By JONAH LOSSIAH
One Feather Staff
After 22 months of hearings and eight dismissed charges, a jury found Benjamin Cody Long guilty of ‘misusing Tribal property’ on the afternoon of Thursday, Oct. 14.
Following the verdict, Long was sentenced to no additional prison time than what he had already served from December of 2019 until he was removed from house arrest. The official ruling from Chief Judge Monty Beck was for Long to serve 454 days, but that included the 454 days that he had previously served.
The lone charge, 20 CR 0465 (In violation of Cherokee Code Section 14-70.42 (c)(1)) was applied in March of 2020 and is a felony charge. Long had initially been detained on two felony charges (19 CR 4505 Felony Tampering with Public Records and 19 CR 4606 Felony Obstructing Government Functions) in connection with the Tribal-wide cyberattack that occurred on Dec. 7, 2019. In March of 2020, a second arraignment hearing was held and brought forth seven counts of ‘misusing Tribal property’.
Leading up to this week’s trial, seven of those nine charges had been dismissed by Tribal prosecutors. Tribal Court did not dismiss these charges with prejudice, however, so the Tribe has the ability to bring them back if needed. On the first day of trial, Oct. 11, one of the two remaining charges was also dismissed. That left Long facing one.
This charge stems from a situation on Dec. 5, 2019. On that day, Long had been suspended with pay by Office of Information Technology (OIT) Director Bill Travitz. Long was placed on investigative leave for ‘unauthorized entry into security cameras, gross negligence for not doing backups, and insubordination’. Prosecutors alleged that Long then proceeded to log into his account remotely and without authorization following his suspension.
The trial lasted four days and saw nine witnesses come to the stand to testify. The defense was led by attorneys Robert Saunooke and Brent Smith. The Tribe was represented by prosecutors Cody White and Shelli Buckner. To satisfy the charge 20 CR 0465, Tribal prosecutors needed to convince the jury of three things.
First, that the Microsoft Azure account was considered Tribal property. Next, that Long was ‘a person in possession of or charged with the safekeeping, transfer or use of Tribal property’. Finally, that beyond a reasonable doubt Long logged into his account at 8:26 a.m. on Dec. 5, 2019.
Tribal prosecutors brought up Agnes Reed to testify to the ownership of the Tribal Microsoft Azure account. They pointed to a receipt of nearly half a million dollars that the Tribe had paid to use Microsoft Office services. The defense pushed back saying that the Tribe did not own Microsoft, and therefore did not own the logs provided by Microsoft Azure. Lead prosecutor Cody White also used the testimonies of Travitz and OIT infrastructure services manager Anthony Brown to strengthen his point. He said that the Azure account was like having an apartment in a larger apartment complex. That you would need proper authorization to enter that specific apartment, and using this analogy stated that the Tribe’s license was Tribal property.
Saunooke argued that the defendant was not ‘the safekeeper’ of the Tribal Azure logs. He said that the Tribe’s Azure logs were recorded automatically and that no one on staff consistently checked those logs until after the cyberattack of 2019. He said that the Azure logs were primarily controlled and recorded by Microsoft, and because of that Long couldn’t be the safekeeper of the property.
The Tribe argued that as the Systems Administrator of OIT at the time of the event, the logs would be under Long’s list of responsibilities. Because he had access to the ‘servadmin account’ and had ‘global domain’ privileges, that he was clearly someone who was ‘charged with the safekeeping, transfer or use’ of the Tribal Microsoft account and the Azure logs.
The largest point of debate came with the third piece needed – tying Long to the incident itself. The Tribe presented Exhibit 3B, which was a piece of the Azure logs from Dec. 5, 2019. They brought Doug Chase, OIT information security officer, to the stand as a witness to explain these logs.
Chase’s interpretation was the user codylong@nc-cherokee.com triggered a Microsoft Azure login at 8:26 a.m. on Dec. 5. That he did so using the Tribal network’s IP local address, a multi-factor authentication method using SMS text, and with a ‘Hello Sign-in’. A Hello Sign-in is a multi-factor authentication method that can use facial recognition or a fingerprint. This is something that was against the Tribal ‘group policy’ at the time, and therefore was not possible to be done using Tribal devices. He said that because of this, Long must have used a personal device to log in.
The prosecution and defense used the testimonies of Travitz, Chase, Anthony Brown, and current OIT systems administrator Josh Oliver to piece together the happenings of Dec. 5, 2019.
Each of the witnesses said that Travitz and Brown held a meeting with Long around 8 a.m. in the director’s office. After about 15 minutes, the three of them walked to Long’s office, which he shared with Josh Oliver. Long turned in his keycard and badge, and his laptops remained in the office. At this point, the testimonies said that Long claimed he did not have his work cell phone with him, and that he would need to go home to retrieve it. The timeline is unclear, but Long then departed from the office around 8:20 a.m.
Before the meeting occurred, Doug Chase testified that he had changed the password to Long’s account on the local servers. He said that he had spoken with Travitz the night before and was awaiting a call to disable Long’s account. Chase said that he had changed the password before 8 a.m. because he was concerned by the sensitivity of the situation. The defense pointed to this as a reason the successful login at 8:26 couldn’t have been Long, as his original password was changed by that time. Prosecutors said that the password was changed locally, but there was still a chance that it was not changed off-site. Therefore, Long could’ve still had access with his personal devices.
Josh Oliver said that following Long’s departure, he went to Chase to retrieve access to Long’s account. Chase gave him the new password, and Oliver went to log into Long’s desktop. He said that he did so to disable ‘TeamViewer’ from Long’s computers. TeamViewer is a program that can be used to remotely control other desktops, and he knew that Long had this enabled on several devices. He did this as a way to secure the Tribal network at the request of Travitz.
Long returned to the office later that morning. Anthony Brown said that Long lived at least 30 minutes away from the office. Saunooke said that this would mean that Long was gone from the office from about 8:20 until 9:30 at the earliest. Brown said that the last thing he told Long after he was leaving for a second time was to stay off of the Tribal network.
The defense also drew into question the credibility of a username. Saunooke pointed out that there was no testimony that stated they saw Long sign in at 8:26 on Dec. 5, 2019. No witness said that they saw Long with his cell phone at that time either. Multiple witnesses said that they always remembered Long having his phone, however. This is something the prosecutors spoke of consistently.
Saunooke also brought up the ‘servadmin’ account, which Travitz called a ‘god account’ in his testimony. Long was one of the members of OIT with access to this account, which gave him ‘the keys to the kingdom’ according to Travitz. However, Saunooke questioned Travitz and Doug Chase about who had access to this account. It turned out, that account had the same password for a minimum of six to seven years. Chase said that it hadn’t changed during his time with OIT, which created that time frame. That means that potentially dozens of former employees knew the servadmin password, and Saunooke pointed to this as evidence that you could not trust log in information on the Tribal network at the time of the event.
The final witness called was Clark Walton, the principal forensics and cybersecurity expert for Reliance Forensics. Reliance is a company based out of Charlotte that specializes in digital forensics. Walton was accepted as a digital forensic expert witness by the Court. His résumé also showed that he has previously worked with the Central Intelligence Agency (CIA) and as an attorney for many years. Walton was hired by the defense for this case.
Walton disagreed with Chase’s interpretation of the Azure log from Dec. 5, 2019. He said that the Application ID that Chase identified as a Hello Sign-in is not specific to that type of login. Walton said that he uses a Hello Sign-in with facial recognition, and after reviewing his own Azure logs the specific code highlighted by Chase was nowhere to be found. He also pointed to the word ‘token’ in the logs. He said that a token is a device that can be memorized for multi-factor authorization, such as a phone. He said that with a token, logins can be automatic and not require another step for multi-factor authorization.
Finally, he said that logging into a desktop that had Microsoft systems running could trigger an Azure login. He said that given the testimonies presented throughout the trial, he would conclude that the login recorded at 8:26 am on Dec. 5, 2019 was triggered by Josh Oliver signing into Cody Long’s desktop computer. He said that that login could’ve triggered an Azure log, and that the timing of the events lined up with Oliver’s testimony.
Following final arguments presented by Saunooke and White, the jury was sent to the jury room for deliberation at 2:35 p.m. on this fourth day of trial. The jury’s foreperson handed in the verdict sheet 90 minutes later, and clerk Denise Hallauer-Fox read the decision of ‘guilty’ to the courtroom. Judge Beck confirmed the decision with each of the six members of the jury, and then excused them of their duty.
All parties agreed that sentencing would be a quick process, and they decided to handle it immediately following the verdict.