Food Safety Magazine

Blog | September 6, 2016

Food Company Proprietary Information: A Target for Cyber-based Adversaries

By Robert A. Norton, Ph.D.


Food defense is a complicated set of processes, each responding to threats ranging from cyber vulnerabilities to secure food processes. Food production and processing decision makers may think of their companies in terms of the products they produce, which is a reasonable way to judge success: more products, more profit. They may also think in terms of the brand, essential for generating return customers. A good brand is a selling dividend—the best advertising investment available. A damaged brand yields only grief in terms of profitability and company wellbeing. Adversaries can target both products and brand and regularly do so, as most corporate security professionals would quietly attest. 

In the age of cyber-based threats and persistent threats,[1] an important new security consideration is the need to protect proprietary information. Proprietary information is the stuff that enables the corporation to produce the food and agriculture products that in turn are identified with the brand. Proprietary information—whether the settings on your equipment or the detailed processes or recipes, secret ingredients, etc., used in creating products—is highly valuable and, in a real sense, the foundation for all corporate assets and profit. Lose proprietary information and your company could lose its competitive edge or, in a worst-case scenario, cease to exist.

The news on the issues of proprietary information is currently a mixed bag. The good news is that the U.S. Government increasingly views corporate espionage as a serious threat to market competitiveness and, ultimately, national and economic security. Prosecutions are increasing, but not enough to discourage adversaries. “Persistent threats” are named that for a reason—they are not likely to diminish in the foreseeable future. The bad news is that technological threats are emerging far more rapidly than we are able to develop defenses. Bad actors are also more agile at exploiting technology than the government, which is bogged down by bureaucratic and legal constraints. Our adversaries are not. So how, potentially, could new technologies be exploited by persistent threat actors to target proprietary information?

A Hypothetical Case in Point
This discussion will be circumspect and short on specific details, because we must adhere to the highest standards of operational security (OPSEC), meaning we don’t want to give adversaries any exploitable ideas.

Engineers at the University of Washington’s Sensor Laboratory and the Delft University of Technology have developed an amazing miniature device they call “WISP” (Wireless Identification and Sensing Platform).[2] Combining the capabilities of a sensor and a computing chip, the device requires no onboard power source (e.g., battery), instead converting radio waves to electricity. Similar to an RFID (radio frequency identification device) reader, the device has the capability to act as a sensor, gathering data and then transmitting it to a remote receiver. Although the device can’t yet be programmed wirelessly, that improvement is coming and will make it possible to use the device in hard-to-reach, restricted or dangerous environments and to control the device remotely. When wireless programming capability does come, the device could be an extremely valuable part of future food defense and food safety programs.

So how could this marvelous technology be exploited to steal proprietary information? Think of this device as just a miniature computer, capable of gathering information on equipment settings or processes and then transmitting that data to another remote device. Adversaries, persistent and otherwise, know well how to use computers to get what they want from corporations. Chances of detection diminish dramatically if an adversary can deliver a small device that defies detection. Even if detected, the remote device would be exceedingly hard (though not impossible) to trace.

This is the kind of device at the center of countless spy movies and real espionage programs. Has the technology matured to the point it could actually be used in an espionage program designed to steal proprietary information? Not at the moment. This device—and others with capabilities beyond anything currently imagined—will eventually fall into the hands of adversaries, just as happened with computers and smart phones. The bad actors will attempt to exploit the technology (and will likely succeed), using its capabilities for ill purposes, rather than good.

So what is a food defense or food safety manager to do? The simple answer is to think like the adversary and counter potential threats by hardening defenses, making them strong enough to make the adversaries’ cost of doing business (stealing from you) not worth the effort. In other words, harden your defenses so the adversary goes elsewhere.

How is this accomplished? Again, think in terms of OPSEC. In general, protect your information by making it exceedingly hard to find and access remotely. Think about new technological advances and the newly evolving threats that will undoubtedly accompany the realization of the “Internet of Things,”[3] whereby devices will be able to transmit operational information to users (or exploiters). Then act accordingly to minimize or neutralize the threat. 

Future technological advances will likely give us significant opportunities for improvement in efficiency and profitability, while accompanied by some degree of risk. The important message here is to prepare for the future by planning to manage risk by guarding that which is essential to your corporation. First priority—start with guarding proprietary information. 

Robert A. Norton, Ph.D., is chair of the Auburn University Food System Institute’s Food and Water Defense Working Group (aufsi.auburn.edu/fooddefense). He is a long-time consultant to federal and state law enforcement agencies and is editor of Bob Norton’s Food Defense Blog (aufsi.auburn.edu/fooddefense/blog/). He can be reached at [email protected] or by phone at 334.844.7562. 

References
1. A “persistent threat” is the term used by the U.S. government and military to describe specific countries that continually target information based in business, academia, government and the military through large collection efforts, most cyber related. Collection of proprietary information enables these adversarial nations to gain business advantage with little or no investment, making them more competitive in the world market.
2. arxiv.org/pdf/1512.04602v2.pdf.
3. thehackernews.com/2015/08/ssl-encryption-internet-of-things.html.