The White House similarly advised all companies on Thursday to harden their defenses, including by installing the latest software updates and requiring extra authentication for anyone logging onto their systems.
Meyers, from CrowdStrike, said seriousness with which cybersecurity is regarded varies “depending on who you’re talking to in the ag industry.” He said multinational conglomerates that have intellectual property worth protecting make it a priority, but “as you get down the food chain, so to speak, they probably think about it less seriously.”
The JBS hack “is the big wake-up call for all these small, medium and large businesses. You can’t stick your head in the sand, and hope it’s not going to happen to you because it is,” Meyers said. “You need to be prepared, and you need to get yourself ready to fight. Because if you don’t, you’re going to be paying a ransom and somebody’s going to be eating your lunch.”
A call for Congress to act
Congress may need to step in to help fix the situation, said Crawford, the House member from Arkansas, who reintroduced legislation earlier this year that would establish an intelligence office within USDA. The office would serve as a conduit for the department to keep farmers informed of threats to their livelihood, including espionage and cyber operations by malign actors.
A key reason the industry isn’t prepared against dangers like ransomware is that the U.S. intelligence community hasn’t considered the national security threats to agriculture as much as it should, Crawford argued.
He added that communication must go both ways: Companies need to have their cyber experts share what they see with their government counterparts. No such requirements exist for the food and ag industry.
“What I would advise the private sector to do is be proactive on these things as possible,” according to Crawford, who is organizing a “business intelligence and supply chain integrity” forum this summer that will feature cybersecurity experts, government officials and representatives from the clandestine community to educate local businesses about digital threats.
USDA has not proposed any significant policy changes following the JBS attack, instead asking food and agriculture companies to take voluntary steps to safeguard their IT and infrastructure from cyber threats. Vilsack on Thursday pointed to guidelines from DHS’ Cybersecurity and Infrastructure Security Agency that companies can adopt for their own protection.
There’s no shortage of policy recommendations from experts in the field. Most proposals involve educating industry leaders and employees, setting minimum standards for cyber safety or improving coordination between companies and agencies.
Another step recommended by the Food Protection and Defense Institute: USDA and DHS should work with the industry to create a cyber threats clearinghouse — known as an “information sharing and analysis center” — to collaborate on studying and addressing digital risks.
Other critical industries, including the electricity and financial sectors, already have their own ISACs, but the food industry does not. Instead, some food and ag companies have joined a broader information-sharing group that covers the information technology industry, said Scott Algeier, executive director of the IT-ISAC.
“They wanted to engage with other companies but did not have an ISAC. So they applied to us,” said Algeier, whose organization also provides a threat-sharing forum for the elections industry.
The nonprofit Internet Security Alliance has called for federal grants and other incentives for food companies to step up their cyber defenses.
“Increasing cybersecurity will cost money, and finding the additional funding will not be simple for the sector since it is governed by tight margins and faces a highly competitive world market,” the group wrote on its website.
Helena Bottemiller Evich contributed to this report.