By Audrey J. Adamson, Principal at A2 Strategies, LLC
The U.S. food and agriculture sector is at the crossroads, again. COVID laid bare the complexities, the interdependencies, and the fragilities in U.S. food production and distribution systems. Recent disruptions led to spot shortages of food, destruction of food and agriculture products, and steep price increases for consumers. Washington and the industry are properly focused upon preventing future disruptions.
We have spent hundreds of millions of dollars to ensure that plant and animal pests are kept outside the U.S. mainland and developing options for eliminating them should they land on our shores. While these programs have largely proven effective, a chain is only as strong as its weakest link. We are now poised to spend billions of dollars to support “rebuilding food supply chain infrastructure” and creating “resilience” by targeting government funding to support building capacity across in the chain infrastructure. The weak link here is our defenses against the increasing cyber security breaches seen across the food and agriculture sector.
In its 2021 Notice for Comment on resilience issues in food and agriculture, the U.S. Department of Agriculture focused on expanding meat and poultry packing and processing capacities across the country; growing regional and local food processing; and building distribution infrastructures; and addressing industry consolidation. Little mention was made of the biggest emerging threat, cybersecurity. Recent cyberattacks on varied food and agriculture companies and cooperatives laid bare that weak link. We have seen attacks on companies as varied as JBS; Kaseya; and now Crystal Valley Cooperative.
Cybersecurity should be a major concern for all involved, from the Farm Credit System to crop insurers to farmers and ranchers and the manufacturers and dealers of farm equipment and inputs. As farms and processing and distribution facilities get “smarter” this risk grows exponentially. As labor shortages remain problematic automation increases. Multiple data points of entry—multiple opportunities for attack. At the end of the day, cybersecurity risk is a huge risk for all stakeholders in the food and agriculture supply chain; farmers; processors; transportation; distribution; and capital.
At a recent House Agriculture hearing, Dr. Jennifer van der Ligt, head of the University of Minnesota’s Food Policy Defense Institute (FPDI) testified that increased automation because of labor shortages, consolidation, food safety and public health issues will bring more points of entry for cyber criminals to disrupt and compromise the U.S. food production and processing sector. FDPI research reveals that there is a lack of awareness throughout the food and agriculture sector of the scale of the cyber risks and consequences; there is lack of regulatory guidance and clarity from government and/or industry on how to assess and address threats; there are a lack of standards for cyber security in food and agriculture processing; a lack of focused research and vulnerability assessments or data tools to make evidence-based mitigations; and finally there is a lack of cyber education amongst the operations and IT personnel tasked with ensuring cyber security.
She offered several suggestions which I believe are worth consideration: (1) USDA should take the lead in developing information on technical risks; (2) USDA and FDA should work together on sector specific risk reduction measures at the facility level; (3) USDA should host a series of cyber review technology forums aimed at senior leadership at food and agriculture companies/farms/ processing facilities; (4) USDA should develop a university-based food and ag focused Center of Excellence; and finally (5) USDA should collaborate with DHS to establish an Industry Sector Advisory Committee (ISAC) devoted to food and ag and cyber security.
These recommendations are sensible and self-explanatory. When combined they offer the potential for a pliant “safety net” responsive to emerging threats. Traditionally, food and agriculture set itself apart from most other manufacturing industries. It is different, its products are the result of by biological systems. Its metrics and its risk vocabularies are very different. This is also the case within USDA and FDA. These agencies have successfully focused their efforts on biological threats, however, neither their experience nor expertise are the area of cyber security. Other federal agencies and critical infrastructure sectors that have successfully implemented cyber models that work. USDA should target resiliency funding towards adapting other successful sector cyber models.
So, we are at the crossroads, again. This sector can no longer afford to throw up its hands saying: “this only impacts the global companies” or “this is too complex to manage” or “this was not invented in farm country.” The U.S. food and agriculture sector has become a prime target for cybercriminals. The threats are consistent with other industries; however, the consequences are very different. Federal government support to finance expansion of the food and agriculture supply chain infrastructure and rewriting competition rules without leading change in cybersecurity practices and requirements is just whizzing by the crossroads hoping to avoid the inevitable crash.
Audrey J. Adamson is a Principal at A2 Strategies, LLC. Prior to that she served as Vice President of Public Policy at the National Pork Producers Council.