The first of this series introduced the concept that the food supply and agriculture would be domains of war in the event of conflict. The construct presented assumed that an adversarial nation state, in this case China, might eventually choose to challenge the United States militarily. In that hypothetical scenario, the conflict between the U.S. and China accompanied a supposed invasion of Taiwan. Further assumptions in the thought exercise included the focused targeting of U.S. critical infrastructures, which caused cascading failures, starting at the points of intersection between critical infrastructures. Agriculture and food, both considered critical infrastructure sectors by the Department of Homeland Security, would be affected in this scenario.
The second part introduced the concept of “War Games” in which corporations could examine the most likely threat scenarios and gauge whether defenses are sufficiently robust. Cyber elements were described as the first likely attack vector for targeting food and agriculture. Part three went on to discuss the importance of operational security or “OPSEC.” Corporations have to learn to protect their own information.
Part four discussed the potential expansion of coordinated attacks through what the Chinese military calls “system destruction warfare.” In this concept, battlefield success includes disrupting the food logistics systems that support U.S. forces on the battlefield. As has been proven countless times during siege warfare, starving soldiers are less capable of sustaining the fight. He who controls the food, controls the battlefield.
The speculative attack described in the first article began with a cyber event that rapidly created a domino effect, starting first in the power grid and then cascading into food and agriculture, water, transportation and banking. The effects included the disruption of the food supply (for days to potentially weeks or months) and cataclysmic damage to the economy.
The duration of the food supply disruption would depend on how thoroughly and quickly companies respond and improvise. Government obviously plays a big role in such an emergency, but it would be the responsibility of the food industry and agriculture to figure out how to repair logistics and replenish the food supply. Sorry to dispel a myth, but government’s purpose is not to protect your company from economic damage.
In times of national emergency, accurate and timely information is the single most valuable commodity, needed by both companies and government. Even better is information that provides a warning, to facilitate adoption of best practices and provide context and insight into the evolving threat before corporate integrity is affected. In the U.S., the Department of Homeland Security has designated 16 critical infrastructures, ranging from the transportation sector to the information and technology sector.
One of them in the food and agriculture sector, composed of an estimated 2.1 million farms, 935,000 restaurants, and more than 200,000 registered food manufacturing, processing, and storage facilities. This sector accounts for roughly one-fifth of the nation’s economic activity.
These critical infrastructure sectors frequently develop Information Sharing and Analysis Centers (ISACs), which are clearinghouses for the collection, aggregation, analysis, and dissemination of relevant and timely information across the sector. Unfortunately, today, there are no agriculture and food ISACs.
An agriculture and food ISAC would by necessity cross multiple sectors, including agricultural production, transportation, food processing, warehousing and retail sales, etc. ISACs “…help critical infrastructure owners and operators protect their facilities, personnel and customers from cyber and physical security threats and other hazards. ISACs collect, analyze and disseminate actionable threat information to their members and provide members with tools to mitigate risks and enhance resiliency.”
ISACs also help coordinate with other relevant ISACs, either directly or through national clearing house organizations such as the National Council of ISACs.
Information flow to and from the government during a crisis is essential. For this information flow to happen during emergencies, communications must begin before emergencies occur. Trusted relationships are essential to foster candor and disclosure. Information developed by the government, however, has to protect “sources and methods,” meaning that all the information possessed by the government cannot be shared with industry.
Likewise, industry should not share all information with the government. When information is shared, the government must assiduously protect any information provided by industry, meaning that Intelligence value always trumps regulatory value. If shared information is somehow used as a regulatory weapon, that betrayal irrevocably severs the bond of trust, ending the likelihood of future information sharing. Trust is likewise severed if the government inadvertently “spills” proprietary information or personnel records, meaning it is released by accident. Trust is hard won, but easily lost!
Two types of information critical to corporate survival include proprietary information (“PI,” such as processing parameters—the settings on your food processing machinery) and personally identifiable information (“PII,” such as personnel records). Often PI and PII link. Although, adversaries target both types of information separately, the combination of the two is the most prized objective.
Who are your company’s subject matter experts (SMEs)? Sophisticated adversaries know your SMEs often possess the “keys to the kingdom,” meaning they are the holders of your corporate secrets. Once adversaries know who your experts are, they can further target them using the tried and true methods of “target exploitation.”
ISACs help corporations develop threat assessments that help protect PI. For example, is the company that says it wants to “partner” with your company legitimate or is it actually an adversary seeking to learn your secrets? This is an important question to answer accurately in a timely manner. ISACs also work with corporations to develop their own information. Often, corporations do not understand the internal information they possess, nor do they know how to leverage the information.
Many corporations, particularly larger ones, have already worked with security companies that perform threat assessments. That is a good thing to do and certainly should not be discouraged. But if any security company comes to your corporation and claims the ability to deliver total security, run very fast and hold on to your wallet.
Why? Because two problems can manifest in this one-on-one approach. First, the corporation is “navel gazing,” contemplating its own specifics but not necessarily becoming aware of problems that may be affecting other companies (maybe even companies you consider competitors). Remember, in matters of security, there really are no competitors, only partners. Everyone is in the same boat. What is happening across the industry is important. Broader information sharing can be facilitated through an ISAC. Intelligence professionals talk a lot about trends and indicators. Both are important to consider. Too “tight” a focus distorts the “picture.” In other words, a narrow view can cause a loss of fidelity in the “ground truth.” Ground truth is the preponderance of facts—the sum of what is really happening, as opposed to that which you think is happening.
The second problem with a one-on-one approach is that company-specific threat assessments may not consider all the ingredients going into the products you produce. In late 2008 and early 2009, for example, executives and managers in a variety of food companies across the country were asking whether ingredients came from the Peanut Corporation of America. A massive, lethal outbreak of Salmonella Typhimurium contamination was eventually linked to PCA.[2–4] This triggered the most massive food recall in U.S. history up to that time, involving more than 360 companies and more than 3,900 different products using PCA peanuts. An adversary could use this outbreak as a model for an intentional contamination event.
Threat assessment across the full spectrum of every single ingredient that goes into a corporation’s food products would be expensive and at best be a snapshot of a given point in time. Threats evolve, ebb and flow. They are dynamic, changing constantly with the influences and capabilities of the adversary. What is true today may not be true tomorrow, next week, next month, or next year. Effective intelligence requires a “persistent stare,” meaning that information gathering and analysis never stops. An ISAC can do that.
Threats to agriculture and food will never go away. That is a fact. Information gathering and analysis will always be required for developing insight, which helps avoid surprises that cause damage to people, places, and things. Can every threat be identified and neutralized? Unfortunately, that is impossible. Fallible humans make mistakes, and dedicated Intelligence professionals fall into that category. That doesn’t mean you stop trying.
Are all ISACs successful in always protecting their constituencies? No, not every time. Some are very good, others less so. All are getting better at making bad surprises less likely. The goal, should the agriculture and food industries stand up an ISAC, should be to make bad events less likely.
Robert A. Norton, Ph.D., is chair of the Auburn University Food System Institute’s Food and Water Defense Working Group. He is a long-time consultant to the U.S. military, federal, and state law enforcement agencies. His blog, Bob Norton’s Food Defense Blog, can be found at aufsi.auburn.edu/fooddefense/blog/. He can be reached at firstname.lastname@example.org or 334.844.7562.
Disclaimer: Dr. Norton and production of this article were supported by the Alabama Agricultural Experiment Stations and the Hatch program of the National Institute of Food and Agriculture (NIFA), U.S. Department of Agriculture (USDA). The article represents the personal opinion of Dr. Norton and does not reflect official policy or statutory related opinion of the federal government, NIFA or USDA.