Tribal bank accounts surged in 2022, as the Indian gaming industry rebounded and tribal governments took in historic amounts of cash from federal funding.
Bennae Calac saw something else on the rise in Indian Country: cyberattacks.
Calac, the president of Pauma Valley, Calif.-based Onoo Po Strategies, said she was speaking last year with a tribal leader who told her the tribe had been hit by a cyber ransom issue, which jeopardized the entire community. As she talked to other tribal leaders, it became clear this ransom attack was not a one-off situation among tribes and their enterprises.
“Everybody’s getting hit, and it was something we needed to address,” Calac, a citizen of the Pauma Band of Luiseño Indians, said.
To help deal with the rising threat of online attacks in Indian Country, Onoo Po forged a partnership with a firm to provide cybersecurity training and solutions to Indian Country. The collaboration with Addison, Texas-based Maxxsure will allow the firms to offer “scalable, affordable” solutions to Native clients who are hoping to lock down at-risk ventures and government functions.
The partnership arrives amid a steady rise in cyberattacks on tribal targets — Native owned casino and Tribal governments, in particular — that were left exposed to rapidly evolving technology-based attack strategies, including ransomware, phishing, malware and social engineering.
“Cyberattacks are daily news,” Srik Soogoor President, and Co-Founder of Maxxsure said in a statement about the partnership. “Maxxsure is dedicating our risk assessment expertise and proven technology to this partnership, now is the time for action, we are ready to deploy, there is no time for complacency.”
Casinos find themselves frequently attacked
Per trade publication Casino.org, a 2021 warning from the Federal Bureau of Investigation put tribal casinos on watch, pointing to a 150% increase in ransomware attacks throughout that year. Thanks to Indian gaming’s meteoric comeback from COVID-19 lockdowns, hackers found newly enriched casinos an attractive target, Calac said.
Prior Tribal Business News reporting highlighted a trio of casino attacks in the wake of COVID-19 lockdowns, during October 2020. During that attack, the Nez Perce Tribe in Idaho shut down two casinos for a weekend because of a system disruption that was later revealed to be an intrusion.
Around the same time, the Yocha Dehe Wintun Nation’s Cache Creek Casino Resort in Brooks, Calif. suffered a closure after an “external attack on their computer network,” per a statement That attack kept the casino offline from Sept. 20 to Oct. 13.
The trend continued into the next year, including a June 2021 ransomware attack that shut down the Lucky Star Casinos operated by the Cheyenne and Arapaho Tribes. Tribal Governor Reggie Wassana called the hack a “terrorist attack” and vowed the criminals “would not receive a cent” from the Tribe.
These disruptions gave intruders access to crucial data, including customer information for increasingly online and digital operations. That opened up tribes to new liabilities as they adjusted to rapidly changing technology, Calac said.
“If someone gets money taken from them through a data breach at your facility, that could mean a lot of trouble,” Calac said. “It could affect your reputation, or it could mean a lawsuit. There’s a lot that could go wrong if that information gets out.”
Ransomware attacks on Indian gaming operations did see a steep drop off in reported incidents in 2022, per a release from the National Indian Gaming Commission. The commission received word about only three such attacks through the organization’s fiscal year ending in September.
NIGC Chairman Sequoyah Simermeyer attributed the drop to improved outreach and awareness through efforts from the NIGC and other agencies, like the Indian Gaming Association, per a report from trade publication CDC Gaming.
“Tribes have taken to heart the importance of having a plan in place in anticipation that an attack could occur,” Simermeyer said in that story. “...the education and outreach have helped elevate it to the leadership and decision-making level.”
Even so, Simermeyer noted that many attacks don’t get reported and that even short shutdowns can cost tribes millions of dollars in revenues.
“Indian gaming has a reputation as a well-regulated and stable industry,” Simermeyer said. “Protecting this reputation is an industry-wide responsibility benefiting many communities, and if not prioritized, harm to the industry’s reputation can result from cyberattacks.”
Evaluating risks
Protecting tribal operations from losses was an important part of preserving success in Indian Country, Calac said. The partnership with Maxxsure is one way to help spread the word about existing vulnerabilities and issues facing all tribal operations — right down to the HVAC system.
“There was a situation in Vegas, the casino that was there was actually hacked via the air conditioning system, because the system was all online, controlled via the web. That's where the attacks came through,” Calac said. “These guys are pretty inventive. All they need is a way in, and that doesn't just mean attacking the establishment itself — it's anybody who is connected to that system.”
Together, Maxxsure and Onoo Po plan to provide tribes with an evaluation of their vulnerabilities and a security standard by which to measure their defenses. Establishing a baseline standard gives tribes and their partners a guideline to follow in shoring up weaknesses in their system, Calac said.
It also allows tribal entities to go to vendors and say, “You’re connected to our system and that’s a vulnerability,” according to Calac. “We take a deep look at the risks each tribe or individual member is facing.”
Those risks include everything from employees using computers to do their jobs to customer data lost in a breach. Even something as simple as using free casino wi-fi from the parking lot could snowball into a tort claim if something goes wrong, Calac said.
Maxxsure and Onoo Po will turn to other partners to help provide further security services, Calac noted; they don’t plan to offer security services themselves. Throughout the relationship, Onoo Po and Maxxsure plan to work together to better integrate their strategy with cultural sensitivity to client tribes.
That’s an important factor in how Onoo Po approaches this new partnership with Maxxsure and their role in Indian Country, Calac said. The group wants to help tribes build solutions that they can use on their own, rather than becoming a longtime vendor.
“Maxxsure wanted to provide Indian Country an opportunity to build something of their own, and that was important to me,” Calac said. “One of the main things that I wanted to do when it came to this partnership was to ensure we were ground cover - to ensure that this was something Indian Country had and could build on this for future opportunities for our peoples.”
“I'm actually a previous tribal leader myself. When I saw the vulnerabilities of my tribe, it looked easy to have control of our system. I want to help secure our people and grow.”