America’s Food Supply Has a Cyber Problem

Fine-tuned sensors let farmers know which fields need more water and which crops need more fertilizer. But today, a hacker halfway around the world, working as a criminal actor or paid by a foreign government, could use that same technology to disrupt American food production and destabilize U.S. public health and economic security for months. The industry that supplies American food is vulnerable in cyberspace.

Precision technology is constantly making agriculture more efficient and cost-effective, but as farming uses more data and more intricately connected technologies, the cyber risks grow. And it is not just ransomware attacks that could disrupt production. American food production depends on clean data. If hackers could falsify or corrupt crop and livestock health information to mimic a disease outbreak, the economic disruption could be catastrophic. Farmers and health inspectors might need months to confirm whether or not there is indeed an outbreak. In the meantime, herds might be decimated, food prices would soar, and foreign trade would halt.

Luckily, Congress is paying attention. The new bipartisan Farm and Food Cybersecurity Act, introduced by Reps. Brad Finstad (R-MN) and Elissa Slotkin (D-MI) and Senators Tom Cotton (R-AR) and Kirsten Gillibrand (D-NY), seeks to strengthen the resilience of U.S. agriculture infrastructure. First, the bill directs the U.S. Department of Agriculture (USDA) to conduct a biennial study on cyber threats and vulnerabilities for critical food and agriculture infrastructure. Second and most important, it requires the department to conduct an annual, cross-sector exercise on food-related emergencies or disruption. Recognizing that expertise on the sector and the cyber risks it faces does not reside solely in the federal government, the bill requires the department to incorporate input from experts, stakeholders, and practitioners from the sector itself as well as from the public health, emergency management, transportation, energy, water, and cybersecurity fields.

The bill authorizes $1 million each year to conduct the studies and exercises. This funding will be important because, as a Cyberspace Solarium Commission 2.0 report highlighted last year, inconsistent or non-existent federal resourcing for the sector risk management agencies (SRMAs) tasked with working with the private sector to mitigate risk — such as the USDA — has severely limited the efficacy of this public-private collaboration. Without adequate funding, federal agencies cannot fulfill their responsibilities to their industry partners to work together to secure critical infrastructure.

The contents of this legislation would clearly advance important policy goals, but there is much more work to be done. Last year, the USDA Office of Homeland Security requested $2.4 million to prepare for and respond to emergencies and threats as the SRMA for the food and agriculture sector. This investment, while an increase over the previous year’s budget, is not enough to secure a more than $1.2 trillion industry that includes more than two million farms across the country. Responding to the president’s annual budget request, Cyberspace Solarium co-chairs Sen. Angus King (I-ME) and Rep. Mike Gallagher (R-WI) urged their colleagues on the appropriations committee to provide an additional $750,000 for food and agriculture sector support.

Three years ago, Congress clarified that federal agencies designated as SRMAs are responsible for six tasks: supporting sector risk management, assessing sector risk, managing sector coordination, facilitating information sharing with other federal entities, supporting incident management, and contributing to emergency preparedness efforts. The Farm and Food Cybersecurity Act would support some of these key responsibilities, and the USDA should approach the cyber threat study and cross-sector simulation through this lens.

Biennial threat and vulnerability studies would support sector risk assessment and facilitate information sharing among government entities. The cross-sector exercises should improve incident response planning, while also enhancing sector coordination and information sharing among industry stakeholders. Reviewing vulnerabilities and developing refined collaboration practices for emergency preparedness would prepare both government and private entities to prevent or mitigate cyberattacks on the food and agriculture sector.

These efforts should be expanded further. In addition to its own biennial studies, the USDA could create programs to help critical infrastructure owners and operators perform their own threat assessments. The department should regularly work with the Cybersecurity and Infrastructure Security Agency and other federal partners to share information beyond an annual exercise. Only with proper funding and effective interagency and public-private collaboration programs can the USDA and industry partners secure American food supply against cyberattacks.

Rear Adm. (Ret.) Mark Montgomery is a senior director at the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies. He directs CSC 2.0, which works to implement the recommendations of the Cyberspace Solarium Commission, where he previously served as executive director. Follow him on Twitter @MarkCMontgomery. Sophie McDowall is an Intern with the Foundation of Defense for Democracies.