The 6th Annual TribalHub Cybersecurity Summit kicks off Wednesday led by a keynote address from a former U.S. Secret Service agent warning tribes against the threats they face.
This year’s conference in Jacksonville features three days of expert-led sessions, hands-on training, and networking opportunities dedicated to strengthening cyber defenses for tribes and tribal enterprises, including casinos that have been the subject of attacks.
Cyberattacks against tribal casinos and enterprises remain a big threat, as advancements in artificial intelligence leave them more vulnerable to shutdowns and theft of customer data.
Last fall, the Tribal Information Sharing & Analysis Center released a survey showing what tribes are facing and how they are reacting.
The survey showed that the threat landscape is dominated by ransomware, with nearly a quarter of tribal entities reporting actionable threats. Of those affected, 75% experienced ransomware in the past year and 77% refused to pay the ransom, in what the report said is “an encouraging sign of resilience and alignment with best practices.”
Cybersecurity readiness is progressing, but remains fragmented. Incident-response plans are widely implemented, yet disaster recovery, business continuity, and third-party risk oversight are underdeveloped, the report said.
Michael Levin, the keynote speaker at the Cybersecurity Summit, will speak on “AI, Cybercrime and the Human Factor.” He is the CEO and Founder of the Center for Information Security Awareness, with experience at the intersection of cybercrime, human behavior, and emerging threats like AI-driven attacks.
“Most organizations because of ransomware are starting to realize this, but we have done a really bad job of educating our employees of what to look for,” Levin said. “There are so many bad guys that are coming after casinos and tribal organizations that they have to hunker down and do a much better job understanding the risk and educating their employees.”
Levin said most organizations aren’t prepared on what AI is going to bring to cybercrime and to the risks to their organizations. There’s AI phishing generation, deepfake voice fraud, AI reconnaissance using public data, and automated social engineering and credential harvesting.
“These are all things that are immediate problems for organizations that are going to be coming at them in various ways,” Levin said. “You don’t have to be an expert, but you just have to be aware. The concept is how do we throw all these potential social engineering and problems in front of the employees to get them to be educated and aware of all of these different things.”
Levin said it’s important to frame the problem as “scary” and what tools can employees have to make smart decisions when they jump on the computer.
Tribes aren’t getting attacked more than other enterprises, according to Levin, who has trained tribal employees. Hackers use a shotgun approach to all types of enterprises and if they have success with tribes, that will encourage them to continue to target them and gain more money or get Social Security numbers or credit card information. That’s why the FBI doesn’t want ransoms paid because hackers will come back at them in the future, he said.
“I don’t think every tribe has recognized that employees have been the primary target of these attacks,” Levin said. “It is not the technology or the firewalls that are being attacked. It’s the employees, and we need to harden that target through ongoing training. A lot do training just once a year or once a quarter they send a phishing test to employees and if employees fail they may need to do training. The training never teaches the employees the ‘why’ because that’s what’s going to get them to buy into the program. If they don’t understand why, we have a big problem.”
In the case of the hack of MGM Resorts International in the fall of 2024, it was about social engineering of an employee to provide information to hackers that enabled the systems being crippled, Levin said.
“The weak link there was the employees and one of the things we like to say instead of saying the employees are the weak link, we want to go with how the employees are the biggest target,” Levin said. “They are the attack vector hackers are using to get into your system. A lot of organizations spend money on hardware and software solutions, and they forget to train their employees.”
Toni Pepper, an ISAC steering-committee member and CEO of Pepper Consulting, said infiltrations into computer systems via employees clicking on hacker emails continues to be a major problem. As much as they’re trained, the messaging has gotten so sophisticated, so it’s harder to identify.
“There will always be concerns because this is a never-ending challenge we all face together,” Pepper said. “The introduction of AI has presented a whole new level of risk for organizations. The bad actors are embracing that technology, and it’s a new platform to address and figure out how to leverage to the best of our ability to keep fighting the good fight.”
Pepper, without getting into specifics, said there continues to be cyberattacks occurring in Indian Country, and Tribal ISAC continues to reach out to tribes to help prepare them.
Levin said it’s important for the country as a whole because critical infrastructure is being attacked daily by nation stations and other adversaries, and people aren’t educated enough about the risks.
“Most people wake up everyday, and they have the same garbage emails and go through all of them and click on all of these links and attachments,” Levin said. “We have to break that muscle memory and change the way we do business.”
This year, the conference added a non-technical track for CEOs and Chief Financial Officers, Pepper said. That way, it shows the whole organization the importance of cybersecurity and not just the technical staff, Pepper said.
“It continues to be an ever-evolving landscape that will always be top of mind,” Pepper said. “We like to remind people that cybersecurity is not only an IT responsibility, but everyone’s responsibility, so we encourage those at the executive level and department heads of all flavors to pay attention, get involved, be active, educate yourself and join forces.”
