CYBERSECURITY AND FOOD DEFENSE

By Robert Norton, Ph.D., Professor of Veterinary Infectious Diseases and Coordinator, National Security and Defense Projects, Office of the Senior Vice President of Research and Economic Development, Auburn University; Cris A. Young, D.V.M., M.P.H., Diplomate A.C.V.P.M., Professor of Practice, College of Veterinary Medicine, Auburn University and Adjunct Professor, College of Veterinary Medicine, Department of Pathology University of Georgia; Daniel M. Gerstein, Ph.D., Senior Policy Researcher, RAND Corporation and former DHS acting Under Secretary for Science and Technology; and Marcus (Marc) Sachs, P.E., Senior Vice President and Chief Engineer, Center for Internet Security

Avian Influenza, Food Safety Messaging, and Biosurveillance

Companies will need to think more strategically about how food safety assurance messaging must be made complimentary to traditional food safety practices

Working animal, Plant, Fawn

Image credit: STEPHANE ETIENNE/iStock/Getty Images Plus via Getty Images

SCROLL DOWN

Highly Pathogenic Avian Influenza (HPAI), or "avian flu," is a disease generally transmitted by wild and domestic avian species to other birds but also, on occasion, to other animal species. Caused by the avian influenza viruses A(H5) and A(H7), or "IAV," the disease is frequently fatal in birds, but can also cause mild to serious respiratory diseases in mammals and even sporadically in people. From January 1, 2003 to March 28, 2024, a total of 888 cases of human infection have occurred in 23 countries. Of those, death resulted in 463 cases, giving a cumulative mortality rate (CMR) of 52 percent.1 The bulk of these cases were respiratory-borne and due to "…exposure to infected poultry or contaminated environments"1 and, therefore, are not food safety related. 

The U.S. Department of Agriculture (USDA), the U.S. Department of Health and Human Services including the Food and Drug Administration (FDA), the Centers for Disease Control and Prevention (CDC), and the Office of the Assistant Secretary for Preparedness and Response (ASPR), as well as state veterinary and public health authorities are currently investigating outbreaks of A(H5N1) that have occurred among a number of dairy herds in multiple states.2 Subsequent to the findings of HPAI in the affected dairy herds, two, possibly three individuals at press time, who worked with affected herds, were diagnosed with mild cases of Avian Influenza, one just in the form of a mild conjunctivitis. At the time of this article, all had been medically resolved with no serious complications. 

FDA, in collaboration with USDA, has begun testing commercial pasteurized milk supplies. Preliminary testing did not detect any live virus in the pasteurized milk. More specifically, FDA stated, "…preliminary results of egg inoculation tests on quantitative polymerase chain reaction (qPCR)-positive retail milk samples show that pasteurization is effective in inactivating HPAI. This additional testing did not detect any live, infectious virus. These results reaffirm our assessment that the commercial milk supply is safe."3   

Raw milk, on the other hand, has been confirmed to contain live HPAI virus, and the risk to humans is specifically unknown. CDC is now posting a dashboard of Influenza A Wastewater Data,4 which represents a useful tool in understanding IAV in the ecosystem and could be an indicator for further specific surveillance. 

Given the primacy of safety and security of the food supply, new and cost-effective solutions are needed. In the current environment of geopolitical complexity and malevolent activities, companies will increasingly find it necessary to think more strategically about how food safety assurance messaging must be made complimentary to traditional food safety practices.  

Technological Solutions 

The authors here advocate the need for new technologies to address current and future food safety needs. In our previously published article, titled, "Bringing New Technologies to Bear for Biosurveillance,"5 we promoted the development of a Biosurveillance Intelligence, Surveillance, and Reconnaissance (BISR) system, which could be used to promote rapid detection and predictive analysis. BISR would consist of a layered and linked array of sensors that could begin on the ground and in aquatic systems and extend into space via satellites and other platforms.  

These sensor arrays would use hyperspectral imagery to seek out volatile organic compounds, or "volatilomes," which are associated with changes that occur previous to and during disease state development in both animals and plants. The analysis could begin with data collected at the producer level and continue through processing, through to the entire food chain, all the way to the consumer. Enabling the analysis and subsequent decision-making would be made possible through properly trained artificial intelligence (AI)-based modeling. The end result would be a safer and more secure food supply.  

“The JBS cyber-attack highlighted vulnerabilities in critical infrastructure and raised concerns about the integrity of food production processes. The fear is that such disruptions could lead consumers to question the safety and security of their food…”
Tints and shades, Monochrome photography, Black, Black-and-white, Line, Style
Monochrome photography, Parallel, Black, Black-and-white, Line, White

Evolving Threats  

Under previously defined priorities, ensuring food safety would have been enough, but no longer. Our nation's adversaries are developing sophisticated cyber weapons and malevolent techniques that could target the proposed BISR system and other food safety systems and databases in an attempt to compromise the data. These same nation-state and criminal organizations and activist adversaries could also directly target food companies, their employees, and even consumers in an attempt to convince them that the food supply is not safe. Coordinated, malevolent efforts could come in multiplicity of sophisticated forms.  

The 2021 cyber-attack on JBS,6 a major global meat processing company, is a stark reminder of how foreign threat actors can and will target the food sector, potentially undermining consumer confidence in the safety and reliability of the food supply. JBS was hit by a ransomware attack attributed to REvil, a sophisticated criminal group with possible links to Russia. The attack led to the temporary shutdown of JBS operations in the U.S., Canada, and Australia, significantly disrupting the meat supply chain.  

This incident highlighted vulnerabilities in critical infrastructure and raised concerns about the integrity of food production processes. The fear is that such disruptions could lead consumers to question the safety and security of their food, as the attack demonstrated the potential for cyber criminals to interfere with food supply chains, potentially leading to contamination or scarcity. The attack also underscored the broader implications of cybersecurity weaknesses in essential industries within the food sector and the need for robust measures to protect against such threats, particularly at times when other food safety and health issues are emerging. 

In another article by the authors entitled, "Malevolent AI: Navigating the Shadows of Technology Advancement in the Food Industry,"7 we discussed how malign actors could use the increasingly powerful tools of AI to target companies. Given the evolving threats, food companies will also need to consider in the present and future how to protect themselves against the newest form of threat from these AI tools—"mind hacking."   

What this means is that in the rapidly evolving landscape of food safety, traditional defenses focusing on compartmentalized biological, physical, cyber, and information security are no longer sufficient. As digital infrastructures become more complex, the threat landscape expands, encompassing not only technical vulnerabilities but also human cognitive processes. Cognitive security, a relatively new frontier, addresses the manipulation of human perception and decision-making through misinformation, disinformation, and psychological operations. Our nation and its critical infrastructures, including food and agriculture, are in the early stages of a "hybrid world war" that, at a minimum, will include, "…mind war [overwhelming your enemy with argument], psyops [psychological operations], and cognitive warfare."8 The resulting cognitive threats can and will have far-reaching impacts, from undermining trust in institutions to influencing public opinion and behavior on a massive scale.  

Coordinated efforts are needed to protect not just our systems and data, but also the minds of individuals who interact with these technologies, including the consumer. By combining robust cyber defenses with strategies to counter cognitive threats, organizations can better safeguard against the full spectrum of emerging modern threats. This holistic approach requires collaboration across disciplines, leveraging expertise in psychology, information technology, and security to develop resilient defenses. Future articles will delve deeper into the mechanisms of cognitive security, exploring its implications and strategies for effective protection of the food industry. 

“Everything within the food supply is interconnected. Disruption in any portion of the food chain causes cascading effects.”
Tints and shades, Monochrome photography, Black, Black-and-white, Line, Style
Monochrome photography, Parallel, Black, Black-and-white, Line, White

Coordination of Efforts Between Business and Government 

Coordination across the biodefense national enterprise must become a top priority. The National Blueprint for Biodefense, published in April 2024 by the Bipartisan Commission on Biodefense, highlights shortfalls and makes recommendations to improve the situational awareness from the federal to the state, local, tribal, and territorial (SLTT) stakeholder community.9 Necessary measures identified in the Blueprint include developing and implementing a national diagnostics plan, having rapid point-of-care diagnostics, and investing in ubiquitous and multiplexed detection capabilities.   

Improving governance across the U.S. national biodefense enterprise also implies having agreements in place regarding the sharing of information. The National Blueprint for Biodefense recommends having a "public health data infrastructure and collection during biological emergencies."9 This recommendation responds to our demonstrated inability to share data efficiently in real time across the stakeholder community during biological emergencies, as evidenced during the COVID-19 pandemic. It includes interfacing effectively and in a timely manner with international authorities and partners.  

Government and industry should coordinate closely on all aspects of biosurveillance. Coordination through the critical infrastructure sector coordinating committees supports the development, planning, and implementation of the preparedness, response, and mitigations for a significant biological event.10 Training and exercises should be used to refine readiness, identify weakness, and take corrective measures. This planning should include identifying the triggers that signify the progression of the biological incident and the responses and mitigations that should be made during the incident.  

Biosurveillance and the sharing of biosurveillance data is inherently a complex issue. The tenth amendment of the U.S. Constitution designates "all government powers not specifically designated to the federal government" to the states and the people.11 Public health is an area not so designated and, therefore, remains the purview of the states.  

As a result,  

"State health agencies collect and analyze information; conduct inspections; plan; set policies and standards; carry out national and state mandates; manage and oversee environmental, educational, and personal health services; and assure access to health care for underserved residents; they are involved in resources development; and they respond to health hazards and crises."11

It is this fact of history that continues to hinder efforts to establish an overarching U.S. biosurveillance system. This means that the federal government must incentivize states to share their biosurveillance data, rather than direct that this data-sharing occurs. Demonstrating the value add of such data-sharing, including incorporating new technologies or concepts for biosurveillance such as BISR, could make data-sharing and participating in a national biosurveillance program more attractive to the SLTT.  

The authors have pointed out in several articles that the food industry needs a robust and comprehensive Information Sharing and Analysis Center (ISAC)12–17 that can serve the entire sector beyond just a handful of the largest corporations. Our adversaries will target all levels of the food supply chain, from growers and producers to retailers and consumers. Everything within the food supply is interconnected. Disruption in any portion of the food chain causes cascading effects. Information-sharing about security and safety issues is not a violation of anti-trust laws and should be encouraged across the sector. A stronger partnership of information-sharing is needed among the government, private-sector businesses, and consumers to better understand the current impact of avian influenza, potential other biological threats, and the probable impact of AI on food safety messaging. 

References

  1. World Health Organization (WHO). "Human Infection With Avian Influenza A(H5) viruses." April 12, 2024. https://cdn.who.int/media/docs/default-source/wpro---documents/emergency/surveillance/avian-influenza/ai_20240524.pdf?
  2. U.S. Department of Agriculture (USDA). Animal and Plant Health Inspection Service (APHIS). "Highly Pathogenic Avian Influenza (HPAI) Detections in Livestock." Last modified May 31, 2024. https://www.aphis.usda.gov/livestock-poultry-disease/avian/avian-influenza/hpai-detections/livestock
  3. U.S. Food and Drug Administration (FDA). "Updates on Highly Pathogenic Avian Influenza (HPAI): Ongoing Work to Ensure Continued Effectiveness of Federal-State Milk Safety System: What's New." https://www.fda.gov/food/alerts-advisories-safety-information/updates-highly-pathogenic-avian-influenza-hpai#new.  
  4. Centers for Disease Control and Prevention. "Influenza A Virus Wastewater Data" Updated May 30, 2024. https://www.cdc.gov/nwss/wastewater-surveillance/Flu-A-data.html
  5. Norton, R.A., C.A. Young, and D.M. Gerstein. "Bringing New Technologies to Bear for Biosurveillance." Food Safety Magazine. April 23, 2024. https://www.food-safety.com/articles/9424-bringing-new-technologies-to-bear-for-biosurveillance
  6. USDA. "Statement from the U.S. Department of Agriculture on JBS USA Ransomware Attack." June 1, 2021. https://www.usda.gov/media/press-releases/2021/06/01/statement-us-department-agriculture-jbs-usa-ransomware-attack
  7. Norton, R.A., M. Sachs, and C.A. Young. "Malevolent AI: Navigating the Shadows of Technology Advancement in the Food Industry." April 10, 2024. Food Safety Magazine. https://www.food-safety.com/articles/9385-malevolent-ai-navigating-the-shadows-of-technology-advancement-in-the-food-industry
  8. Personal communication with a retired government official. 
  9. Bipartisan Commission on Defense. The National Blueprint for Defense. May 2024. https://biodefensecommission.org/reports/the-national-blueprint-for-biodefense/.  
  10. U.S. Cybersecurity and Infrastructure Security Agency (CISA). "Critical Infrastructure Sectors." https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors
  11. Institute of Medicine (U.S.) Committee for the Study of the Future of Public Health. The Future of Public Health: "Appendix A, Summary of the Public Health System in the United States." Washington D.C.: National Academies Press, 1988. https://www.ncbi.nlm.nih.gov/books/NBK218218/
  12. Norton, R.A. and M. Sachs. "What Exactly is 'Information Sharing?'" Food Safety Magazine. June 12, 2023. https://www.food-safety.com/articles/8670-what-exactly-is-information-sharing
  13. Norton, R.A. and M. Sachs. "Cybersecurity and Food Defense: Establishing an ISAC for the Food and Agriculture Sector." Food Safety Magazine. April 10, 2023. https://www.food-safety.com/articles/8488-cybersecurity-and-food-defense-establishing-an-isac-for-the-food-and-agriculture-sector
  14. Norton, R.A. and M. Sachs. "An Information Sharing and Analysis Center for the Food and Agriculture Sector." Food Safety Magazine. February 6, 2023. https://www.food-safety.com/articles/8325-an-information-sharing-and-analysis-center-for-the-food-and-agriculture-sector.  
  15. Norton, R.A., M. Sachs., and C.A. Young. "A Future View of AI-Enhanced Biosurveillance and Comprehensive Food Safety Programs." Food Safety Magazine. December 12, 2023. https://www.food-safety.com/articles/9110-a-future-view-of-ai-enhanced-biosurveillance-and-comprehensive-food-safety-programs.  
  16. Norton, R.A. and M. Sachs. "Cybersecurity and Food Defense: Bridging Information Flow Between Business and Government." Food Safety Magazine. October 9, 2023. https://www.food-safety.com/articles/8943-cybersecurity-and-food-defense-bridging-information-flow-between-business-and-government
  17. Norton, R.A. and M. Sachs. "Cyber Threats Impacting the Food and Agriculture Sector." Food Safety Magazine. August 8, 2023. https://www.food-safety.com/articles/8800-cyber-threats-impacting-the-food-and-agriculture-sector

Robert Norton, Ph.D. is a Professor and National Security Liaison in the Office of the Vice President of Research and Economic Development at Auburn University. He specializes in national security matters and open-source intelligence, and coordinates research efforts related to food, agriculture, and veterinary defense. 

Cris A. Young, D.V.M., M.P.H., Diplomate A.C.V.P.M., is a Professor of Practice at Auburn University's College of Veterinary Medicine and an Adjunct Professor at the College of Veterinary Medicine at the University of Georgia's Department of Pathology. He received his D.V.M. from Auburn University's College of Veterinary Medicine in 1994. He completed his M.P.H. at Western Kentucky University in 2005 and is a Diplomate of the American College of Veterinary Preventive Medicine.  

Daniel M. Gerstein, Ph.D.,  is a Senior Policy Researcher at the RAND Corporation, a nonprofit, nonpartisan research institution, as well as a Professor of Policy Analysis at Pardee RAND Graduate School. He formerly served as the Under Secretary (acting) and Deputy Under Secretary in the Science and Technology Directorate of the Department of Homeland Security from 2011–2014.  

Marcus (Marc) Sachs, P.E. is the Senior Vice President and Chief Engineer at the Center for Internet Security. He is a retired U.S. Army Officer and was a White House appointee in the George W. Bush administration. His private sector experience includes serving as the Deputy Director of SRI International's Computer Science laboratory, as the Vice President for National Security Policy at Verizon Communications, as the Senior Vice President and Chief Security Officer of the North American Electric Reliability Corporation (NERC), and as the Chief Security Officer of Pattern Computer. He was also the Director of the SANS Internet Storm Center and has co-authored several books on information security. He holds degrees in civil engineering, computer science, and technology commercialization, and is a licensed Professional Engineer. 

AUGUST/SEPTEMBER 2024

Font, Line, Text