The chairman of the National Indian Gaming Commission announced Wednesday that successful cyberattacks on tribal casinos have dropped dramatically in the past year and credits efforts to boost awareness by his agency and others for thwarting the hacks that have shuttered properties, reduced revenue, and prompted ransomware payouts.
Alarm bells were raised in July 2021 at the Indian Gaming Association conference in Las Vegas when NIGC Chairman Sequoyah Simermeyer announced that cyberattacks were up 1000% since 2019. At this year’s TribalNet Conference & Tradeshow where cyberattacks on tribes was a major focus, he said that there have been only three such reports in the 2022 fiscal year that ends Sept. 30. After a dozen reports of hacking a year ago, the FBI Cyber Division in November issued a warning, stating ransomware attacks against tribal entities had caused damages estimated to be in the millions of dollars. Disruptions from the attacks included temporary shutdowns of casinos, theft of sensitive data like credit cards, and significant financial losses.
In 2021, six of the attacks that were made public occurred in Oklahoma, one was in New Mexico, and one was in Wisconsin.
Tribal gaming regulators and operators manage sensitive data and public-safety infrastructure with networked technology, Simermeyer said. Cyberattacks threaten criminal-history records, player data, and the interoperability for emergency-response measures at likely the largest and most active gathering spaces in many tribal communities – the casino floor.
Simermeyer said the outreach efforts have helped, but he pointed out tribes aren’t required to report cyberattacks and that there’s no guarantee there were only three successful hacks.
“No matter the frequency, there’s still a high risk level,” Simermeyer said. “We’re still mindful of that, but the education and outreach have helped elevate it to the leadership and decision-making level.”
Cyberattacks in tribal gaming are increasingly sophisticated and frequent. Rather than attack gameplay integrity, cyberattacks disrupt a casino’s regulation and operation, Simermeyer said.
“Tribes have taken to heart the importance of having a plan in place in anticipation that an attack could occur,” Simermeyer said.
IT Audit Manager with the National Indian Gaming Commission, Tim Cotton, said there’s been an increase of tribes doing vulnerability assessment for a benchmark to determine what’s needed to protect themselves against cyberattacks – enhancements, procedures, and precautions that can be taken. Education and virtual training have also made a difference, he said.
“That has helped in the minimization of what we’re seeing regarding cyberattacks,” Cotton said.
Simermeyer said they’re approaching the threat going forward by establishing a network across the gaming regulatory community – both tribal and commercial- to effect real-time communication among experts.
The NIGC plans to launch an initiative in October centering on cyber security and promoting collaboration among regulators, operators, and tribal leaders. Tools for dealing with the problem will be unveiled as well.
NIGC officials will be at the Global Gaming Expo in October in Las Vegas to talk more about the issue.
In November, the NIGC plans to hold a national cyber- security summit that will include the FBI and Secret Service.
“Indian gaming has a reputation as a well-regulated and stable industry,” Simermeyer said. “Protecting this reputation is an industry-wide responsibility benefiting many communities, and if not prioritized, harm to the industry’s reputation can result from cyberattacks.”
In addition to the NIGC’s efforts, TribalHub helped form the non-profit Tribal-ISAC (Tribal Information Sharing and Analysis Center) that helps warn, inform, educate, and prevent or mitigate cyberattacks for Native American tribes and all of their enterprises.
Tribal Hub Executive Officer Mike Day said that sharing threat information and cyber-security awareness among tribes has made a difference, despite the ever-increasing threats from nation states like Russia and hackers funded by governments.