The government isn’t ready for cyber chaos in the food and agriculture sector

The nightmare scenarios are numerous: Desiccated farms menaced by out-of-control tractors. Meatpacking plants silently overrun by diseased animals. Trucks clogging highways for hours, their cargo areas full of rotting food.

The U.S. Department of Agriculture is supposed to prevent these disasters by helping the food and agriculture sector protect its infrastructure from physical threats and cyberattacks. But in an era of growing digital dangers, USDA is woefully unprepared to play that role, according to policymakers, independent experts and even the department’s own warnings to Congress.

USDA has assigned this critical mission to a small, underfunded office that also handles a range of other tasks. Department leaders rarely discuss the acute cyber threats facing the food and agriculture sector — which accounted for more than 5% of the U.S. economy and roughly 10% of U.S. jobs last year — and it’s unclear if the department has meaningfully reduced those threats.

While other agencies tasked with protecting vital infrastructure have aggressively confronted cyber challenges, USDA has shown little of the same urgency, even as its industry partners grow increasingly worried about their digital vulnerabilities.

Food and agriculture has avoided the cybersecurity spotlight so far because hackers are focused on more valuable targets elsewhere. But that won’t last forever. And the 2021 ransomware attack on the meat-processing giant JBS — which shuttered plants across the country and threatened to jolt beef prices — was a wakeup call to many in the sector about how bad things could get.

“We're dodging a bullet right now,” said Mark Montgomery, senior director of the Center on Cyber and Technology Innovation at the think tank Foundation for Defense of Democracies. “This sector is currently not the focus of ransomware and cyber-criminal behavior… but their time in the target set is coming.”

And when that happens, he said, “the Department of Agriculture will fail the sector if they don't get their focus on this immediately.”

‘It’d be awful’

The cyber risks to food and agriculture have increased dramatically over the past decade as automation has become more pervasive throughout the industry. With the rise of precision agriculture, GPS signals guide tractors, cloud-connected iPads dictate planting patterns, drones (some of them made in China) scout and spray crops and computers dispense feed to livestock. This automation extends beyond producers to the processors that prepare food and the distributors that bring it to supermarkets.

But these technological advances occurred before cyberattacks on critical infrastructure were commonplace, so the new systems weren’t designed with security in mind — raising serious concerns about the safety of the U.S. food supply.

Cyberattacks on the food system could take many forms. One of the most serious threats involves manipulating food safety data, either to suppress information about a food-born illness or to manufacture evidence of one.

“One of my big fears is that hackers could corrupt crop and livestock health information to mimic a disease outbreak or to suppress [awareness of] a disease outbreak,” Montgomery said. “Either way, the health inspectors would take months to confirm.… We [might] be slaughtering livestock inappropriately. It'd be awful. And food prices would soar, it would impact foreign trade — I mean, it'd be quite the event.”

Hackers could also sabotage a food-processing facility to interrupt the supply of key goods. The JBS ransomware attack highlighted the risks of consolidation in the U.S. meatpacking industry, a problem that exists in many other corners of the food and agriculture sector.

A 2021 ransomware attack on the meat-processing giant JBS shuttered processing plants across the country. Image: Unsplash+/Getty

Cyberattacks could also strike internet-connected combines and tractors, causing them to go haywire and forcing farmers to revert to time-consuming manual operations. Or hackers could tamper with the computers that control seed fertilization and livestock feeding, potentially damaging crops or poisoning animals.

Attacks on trucking logistics software could snarl the food-distribution system by crippling automated route planning, in much the same way that recent air-traffic-control system outages grounded flights nationwide. That kind of attack “would slow down and disrupt the delivery of food to the point of inefficiency and wastage [and] spoilage,” Montgomery said.

Some of these attacks would be obvious right away, but others wouldn't. “If I disrupt the planting cycle in the spring, it could be a few months before we start to see the impact of that,” said Marcus Sachs, senior vice president and chief engineer at the Center for Internet Security, a cyber nonprofit.

So far, the sector has largely escaped unscathed. The recently launched Food and Agriculture Information Sharing and Analysis Center tracked 167 ransomware attacks last year, none of which caused widespread chaos.

But experts don’t credit that to USDA.

Reluctant to embrace a role

Of the government’s nine Sector Risk Management Agencies (SRMAs) that help protect elements of U.S. critical infrastructure, USDA’s investment in this work may be the smallest.

USDA’s SRMA responsibilities fall under the Office of Homeland Security, which has a $1 million budget and 55 employees and is responsible for much more than just the SRMA mission. (USDA shares this mission with the Food and Drug Administration, but the FDA focuses on food safety, not cybersecurity.) That $1 million pales in comparison to the SRMA budgets at the departments of Energy ($200 million), Health and Human Services ($305 million) and the Treasury ($16.5 million).

“I just don’t think they’re properly resourced, I don't think they're properly organized,” Montgomery said. “And while they do have good relationships in areas outside cybersecurity, they haven't leveraged them yet to get cybersecurity right.”

Montgomery blamed USDA for its funding woes, saying its recent budget requests “are really lowballing this problem.” But a Democratic staffer on the House Homeland Security Committee, who requested anonymity to speak candidly, said that “in terms of building up a strong capacity, I don't think Congress has positioned them particularly well.”

The biggest problem, experts say, is cultural: USDA still doesn’t really see itself as an SRMA. “Cybersecurity has just not been one of their big priorities,” Sachs said.

Critics say cybersecurity hasn't been a key priority or funding area for the USDA. Image: JSquish via Wikimedia Commons (CC BY-SA 3.0)

“Frontline USDA staff would love to help with cyber more,” said Stephen Streng, a University of Minnesota researcher who has studied food security, “but agency leadership doesn’t feel cyber is their job… and important enough to spend scarce resources on.”

USDA lags behind other departments in offering services like robust classified intelligence sharing, regular threat assessments and rigorous exercises. “They're not meeting the basic tenets” of SRMA requirements, Montgomery said.

This lack of support is especially glaring because USDA funds a nationwide network of agricultural advisers at land-grant universities who help producers with everything from keeping their pigs healthy to planting their corn straight. Experts urged USDA to incorporate cyber outreach into this program, which is widely trusted by rural producers who might otherwise be leery of advice from Washington. “They're just missing this huge opportunity,” Sachs said.

USDA declined interview requests for this story. A spokesperson said the department is “committed to continuing to enhance and improve our cyber capabilities, promote cyber awareness among the sector, and raise the cyber profile for the industry, despite the lack of funding allocated for this purpose by Congress.”

The department provides biweekly email updates, meets periodically with sector leaders, and organizes threat briefings. Clay Detlefsen, senior vice president of regulatory and environmental affairs at the National Milk Producers Federation, said USDA has helped enlist federal experts to speak at his group’s cyber webinars. And when the government discovered pro-Russian hacktivists targeting the sector earlier this year, Detlefsen said, USDA “brought a couple of my coworkers and myself in immediately to discuss the situation.”

USDA consulted with industry partners this summer on a risk assessment required under a recent presidential memorandum, said Scott Algeier, executive director of the food and agriculture ISAC. “That was a really productive conversation,” he said.

The department is “doing well” in its role as “a policy coordinator and collaborator and convener,” Algeier said, while leaving cyber work to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).

Growing interest in a fix

As cyber risks metastasize across the industry, government leaders are paying more attention.

In August, more than 400 people attended an FBI conference in Nebraska about cyber threats to farming. In April, the government’s massive biennial “Cyber Storm” exercise focused on food and agriculture for the first time. And in January, bipartisan groups of House and Senate lawmakers introduced the Farm and Food Cybersecurity Act, which would require USDA to conduct threat assessments and exercises.

USDA is “late to the game,” said Rep. Brad Finstad (R-Minn.), one of the House bill’s sponsors. “Agriculture is so much more dependent now than ever before on technology.”

More tasks will require more funding. In its latest budget proposal, USDA requested $500,000 for SRMA work. Without this money, “USDA is unable to conduct these SRMA responsibilities,” the department warned, “which could have a significant impact on the safety and security of U.S. agriculture.” House Republicans have proposed giving USDA $225,000 for SRMA duties.

Nearly two years after President Joe Biden issued a memorandum on food and agriculture security, the White House is evidently concerned about USDA’s readiness. In April, the Office of the National Cyber Director dispatched one of its senior advisers, Stephen Viña, to help USDA build out its capabilities. “They wouldn’t have loaned somebody out from ONCD if they didn't think they needed to be beefing things up,” the House Homeland Security Committee staffer said.

Experts pointed to several SRMAs that USDA could emulate, including DOE, with its senior leadership engagement and robust industry grants, and TSA, with its ambitious digital security regulations. Sachs said USDA’s longtime commitment to food safety offered a strong starting point for focusing on food security.

Everyone agrees that safeguarding the food supply is a national imperative. “Hungry bellies make uneasy people,” Finstad said.

And while criminals and spies may be focused on hospitals and power plants for now, Montgomery said, time is running out for policymakers to step up.

“This is a problem one or two years from now,” he said. “They need to treat this with a significant sense of urgency [and] get the resources onto it.”