As tribal governments and casinos continue to face cyber infiltrations, TribalHub will host its fourth annual Tribal Cybersecurity Summit on March 7. The virtual conference is free for tribes and enterprises owned by a tribe.
It runs from 8 a.m. to 2 p.m. Pacific Time, with breakout sessions that last from 30 to 45 minutes, including some geared to the size of the tribes. You can register and see the sessions here.
TribalHub, a community of tribal leaders coming together to stay current with technology trends, helped form the non-profit Tribal-ISAC (Tribal Information Sharing and Analysis Center), whose mission is to warn, inform, educate, and prevent or mitigate cyberattacks on Native American tribes and all their enterprises. Tribes have made headway in protecting themselves against cyberattacks that ramped up coming out of the pandemic, shuttering some properties and leading to ransomware payouts.
The virtual conference will bring together tribal-gaming CEOs, general managers, finance executives, regulators and gaming commission members, and risk managers with chief information officers and technology directors. Attendees will learn about preparing and protecting tribes from cyberattacks: investments in cybersecurity; costly mistakes that put tribes at tribe for being targeted; and tribal best practices. They will also make connections with peers, industry experts, and federal entities.
TribalHub CEO Mike Day said cybersecurity is in the news constantly and tribes continue to talk about it. This has especially been true since the attacks last fall against MGM Resorts International and Caesars Entertainment.
“It’s getting bigger every year,” Day said of the summit. “Close to 400 people are registered, probably 150 more than we’ve ever had a week out before. Last year, we had more than 400, so this year could be significantly more than that. This will be the largest gathering of cyber brain power from tribal organizations ever.”
Different about the summit this year is that no one is afraid of the word “cybersecurity” as they were four years ago when the summit launched, Day said.
“People understand a bit more of what we’re talking about when we discuss cybersecurity. This year, we’ll delve deeper into the how-tos and best practices and spend less time explaining the basics of cybersecurity. We were remedial in the first few years, trying to bring people up to speed. A lot of people are aware of the things they need to be doing. Now they want to know best practices and what other tribes are doing.”
This year’s sessions are broken down into different groups to address the varying sizes of tribal cybersecurity personnel. In some tribes, one person is dedicated to cybersecurity, while larger tribes have two to five and the largest have five or more, Day said. “Four years ago, almost all cybersecurity departments would have been considered very small and now we have a pretty good mix.”
This is the first time the summit has formulated breakout sessions based on size, resources, and budget compared to larger organizations. It will have more meaning to tribes that participate. “As you get into more detail, you have to take into account the different types of organizations, so they can take something from each session,” Day said.
Last fall’s cyberattacks against two large commercial casino operators generated more awareness among tribes, making it easier for cybersecurity staff to stress the importance of protecting tribes.
“It highlighted the different routes the two companies took. One paid a ransom and the other didn’t. It brought some awareness that there’s even a choice,” Day said.
Although there haven’t been the headlines about tribal casinos attacked and shut down like in 2021, Day said attacks have actually increased over the last four years. The difference is tribes are spending more and putting defenses in place.
“The threats are constantly getting more sophisticated, but the whole point of cybersecurity awareness, education, training, and creating groups like Tribal ISAC is to keep in front of what’s happening,” Day said. “Even though you’re not seeing the massive events, lots of little ones are happening all the time. None of them will be on the news, because they didn’t shut down entire operations.”
Tribes are doing a better job with awareness training for their entire organizations. They understand it’s an organizational issue and not a technology issue.
“They’re spending more on people having resources and on third-party services, whether it’s penetration testing, vulnerability management, or tools continuously scanning the network,” Day said. “The vast majority of organizations have made investments that didn’t exist before.”
Some sessions will be aimed at technical staff and understanding what they can do, others at executives and their roles, and some at both.
“They all lead to the understanding that this is an organizational problem and if you are not all in, it doesn’t matter what technology you put in place,” Day said. “If your employees aren’t on board and still click on phishing emails, or answer the phone incorrectly, and share information they shouldn’t, you’ll still get hacked.”
Hackers are using a lot of AI today. It used to be easy to pick off phishing emails, with all their errors. But cyberattackers are now sending emails that are more professional.
Greg Pitts, director of information security at the Cache Creek Casino Resort who will speak at the summit, said non-technical leaders are encouraged to attend in order to gain valuable insights from fellow practitioners on how to implement practical security measures for their organization.
“I believe in leading by example, so you want to get some of your organization’s leadership in the mix,” said Paul Wirszyla, security analyst with the Sycuan Casino and Resort. “There will be topics for everyone, technical and leadership. While you may want to send your IT team to a cybersecurity summit, there are many benefits to having non-IT members join. Cybersecurity is a team effort. We’re a niche community and meeting peers is always great.”
Bishal Thapa, information security officer for the Fond du Lac Band of Lake Superior Chippewa, said he expects one of the most popular topics to be a session on “Securing the AI Revolution.”
“The rapid rise and popularity in generative AI technology, the potential for misuse by threat actors, and the lack of AI-use policies and procedures all introduce risks to the tribes,” Thapa said. “This session helps address some of the concerns that revolve around AI safe use.”
There will also be discussions on resources available for tribes from the Department of Homeland Security and Federal Emergency Management Agency and Cybersecurity and Infrastructure Security Agency.