As I have mentioned in previous articles, my research interests range from civilian security to military/national security matters. Food defense is never far from my thoughts, because every military operation depends on logistics, which includes the delivery of food and water supplies to the warfighter.
In protracted conflicts, he who controls food and water on the battlefield ultimately prevails. Food has been a weapon of war since mankind first started throwing rocks at each other. In nation-to-nation conflict, your company will be at the front lines, since your operations are critical to the welfare of both the warfighter and civilians at home. The enemy must defeat both to prevail.
In a recent series, I explored food and agriculture as domains of war. The gist of the articles was that since agriculture and food are critical infrastructures (CIs), they—like other CIs—will be targeted by adversarial nations should they come into direct conflict (a “shooting war”) with the United States. Targeting is a somewhat charged word but implies “acts of war” (de bello), a broad term used to describe acts associated with armed conflict. Examples in the series were attacks that could occur as a result of a hypothetical confrontation[1] between the U.S. and China, simultaneous with an invasion of Taiwan.
In that scenario, adversarial acts against food and agriculture would be acts of war because 1) they were linked to actual armed conflict and 2) their intent was to diminish our nation’s capability and will to respond militarily. Remember, the original series presented a hypothetical series of events, as a means to foster thought. Planners like to begin with low probability/high consequence (i.e. worst-case) scenarios, because successfully designing response options helps in responding to the more common high probability/lesser consequence scenarios.
The truth is that CIs are already being targeted, but not yet as “acts of war.” The current targeting focuses on theft of trade secrets, criminal activities such as extortion, and espionage—all short of acts of war. Those types of targeting will be discussed in Part II.
Good News/Bad News
A great many things are happening that will impact food defense. On the negative side, our adversaries are well-financed and smart. Their capabilities must not be underestimated, given that they continue to evolve in ways that make food defense both more difficult and more essential to company survival and national security.
On the positive side, the federal government has begun to frame the standards for food defense plans, detailing the processes, procedures, and tactics that lessen the probability of intentional adulteration of food products. The Food Safety Modernization Act[2] framework is a good first step, but only a first step on a much longer journey. It will take time for companies to learn how to manage the requirements to their advantage. Companies need to learn how to manage the level of security that is possible and not invest in standards that are unachievable.
Security postures cause adversaries to respond. On the desirable end of the response spectrum, adversaries choose not to attack, simply because defenses are sufficiently robust that the risk to them outweighs the probability of success. Many will go elsewhere to find other victims. In other words, companies with robust and well-managed food defense plans are less likely to become victims than companies with less robust or poorly managed plans.
On the undesirable side are the intractable adversaries who seek to find a means to overcome or bypass the robust defenses. For the sake of this essay, we will consider the vast majority of these persistent adversaries to be sophisticated criminal organizations and nation states, sometimes working in concert.
“Near peer” nations, including China and Russia, are countries whose military technology capabilities are fast approaching those of the U.S. Of the two, China is also an increasingly powerful economic competitor. Beyond China and Russia, other potential adversarial states include Iran and North Korea. None of these nations currently seeks a direct confrontation with the U.S., because if they act alone their current technology and military capacities could not prevail. In the case of China, however, that is rapidly changing. Although not capable of a toe-to-toe confrontation, these nations are trending toward becoming more belligerent, but staying in the “gray zone,” meaning they avoid the use of guns and bombs.
One way to remain firmly in the gray zone is to target the U.S. indirectly, which can also be an act of war. Our CIs—the sectors without which we cannot function—have been probed for years. China, in particular, is interested in the CIs, both to gain information should it ever attack and to learn proprietary information. Probing in the former case is a potential act of war (“preparation of the battlefield”), while in the latter case it is espionage.
China wants to know how the U.S. maintains our economic advantage, right down to the level of the settings on the equipment that controls your food plant systems and processes. Espionage, in that case, can be confined to seeking economic advantage, which is illegal but not an act of war. Espionage can also be escalated to achieve military/political goals using economic warfare as part of a larger military strategy, which is an act of war.
Critical Infrastructure Systems
CIs are what engineers call a “system of systems” (SoS), meaning “a collection of systems, each capable of independent operation, that interoperate together to achieve additional desired capabilities.”[3] A system is a group of things and processes that comprise a mechanism (e.g., produce food products). Each CI is separate and distinct, but many CIs intersect, meaning they form a larger SoS. The benefit is that intersecting CIs are more efficient and economical. For example, a food processing plant does not create its own power or water; it accesses the power grid and usually a local water utility.
There is some disadvantage to interconnectivity, too. For one thing, all constituent systems must be equally robust and resilient, which is very rare. If they are not, a single point of failure anywhere in a subsystem can cause failures in the SoS. In other words, CI interdependencies can lead to “cascading effects.” Think of a snowball rolling down the hill; disruptions begin in one place (the snowball is made), the snowball moves down the slope (causing subsystem failures), the snowball grows in speed and magnitude (potential destructive force) over time (perhaps seconds), until the final impact—total SoS failure (the snowball crashes into the target). Although there are obvious differences in the interdependent CIs, the common element is cyber. Attacks on CIs, including food and agriculture, predominantly come through the cyber route.
Another element that complicates the mix is the fact that both the military and civilians rely on the same CIs. There is no separate power grid for the military, no separate water utility, and no separate food chain. The military is inextricably connected to the civilian world, at least here in the U.S., and vice versa. Considering the commonality across all CIs—cyber—one can begin to see how an attack could create cascading effects.
Since everything is connected, a point of attack (the “attack vector”) can be exploited in either direction. An attack on a civilian system can be used to target the military, and an attack on military systems can be used to target civilian systems. That is why I say your company will be on the front lines should war break out.
If these systems are essentially one, who is in charge of protecting the military/civilian cyber SoS, which is perhaps more accurately described as a “system of systems of systems” (SoSoS)? The answer gets a bit murky—and problematic. The federal government’s response to national security cyber concerns has charged the Department of Homeland Security/Cybersecurity and Infrastructure Security Agency with protecting the civilian systems, and the National Security Agency and, tangentially, the Department of Defense’s CYBERCOM with protecting government/military systems.
Complexity layered on complexity creates vulnerability. So what is the lesson in all of this for food chain related corporations?
• Don’t depend on the federal government to protect you.
• Your security is your problem.
Cybersecurity threats are real, they are expanding, and if left unchecked could seriously damage your corporation’s profitability, and in a worst-case scenario its very survivability. The term “existential threat” is very frequently overused. It is appropriate here. To conquer the military might of the United States, our adversaries must attack our nation’s CIs, including agriculture and food. He who controls food and water on the battlefield prevails.
In time of war, the U.S. military and federal government will be too busy dealing with the onslaught of attacks on all CIs to worry about your company. The federal government would even sacrifice your company. If your company is so unlucky as to be the entry point of attack for a CI, your systems would be shut down, perhaps forever, if that is what it takes to prevent total CI failure.
If you were the attack vector, you will be subject to litigation from all of the other corporations hurt by the cyberattack even if you survive a massive cyberattack. Again, the federal government will not be your salvation. You might even be held criminally liable. There will be sacrificial lambs.
What should company execs do if they can’t depend on the federal government if attacked? Make the feds your friends now. This sounds like a contradiction, but your best friend right now, before any attack, is the Cybersecurity and Infrastructure Security Agency (CISA).[4] CISA partners with industry not only to discover cyber threats but also to manage risk. To do this, CISA provides access to its National Risk Management Center, which will collaborate[5] with your corporation in planning for threats and threat analysis. These are your go-to federal partners in managing your risks and vulnerabilities – but you have to be working with them NOW.
Your corporation also should partner with a private entity called an Information Sharing and Analysis Center (ISAC). The first priority is to address cyber-vulnerability issues, which represent at least 90 percent of your most pressing risk. You also will have to address issues related to intentional adulteration, which represent some 10 percent of your vulnerability. Fortunately, a cyber-focused ISAC already exists, and development of an ISAC focused on intentional adulteration is currently being discussed by a consortium of food corporations.
In Part II, we will look at the cyber ISAC and how you can become involved.
Robert A. Norton, Ph.D., is chair of the Auburn University Food System Institute’s Food and Water Defense Working Group. He is a long-time consultant to the U.S. military, federal, and state law enforcement agencies. His blog, Bob Norton’s Food Defense Blog, can be found at aufsi.auburn.edu/fooddefense/blog/. He can be reached at nortora@auburn.edu or 334.844.7562.
References
1. U.S. Code § 2331 defines an “act of war” as “any act occurring in the course of A) declared war; B) armed conflict, whether or not war has been declared, between two or more nations; or C) armed conflict between military forces of any origin.” www.law.cornell.edu/uscode/text/18/2331.
2. www.fda.gov/food/food-safety-modernization-act-fsma/fsma-rules-guidance-industry.
3. www.mitre.org/publications/systems-engineering-guide/enterprise-engineering/systems-of-systems.
4. www.dhs.gov/cisa/critical-infrastructure-sectors.
5. “NRMC works in close coordination with the private sector and other key stakeholders in the critical infrastructure community to: Identify; Analyze; Prioritize; and Manage the most strategic risks to our National Critical Functions—the functions of government and the private sector so vital to the United States that their disruption, corruption, or dysfunction would have a debilitating impact on security, national economic security, national public health or safety, or any combination.” www.cisa.gov/about-cisa.