The Dangerous Weak Link in the US Food Chain

Algeier says the IT-ISAC has hosted exercises focused on the food and agriculture sector and that “members can reach out to us 24/7 if needed.”

But the sector needs its own ISAC that can “analyze the threat and provide a true operational assessment,” says Brian Harrell, a former assistant director for infrastructure security at the US Cybersecurity and Infrastructure Security Agency (CISA).

Pfluger says, “Plenty of folks I’ve spoken with think there needs to be a dedicated ISAC.”

Companies also need more support from the federal government.

The US Department of Agriculture, the industry’s sector risk management agency, is “significantly less effective” than other SRMAs, Montgomery says. The USDA doesn’t even have dedicated funding for its security support, which includes biannual sector-wide meetings, weekly threat bulletins, and occasional town halls.

“As the cybersecurity threats and vulnerabilities continue to grow, USDA is unable to conduct these SRMA responsibilities, which could have a significant impact on the safety and security of US agriculture,” the department said in its fiscal year 2024 budget proposal, which for the first time requested $225,000 for this work.

By comparison, the Energy Department requested $245 million for its Office of Cybersecurity, Energy Security, and Emergency Response.

USDA has shown “very little interest” in cybersecurity, says Sachs, who has tried to prod officials into action.

Allan Rodriguez, a USDA spokesperson, says the agency and the FDA work closely with CISA, the FBI, and the private sector. Eric Goldstein, CISA’s executive assistant director for cybersecurity, says his agency is working with USDA and other partners “to improve cybersecurity across the sector and build resilience to cyber disruptions.”

Washington Takes Notice

Fortunately, there’s a growing sense of urgency inside the US government to protect the nation’s tractors, fertilizer, milk, and chickens from hackers.

Pfluger’s bill, the Food and Agriculture Industry Cybersecurity Support Act, would create new federal resources for companies, require improved coordination between government and industry, and launch a Government Accountability Office review of the sector’s situation, including whether an ISAC is necessary. Pfluger says he’s “very optimistic” about the prospect for his bill, which two Republicans and one Democrat have cosponsored.

The White House is also taking action. Last November, President Joe Biden signed a memorandum on “the security and resilience of United States food and agriculture” that ordered up a suite of threat reports, risk reviews, and vulnerability assessments addressing physical and cyber challenges. Agencies have completed an initial assessment that was due in January and are finalizing an interim review that was due in March, according to DHS spokesperson Ruth Clemens.

In the meantime, experts say the government could better use its existing programs to help.

The USDA’s Cooperative Extension Service partners with land-grant universities and community organizations to provide agricultural training and guidance to farmers across the US. Sachs encourages USDA to leverage the trusted relationships that farmers have with their local extension agents to promote best practices on cybersecurity.

Sachs and his colleagues are even considering helping a coalition of land-grant universities launch an ISAC that would both facilitate information sharing and prepare students to enter the food and agriculture workforce with key cyber skills.

Whether or not the sector forms an ISAC, there’s widespread agreement that more must be done to counter the growing array of threats endangering these companies and the hundreds of millions of people who rely on them for basic sustenance.

“One vulnerability and attack,” Pfluger says, “can lead to catastrophe for everyone downstream.”