Part II: Robust defenses

R.A. Norton, Ph.D.

Part 1 discusses threats posed by the Russians as a potential adversary to the United States and its allies. Part 2 explores how the food and agriculture industries should plan their defenses.

In light of Vladimir Putin’s recent bellicosity (claiming military superiority because of newly developed weapons systems), does Russia pose a real and actual threat to the U.S. food supply and plant and animal agriculture? Simply put, yes, but that answer requires a deeper dive to understand the depth and breadth of the threat. In any assessment of Russia, one must calculate the influences of history. Three important points:

  • Russia well understands hunger as a weapon of war. Russians have lived the realities of hunger wrought by invaders over the centuries and are obsessed (read Leningrad) with its potential effects on their nation.
  • Russia is always bellicose, always the bully and intimidator. That is in part how Russia built the Soviet Union. The strategy actually worked from the end of World War II through the Cold War and up to the last days in 1991 when the Berlin Wall began to fall.
  • Vladimir Putin is a former KGB agent, child of the Cold War and a closet Soviet Unionist who deeply resents the triumph of the West over the Soviet empire. Besides being a likely billionaire, Putin is also an exceedingly dangerous man and holds sway over the real powers in Russia, the military and the main executive government body, the Russian Council of Ministers. No one crosses Vladimir Putin and lives, as several political opponents learned. Russia never claims responsibility when opponents are killed, but the message is very clear.

Potential attack scenarios:

When thinking about possible attacks on U.S. food and agriculture, two scenarios have to be considered. The first and least likely is a Hot War Scenario, in which Russia and the U.S. have actually come to military blows. Military resources would be utilized at almost unimaginable rates by both sides, rapidly depleting Russian capabilities on the battlefield. Neither side would be expected to utilize doomsday intercontinental missiles, since that would lead to the end of the world as we know it. For a variety of reasons, this scenario seems highly unlikely.

Other less catastrophic scenarios must be considered, however. The more probable scenario would result from significant frictions between world powers—not exactly war, but not exactly peace. We are currently in such a Warm War period, characterized by smaller and more indirect clashes creating a façade of plausible deniability. Rightly or wrongly, Russia sees itself as surrounded by hostile forces. Since Russia does not have the ability to sustain military or diplomatic superiority, it has chosen smaller, more “asymmetric” confrontations with the U.S.

What does asymmetric warfare mean to food and agriculture? 

Asymmetric warfare is characterized by attacks on vulnerabilities and weaknesses. If this sounds obvious, it should; it is a characteristic of war since men first threw rocks and spears at each other. The term has fallen out of favor with the military, but is appropriate when talking about critical infrastructures such as food and agriculture and refers to the strategies used to either exploit an existing vulnerability or create a new one. Asymmetry actually refers as much to the opponents as it does the tactics, with one opponent markedly more powerful than the other.

Large-scale Russian chemical or biological attacks on the food supply and/or agriculture are highly unlikely except in time of war, given our ability for attribution and retaliation. In the meantime, Russia could conceivably use a proxy (a third party) to deliver a chemical or biological agent, but would risk identification as the source. Such an attack during peacetime might be limited in scope or target an individual, as was done in the recent chemical attack in the UK. Food and agriculture should prepare themselves for this low-probability but high-consequence scenario by learning about Category A, B and C bioterrorism agents and diseases. A list can be found on the CDC website under “Emergency Preparedness and Response.”

Smaller scale, asymmetric attacks will most likely begin and end in the cyber domain. Food and agriculture businesses, as critical infrastructure, are real targets for the Russian government as evidenced by a recent U.S. Computer Emergency Readiness Team alert describing Russian cyber activity targeting energy and other crucial infrastructure. The alert said that DHS and the FBI characterize this as a multi-stage intrusion campaign by Russian government cyber actors targeting small commercial facilities’ networks. Tactics, Techniques and Procedures (TTPs) used by the Russians included:

  • Spear-phishing emails (from a compromised legitimate account),
  • Watering-hole domains,
  • Credential gathering,
  • Open-source and network reconnaissance,
  • Host-based exploitation, and
  • Targeting industrial control system (ICS) infrastructure.

The alert said the “threat actors”—aka hackers—appeared to have deliberately targeted organizations rather than pursuing them as targets of opportunity. They sought out a great deal of organizational information before launching targeted spear-phishing attempts.

Companies must protect their systems, but also train employees to recognize the telltale signs of a spear-phishing attempt. Employees should not be allowed to do any non-work related web activities, nor should be allowed to use company email systems for personal activities, on or off the clock. Russian hackers are very good at what they do, and are able to make nefarious communications look like they came from the targeted company.

Companies large or small should become members of the Critical Infrastructure Cyber Community, C3 (pronounced “C Cubed”). The C³ Voluntary Program was created to improve the resiliency of companies’ cybersecurity systems by supporting adoption of the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework and helps by connecting organizations to existing cyber risk management capabilities provided by DHS, other U.S. government organizations, and the private sector.” Companies considering membership in C3 should ask their insurance carriers to determine if adoption of the NIST Cybersecurity Framework will lower cyber insurance rates.

Personnel, particularly those traveling internationally, should stay as anonymous as possible by avoiding ostentatious spending or actions. If threats or even suspicions of threats emerge while traveling internationally, immediately contact the nearest U.S. embassy. Foreign security firms vary significantly in quality, depending on the country. Some will have ties to the Russian government and must be avoided. Therefore, it is imperative that before security firms are utilized they be vetted through private enquiries by other security companies, as well as the State Department and the FBI. Larger international firms, such as those based in the U.S. and the UK, often have foreign assets in place, and these should be used whenever possible, rather than using firms located in the countries being traveled. Security investment costs are high, but economizing on personnel security is not wise. Buy the best and consider it an investment.

Robert A. Norton, Ph.D., is chair of the Auburn University Food System Institute’s Food and Water Defense Working Group (aufsi.auburn.edu/fooddefense). He is a long-time consultant to the U.S. military and federal and state law enforcement agencies and is editor of Bob Norton’s Food Defense Blog (aufsi.auburn.edu/fooddefense/blog/). He can be reached at nortora@auburn.edu or by phone at 334.844.7562.