In the May 2020 edition of Logic Magazine, I published an article entitled “Attacking Agriculture” which provided a basic overview of the increasing risks of our connected food supply chain.
It includes discussions of the expansion, scope, and financial incentives of building (and exploiting) new agricultural technologies.
Here, I wanted to include just a little more context about the national security risks inherent in this tech.
Historical Context
From the proverbial “salting of the fields” to contamination of drinking water to sieges and embargoes, food has often been used as a weapon in war and peace. The U.S. has always understood this, and has strategized as such both offensively and defensively. U.S. agricultural surpluses has been a tool of foreign policy through the Food for Peace program since at least World War I, the ancillary result of which often served to increase external dependencies of nations at the expense of local markets and industries. At one point in 1973, then-Secretary of State Henry Kissinger proposed tying food aid to mandatory population controls in select countries.
These agricultural tools of economy and aid were bolstered by physical plans. As early as the 1940s the Department of Defense (DoD) began to envision ways to manipulate the climate, and by the Vietnam War the DoD was able to initiate Project Popeye, which was intended to prolong the monsoon season and disrupt supply routes by cloud seeding. Tests of project Popeye (which were conducted in Laos), were considered “too successful”- a generous euphemism for the fact that once seeded, the DoD had no control over the volume of chaos they would create. The DoD project eventually evolved into the infamous Strategic Defense Initiative “Star Wars” and HAARP (High Frequency Active Auroral Research Program) — the now shuttered research project which was the subject of a vast-number of conspiracy theories. Many nations (and perhaps a billionaire or two) have the capability to slightly modify the weather through physical mechanisms such as cloud seeding, but the Air Force soon began to believe that virtual manipulation was as important as actual modification.
In a 1996 document entitled “Weather as a Force Multiplier: Owning the Weather in 2015”, a section entitled “Applying Weather-modification to Military Operations” stated:
Offensive abilities could provide spoofing options to create virtual weather in the enemy’s sensory and information systems, making it more likely for them to make decisions producing results of our choosing rather than theirs. It would also allow for the capability to mask or disguise our weather-modification activities.
When it comes to agriculture in modern times, war is increasingly virtual.
Preparing for the Inevitable
In 2004, the Department of Homeland Security (DHS) began working to establish a national policy to defend the U.S. agricultural system against terrorist attacks and major disasters, but infrastructural attacks and biological strikes were at the time considered the greatest threat.
But by 2016, the FBI released a joint memo with the USDA warning farmers adopting precision agriculture tools that they were increasingly at risk of having their data held for ransom, of hacktivists coming after those using GMOs, or of bulk data theft for the intent of market manipulation. In 2017 the United States Navy conducted a series of War Games designed to train servicemen to protect key sectors against malicious state and extremist actors. Key amongst those was Food and Agriculture, where agents were trained primarily to deal with cyber-incursions: remote tampering of autoclave temperature readings, altering of audit data, and ransomware attacks. By 2018, DHS dropped a report which outlined the collapse of boundaries between the physical and the virtual: In all likelihood, the greatest infrastructural and biological incursions would now be generated from cyberattacks.
The DHS report noted that threats in the agricultural sector are “consistent” with that of other linked industries, but
Precision agriculture is unique [] because it took a highly mechanical labor-intensive industry and connected it online, dramatically increasing the attack space available to threat actors. Due to this, otherwise common threats may have unique and far-reaching consequences on the agricultural industry.
Of particular concern is smart irrigation systems. Smart irrigation systems can infect individual clients with malware to analyze traffic (useful information for many parties!), or empty entire reservoirs. But irrigation systems don’t just apply water — they also are used to directly apply fertilizer and chemicals. This application is touted as being more precise and efficient — but there are concerns about environmental and health externalities. Hacking of these dual systems could be used to poison land, and contaminate watersheds and groundwater. At a presentation on cybersecurity for CGIAR (formerly the Consortium of International Agricultural Research Centers), Agricultural Commodity trader VB Kasi described irrigation systems as the “the next big cybersecurity weapon of devastation.”
This is already happening. In May, Israel reported that Iran had conducted a cyberattack on water and sewage facilities. They expressed shock and surprise — which is somewhat surprising considering that they had accused the Syrian Army of doing the exact same thing as early as 2012.
Even technologies developed by the military or enterprise-grade organizations are vulnerable. The European satellite navigation system Galileo had a mass outage for over a week in July 2019. While there are redundancies built into these systems, farmers near military bases (and elsewhere) already speak of problems with satellite-reliant platforms like GPS or GLONASS. Boats transporting commodity payloads may find their piloting systems misdirected, as is already happening with transport ships in the Black Sea — something that is likely occurring as a result of GPS-spoofing devices, which can be deployed with relative ease.
Another tool of concern is unmanned autonomous vehicles (UAVs or drones), which are being heralded as a revolutionary addition to the agricultural industry. But drones are both an incredibly lucrative market and a known vulnerability. Drones are often either produced in China or by defense contractors, making them of interest to the security and hacking communities and potentially tools of espionage. They can be hijacked, tampered with remotely to return false data, utilized as a mobile entry point for networks, and can be used to jam wireless (or cellular) networks.
Increased Likelihood of Attack
As competition for resources increase — as environmental crises spike — we can anticipate that hacking and manipulation of environmental sensors to happen in parallel. Water usage meters could be manipulated to seem as if less water is drawn than in reality, or smart systems could be used neighbor against neighbor to eliminate competition (the existing sabotage occurring in the United States poultry tournament system, or the reported seeding of infected feed through drones in China, provide evidence of the likelihood likelihood of such cutthroat activities).
Similarly, as environmental regulations increase, government entities may find their monitoring systems spoofed to fool standards. This is happening in other arenas already: in 2019 the South China Post reported that their country’s “green efforts” were being thwarted by companies changing surveillance camera footage, remotely deleting undesirable data in a sealed automatic monitoring system, and altering automatically collected data.
The value of these manipulated data sets increases with the size of the operation. The largest farm in the world is a dairy in China, with just over 22 million acres; the largest field operation (soy, in Brazil) tops out at just over 500,000. Information being collected on those farms — or the aggregate of just a few of those farms — can move commodity markets or provide valuable insight into the economy of a nation. The security of the data is only as strong as their weakest unsecured IoT device, the easily manipulated worker who clicks on a phishing link on a company computer, the veracity of their Agricultural technology platform (ATP) software, or the integrity of that company’s workers.
These are not hypothetical situations. The Department of Homeland Security has reported that at least one ATP has been approached to sell their data to commodity brokers. Verizon, which has an “end-to-end” agriculture program, identified around a dozen breaches of their agricultural clients in their past few Data Breach Investigation Reports. A vague report of criminal hacking of “critical infrastructure” organizations — including agriculture, was reported in Russia in 2018. A former Monsanto subsidiary (Precision Planting) was hacked in 2014, and the company itself believes that the hacking of the agricultural sector is inevitable. Monsanto (now owned by Bayer), and associated farmers and partners, are particularly expected to be targets of cyber attacks due to its ties with GMOs. As a company that has always been the target of those trying to steal intellectual property, its resignation is perhaps both understandable and disturbing: it is not the corporations that would most suffer should the worst case hack happen in the agricultural sector.
Food In/Security
For the past few decades we have viewed the concept of “food security” to mean access to food. But as former Chair of the National Intelligence Council Dr. Gregory Treverton notes in a paper on the global food system’s intersection at Defense and the Development sector,
U.S. intelligence and defense communities [do not] fully appreciate the importance of considering contemporary structures and functions of the world’s food systems and their implications for U.S. and global security.
Kasi calls agriculture “the weak link in national security”, and this statement is not speaking of any state in particular: all are at risk. Food is both a commodity and therefore something to be extracted, and a necessity: something that can exploited.
As we’ve learned during the Right to Repair fight, corporations — if they sense that farmers are hacking their tractors — can remotely brick their machines. But of course, these lock-downs could also occur through an exploitation of a vulnerability, bringing down a fleet of tractors.
This could disrupt an entire harvest by nations which have been isolated by choice or sanction. Russia, for example, has been on a mission to become self-sufficient in food since the 2000s, and has actually gained traction in that arena since sanctions were introduced in 2014. They also signaled a willingness to play dirty, using “information warfare” to position their own food wares as an “ecologically clean alternative” to the “dirty”, GMO-ridden US agricultural industry.
Chinese state companies are heavily invested in global agricultural arena, through direct investments and acquisitions: as per example Syngenta, the second largest biochemical company the world, or Cofco, the agricultural supply chain company present in over 70 countries. China has infrastructural and land investments all over the world. Such investment may make it seem unlikely that they would play nefariously on a system they are so embedded in, but two points lend pause. First, while China has presence and is heavily invested in other nations’ agriculture, Ag is considered “critical infrastructure” in China. There is little investment in AgTech by foreign companies within China, meaning the advances made in that nation are home-grown and harder to hack. Two, the investments and mergers themselves give the Chinese incredible ability to integrate themselves into networks, giving them access should they decide to do damage, and insights into the yields of rivals useful for manipulating the commodity market.
To be clear: our Ag supply chain is very integrated, and if any nation were to disrupt the free distribution of food it would undoubtedly hurt their population as well. But times are progressively precarious, and we seem to increasingly be playing a zero-sum game with foreign policy.
The digitization and datafication of agriculture is being treated as if it is inevitable, pushed along with all speed in the name of “feeding the world.” But let’s be clear: Every level of the supply chain in agriculture is increasingly vulnerable to cyberattack — but the people who will most suffer the consequences are not the ones creating these technologies. It’s those at the bottom of the food chain.
As I said in the Logic piece:
Hacks are inevitable when we use connected technologies; the more we become reliant upon them to bring in our harvests, the more we can be assured that these systems will be exploited.
Nations must become much more deliberate about taking proactive steps to become more food resilient, and prepare for these inevitabilities.
