Food and Agriculture Are Domains of War: Part 2
By Robert A. Norton, Ph.D.
The first article in this series suggested that food and agriculture would be domains of war, should global war break out. The speculative attack begins with a cyber-event, first affecting the power grid and cascading into food and agriculture, water, transportation, and banking. The effects would include disruption of the food supply (days to potentially weeks to months) and cataclysmic damage to the economy. Government obviously plays a big role in such an emergency, but it will be the responsibility of food industries and agriculture to repair logistics and replenish the U.S. food supply.
There is no question; the hypothetical scenario was dire. It was a “what if” question exercise, designed to encourage discussion, not cause panic. To further ease anxieties, assume that this event does not become a nuclear war. Keep saying to yourself, “This is only a game…”
In military jargon, the idea promoted here is that food and agriculture corporations should engage in “war games.” Trying to develop a response strategy in the midst of an actual emergency is always the worst possible choice and may actually increase corporate and brand risk. Ignoring threats does not make them go away.
So…what should a food corporation expect? Cyber is the most likely first portal of entry for any coordinated attack. Chinese or Russian soldiers are not going to show up at your company headquarters like some 21st century version of “Red Dawn.” Frankly, they do not need to, since they may already be “inside your wire”; whether you realize it or not, your company is not an isolated system.
You and your corporation have been and currently are targeted by adversarial nations. If you are a decision maker, they likely know who you are, where you live, possibly even some of your work habits, as well as personal details about you and your family. It is important that you and your company start practicing “Operational Security.” More about that later.
Your cyber system is probably not a self-contained, isolated “intranet.” Most likely, it is attached somewhere, somehow to the intranet. The attachment could be email, portals for updating software, communications, your security system, etc. If hackers can successfully use the control for an aquarium heater to hack into a Las Vegas casino (yes, that actually happened), then a nation state could gain access to your system in an unexpected way.
Although you may have rigid protocols, firewalls, and other hardware limiting web access, adversaries will try and often succeed in somehow tunneling into to your system. And the weakest link is always the human element. You can train people to be vigilant, but one incident of intentional or inadvertent misbehavior can undo all that is good about your cyber security. So what are some possible solutions?
Start with your people to increase the robustness of system: Our nation’s adversaries have been quietly penetrating cyber systems for a variety of reasons, including the possibility of war. So how do you respond to threats you may not perceive? Start with recognizing that these threats actually exist, and then move forward incrementally, but as rapidly as possible. Your company’s survival is not the responsibility of the government—it is yours!
You will need to hire serious cyber experts. If you are a small company, your brother-in-law will not be able to help you. This means engaging with a security company that has real experience with real adversaries. Remember, I am talking about more serious threats than those posed by the average hacker. The threats posed by nation-states or transnational criminal organizations are magnitudes greater in sophistication.
Start with the easy fixes: This includes fixing compromised cyber credentials (the passwords and tokens that enable employees to enter your system). A compromised employee’s access credentials potentially can compromise the whole system. Firewalls do not prevent threats that originate from within your own systems. Scheduled, forced password changes are essential. Consider also varying the forced password schedule to prevent pattern detection by adversaries.
Randomize the changes even further among your employees. Rather than making a given section change their passwords, stagger the changes across the whole enterprise, so that, for example, on Monday, 30 percent of employees change passwords, and on Tuesday, another group changes their passwords. Yes, this strategy is annoying to users, but not knowing how much time before passwords change makes the adversary’s job more difficult, which should always be the goal. Make defenses strong enough that the adversary decides to focus on an easier target.
Your IT department, no matter how good, will not be able to determine the full extent of the problem(s) caused by potentially compromised credentials. They also may not be able provide the full spectrum of solutions necessary for responding to compromised credentials. You will need to ask for proof of expertise and experience. Also, understand clearly—adversaries can exploit compromised credentials, even when those credentials are no longer valid in your systems. Do not engage with a security company, which does not recognize this fact. Adversaries do this by targeting the credential holder by combining them with other types of information. Targeted individuals could be approached with threats of blackmail.
Increase the robustness of defenses for your personnel: The following is not hypothetical. In 2015, a group identifying itself as “The Impact Team” stole massive amounts of user data from Ashley Madison, the commercial website that promoted and enabled extramarital affairs. Sadly, but not surprisingly, some users included their work emails addresses and phone numbers when registering. Putting the ethics and morality aside, the use of company emails was just plain stupid!
The adversaries broke into the servers, enabling them to access specific personal identifiable information (PII), along with email messages, some quite salacious, relayed through the site. Individuals using Ashley Madison as a hook-up site assumed wrongly that their data were safe, and obviously did not their use of the site shared with spouses or significant others. The surreptitious activity created a huge vulnerability for exploitation. Adversaries knew that, and in some cases Ashley Madison users fell prey to exploitation schemes.
The hack weirdly but actually diminished the potential for blackmail by making the information available to everyone. You can’t be targeted with information everyone else already knows. The proverbial jig was up, and many innocent people suffered. The hack managed to ruin careers, destroy marriages and sever relationships. The aftermath was tragic.
Nation-state adversaries have no compunction about using purloined user data as a blackmail tool. That is one of their expressed intentions! Adversaries have done so on many occasions and will do so again. In time of war, be assured that the enemy will seek to exploit both systems and people. Compromised credentials remain exploitable forever, if adversaries possess other connections that users don’t want exposed. Employees who frequent pornography sites are highly exploitable targets, for example, since many of these sites contain malware.
Robert A. Norton, Ph.D., is chair of the Auburn University Food System Institute’s Food and Water Defense Working Group (aufsi.auburn.edu/fooddefense). He is a long-time consultant to the U.S. military, federal, and state law enforcement agencies. His blog, Bob Norton’s Food Defense Blog, can be found at aufsi.auburn.edu/fooddefense/blog/. He can be reached at firstname.lastname@example.org or by phone at 334.844.7562.
Disclaimer: Dr. Norton and production of this article were supported by the Alabama Agricultural Experiment Stations and the Hatch program of the National Institute of Food and Agriculture (NIFA), U.S. Department of Agriculture (USDA). The article represents the personal opinion of Dr. Norton and does not reflect official policy or statutory related opinion of the federal government, NIFA or USDA.