A cybersecurity expert gave a somber look at the growing number of attacks against casinos and other businesses, stating that it will be the properties’ customers who end up footing the tab.
Chase Cunningham, a retired Navy chief cryptologist who goes by Dr. Zero Trust, made a gloomy presentation about the cyber landscape when he spoke Wednesday at the World Game Protection Conference at the South Point Hotel Casino in Las Vegas.
“If you think you can spend your way to better cybersecurity compared to others who don’t spend as much, you’re wrong,” Cunningham said. “Organizations spend (millions of dollars) a year on cybersecurity and they all get breached. What does that all mean for us? We should accept the reality that there is no perfect defense. It doesn’t matter what you do. Sooner or later, the very nature of engineering and building something means someone out there can reverse engineer. This is why the bad guys have a lot of reasons to do this stuff.”
Cunningham told attendees to accept that they’ll hacked and there will be a breach. It’s not an admission of failure or that the businesses are losing.
“The thing about cyber now is to move past perfect defense and never getting breached toward resilience in operations and blast control,” Cunningham said. “You’re going to get breached and it’s OK. Have you seen anyone go out of business because they got breached?”
Money continues to be the “root of all evil” as it has been since the beginning of time, Cunningham said. That means venture capitalists are urging cybersecurity vendors to grow by 40% year over year, so they keep innovating with new technology, which he called “lipstick on a pig” from what companies did previously.
Upwards of 4,000 vendors sell cybersecurity solutions and software, growing by 13% a year, Cunningham said. Cyber wasn’t a big issue in 2019, but after the pandemic hit and everyone went remote, it increased the risks.
“It’s not possible to have this many vendors with this much technology and for us not to have a solution to solve the problem,” Cunningham said. “It’s a place for a lot of people to make a whole lot of money – bad guys and good guys. That’s why it keeps growing.
“How can we have an organization with this many vendors that is supposed to be solving these problems, and it still gets worse every year and we keep pumping money into it? In no other market can you do that. We’re going to get it right eventually. AI is not making this stuff slow down at all.”
Firewalls were never meant to be a security technology, but to move packets from one place to another intelligently, Cunningham said. People keep buying more firewalls, even though they won’t stop attacks in the end.
“It’s not keeping up, because no wall is high enough,” Cunningham said. “This is the only market where as we invest more and vendors win more, things don’t get better.”
People buy more technology that is more costly, but breaches increase every year, Cunnigham said. While a breach is inevitable, that’s not a reason for operators to sit around and wait for it to happen. Cyber is a 24/7 operation and he called it a national arms race.
Employees are at the center of the risk companies face. The most popular password in the world is 1,2,3,4,5,6,7,8, Cunningham said. Despite all the training and education, people leave systems vulnerable.
“Hope is not a strategy,” Cunningham said. “It will not work. A freight train is coming your way and AI has made it even worse. You must get ahead of it now. You have to take care of yourself and your organization as best as you possibly can, so you’re the harder target and someone else gets hit.”
The bad guys don’t care what they target and will attack and extort businesses because they exist, Cunningham said.
“If you are on the internet, you are a viable target point blank. End of story,” Cunningham said. “The cyber guys make a lot of money from it. A guy in Russia running an organization held a wedding last year in which the door prize was a Ferrari, because they make that much money. The Mexican drug cartels are now getting involved in cybersecurity, because there’s less risk; it’s more profitable than throwing cocaine over the side of the ship.”
Customers of casinos are seeing what Cunnigham called “cyberflation,” which is worse than inflation. When casinos get hacked, the cost of damage and insurance premiums is passed onto consumers.
“They’re not going to pay the fines and fees, but pass it on to us as consumers,” Cunningham said. “It’s the cost of doing business right now. After the MGM hack took place (in 2023), things got more expensive. We’re the ones assuming that cost, because of cyberflation. From 2020 to 2023, inflation was 15% and in the same time period, cyberflation outpaced it by 10%. It typically sits at 25% year-over-year. After MGM was compromised, they charged 26 bucks for a bottle of Fiji water. They got compromised and to cover costs had to make it up on the back end. MGM Resorts had $100 million wiped out, and they recovered that by passing that on to us. It didn’t hurt their business. This is one organization that got breached and they didn’t lose a penny.”
