Nevada’s casinos should not be allowed to pay off cybercriminals
It likely started with a phone call.
We’ll never know all of the details of the cyberattack that brought MGM Resorts International down for over a week. The details that are publicly available, however, are convincing enough to explain the size and scope of the outage: A hacker called its help desk and asked for multifactor authentication to be turned off on a highly privileged account. That, in turn, made it possible for the hackers to log into that account, either with a previously compromised password or with a password they successfully reset, without alerting the user of that account.
Once logged in, hackers used that account to seize control of the identity provider — the system used to store the user names and passwords of everyone in the company — thus compromising every other account used by the business. With that information, the hackers then proceeded to log into several systems and brought the company down.
Was the highly privileged account a dedicated administrative account or was it an account used routinely by a high-ranking member of MGM Resorts’ IT team? Did the highly privileged account have access to multiple systems or was it scoped to administer a single system? Why did the help desk, which normally doesn’t have administrative access, have the ability to alter a highly privileged account — an ability that a malicious help desk employee could just as effectively use to hack their employer’s system as the hackers who claimed responsibility for the attack?
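The questions above come down to one control: whether a help-desk ticket, on its own, can strip the second factor from an account that administers the identity provider. The following is an added example written for this page, not code from MGM Resorts, Okta, or the columnist. It models a tiered reset policy in which ordinary accounts can be handled by phone with identity checks, accounts that administer a single system need a manager's approval, and identity-provider administrators cannot have factors reset through the help desk at all. The account names, tier labels, verification steps, approval counts and channel rules are all constructed for illustration.

```python
"""Guardrail for help-desk MFA factor resets, keyed on the target account's privilege tier.

Added illustration; the directory, tiers, verification names and thresholds are constructed.
"""
from dataclasses import dataclass
from enum import Enum


class Tier(Enum):
    STANDARD = "standard"   # ordinary workforce account
    ELEVATED = "elevated"   # administers one system (an app owner, a SOC analyst)
    TIER0 = "tier0"         # identity-provider admin: can change everyone's credentials


@dataclass(frozen=True)
class Account:
    username: str
    tier: Tier
    manager: str


@dataclass
class ResetRequest:
    target: str                          # account whose factor would be reset
    operator: str                        # help-desk staffer working the ticket
    operator_role: str                   # "helpdesk" or "iam_admin"
    channel: str                         # how the request arrived: "phone", "chat", "in_person"
    verifications: frozenset             # identity checks the operator actually completed
    approvals: frozenset = frozenset()   # distinct people who signed off, besides the operator


@dataclass
class Decision:
    allowed: bool
    severity: str    # "info", "high" or "critical": what the SIEM should raise either way
    reason: str


# Constructed directory; in practice this would be read from the IdP's group membership.
DIRECTORY = {
    "jdoe": Account("jdoe", Tier.STANDARD, manager="mlee"),
    "mlee": Account("mlee", Tier.ELEVATED, manager="cfo"),
    "idp-admin": Account("idp-admin", Tier.TIER0, manager="ciso"),
}

# Per-tier policy: every listed verification must be done, on a permitted channel,
# by a permitted role, with at least the given number of independent approvals.
POLICY = {
    Tier.STANDARD: dict(verifications={"callback_number_on_record", "knowledge_check"},
                        min_approvals=0, channels={"phone", "chat", "in_person"},
                        roles={"helpdesk", "iam_admin"}),
    Tier.ELEVATED: dict(verifications={"callback_number_on_record", "knowledge_check",
                                       "video_id_check"},
                        min_approvals=1, channels={"phone", "in_person"},
                        roles={"helpdesk", "iam_admin"}),
    # Tier-0 factors never go through the help-desk path: in person, by an IAM
    # administrator, with two independent approvers.
    Tier.TIER0: dict(verifications={"in_person_id_check"},
                     min_approvals=2, channels={"in_person"},
                     roles={"iam_admin"}),
}

SEVERITY = {Tier.STANDARD: "info", Tier.ELEVATED: "high", Tier.TIER0: "critical"}


def evaluate(req: ResetRequest, directory=DIRECTORY) -> Decision:
    """Decide whether a factor reset may proceed; the reason is meant for the audit log."""
    acct = directory.get(req.target)
    if acct is None:
        return Decision(False, "high", f"unknown account {req.target!r}")
    rule, severity = POLICY[acct.tier], SEVERITY[acct.tier]

    # Nobody resets their own factor, and neither operator nor target may approve it.
    if req.operator == req.target or {req.operator, req.target} & req.approvals:
        return Decision(False, "critical", "operator or target is acting as approver")
    if req.operator_role not in rule["roles"]:
        return Decision(False, severity,
                        f"role {req.operator_role!r} may not reset {acct.tier.value} factors")
    if req.channel not in rule["channels"]:
        return Decision(False, severity, f"channel {req.channel!r} not permitted for {acct.tier.value}")
    missing = rule["verifications"] - req.verifications
    if missing:
        return Decision(False, severity, f"missing verification: {sorted(missing)}")
    if len(req.approvals) < rule["min_approvals"]:
        return Decision(False, severity,
                        f"need {rule['min_approvals']} approvals, got {len(req.approvals)}")
    if acct.tier is Tier.ELEVATED and acct.manager not in req.approvals:
        return Decision(False, severity, "manager approval required for elevated accounts")
    return Decision(True, severity, "all checks passed; reset factor and record the ticket")


if __name__ == "__main__":
    # The call described in the column: a phone request against the IdP admin account.
    phone_call = ResetRequest("idp-admin", "hd1", "helpdesk", "phone",
                              frozenset({"callback_number_on_record", "knowledge_check"}))
    print(evaluate(phone_call))
```

The point of the structure is that the deny for the tier-0 case does not depend on the operator's judgement or on how convincing the caller is: the help-desk role is simply absent from the permitted roles for that tier, and the alert fires at critical severity even on the attempt.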
The hackers and the MGM Resorts IT team know the answers to those questions but, for a variety of good reasons, we’ll likely never learn them. MGM Resorts understandably doesn’t want the rest of the world to know where its security vulnerabilities are lest another wave of hackers take advantage of the same weaknesses that compromised their business once already.
The hackers, meanwhile, have every incentive to appear invincible and inescapable — or, at the very least, invincible and inescapable enough for a company’s accountants to decide that it would be cheaper to pay a ransom than it would be to clean up after whatever damage the hackers might do.
The amount of damage and money lost by MGM Resorts, in fact, serves as excellent advertising, which is why the hackers are so territorial over claiming credit for the attack. They want future businesses to know that if they refuse to pay their ransom like MGM Resorts did, the same thing will happen to their business.
The damage, by the way, was and likely continues to be considerable. Even though MGM Resorts is now fully open for business, at least from the customers’ perspectives, that doesn’t mean they have fully recovered from the attack. MGM Resorts was still struggling with paying employees days after the company fully reopened. Additionally, a public job post suggested that the company planned to perform recovery activities for the better part of a month following the conclusion of the attack.
That’s why Caesars Entertainment paid tens of millions to those who hacked its network and why MGM’s losses are insured up to $200 million — a successful cyberattack is an extremely expensive and disruptive experience. Paying hackers off so your business doesn’t have to go through one is very tempting in the moment.
The logic behind not paying protection money, however, is every bit as seductive as when the mob shook casinos down after World War II. Sure, they did their work with a more personal touch than a phone call to a remote help desk, but the principles remain the same.
What casinos used to understand — what they were forced to understand, in many circumstances, with strong judicial encouragement from federal and state regulators — was that paying ransom money supports the business of asking for future ransoms. If you’re willing to pay multimillion-dollar ransoms, whether that’s because someone planted a bomb on your car or because someone undesirable has administrative access to your network and knows how to abuse it, more people are going to be interested in holding you ransom.
Reacting appropriately to that realization, however, requires appropriate incentives.
I don’t say things like this very often, but those incentives won’t come from the free market. Caesars paid the ransom and was allowed to remain open for business, all while it quietly swept the leak of customer driver’s license and Social Security numbers into a tartly bureaucratic SEC form. MGM Resorts, by contrast, refused to pay ransom and suffered visible disruptions, ironically enough, during a major information security conference. In the minds of customers who don’t know any better, then, Caesars will seem the safer of the two places to do business.
The past month’s attacks against Caesars and MGM Resorts demonstrate that, in terms of pure market incentives, paying ransoms is a perfectly economically rational call. Break the numbers down far enough and it might even be cheaper to pay periodic ransoms and issue accompanying filings regarding the breach of customer data to federal regulators than it would be to have an acceptably robust information security posture.
Of course, in terms of pure market incentives, if you’re a member of Caesars’ information technology team, you now know your employer pays ransoms. Given your knowledge of your employer’s network and systems — knowledge that hackers usually have to guess at — how much damage could you do with that information? How much might your employer pay to keep you from doing any of it? How much might a criminal be willing to pay you to use that information to your — ah — mutual benefit?
Would a criminal have to pay you to use that information if they credibly knew where you and your family lived?
This is why market incentives alone cannot solve this problem. Instead, the solution must come from the government. Just as Nevada’s casinos aren’t legally allowed to pay off the mob anymore, Nevada’s casinos should not be allowed to pay off cybercriminals. To ensure every casino does the right thing when faced with a cybersecurity attack, regulators must serve as barrier troops — meaning they should be willing and capable of doing more damage to casino owners’ businesses when they retreat from their obligations to protect their customers’ data and pay ransoms than hackers can.
This approach has the added benefit of incentivizing stronger information security measures across the industry. When a casino’s only choices are either facing hundreds of millions of dollars in lost business or losing its license if it pays a hacker off, it will be willing to put far more time, money and effort into protecting its customers’ data than it might if it can quietly pay a few million and sweep the problem under the rug.
I, for one, am not interested in living in a world where the loss of my personal data is viewed as a routine cost of doing business. I doubt you are, either. If customers conclude that losing their personal data is viewed as a routine cost of doing business with Nevada’s casinos, doing business with Nevada’s casinos will become far less routine.
Oh, and if you work somewhere that uses Okta, send your IT team a link to Okta’s guidance on securing its product from the sort of attack that befell MGM Resorts. They’ve likely already read it, but it never hurts to have a refresher.
David Colborne ran for public office twice. He is now an IT manager, the father of two sons, and a weekly opinion columnist for The Nevada Independent. You can follow him on Mastodon @[email protected], on Bluesky @davidcolborne.bsky.social or email him at [email protected].