If food defense was not already challenging enough, it got more so with the latest revelation of a cyber-borne hack of 150,000 security cameras, associated with a major provider of the technology. The hack included security cameras and related software technology, including facial recognition software. Security cameras are integral elements in most food defense programs. The breach enabled access to security cameras in various locations, including inside corporate facilities, hospitals, and health clinics. More importantly, the video archive and facial-recognition technology were accessed, which could enable the identification of people depicted in the videos.
In this case, those responsible for the breach originated not from a nation-state, but rather from a loose collective of hacktivists/anarchists calling themselves, “Advanced Persistent Threat 69420,” or “APT 69420.” The hackers ostensibly did the deed and then bragged about it in order to decry a mixed bag of anti-capitalist, anti-surveillance complaints. Had it been a nation-state, public disclosure would not have accompanied the hack. Nation-state adversaries and criminal organizations trend strongly toward wanting to remain hidden, or at least doing so until which time they no longer want or need to. By then, it is often too late for companies that have been targeted, and financial damages inevitably follow.
In the coming months, as more information is revealed about the extent of cyber intrusions U.S. companies are experiencing, you will likely hear the term, “scale and scope,” which is cybersecurity-speak meaning, “How bad the damage is.” In the scheme of things, the scale and scope of the security camera hack was limited. These were hacktivists not bent on actual destruction or true exploitation but instead were intent on making a public demonstration of both their skill and outrage against the perceived loss of personal freedom they feel represented by the presence the security camera systems.
Lessons Learned
Does this hack hold any implications to food processing companies? The simple answer is a resounding yes! The details are many and varied, but nuanced, depending on the company, its existing cyber- and physical security posture, and even the kinds of food products being produced. With that in mind, the answers will be broken down in order and importance.
Food Safety and Defense
Food safety and food defense are two sides of the same coin. One cannot exist without the other, ultimately meaning that if one is compromised, so too is the other. The U.S. Food and Drug (FDA) Food Safety Modernization Act (FSMA) was designed to lower the frequency of preventable foodborne illnesses in humans and animals by lowering the probability of contamination, whether accidental or intentional. With the latter case in mind, additional emphasis was placed on the importance of front-line employees, who could be trained to watch for suspicious activity and then be empowered to report it.
It was in the nexus of these two functions (safety/defense) that the intersection of cybersecurity and physical security becomes apparent. Food processing systems are controlled through a cyber means. If a cyber-related problem occurs, food safety could be deleteriously affected. If the cyber-related problem was intentional, the same could be true—food products could be compromised and if not detected, could cause foodborne illness. If a physical security issue occurs, say for instance, an unsecured door blows open, pathogens could inadvertently contaminate food products on the line. If that same physical security breach were intentional, it could give access and opportunity for an adversary to deliberately contaminate food products.
Security camera systems enable plant personnel to monitor food plant facilities, so if uncompromised, are a major plus for to ensure that personnel and outsiders are not present. These systems can also be critical during times of emergency, such as during a fire, major equipment failure, or system compromise. If that same camera system were somehow compromised by an adversary by way of a cyberattack, it could be used as a weapon, which compromises food defense. For example, a breached security camera could indicate to the adversary when personnel are absent from areas sensitive to penetration, such as where key processes occur. Using the example above of the open door, a nonfunctional camera system, could not be used to detect the problem remotely. If the adversary was also working with an insider, the threat is increased even more.
Brand Quality
Food companies know that brand reputation is critical to success, whether the food products go directly to the consumer or ingredients go to others to be added to some other food product. In the current case, the hacktivists sought to embarrass the security camera company that produced them, not the actual companies or facilities that were ultimately spied upon. With other intentions, hacktivists could instead use security cameras to produce videos intending to damage the reputation of a food company. Given this scenario, two important terms to become familiar with include, “Deepfake” and “Truth Decay.”
A “Deepfake” is when a video or other media is digitally altered using artificial intelligence to create a false impression by the viewer or listener. Deepfake technology is proliferating, so that lesser adversaries than nation-states are increasingly able to obtain and create false videos or still images. The technologies could be used against companies, damaging brand reputation. Imagine a video that looks and sounds genuine of a food corporate CEO stating that the food products produced by his/her company are filled with “…cancer causing chemicals.” Or imagine a doctored video of a meat processing or other kind of food processing plant, where real video, gained by hacking into the security camera system is interspersed with Deepfake video.
What can result from the Deepfake technology is more than just a creatively edited video or audio but instead nearly flawless images or audio that looks and/or sounds so genuine that the average person would not be able to discern on first viewing that it was not genuine. If spread in social media or even in the mainstream media, the economic fallout could be significant and very swift. The images or audio might eventually be proven fake, but the corporate response would require an extensive (read expensive to very expensive) public relations campaign. Even when proven fake, some percentage of consumers or potential consumers would never accept that reality, because of the growing problem with cynicism—the attitude that everything is false. In the backward universe of fact and fiction in which we now appear to live, some within the media interpret protestations of innocence as evidence of guilt. Silence can also be interpreted in the same manner, meaning no action is action.
“Truth Decay” is a term used by the RAND Corporation to describe the diminishing role of facts, data, and analysis, which affects how an increasing number of people think, or for that matter, don’t think. Critical thinking skills are rapidly diminishing in the U.S. and in other parts of the world. What is seen or heard is immediately believed. The problem is so acute that educational foundations have been established to counter the growing problem. The cumulative effect is that Americans are increasingly less able to discern truth and facts, making them more susceptible to malign activities designed to obfuscate, confuse, and unduly influence, all of which are proliferating in social media and the mainstream press.
Truth telling and truth discernment have become national security matters that transcends politics, social stability, and consumerism. A less-discerning consumer is not just one that can be better persuaded by advertisement, but also one waiting to fall victim to falsehood. Food corporations, be frightened. Be very frightened! Short-term gains from increased advertising campaigns might be rapidly lost if an adversary or economic competitor were to target food products or company brand(s) with a falsehood campaign.
Proctor and Gamble experienced the problem first hand, when the false rumor was started in the 1980s that the corporation was in league with the devil, as supposedly evidenced by the “fact” that their long-time logo had thirteen stars and a bearded moon with three sets of curls that looked like 6’s—666. What was the market share affected by this wrong information? Proctor and Gamble no doubt knows. They are not alone.
Truth Decay enables disinformation, misinformation, and propaganda to proliferate if the consumer does not have the informational background or insufficiently apply critical analysis necessary to counter wrong information. Disinformation, misinformation, and propaganda have all proliferated during COVID-19, with no abatement in sight.
Both Deepfakes and Truth Decay are clear and present dangers to food corporations and agriculture alike, as well as corporate America in general. Either can ruin the reputation of a company, its products, and thereby damage both its brand quality and bottom line. When combined, the corporate effects can be massive. False claims can be made and quickly spread at the speed of electrons via social media. Once released into the blogosphere, ideas right or wrong are very hard to quell.
Adversaries, including nation-state adversaries are increasingly using both strategies to great effect in many parts of the world. These may not sound like food safety or food defense issues, but they become so when say for instance, a false claim of adulteration is made. Once a false claim is made, the natural business response is to refute with factual information. But wait, facts don’t matter anymore to a growing group of Americans, all of which are also consumers. Remember also the old adage, “A picture is worth a thousand words,” made even more so effective by the internet, if the images spread world-wide look real and are made to maximize the emotional impact. That is propaganda at its best and most dangerous.
Intellectual Property (IP) and Employee Exploitation
There is a long-time game going on now, called global hypercompetition. At the same time, corporate trade secrets are being stolen, and the global consumer is being targeted and influenced through the aforementioned misinformation, disinformation, and propaganda. The long-term goal is to extract all value from every targeted corporation and then eventually put that corporation out of business.
Hypercompetition is a business term that refers to the use of tactics to rapidly disrupt the competitive advantage of a company, a sector, or even a nation. Business competition is one thing. Hypercompetition is on a whole different scale. In the current global environment, a specific food or agriculture corporation (global or domestic) or the U.S. food and agriculture sector in general are the target of hypercompetition.
IP theft is aided significantly if the adversary is able to see into your facilities, in order to watch your systems and your processes. Most food corporations have areas that are particularly sensitive in either an IP/proprietary information sense or because it is a secured area in the sense of food defense. A hacked security camera, particularly if not detected, enables a “persistent stare,” which gives the adversary great advantage of seeing how your corporation works.
Imagine the effect on your bottom line if all of your competitors were allowed to roam freely in your facilities, seeing and watching everything that goes on all of your food production lines. The recent hack brings to bear another important personnel security issue that being their identity. A hacked camera system gives the adversary access to your employees’ images. Once images are gathered, an adversary can use facial recognitions software to identify actual people and then target them directly through some means of further exploitation, such as through stealing their access credentials or even coercion. Food safety and food security personnel hold extremely important positions in food companies. Imagine what might happen if one of them might be targeted for black mail (it’s happened) or other comprise and then actually yield. Imagine further the disgruntled employee and the damage that could be done by someone with access to your system and processes. Do you think this kind of situation couldn’t happen to your company? “Insider threats” are nothing new and are well understood by food corporations, most of which have had to deal with occasional problematic employees. If you want to become more familiar with the issues of insider threats, a good resource is available from the FBI entitled, “The Company Man: Protecting America’s Secrets.
Solutions
Given the sophistication of the adversaries, solutions have to be found that are both rapid and effective, but also offer a good return on investment (ROI). Like food safety and food defense programs, cybersecurity programs have to be considered investments in the brand, IP, and even bottom line security. In this approach, these are not cost centers but potential profit centers, particularly if they maintain business continuity or even enable expansion in the global hypercompetitive market. Because of this, we posit that to be effective, cybersecurity must be linked into food safety and defense programs, whatever the facility or its location. How is this accomplished?
First and foremost, protect your cyber backbone. Think not just about your systems but also the information that is vital to your food safety and food defense programs. Both must be protected. Information assurance is essential to your business continuity. Everything you do in your business has a cyber-nexus, so get more familiar with how your systems work and who protects them. The level of sophistication of threats has increased so significantly that many corporate IT shops are no longer sufficiently robust to address what dangers will come your way. The best advice is to always engage the best cybersecurity firm that you can afford. Engagement is an investment. The ROI is that you will have a company to come back to tomorrow and your information will remain intact. Never forget—companies hit by major cyberattacks often don’t survive. Many people in business don’t know that.
Start with an outside security audit of all of your systems (including security camera systems) AND the credentials of your personnel. Both types of audits are essential because it helps you identify the scope of existing problems and vulnerabilities. Remember that the best cybersecurity program in the world can be defeated by a careless employee, who clicks on the wrong email link. In all likelihood, that has already happened, meaning the adversary is likely already in your systems. Companies will have to learn how to manage that inevitability, meaning that information isolation and protection will need to be prioritized. Perimeter cybersecurity is no longer an adequate protection solution by itself, given the sophistication of the adversary. Again—protect your information!
As we look forward, we as a society must come to terms that there will be no respite in the struggle. We are in a permanent state of cyber war that is already costing fortunes and claiming companies as casualties. Despondency is not an option. Neither is failure! Diligence and awareness must mature into hyperconsciousness in this hypercompetitive world. Corporate survival in the food safety and defense domain is dependent upon people and machines. Both must operate flawlessly, given the adversary will also remain constantly vigilant and continue to probe for weaknesses. Victory is possible, but will require new ways of making decisions and doing business. Good luck in the war!
Robert A. Norton, Ph.D., is chair of the Auburn University Food System Institute’s Food and Water Defense Working Group. He is a long-time consultant to the U.S. military and federal and state law enforcement agencies. He can be reached at nortora@auburn.edu.
DISCLAIMER: Support for Robert A. Norton, Ph.D., and the production of this article was provided by the Alabama Agricultural Experiment Station and the Hatch program of the National Institute of Food and Agriculture, U.S. Department of Agriculture. The article represents the personal opinion of Robert A. Norton, Ph.D., and does not reflect official policy or statutory-related opinion of the federal government, National Institute of Food and Agriculture, and/or the U.S. Department of Agriculture.