  Let me be blunt.  There are an infinite number of ways to manipulate crowd behavior via cellular technology.  This doesn’t require a masters degree in psychology with a minor in communications.  All it takes is a middle school education and a little situational awareness.  Ironically, the younger generation has a better grasp of the problem because they’re generally better acclimated to the current state of technology.  Unfortunately, at the same time, younger people are less apt to find themselves in positions of authority or command.

As I was saying, there is a solution.  But it requires making a fundamental determination to treat fans with a basic level of dignity and respect.  You must willingly divulge the truth — that LEGITIMATE stadium emergency evacuation orders would NEVER be delivered via personal cell phones.  If an evac is deemed absolutely necessary, protocol dictates using the public address in tandem with the video monitors.  You do NOT play texting games with a large, confined crowd in excess of 100,000.  University of Michigan officials and the NCAA security apparatus are aware of this conflicting discrepancy.  It’s not rocket science.

So we’re left with two distinct options.  You either disclose the truth and get ahead of the curve OR you make a deliberately calculated decision to leave fans oblivious and uninformed.  This is not complex.  It’s simple and it’s moral.  It’s simply a moral decision which extends beyond profit.  It’s not about money.  It’s about life and limb.  And until the NCAA is willing to acknowledge the problem, every person in every NCAA stadium will remain at-risk.

If you believe my concerns have merit, feel free to share this link on any social media platform.  Freedom of speech is a hot commodity these days.