By Chez Oxendine
Ransomware attacks have wreaked havoc on tribal governments and enterprises, shutting down businesses and destroying sensitive archives.
As a result, tribes are left to grapple with the new cybersecurity measures necessary to combat the threats from ransomware, in which hackers capture data and hold it behind encryption to demand a fee for its release.
Walter Lamar, founder of security and privacy consulting firm Lamar Associates, said he hears about such attacks nearly every week.
“This is now becoming almost a weekly call that I get, saying this casino has been hit, that casino has been hit. It’s becoming more and more frequent,” Lamar told Tribal Business News. “Across the country, every 11 seconds there’s another ransomware attack. That risk is shooting up every day.”
The latest example can be found in Oklahoma, where six Lucky Star casinos operated by the Cheyenne and Arapaho Tribes were forced to shut down following a ransomware attack that crippled their computer systems.
Tribal Governor Reggie Wassana said in a statement June 22 that the Cheyenne and Arapaho would not concede to the hackers’ demands.
“Let me be clear: this was a terrorist attack, and we did not negotiate nor surrender,” Wassana wrote. “These criminals have not, and will not, receive one cent from the members of the Cheyenne and Arapaho Tribes.”
Wassana also wrote that casino employees would still receive their pay and full benefits for however long the casinos remained closed.
The closure of the Cheyenne and Arapaho facilities was just the latest in a string of tribal ventures that have been affected by ransomware attacks. As Tribal Business News previously reported, the Nez Perce Tribe in Idaho closed its casinos following a successful cyberattack in October 2020. In that same month, the Yocha Dehe Wintun Nation’s Cache Creek Casino in Brooks, Calif., also fell victim to an attack on its networks.
Another Oklahoma tribe, the Seminole Nation, had to close its casinos temporarily because of a cyberattack in May 2021.
A report from the FBI’s Internet Crime Complaint Center lists more than 2,000 ransomware attacks in 2020 that caused adjusted losses of more than $29.1 million across industries such as gaming, technology, hospitals and even municipal governments.
Tribal targets range from business enterprises to casinos and even government systems. That was the case for the Quapaw Nation of Oklahoma, whose tribal government suffered a ransomware attack eight years ago that wiped out tribal data archives.
“It was difficult to recover from. Luckily, we did have physical backups of everything,” said Quapaw Secretary Treasurer Guy Barker. “We’ve got a better system in place now.”
Harry Jackson III, a partner at law firm Fox Rothschild LLP in Atlantic City, N.J., attributed the rise in attacks not only to more sophisticated technology, but also to the growth in online interactions, which create more vulnerabilities for potential hackers to exploit. Jackson pointed to growth in online betting as an example of those vulnerabilities.
“There are more casinos handling customers’ personal data, personal information, as well as financial information,” Jackson told Tribal Business News. “As more and more casinos are handling that information, they become bigger targets for cyber attacks.”
The advent of COVID-19, which drove many employees to work from home, didn’t help matters, security consultant Lamar added.
“That provides another terrain that’s exposed. Instead of having folks working in a controlled environment, you have a variety of folks working remotely, which significantly increases the security concerns and creates a larger attack surface,” Lamar said.
Ransomware breaches can often cost anywhere from thousands to millions of dollars in either cash or cryptocurrency demanded by the perpetrator. Even once the ransom is paid and the data are returned, the brute-force encryption can leave the information corrupted and unusable, leaving open the possibility of a “double extortion,” Lamar said.
“In terms of double extortion, it’s a matter of having that information and if you don’t pay the ransom, that information will be sold or exposed,” he said.
A tribal operation also has its reputation to consider. While many Native casinos are the only gambling establishments in their areas, tribal resorts in more populated regions stand to lose large portions of their customer base and revenues if customers feel unsafe about using their services, Jackson said.
“If consumers feel like their data is not protected by the tribe, they’re going to go elsewhere,” Jackson said. “Losing your consumers would be extremely painful.”
Jackson recommends that tribes prepare ahead of time to ward off attempted cyber attacks and to respond effectively to successful breaches, although what those preparations look like will differ from tribe to tribe.
“There’s no one-size-fits-all approach for all tribes. Every tribe has a different background, different experience, different access to tribally owned I.T. or data security,” Jackson said. “Each tribe is unique in its own individual needs, but there are things that not only tribes but the gaming industry as a whole is doing to protect itself.”
Jackson pointed to best practices such as developing comprehensive response plans for both attempted and successful breaches, establishing and maintaining insurance on losses incurred during cyber attacks, and training employees to watch out for attempted invasions. Taking preventative measures such as hiring security experts to audit existing systems and developing defenses against common hacks like keylogging malware and phishing attempts would likely save tribes money and preserve their goodwill in the long run, he added.
“The amount of money that you spend preparing for an attack will be minimal compared to the financial damage that will happen both in physical cash or bitcoin, and also the impact on your reputation and consumer confidence,” Jackson said.
In particular, Jackson highlighted employee training on how to spot different phishing attacks as especially important, since employees often accidentally open the doors to hackers looking to break in.
“The first line of defense is employee training, and making sure that those people that have access to sensitive information have regular training procedures that help them identify those phishing schemes,” Jackson said. “The first breach will occur if someone opens a link that they shouldn’t.”
To that end, the Quapaw Nation extensively trains its 2,600 employees on how to spot phishing scams, but those attacks are ever-evolving in their ability to spoof real emails from internal addresses, said Barker, the tribe’s secretary treasurer. The rapidly evolving nature of the attacks presents a host of challenges when trying to protect the tribe’s four casinos and its “smattering” of tribal businesses.
“It’s certainly like chasing your own tail. It seems to grow and evolve in the same way that the fashion industry does: There’s always something new,” Barker said. “We work to keep ourselves up to date, ahead of the curve. We monitor other issues that other businesses and tribal governments see themselves dealing with and work to stave off what we can. It is almost a daily battle.”
Barker said Quapaw Nation’s cybersecurity division was composed partially of internal tribal employees and external contractors, which was a “necessary step” for a tribe of its size. Moreover, hiring external contractors can provide a crucial look at whether or not a cybersecurity system stood up to outside attacks.
“It’s a blend of the two, and I think that’s going to be true anywhere. We’re not the size of the Israeli government and have our own complete in-house system. I think having outside sources is valuable to test the fortitude of any security measures you put in place,” Barker said. “The hacking community, the ransomware community are very talented technical individuals. You definitely need those outside sources to gain new perspective.”
Avoiding ‘false confidence’
When and if a breach occurs, tribes need to have a team ready to “locate, isolate, and eradicate” the hackers, whether that team is the internally owned tribal I.T. services or external agencies, according to Jackson.
“The first thing you need to do is understand the extent of the breach,” he said. “You need a swift response, and in that response, there needs to be some sort of contact with groups out there who do forensics and crisis communications.”
While few tribes own I.T. companies, now might be an opportune time for them to get into the field.
“I do feel that this is a great opportunity for any such firms out there to move into this space,” Jackson said. “Cybersecurity is top of mind for the gaming industry as a whole, so if there are tribally owned I.T. firms looking to move into this space, now is the time to do that and help Indian Country defend itself from these attacks.”
Regardless of how tribes plan to go about addressing their cybersecurity concerns, their efforts should be thorough and attentive, Lamar said.
“I’ve seen firsthand the devastation and tragedy of not recognizing we were a target, or would have been a target. Sometimes, we have a false confidence and a false sense of security, and we can’t have that,” Lamar said. “These cyber attacks are so prolific, so widespread, that we have to be looking carefully and we’ve got to know that we have the right folks at our gaming and hospitality operations protecting our cyber platforms in the right way.”