CYBERSECURITY IN THE Food and Agriculture Sector
WHAT MAKES THE AGRICULTURE SECTOR UNIQUE
Whether it’s wired-up off-road equipment and machinery, high-tech food and grain processing, radio frequency ID-tagged livestock, or global-positioning-system tracking, the agriculture sector depends on information systems to sustain and improve operations, competiveness, and profitability.
Wringing out even more efficient yields is a global and domestic necessity. Population growth and rising living standards will increase future demands for agricultural products. Breadbasket countries like the United States need to find sustained growth in yields and more efficient ways to farm to meet these demands. Without making use of remote sensing and computer science, significant increases in agricultural yields will be impossible.
Embracing technology comes with risks, and the sector finds itself targeted as never before, thanks to its intellectual property being coveted by foreign competitors and hacktivists. Until recently, most food and agriculture companies did not invest in cybersecurity defense and were lax in fortifying their infrastructure and developing sound cybersecurity practices. That’s beginning to change.
The delay in grasping the threat wasn’t limited to the private sector. In 2010, two federal oversight agencies, USDA and FDA, classified cybersecurity as a low priority. However, in 2015, the agencies reversed course.
This past lack of urgency in the agriculture sector was a mistake, as it missed its chance to get ahead of the threats. All sectors of critical infrastructure are interlaced with dependencies, but the biological requirement of food is arguably at the root of them all. An extreme, coordinated cyberattack on agricultural companies would have human and financial consequences.
CHALLENGES FACING THE NEW ADMINISTRATION
Between the seed seller and the supermarket shopper lies a huge, complex, and volatile supply chain, one of the most complex worldwide. Its components are vastly different in size and sophistication and compete in an economy that optimizes for the lowest possible cost. This level of diversity and size, combined with small budgets for overhead, isn’t the best recipe for robust cybersecurity since it results in huge disparities among individual components. As a result, the agriculture sector will be confronted with the same weakest-link problem facing other sectors.
Agricultural production and operations will only increase dependency on software and hardware applications vulnerable to cyberattacks. Smart farm machinery will handle many of the labor-intensive and repetitive jobs still requiring manual work. Smarter, more robust automation will expand into food processing as machines become more apt to deal with irregular size, shape, and quality-control problems.
This new level of connectivity creates vulnerabilities that the sector hasn’t fully contended with, especially not in the operational environment. Foreign nations are trying to illegally get ahold of American agricultural technology, particularly data on genetic engineering, improved seeds and fertilizer as well as information related to organic insecticide and irrigation equipment. While most recent cases of intellectual property espionage were done the old-fashioned way, it’s naive to assume cyber espionage will not become a major element of commercial espionage.
Prospects of agroterrorism also concern the sector. A sophisticated terrorist attack could wreck America’s status as a trusted food exporter and undermine domestic confidence in the food supply chain. The sector’s growing digitization brings with it new opportunities for terrorists to attack places that previously have been too remote or difficult to strike. Cyber terrorism is a relatively low-cost venture with high payoff potential, making the risks of agroterrorism too large to ignore.
RECOMMENDATIONS
INCREASE AWARENESS
Neither branch of government gives food and agriculture cybersecurity the attention it demands. While new regulations from the federal government are not necessary, agencies that interact with the sector should recognize cybersecurity for the priority issues it has. The FDA and USDA should start educational programs promoting good cybersecurity practices among sector industries.
There is no congressional subcommittee charged with food and agriculture cybersecurity oversight or deals with communication technology’s new dominant role in the sector’s growth. Committees within the full House and Senate agricultural committees must be assigned this task.
DEFINE WHAT CONSTITUTES A NATION-STATE ATTACK AGAINST THE AGRICULTURE SECTOR
Despite widespread attacks by foreign powers, the federal government has yet to define at what point a cyberattack constitutes an act of war or what type of defense it will offer against such attacks. Nor has it updated and adjusted its defense spending in light of this modern threat.
INCENTIVES
Increasing cybersecurity will cost money, and finding the additional funding will not be simple for the sector since it is governed by tight margins and faces a highly competitive world market. Federal involvement in correcting food and agriculture market failures goes back to the New Deal, and this is a new market failure that need correction. Loan forgiveness or grants tied to cybersecurity practices measured against benchmarks such as the NIST Cybersecurity Framework should be implemented, as should new or modified incentive programs for standards, practices, and technologies that are not cost effective but necessary for national security.
IMPROVE INFORMATION SHARING
Agricultural cybersecurity information sharing lacks a center. The sector needs a dedicated cyber-threat information-sharing mechanism, designed for chief information security officers at large corporations, industry associations, and agricultural cooperatives. For smaller, individual enterprises, this mechanism should provide the option of automated updates to threat-protection software. There are plenty of data exchanges dedicated to various threats, such as food-borne illnesses or crop diseases, but cyber gets lost.