The news is not good out of the Middle East. The Islamic State (IS), otherwise known as “ISIS” or “ISIL,” has not been defeated by a U.S.-led coalition of nations. Their particular strain of apocalyptic Salafi Islamism, which evolved out of al Qaeda, continues to spread as new followers throughout the world are recruited. This problem may seem distant from our nation or the food production and processing systems, but the days of “Fortress America” are long gone in this age of multinational globalization and instantaneous communications.
Agroterrorism first became a major concern after the 2001 anthrax attacks but has gradually faded from the public mind as other events moved center stage. This is unfortunate, given the times in which we live. I spent years investigating how al Qaeda dabbled in agroterrorism, and fortunately, their capability to deliver attacks has degraded. ISIS is, however, in many ways a very different adversary—smarter, more skillful and, yes, actually meaner than al Qaeda ever was. Attacking a food corporation hurts Americans directly by causing loss of life, but also potentially causes them to lose confidence in the safety and security of our food system. That would be a huge propaganda win, which ISIS regularly seeks.
Corporations need to consider the evolving security environment as their first priority. Nothing remains intact once security has been breached, including brand integrity and the bottom line. An attack, whatever its origin and wherever it might occur, whether at the farm, processing plant or transportation hub, can ruin a brand quickly. If the consumer loses confidence in the company’s ability to maintain food safety, a corporation can lose tens of millions—or even hundreds of millions—of dollars as security events cascade.
For the last 3 years, I have temporarily put aside my professorial hat and worked with the government and military on national security issues, as I have on occasion over the last 35 years. What I have seen in this particular round clearly indicates to me, as well as to other national security experts in the government and the military, that ISIS has successfully expanded out from the Middle East and is moving into the United States, Europe and Africa.
Because of this, it is important to think about ISIS as not only a highly organized group, which it surely is, but also as a movement. ISIS has, in effect, become a very diffuse world problem with the potential capability of affecting both U.S. citizens and multinational corporations. But even that is not the whole story, which is far more complex. The states that border the Gulf of Mexico (Texas to Florida) are the major entry points into the United States for organized criminal enterprises trafficking illicit and counterfeit drugs, humans (both sex and undocumented workers) and illegal weapons from Mexico, South America and the Caribbean. The big concern today is that the various enterprises (i.e., ISIS and criminal gangs) might converge, working together to provide both funding streams and access to the U.S. for launching terrorist activities.
Evidence of ISIS sympathizers in the southeast U.S. is not hard to find. One example is the tragedy caused by the 24-year-old Kuwaiti-born gunman who opened fire on a military recruiting station and military site in Tennessee, killing four Marines and a sailor in July 2015. A month later, a Mississippi couple was arrested when they attempted to board a plane on their way to Syria. Then in September, a 15-year-old Alabama youth was arrested after posting a video where he brandished weapons (they turned out to be Airsoft replicas), claiming ISIS had recruited him. He also proclaimed his intention of attacking the Birmingham-Shuttlesworth International Airport. Hoda Muthana, a Hoover, AL, resident and a part-time student at the University of Alabama-Birmingham, left her family, became an ISIS bride and is now somewhere in Syria—if she is not already dead.
All of these were so-called “lone wolf” operations. They were not technically directed by ISIS but instead encouraged by ISIS. Lone wolf operations are particularly troublesome, because they make patterns of terrorist activity more difficult to discern, making terrorist events more difficult to predict and prevent. A good analogy for lone wolves is the insidious gas that can seep into an organization, waiting for a spark to trigger the explosion that causes tragedy.
Many federal agencies, including the U.S. Department of Agriculture (USDA), have recognized the threat that terrorists pose to food and agriculture. They have gamed numerous scenarios, beginning shortly after the September 11, 2001, attacks on the World Trade Center and Pentagon. Early efforts rightly concentrated on processing plants and dairy operations, where deliberate contamination could be quickly and widely dispersed through food distribution channels. Both the USDA Food Safety Inspection Service (FSIS) and the U.S. Food and Drug Administration have developed food defense programs to combat these threats, providing both plan development guidelines and training materials for processing plants and transportation systems.
Government ultimately will not be any real part of the solution, however, since National Security Agency resources are reserved largely for time of war and therefore cannot, by law, fix corporate America’s problems. At least for the foreseeable future, corporations must continue to buy tools and expertise from companies specializing in truly remediating cyber threats. In many cases, an outsider’s perspective has proven to be valuable and worth the investment.
I wrote an article in 2014 entitled, “Agroterrorism—Is the Threat Real?” in which I reiterated that the threat is real indeed, and is ignored to the potential peril of both food corporations and their personnel. My professional opinion then, as now, is that a terrorist attack on the food industry would most likely come in a form and direction least expected.
My number one concern today, as it was when I wrote the 2014 article, is a cyber-attack causing the electrical power supply to be intentionally (and remotely) turned off to animal housing, processing facilities, or other corporate facilities. A full-bore attack might be designed to take ransom or even destroy corporate IT capabilities.
A little-known example of the kind of animal catastrophe that can result from an attack on animal housing occurred in the early hours of August 2, 1990, when the Iraqi Republican Guard invaded Kuwait and Iraqi Air Forces bombed Kuwait City. The cut-off of electricity caused the rapid death of hundreds of thousands of chickens as cooling systems in commercial poultry houses failed. Back-up generators were not then commonly used.
A large-scale attack on a power grid likely would affect not just animals, but also people. Imagine the massive financial damage that could result if an entire city or even region were attacked. One need only look back to the several large-scale blackouts that have occurred to understand the costs and human impacts of such events.
Terrorists like ISIS aren’t the only cyber-threat to corporate infrastructure. Such threats could come from any of the adversaries that currently target corporate America. USDA-FSIS is currently developing standards to address these cyber threats. This is a good start, but will take time and will not entirely eliminate risk.
Corporations, like the government, must come to terms with the idea that everything “cyber” cannot be protected. Recently, some corporations have inventoried their systems and prioritized those parts that contain “the crown jewels,” which would dramatically damage the integrity of the corporation if compromised. These are the corporate resources most vigorously defended.
“Cyber insurance” is a relatively recent innovation, but subscribers are finding the services exceedingly expensive and the coverage limited. Even if government regulations are adhered to, civil liability still persists, which calls into question the actual utility of the insurance if an already expensive policy becomes dramatically more so after a cyber breach. Insurance doesn’t prevent breaches, but may in fact lead to a false sense of security. It shouldn’t.
National security is most robust when it starts at the local level. Commercial agriculture and the food processing industry must not be dependent upon the government, which is proving itself less than fully capable of proactive defense. The 1982 Chicago Tylenol poisoning cases, in which seven were murdered, could have ruined both the Tylenol brand and Johnson & Johnson. This did not happen because the company handled the emergency skillfully, eventually recalling 31 million bottles of the product. The case eventually led to the adoption of tamper-proof packaging for over-the-counter pharmaceuticals, and in the case of Tylenol, the temporary substitution of solid tablets for capsules. If the company and industry had anticipated the threat and acted proactively to protect the consumer, however, seven people might be alive today, and the corporation would have saved millions of dollars. Corporations should use the lessons learned to prebuild robust and adaptable emergency response and business continuity plans.
Threats do not come only from the outside; most often they come from inside, in the form of disgruntled employees and criminal activity. Here, too, brand integrity and the bottom line can be massively compromised, perhaps even worse than from an outside threat. The federal government recognizes this and is developing regulations and guidelines to lessen the threats. Laws, however, seldom prevent criminal or terrorist activity, but can be used only to punish the perpetrator, providing small consolation to the corporation that has been hit.
Here again, industry should not grow dependent upon government for protection. Employees are always the first line of defense against threats and should be educated about the nature and variety of threats as well as being empowered and rewarded for speaking up when they see something wrong.
ISIS’ capabilities should never be underestimated, because they are extremely well-financed and have the capability to purchase on the black market any terrorism tools and expertise they might currently lack. ISIS has expressed interest in developing capabilities for weapons of mass destruction, but to date, they have concentrated on using chemical weapons and industrialized chemicals in their fight against Syrian troops loyal to Bashar al-Assad. ISIS is very interested in using radioactive waste to create dirty bombs and is stridently seeking a nuclear weapon capability, by which they could kill hundreds of millions of people in “the largest religious cleansing in history”—a “nuclear tsunami.” Fortunately, those plans have not been realized, and for now are largely wishful thinking and propaganda.
Nevertheless, we live in a rapidly evolving security environment, in a world that grows more dangerous by the day. American corporations are highly visible targets that. If severely damaged through a terrorist event, national security could be affected. We are, after all, in this together. We as Americans and corporate officials have to think faster and be more agile than the enemy. To do anything less could cause everyone to suffer, which is exactly what ISIS and other enemies want to achieve.
For more information on developing robust food defense strategies, contact Robert A. Norton, Ph.D. at firstname.lastname@example.org.
1. Salafism is an ultra-conservative orthodox movement within Sunni Islam.