China wants to know how the U.S. maintains its economic advantage. It researches how companies are operating, right down to the level of the settings on the equipment that controls your food plant systems and processes. 

In addition to nation-state industrial espionage, companies face a wide range of threats. “Hacktivists” launch attacks for ideological, political, or religious reasons, or simply for the challenge. Criminal organizations attack for profit, trying to extract payment from the victim. In addition, companies sometimes become victims even if they are not the intended target, such as the notpetya attack, which targeted a software company but had much broader impact, including the food and agriculture industry.

It is important to know that nation states and criminal organizations both do target corporations, and this article will provide solutions on how companies can better protect themselves. 

Part 1 of this series talked about the fact that actions disrupting our food and agriculture systems would be considered acts of war (de bello),[1] if they originated from nations that linked them to armed conflict and the attacks were intended to diminish our nation’s capability and public will to respond militarily. The article also discussed food and agriculture as vital critical infrastructures (CIs), whose incapacitation or destruction would harm the country.

“Near peer nations,” which include China and Russia, were described as developing sophisticated technologies that are being used to target CIs, including food and agriculture. Countries are interested in the CIs for two reasons. They desire to explore the functionality of companies in the sectors should they at some point attack, and they also desire the proprietary information belonging to companies. In the first case, this “probing” is a potential act of war (“preparation of the battlefield”), while the latter case is espionage. While Russia and China are the largest near-peers, the cyber-security domain has lowered the bar to entry, affording other countries to enter the fray with minimal economic or time committed.

What Is Espionage?  
When aimed at a competing company, spying is called “industrial espionage.” For nation-state actors, corporations are enticing targets. They have an immense amount of intellectual property (IP) that can be used for military and economic gain. Nation states target these companies directly but also outsource hacking activity to others, often permitting companies they own or that are based within their jurisdiction to hack foreign companies. The Federal Bureau of Investigation (FBI) estimates that U.S. companies lose billions of dollars in IP to foreign actors each year. This includes attacks from nation-state actors and from attacks initiated by overseas competitors.[2]

Nation-state actors and their proxies are methodical, deliberate, and effective. In 2019, the cybersecurity firm CrowdStrike released an intelligence report that details how China successfully coordinated the global theft of IP from leading aerospace industry companies to build its new, state-of-the-art C919 Aircraft.[3] Stealing this IP shaved off years of research and development costs, helping to advance China’s domestic aviation program. Previously, news outlets have reported that China stole designs of the U.S. F35 fighter jet for China’s FC-31 fighter Jet.[4]

Applying this to the food and agriculture industry, one can see why the industry is an attractive target to nation states. Thanks to R&D investments, the industry has seen a significant advancement in technology. This enables the U.S. food and agriculture industry to provide more food to more people, and with fewer farms. In fact, the U.S. Department of Agriculture reports that between 1997 and 2017, the number of U.S. farms declined 8 percent and the amount of farmland declined 6 percent.[5]

Meanwhile, from 1997 to the present, the U.S. population has increased by more than 63 million people.[6] Given the level of poverty and malnutrition experienced by other nations, one should assume other countries would be interested in duplicating this success. The quickest way to duplicate these gains would be by accessing the IP that has enabled it. As the C919 example demonstrates, stealing this IP enables a country to more rapidly advance its own capabilities and goals, with little to no financial investment.

It is common for nation states to seek sensitive information from others or to spy on each other. However, we are seeing a consistent and sustained pattern of nation states—not just China—targeting private industry for sensitive information. Today, private enterprises must be prepared to guard themselves against nation-state attacks. FBI Director Christopher Wray, speaking before the Senate Homeland Security and Governmental Affairs Committee, noted that the Chinese government is “now targeting our innovation through a wider-than-ever range of actors, not just Chinese intelligence officers conducting both traditional and cyber espionage, but people they enlist to help them, like contract hackers, certain graduate students and researchers, insider threat through U.S. businesses, and a whole variety of other actors.”[7]

It is not just the nation-state actors that pose a threat. Cyber criminals and activist groups also target the food and agriculture industry. Business Email Compromise (BEC), where attackers try to impersonate or trick senior level corporate executives in the hopes of initiating a funds transfer to an account controlled by the attacker, is impacting industries across the globe. Another threat is ransomware, which gives a criminal access to a network, encrypts its data, and offers to decrypt it upon payment (usually in cryptocurrency). Several Information Technology-Information Sharing and Analysis Center (IT-ISAC) Food and Agriculture Special Interest Group (SIG) companies consider BEC and ransomware attacks among the top threats they face.

In addition, while criminals and activists often have different objectives from nation states, tools from well-funded nation states are unfortunately leaking into criminal hands. Criminal actors also sell their tools to others. So, even adversaries with limited resources can access sophisticated attack tools.

The food and agriculture industry operates in an extremely competitive and unpredictable environment. Consumer tastes and trends are constantly evolving, and crop production remains highly dependent on the weather. This is driving a digital revolution as smart devices are being deployed to factories and farms to provide more information to producers and farmers alike. There is more and more reliance on internet-connected devices to deliver food from farm to plate. However, as these new smart devices are integrated into networks, the industry is also operating on a lot of legacy technology. This poses additional security challenges—Internet of Things[8] devices increase the attack surface while companies work to secure many disparate technologies.

Security through Collaboration
With an increasing attack surface, a reliance on technology to enable the global food and agriculture supply chain, valuable IP, and a complex set of threat actors targeting the community, the cybersecurity leaders in the food and agriculture industry have a lot on their plate (no pun intended). The cybersecurity challenges facing the industry are too great for any company to effectively address on their own.

Helping companies address these threats collaboratively is the primary function of an ISAC. ISACs are trusted forums for companies in a critical infrastructure sector to collaborate on common security challenges. The ISAC model is now 20 years old and has proven successful across various industries.

Participating in an information-sharing forum provides a force multiplier for member companies. Every company has limited resources. However, participating in information-sharing forums provides companies with access to additional analysts—those in peer companies that are facing similar challenges. Companies are no longer limited to their in-house talent.

Without its own ISAC, food and agriculture companies at first appear to be at a disadvantage. Building an information-sharing organization is a time-consuming and expensive proposition. Identifying companies that would be interested in starting a new group, forming an organization, developing by-laws and operating plans, and procuring technology and staff all take time and money, which no one has in abundance.

However, with the support of leading food and agriculture companies such as Bunge, Cargill, and Conagra, the IT-ISAC has created an ISAC within the ISAC for the food and agriculture industry. The IT-ISAC Food and Agriculture SIG[9] is a trusted, industry-only forum for companies to share information about cyber threats and attacks—including specific indicators of compromise and mitigations—effective practices, and common challenges. Through the SIG, companies gain tactical threat intelligence needed to address specific, immediate threats, as well as strategic information needed to address longer-term challenges.

The Industry Is Stronger Together
To defend against cyber threats, the food and agriculture industry should continue to follow the lead from other sectors, noting that cyber security is not a competitive issue but instead an issue of collaboration. Only together can the “Food be Defended” from a plethora of adversaries.

While it might seem counterintuitive that you can improve cybersecurity by partnering with your competitor, engaging with peer companies amortizes the cost of defense by providing you with access to intelligence, analysts, and expertise to which you would not otherwise have access. It serves as a force multiplier by connecting specialized expertise and analysts from across a diverse industry. This gives your company access to intelligence that will help you understand the threat, which will better enable you to manage risk.

Corporate threats like competition will never go away but will continue to evolve, requiring faster, cheaper and better solutions for companies to remain viable and profitable. Partnering with others experiencing the same frictions makes good business sense, particularly where close margins mean constrained capital for reinvestment. Defend better by working together.

Robert A. Norton, Ph.D. is a professor at Auburn University who consults widely on food defense. He can be reached at nortora@auburn.edu. Scott C. Algeier is president and CEO of the cybersecurity consulting firm Conrad, Inc. and serves as the executive director of the IT-ISAC, among other industry leadership positions. He can be reached at scott@conradinc.biz.

References
1. U.S. Code § 2331 defines an “act of war” as “any act occurring in the course of declared war; armed conflict, whether or not war has been declared, between two or more nations; or armed conflict between military forces of any origin.” www.law.cornell.edu/uscode/text/18/2331.   
2. www.fbi.gov/file-repository/economic-espionage-1.pdf/view.
3. The CrowdStrike Research Report is available at www.crowdstrike.com/resources/wp-content/brochures/reports/huge-fan-of-your-work-intelligence-report.pdf.
4. www.cnn.com/2015/01/19/world/china-us-f35-fighter-denial/index.html.
5. www.nass.usda.gov/Publications/Highlights/2019/2017Census_Farms_Farmland.pdf.
6. www.census.gov/prod/3/98pubs/p23-194.pdf; www.census.gov/popclock/.
7. insidecybersecurity.com/daily-news/fbi-director-web-actors-enlisted-beijing-steal-intellectual-property-larger-ever (subscription required). Director Wray’s full statement is here: www.hsgac.senate.gov/imo/media/doc/Testimony-Wray-2019-11-05.pdf.
8. For more information on the Internet of Things (IoT), see www.forbes.com/sites/jacobmorgan/2014/05/13/simple-explanation-internet-things-that-anyone-can-understand/#2b4138791d09.
9. For more information on the IT-ISAC Special Interest Group – Food and Agriculture SIG, see www.it-isac.org/special-interest-groups. A FAQ is also available at 130760d6-684a-52ca-5172-0ea1f4aeebc3.filesusr.com/ugd/b8fa6c_b7340ebee6e240e3989b841eae3f90b5.pdf.