Las Vegas and nationwide casinos continue to come under cyberattack and hackers’ use of artificial intelligence is increasing the risks for operators.
“The gaming industry is always under attack,” said Rick Arpin, managing partner in Las Vegas for KPMG. “It’s a high-visibility target for hackers. We’ve gone through waves of incidents in this industry.”
For Tim Williams, chief information officer for Sahara Las Vegas, the reasons why it keeps happening to the gambling industry, including MGM Resorts International, Caesars Entertainment, and most recently Stations Casinos, are clear.
“The cliché answer is that’s where the money’s at,” Williams said. “That’s the perception. Over the last seven to 10 years, the megaresorts like those in Las Vegas are a city, with a hotel, food and beverage, and entertainment, including the casino. Each is governed by different systems. The landscape the technology teams have to handle is non-trivial and there’s such differentiation and so many points of access. There’s limited resources and it’s a never-ending battle. You can never have a good-night’s sleep, because there is always somebody out there trying to get at you. New technology with AI accelerates it.
“Everything is moving so fast that something that was maybe state-of-the-art two years ago is now passé,” Williams said. “Now, AI-tailored phishing messages are so specific to one individual that they’re hard to tell from legitimate emails.”
Williams said one emerging area in the cybersecurity threat landscape is AI-assisted coding and shadow IT. These occur when people within the company, but outside of information technology, create tools they think will help the operation, but don’t take into account security practices and internal systems. “Those are two different fronts of the same thing that are going to converge and only get more challenging as we go.”
Kevin Kealy, senior vice president and global chief information security officer for Light & Wonder, joked that the biggest concern he has is “stupid people doing stupid things for stupid reasons” and artificial intelligence enables that to happen more quickly and efficiently.
“You need some form of AI governance to stop people burning those tokens, running up huge bills, and doing stuff that either doesn’t matter or hurts you,” Kealy said. “We do a lot of development work on products that end up in the hands (of casinos). We’ve participated in the last three to four years in a general effort with the International Gaming Standards Association on the latest security standards to raise all boats across the industry. Banking has gotten their act together and casinos are where the money is now. This is where the hackers will turn to next and with AI accelerating things, it’s a terrible situation to be in. For the last four years, we’ve been working hard to raise that tide and as a result, every product we develop before it goes out the door for certification, we pin test it.”
Kealy said they’ve leaned into a tool called APE, AI Pin Test Engineer, in which products like a casino management system, slot machine, card shuffler, and others are tested by an engineer before any code gets released.
“Each iteration used to take us six weeks,” Kealy said. “We sent it off to GLI or BMM to do the pin testing and send us back the results. Then fix any problems and put it back out again. We’ve gone from six weeks, plus whatever time to remediate and resend, to one hour and 34 minutes, thanks to our APE. Instead of spending multiple interactions and months of testing, we can now get product certified, secure, out the door, and in the hands of customers, knowing we’re not going to be the problem. Yes, AI can be used for good.”
Arpin said one of the risk factors that has increased with AI is that some people have lost critical thinking and healthy skepticism. “The systems are becoming more advanced and the hackers are using more advanced systems. At KPMG, we’ve been tracking that the humans are even more important in terms of one of the lines of defenses in cybersecurity,” Arpin said.
Kealy said humans are the biggest opportunity and biggest threat. Some 80% of breaches start with a human element, and he cited cases on the Las Vegas Strip where people were socially engineered and handed over credentials.
Kealy called employees the front line of defense and it’s important to give them the training, tools and trust, but with a safety net underneath.
“The ultimate role that our individuals play is important, especially those who have responsibility for accounts receivable and payable,” Kealy said. “That’s why we have several multi-step authentications in place — to make sure no single person can authorize a payment or change payment details. The biggest thing we can give our users is trust. We make sure we have lots of tools in the background that are invisibly helping them make the right decisions and if they make the wrong decision, we hope to catch it and contain the blast radius.”
Williams said casinos can patch their systems and update everything, but that’s not enough.
“The days of once-a-year compliance training with a little bit of a cyber element to it are in the rearview mirror,” Williams said. “For us, it’s a constant approach. Monthly trainings are adaptive and take on a person’s proclivity for things they shouldn’t be doing. Then they get training for that.”
As systems are more vulnerable than ever before, Arpin said the concern with AI centers around keeping control of data and not allowing it to fall into the hands of others. “Some people may be thinking maybe the cloud isn’t so good and maybe we should put our systems back on the premises.”
Dale Smythe, area vice president for retail and hospitality at Workday, said the operative word is “noise,” and it’s been a noisy market since the advent of ChatGPT. In reality, customers don’t want to take on the responsibility, cost, and complexity in the age of AI of bringing their data back and securing it.
Williams said they recently moved to some cloud-oriented applications and one of the selling points and benefits of doing that was how they could supplement IT and cyber teams with an outside dedicated team, since they don’t have a large staff.
