A combat veteran and Purple Heart recipient who served in U.S. Army Special Operations prior to shifting his focus to the cyber domain, Jeffrey J. Engle has had a fascinating career path that includes hunting for viruses in Kazakhstan to skydiving with the British Special Air Service.
Now the chairman and president of Conquest Cyber, Jeffrey is also the inventor of a cutting-edge Cyber Resiliency Ecosystem Platform & the CEO of 1st Quadrant Services, a Managed Cybersecurity & Compliance Provider.
One of Jeffrey’s focuses has been his work with Native American tribes to improve their cybersecurity. Recent cyberattacks of Native American tribes — including a 2021 attack on the Mandan, Hidatsa and Arikara Nations that shut down their IT systems — have underscored vulnerabilities to bad actors and highlighted the need for tribes to invest in training and security.
This was a fascinating conversation we’re happy to share with you.
M.R. Rangaswami: What makes Native American tribes so vulnerable to cyberattacks?
Jeffrey J Engle: Tribes are no more or less vulnerable to cyberattacks than any other entity across the United States. What makes them unique and, in turn, subject to increased risk is the fact that tribal nations have a broad and diverse attack surface.
Tribal nations have inherently governmental responsibilities, providing health care systems, law enforcement, community support and housing. In addition, they have business interests that are as varied as gaming and defense contracting. This broad attack surface, coupled with many instances of poor telecommunications infrastructure and access to technology during early years, results in a perfect storm of complexity and resource limitation.
M.R.: How do the complex relationships among tribes, the government and law enforcement contribute to the problem?
Jeffrey: Every tribe operates differently, but considerations like indigenous data sovereignty seem to be a universal consideration for tribal nations. When it comes to law enforcement, the additional consideration of criminal justice information services (CJIS) comes into the fold. Beyond that, any interaction of consequence that makes the news increases a tribe’s risk profile, as adversaries seek to further undermine the challenging dynamic of the shared history.
M.R.: What can tribes be doing now to improve their cybersecurity?
Jeffrey: It is critical that all tribal nations and their interests (e.g. business units or healthcare providers) understand where they are in relation to where they want to be. Using the NIST Cybersecurity Framework to provide a structured approach to determining those coordinates is a smart approach. The NIST CSF is best overlaid with a maturity model to further clarify a point where you are achieving the desired outcome versus being able to count on the outcome being consistently achieved over time.
This allows application of compliance requirements that are industry specific — e.g. HIPAA or DFARS, basic cyber hygiene or prescriptive cyber insurance requirements to get progress started. Once you have a clear picture, we always recommend eliminating the tech or processes you do not need, simplifying the things you do and automating everything you can.
This frees up the team to think, plan and do, rather than just react to the situations that hit them that day.
M.R. Rangaswami is the Co-Founder of Sandhill.com