The latest report from the US Tribal Information Sharing & Analysis Center (Tribal-ISAC) examines how an increasingly complex cybersecurity landscape could challenge Tribal governments and enterprises throughout the United States. The findings highlight how tribes are adapting to these new threats and draw attention to the significant vulnerabilities that remain.
Cybersecurity Investments Are Often Insufficient
While the report highlights growing strategic awareness, uneven operational readiness remains a pressing issue. Most tribal entities conduct their technical operations with small IT teams, with over two-thirds reporting zero or just one dedicated cybersecurity staff member. Funding remains a persistent obstacle, as more than 60% of tribes allocate less than 20% of their IT budgets to security.
According to Tribal-ISAC, most investments focus on technology tools, while staffing, workforce training, and incident planning are often treated as an afterthought. Despite these challenges, momentum is shifting, as 73% of respondents expect to increase cybersecurity investment in 2026. However, federal and state resources continue to be underutilized, with 74% of tribes stating they did not receive any grant funding for 2025.
“The findings reflect a cybersecurity landscape at tribes and tribal enterprises that is advancing in strategic intent but still developing in operational execution.”
These fiscal challenges mean tribal organizations must rely on their already limited internal budgets for cybersecurity, diminishing the scope of their improvements. Tribes are also grappling with the rapid adoption of AI. Very few have developed clear policies on AI use, potentially leaving them vulnerable to mismanagement or exploitation and presenting another risk to data security.
Criminals Continue to Develop New Avenues of Attack
The cybersecurity threat environment has grown particularly hostile. Ransomware attacks remain a pressing issue, with nearly one-fourth of tribes reporting actionable threats over the previous year. Among those affected, 75% faced ransomware events, and 77% refused to pay. While the data revealed substantial resilience in the face of such attacks, low reporting levels could mean that some incidents may go undetected or unshared.
Business Email Compromise (BEC) attacks are another significant threat. Criminals increasingly often attempt to bypass conventional security controls by using cryptocurrency laundering, AI-generated deepfakes, and even nation-state tactics. According to estimates, since 2013, BEC scams have cost global organizations over $55 billion, revealing the scope of the threat.
“A proactive, culturally aligned cybersecurity strategy is no longer optional. It is foundational to tribal governance, economic development, and intergovernmental collaboration.”
The report urges tribes to address cybersecurity gaps through a “Resilient by Design” approach that integrates technology, workforce development, and cultural alignment. Tribal-ISAC recommended federal resources such as CISA’s resilience toolkit and the Tribal Cybersecurity Grant Program that can support tribes in developing their capabilities. However, awareness and uptake remain inconsistent, requiring consistent investment and executive engagement.