After a devastating cyberattack, the Eastern Band of Cherokee Indians became a technologically advanced nation
On a narrow, twisting road in the Great Smoky Mountains, a young woman lost control of her small car in the middle of the night. Her Ford Fiesta careened off the pavement and smashed into a tree.
Despite wearing a seatbelt, the woman was severely injured by the impact and needed urgent help. She was only about 10 minutes from her home in the valley town below, Cherokee, North Carolina, where word of the crash soon reached paramedics.
But there was a big problem in Cherokee, capital of the Eastern Band of Cherokee Indians (EBCI), a federally recognized tribe of more than 16,000 members.
Hours earlier, a ransomware attack against the tribe’s IT infrastructure had knocked the EBCI network offline – including 911 dispatch and the geolocation system used by paramedics and police officers.
As a result, first responders from Cherokee were forced to spend an extra 18 minutes searching for the driver and her car. By the time they reached her, the woman had died from her injuries. She was 23.
“Would that person have survived (without the delay)? Perhaps. We don’t know,” recalls Richard Sneed, principal chief of the EBCI. “But the reality is, when there’s an emergency, every minute counts. And when you’re delayed 18 minutes, that’s somebody’s life.”
The attack on Dec. 7, 2019 was the result of vulnerabilities exploited by Russian cybercriminals to encrypt all tribal data. The hackers also left a text file in the victims’ computers, demanding that a ransom be paid to recover the data.
Digital forensics work led tribal police to arrest a former employee, who was alleged to have played a role in increasing those vulnerabilities. A jury later found him guilty of misusing tribal property, a felony. Prosecutors chose not to pursue other charges, including charges specifically related to the 911 outage. He served 454 days in jail.
Some justice was served but the breach inflicted a heavy price. In addition to slowing the search for the injured driver, the EBCI lost a library of irreplaceable Cherokee language audio and video files. Tribal members worked for eight months to fully restore all core services.
Ultimately, the EBCI’s cyber-insurance carrier paid the Russian cybercriminals several hundred thousand dollars in ransom to decrypt the data.
“It was surreal from start to finish,” Sneed says. “Very much like a movie script.”
Prior to the cyberattack, the EBCI had established a business relationship with Microsoft, but the tribe had implemented only Microsoft Outlook at that time.
The hack prompted EBCI leaders to reevaluate their entire IT infrastructure – two banks of on-premises servers. After several conversations with Microsoft, they moved their IT system to Microsoft Azure to fortify data security and better prevent future attacks.
To achieve that cloud migration – and start reestablishing 911 dispatch and other services – EBCI leaders invited Microsoft cloud solutions architect Elliot Huffman to work onsite at tribal headquarters in Cherokee. He arrived in March 2020.
“An absolutely beautiful place,” Huffman says. “It’s a bustling community with small shops and the best views.”
The foothills town in Western North Carolina inhabits traditional Cherokee homelands. Once part of the far larger Cherokee nation, the Eastern Band descended from about 800 Cherokee who resisted joining the Trail of Tears – forced federal displacements of some 60,000 indigenous peoples between 1830 and 1850.
Those EBCI ancestors remained on the original Cherokee homelands, hiding in the North Carolina forests and foothills. During the 1870s, they purchased that same stretch of land, which became known as the Qualla Boundary. Today, the EBCI homeland spans more than 50,000 acres.
The tribe is federally recognized as a sovereign nation with its own laws, elections and governing institutions. But the sophisticated cyberattack decimated that foundation, taking an entire nation offline in one night.
Immediately after the hack, EBCI leaders declared a state of emergency. They contacted the U.S. Cybersecurity and Infrastructure Agency, or CISA, part of the Department of Homeland Security. Meanwhile, the FBI and the North Carolina State Bureau of Investigation helped conduct a criminal investigation.
Still, months of work lay ahead to rebuild the tribe’s IT functions.
“When I got there,” Huffman recalls, “they were basically screaming for help: ‘We lost everything.’”
The hacker had encrypted every computer with a different key. Those keys were sent back to a command-and-control structure managed by the hacker’s counterparts in Russia. Simply put, the bad guys possessed a database listing of every machine, workstation and server on the EBCI network.
With that database, the criminals built a universal decryption tool, which could be used to reverse the effects of the attacks. After the ransom was paid, EBCI leaders received access to that decryption tool, then went machine by machine to retrieve most of their data.
But one irreversible loss involved the audio and video files of tribal members speaking the Cherokee language. The EBCI had invested 15 years collecting those recordings, which demonstrated the proper enunciation and inflection of Cherokee words, Sneed says.
“There is a way to speak the language and we’ve only got 160-some fluent speakers left,” Sneed says. “That data is lost and gone forever. It’s priceless. It carries a long-term cultural impact that I don’t think most people give thought to. It matters.”
The EBCI’s move to the cloud, Sneed says, will help preserve other crucial pieces of tribal history and culture.
In the spring of 2020, Huffman began working side by side with the tribe’s IT employees at the EBCI emergency operations center. They dug into system repairs and, soon, cloud migration.
“We scrambled to get everything together,” Huffman says.
Their immediate priorities: revive both 911 dispatch and the tribe’s financial system. Twice each year, every EBCI member receives a disbursement of several thousand dollars – an amount based on revenues from two tribally owned casinos. The cyberattack had delayed those per-capita payments.
Huffman logged about 10 to 12 hours each day on the restoration effort. At night, he stayed at a nearby hotel. Each weekend, he commuted home to South Carolina. During his stay, he learned selected Cherokee words, such as “Sgi,” which means “thank you.”
“We got their most critical things operating first. Then we started tackling other multiple workloads,” Huffman says.
One project was a full tech refresh on the workstations of EBCI government staffers. The tribe purchased $2.1 million worth of Microsoft Surface laptops for its employees and equipped each with Microsoft Teams. That enabled employees to work remotely and securely weeks before the COVID-19 pandemic forced social distancing.
“After Elliot arrived, we spent some time talking with him and, at that point, we decided we’re all in on the cloud,” recalls Bill Travitz, the tribe’s previous IT director who held the position at the time of the cyberattack. “Once we made that cloud decision, we never looked back.”
Travitz, a 37-year IT veteran, is a true evangelist for zero trust architecture.
That set of principles is rooted in the doctrine that data security is not merely a perimeter defense but must be viewed in terms of people, services and the movement of data, Travitz says. Under the zero trust umbrella, data is always authenticated and authorized at all available data points, including user identity, location and device health.
In the spring of 2022, Travitz penned an article in TribalNet Magazine, titled “The Holy Grail of Modern Security,” reflecting on the EBCI’s zero trust journey in the Microsoft cloud ecosystem.
“Having zero trust is such a comfort,” Travitz says. “We know our security posture is modern. I’m not going to say we’ll never get hacked – that’s a fool’s errand. But in terms of the damage they could cause, it’s so limited in scope. Now I sleep better at night.”
With the tribe’s IT system hosted in Azure, and further secured by Microsoft Sentinel, which sees and helps stop threats before they cause harm, the EBCI tech team has “full visibility into who’s doing what, when and where,” Travitz says.
“There’s not a soul in that organization who would ever go back to the way it was,” he adds.
After the cloud migration, Travitz often received calls from IT leaders at other U.S. tribes. They asked how the EBCI achieved zero trust architecture. Travitz told them: “It was our partnership with Microsoft and Elliot being able to build those things out.”
Says Huffman: “They’re now one of the most technologically advanced sovereign nations and mature governments on the planet from the point of view of cybersecurity and cloud implementation.” He continues to work with the EBCI as needed.
Not long ago, Sneed took his first vacation in about six years, traveling to Mexico for some R&R. Along with some beachwear, the chief took along his laptop to monitor his work emails during the getaway.
But when he tried to read those correspondences, the tribe’s Azure-based IT system stopped him cold.
“At first, I was mad. But then I was like, ‘Hey, this is good.’ I was trying to log in from another country and it would not let me access the network, period. I understood the reason why,” Sneed says.
“This crisis laid bare all the areas we thought were secure, all the shortcomings. Many people probably thought, just like I had, that it would never happen to us.”
Photos by Madison Long.