On December 7, 2019, the Eastern Band of Cherokee Indians (EBCI) fell victim to a malicious ransomware attack. The cyberattack infected the tribe’s IT infrastructure and encrypted their data, impacting essential tribal services such as the 911 dispatch system and local government networks. Roughly two weeks later, the community’s IT networks were back online, and a tribe member and former IT employee for the EBCI government was under arrest for his involvement in the attack. The disruptive nature of the cyberattack served as a wake-up call for the tribe, prompting leadership to ramp up their cybersecurity efforts.
To get a firsthand account of this severe attack, we spoke with the Principal Chief of the Eastern Band of Cherokee Indians. In this interview, Richard Sneed shares how this cyberattack impacted his tribe and inspired him to implement stronger cybersecurity measures. Also captured by Microsoft, this is his story.
(Edited for brevity and clarity)
DPN: Tell us about yourself.
RS: My name is Richard Sneed, and I am the 28th Principal Chief of the Eastern Band of Cherokee Indians. I’m in year seven of my second term. Previously, I was a business owner, entrepreneur, schoolteacher, and youth pastor. Now, I do this. I am also a Marine Corps veteran.
Tell us about the Eastern Band of Cherokee Indians.
The Eastern Band of Cherokee Indians is one of three federally recognized Cherokee tribes. The descendants of the Eastern Band are Cherokees who resisted removal. Through a great deal of political maneuvering and strategy, we were able to procure land, which is the Qualla Boundary today, located in western North Carolina. We have a little less than 60,000 acres of land and roughly 16,000 tribal citizens.
We are a gaming tribe that games under the Indian Gaming Regulatory Act passed in 1988. We have two Indian casinos and recently moved into the commercial gaming space. We also are joint partners with Caesars in a $650 million project in Danville, Virginia. We have a lot of other gaming opportunities in the pipeline right now. That’s a little bit of our background.
Walk us through the day of the cyberattack.
On a daily basis, I receive many emails. On a bad day, I’ll get up to one hundred. It can be a bit psychologically overwhelming to stay on top of them. If I happen to be gone for a few days, once I click my inbox, there can be 300 to 500 emails waiting for me.
On the morning of the attack, I was going through my inbox. I noticed an email written in broken English that said my data was held hostage. I figured it was just spam, you know? I thought it was one of those early 2000s Nigerian prince scams. So, I thought it was best to delete it and not risk clicking any links. Then, another email came. I deleted it again.
Later, I got a phone call. The hacker told me that this was not a joke, and this was not a drill – this was real.
Describe the moment you discovered the EBCI was targeted by a ransomware attack.
I was overwhelmed by a sense of helplessness. What do you do? Who do you call? There’s certainly no manual on what tribal leaders should do when they’re under cyberattack. We immediately convened a meeting amongst the leadership team, but we were all sitting around dumbfounded. Some employees ran around and unplugged everything. They disconnected all the cables, but it was too late.
Our saving grace was that our Secretary of Treasury had a deeper understanding of these threats. Since he worked in finance, his work was a prime target for these attacks, so he knew what we needed to do.
Before the attack, the Secretary actually got an insurance policy to protect us against this type of situation. I didn’t even know there was insurance against cyberattacks. If I can give one piece of advice to every large organization, get it! It’s a necessary expense.
When the severity of this attack became clear, what was your biggest concern?
My primary concern was if we still had a functional emergency dispatch system. Do we have a way to receive emergency calls, then dispatch police, fire, or EMS services? Unfortunately, my biggest fear became a reality.
Because we are in a very rural part of the state and our tribe has the capacity, we have a mutual help agreement with the National Park and surrounding counties. So, whenever there is an emergency, the tribe is contacted, and we dispatch service workers to help with the efforts.
In this case, there was a car accident that occurred in the National Park area that ended in a fatality. With our IT shut down, it took close to thirty minutes to get people dispatched. By the time emergency service workers arrived at the scene, the person had succumbed to their injuries.
How else did it impact the tribe?
Our entire tribal operation shut down for just under two weeks. Everything we do is digital. It’s all connected to the network. At the time of the attack, some departments had their data in the cloud, but that was it. Everything else we owned was now encrypted, and we had no access to it.
But, in business time, that’s an eternity. Imagine a business not having access to emails, not sending anything to human resources, or not processing anything through the finance department. However, we work with the federal government, the state government, the county governments, and other tribal governments. Obviously, the interdepartmental traffic across the network is huge. A massive amount of data and transactions are required daily. And just like that, everything is still. Believe me: two weeks is an eternity.
Did you contact the authorities?
We contacted the insurance company, and they brought in their hostage negotiation team. I guess that’s an accurate description because the hackers wanted a ransom for our data. Once the insurance company got involved, there was a great sense of relief because they handle situations like this on a daily basis. They know what to do next. At that point, they told us not to engage with the hackers anymore. They took over the entire operation from there. We were just taking guidance from them. I felt like I was in a movie.
Can you explain how this ransomware attack disrupted your personal and professional life?
This experience impacted me more on a psychological level than anything else. And, as the principal chief, I’m used to pressure. There’s constantly some potential threat to either one of our citizens or the tribe as a whole. These threats come from individual bad actors or from the federal government itself. Yes, we still deal with foolishness from the federal government in 2022. So, pressure is a constant in this job.
However, this cyberattack was a massive thing that impacted our entire operation and our people. It was a heavy burden and a great deal of not knowing. There’s no doubt that it impacted everyone. The leadership team. The tribal nation. Understanding how widespread this attack hit my community caused the most psychological pressure.
Have you discussed this experience with friends or family?
Absolutely. In fact, now my wife and I go to tribal conferences where I speak about cybersecurity.
Post ransomware attack, I spent a lot of time thinking about cybersecurity. So, I go to these conferences to learn more and help raise awareness. You can say I’m the biggest cheerleader for tribes to care about cybersecurity. Things like zero-trust models and network security are not at the forefront of tribal leaders’ minds.
I was at this one particular conference, and maybe there were 150 tribe members in the room. A presenter started asking questions. The first question he asked was, “Show of hands – how many of you use the cloud?” I assumed the majority of hands would go up. Instead, there were only four or five hands raised. Two of those were my IT director and me. So, two of those hands represented the same tribe. That’s it. The second question he asked was, “How many have implemented a zero-trust security model?” The same people raised their hands. I was absolutely shocked. I’m speaking at a conference next month, and I will use this anecdote to demonstrate that cybersecurity is not a priority for tribal leaders. When I talk about it to friends, family, members, or other tribal leaders, they are horrified because they know ransomware attacks happen all the time.
What was the most concerning aspect of this experience?
When you go through a situation like this, you realize how inextricably connected we are to data and devices. Our lives are now digitized. Our whole lives now are out there, and they are vulnerable. Since I’ve been educating myself on these issues, cyber threats are at the forefront of my thinking. I can understand why some people lie awake at night and worry about cyberattacks.
One night, a thought crossed my mind. In the same way law enforcement completes extensive background checks on individuals before giving them a badge and a gun, shouldn’t companies conduct extensive background checks on individuals before providing them access to entire networks? Some may view this as extreme, but you are literally giving someone the keys to the kingdom. That person is capable of a lot of damage in a short period.
How much did you know about cyberattacks and/or cyberwarfare before this occurred?
Almost nothing. Honestly, I don’t know if I even heard the term ransomware before this experience. Maybe during a cybersecurity commercial? I didn’t even know that hackers could lock your data, then sell you the key for a large sum of money. I’m embarrassed to say I was ignorant of it as a person in a leadership role. But I’ve gone from being completely ignorant to being an advocate for a zero-trust model. I’m raising awareness at every opportunity, especially when I meet other tribal leaders. They can make a real difference in their community.
What would you tell people unaware of the threat of cyberattacks and cyberwarfare?
There is probably a little voice in your head saying, “Oh, it’ll never happen to me.” That voice was in my head too. I used to think it could never happen to me, but it did. I hope it never happens to anyone, but it can happen to you too. It’s happened to governments, businesses, and countless people. This malicious activity never stops. It’s constant, and it’s evolving. Regardless of your cybersecurity efforts, bad actors are working on ways to overcome your defenses. With enough time, they will infiltrate your networks and data. We really live in a different world.
What message would you like to provide for others targeted by cyberattacks?
Yes, I would say that you have a responsibility. At least, this is the way I view it. If you’re in a leadership position, you have a duty and an obligation to raise awareness about cybersecurity within your scope of influence. It’s going to take all of us working together to stop these bad actors. We need more people on the good side of this fight. It’s imperative that we tell our story, but not just from the perspective of a victim. It is essential we educate the general public, other organizations, and governments.
I’m concerned that some tribes have actually passed laws against storing data in the cloud. They preferred everything to stay on the premises. I get it – I understand from a tribal perspective. As tribe members, we don’t have much trust. We have no reason to trust, right? Tribal nations have been taken advantage of for hundreds of years. But, as people who have gone through cyberattack experiences, we need to energize others to care about their digital security. We need to get these tribe members in a room with trusted names in the cybersecurity industry. There are trusted firms that have made significant investments in other companies to help protect them against the bad actors. We need to make those connections. We also need to help tribes understand that the threat is real, but there are solutions to minimize the risk. So, that’s what I do now. I’ve become an evangelist of cyber.
Thank you so much for your time.
Have you been personally affected by a cyberattack? If so, we want to hear from you. Let us know by DMing our Twitter account @DigitalPeaceNow.