CYBERSECURITY AND FOOD DEFENSE

By Robert Norton, Ph.D., Professor of Veterinary Infectious Diseases and Coordinator, National Security and Defense Projects, Office of the Senior Vice President of Research and Economic Development, Auburn University; and Marcus Sachs, P.E., Deputy Director for Research, McCrary Institute for Cyber and Critical Infrastructure Security, Auburn University

Bridging Information Flow Between Business and Government

The most important role of a Food and Agriculture Information Sharing and Analysis Center (FA-ISAC) is to facilitate the flow of information between industry and government entities

Image credit: Outflow Designs/iStock / Getty Images Plus via Getty Images

In our modern world, where everything is connected, sharing information is extremely important to protect the food and agriculture industries and ensure the availability of a steady and safe food supply. This article is part of a series that discusses the important functions of a proposed Food and Agriculture Information Sharing and Analysis Center (FA-ISAC) in establishing a link between businesses and the government. By focusing on the use of publicly accessible information and intelligence related to national security, we explore how the FA-ISAC can promote "active collaboration," reinforce cybersecurity and other security measures, and ultimately strengthen the ability of the food and agriculture industries to withstand challenges and threats.

Definitions

Before discussing information sharing and business-government collaboration, it is important to establish a few definitions:

  • Active Collaboration is the concept of information sharing between the food and agriculture sector and the government.
  • Publicly Available Information (PAI) is the sum of information and data available to the public without the need for special qualifications, permissions, and/or privileges. Examples of PAI include information available via the internet, media, public government data, professional and academic publications, commercial data, commercial imagery, financial and industrial assessments, and public databases. It also includes "gray literature" such as technical reports or patents, as well as technical data such as IP addresses, public domain name information, or open devices on the internet including Internet of Things (IoT) devices. The amount of available PAI is truly staggering. Estimates now exceed 44 zettabytes, with more data being added every second of every day. (A zettabyte is 10^21 bytes. That's one trillion gigabytes.)
  • Open Source Intelligence (OSINT) is the collection and analysis of PAI and openly available data.
  • Proprietary Information (PI) is that information developed by companies that may be associated with products, business, or business-related activities, including but not limited to financial information, data or statements, recipes and formulas, product research and development, existing and future product designs and performance specifications, marketing plans or techniques, schematics, client lists, computer programs, processes and settings, as well as know-how that has been clearly identified and properly marked by the company as proprietary information, trade secrets, or company confidential information.

Additional definitions will be introduced in this article as needed.

Information Sharing in Perspective

The proposed FA-ISAC serves as a collaborative platform to connect private-sector entities, academia, and relevant government agencies. It consists of various elements such as infrastructure, hardware, virtual components, analysts, and subject matter experts (SMEs). The primary objective of the FA-ISAC is to generate "actionable information" that provides timely insights to support decision-making across all levels of the sectors involved.

Like a highway bridge, the flow of information in the FA-ISAC must occur in both directions. It must also provide a secure environment where sector data and insights can be shared and anonymized, allowing for the development of best practices, problem solutions, and threat intelligence warnings. This collaborative approach enables businesses and government collaborators to proactively address cybersecurity and other security threats and challenges. This is what we call "active collaboration."

The FA-ISAC also acts as a mediator, building trust by bridging the gaps between industry stakeholders, academia, and regulatory bodies like the U.S. Department of Agriculture (USDA) and the U.S. Food and Drug Administration (FDA). Through this role, it ensures the protection of disseminated information and company-specific private information. Additionally, the FA-ISAC promotes cooperation with the Department of Defense (DOD) and various law enforcement organizations and intelligence agencies at the local, state, tribal, and federal levels. Academic collaboration involves engaging SMEs who are trusted third parties, respected by both sectors and the government.

By facilitating communication, sharing knowledge, and promoting cooperative efforts within and between sectors—including other sector-specific ISACs like the Electricity ISAC or the Financial Services ISAC—the FA-ISAC can play a crucial role in educating state and federal policy or rule-makers. It can also assist in the development of sector-specific best security practices. These collective efforts contribute to enhancing food safety, promoting sustainable practices, and improving the financial wellbeing of these sectors as a whole.

Intelligence Activities—Government and Business Related

National security intelligence (NSI) refers to the activities conducted by the federal government to understand, influence, and defend against adversarial entities. These activities ensure the protection of our nation and enable government leaders to make informed decisions in countering threats.

On the other hand, business-related intelligence (BRI) activities are conducted by private entities and corporations, serving similar functions. However, BRI activities are subject to different federal rules and regulations and primarily support decision-makers in the private sector. NSI and BRI are distinct but closely related, as both aim to provide better insights into ongoing and emerging threats, ultimately enhancing the protection of sectors and the nation.

NSI encompasses five types of activities: human intelligence (HUMINT), signals intelligence (SIGINT), imagery intelligence (IMINT), measurement and signatures intelligence (MASINT), and open source intelligence (OSINT).

BRI-related activities can utilize civilian versions of SIGINT, IMINT, MASINT, and OSINT in similar ways. However, HUMINT is largely prohibited in the private sector. Unfortunately, many businesses lack the necessary infrastructure, analysts, subject matter expertise, and technological resources to engage in these valuable activities. This is where the FA-ISAC comes in, providing customized services, reports, and analyzed data summaries to fill these gaps in an economical and efficient manner.


Federal Protection of Business-Related Information

Compliance with federal laws and regulations is of utmost importance when it comes to information collection and sharing. This is essential to safeguard the users and protect sensitive information.

It is important to note that the following information does not cover all federal laws that may impact information gathering or sharing. Companies should always consult legal counsel before engaging in any interactions or sharing information with state and federal authorities.

Various regulations specified in the Code of Federal Regulations (CFR) can have an impact on information sharing among the government, businesses, and the public. For instance, a portion of 7 CFR 1 is related to the implementation of the Freedom of Information Act (FOIA), which governs the release and sharing of specific information by the government to the public. Certain information originating from the sectors is also protected under the Critical Infrastructure Information Act of 2022 (CII Act) due to their status as Critical Infrastructures.

Furthermore, specific sections of 9 CFR 160 partially govern the sharing of confidential business information acquired by the U.S. Department of Agriculture's Food Safety and Inspection Service (USDA-FSIS). Additionally, 21 CFR 20 contains provisions aimed at protecting sensitive information collected by the U.S. Food and Drug Administration (FDA).

Federal Protection of Business-Related Intelligence

In addition to the federal laws and regulations found in the CFR, other federally mandated requirements can potentially protect certain types of information generated within the sectors or by the FA-ISAC. This information is not intended for regulatory agencies like USDA and FDA, but rather for law enforcement agencies, such as the Federal Bureau of Investigation (FBI), and even intelligence community agencies like the Department of Homeland Security (DHS).

The collection and dissemination of NSI are governed by authorities outlined in Title 10 and Title 50. Title 10 authorities fall under the Department of Defense (DOD). For example, Title 10, Chapter 19 authorizes the collection, sharing, and dissemination of information related to operationally critical contractors and other specified contractors. These requirements include reporting cyber incidents that occur within network or information systems for critical contractors.

These authorities also impact the sharing of information between the private sector and the military, particularly in ensuring the protection of the military food supply, which is crucial during both peacetime and wartime. DOD has additional authorities and specific requirements for vendors outlined in the new Cybersecurity Maturity Model Certification (CMMC). The CMMC is designed to enforce the protection of sensitive, unclassified information shared between the DOD and its contractors and subcontractors. The food and agriculture sectors are strongly advised to familiarize themselves with the CMMC, as these new regulations will significantly affect their business dealings with DOD.

In contrast to Title 10, Title 50 authorities, such as Chapter 15 and Chapter 36, provide authorization for the collection, retention, and dissemination of foreign intelligence information (FII), as well as the sharing of critical infrastructure information, thereby enhancing national security. Relevant agencies holding Title 50 authorities currently include DOD, DHS, the Department of Energy (DOE), and the Department of Justice (DOJ) including the FBI, the Department of State (DOS), and the Department of the Treasury (USDT). An example of information dissemination would be the transmission of FBI threat warnings from the government to the sectors, with the FA-ISAC acting as the intermediary. Additional requirements for information dissemination may be found in Title 50, Chapter 29, which covers national defense contracts related to national security.

The BRI Cycle

The development of threat-related intelligence (TRI) within BRI involves seven steps:

  1. Requirements: These are the priority threat problem sets agreed upon by the FA-ISAC constituent members.
  2. Planning and direction: This stage includes taking stock of all sector-related threat data resources and developing a plan for data collection and aggregation. Gaps in knowledge are also identified at this stage, which helps in defining new requirements. These gaps represent the information the sector needs but currently lacks, as defined by the FA-ISAC constituent members.
  3. Collection: Data is gathered and aggregated into a searchable database, which can be accessed by the ISAC's analysts. This is also the stage where information is properly anonymized, so that constituent members do not disclose information that could harm their businesses or the sector.
  4. Processing and utilization: Data is optimized and organized in preparation for analysis.
  5. Analysis and production: This stage involves the art and science of data analysis, where the collected data is transformed into insights, summaries, and findings. These findings are further utilized in reports and other analytical products, such as charts, graphs, imagery, and geospatial information, to provide additional insight.
  6. Dissemination: Constituent members agree on how and to whom the BRI products, including TRI, should be disseminated. Dissemination may be limited to a single company or a group of companies within the sector, the entire sector itself, or, where appropriate, to law enforcement, Title 50, and Title 10 authority agencies.
  7. Feedback and refinement: This stage allows active collaboration constituents (decision-makers, solution developers, solution providers, etc.) to provide feedback on the usefulness of the analytical products and suggest additions or subtractions to the requirements.

All of these functions are conducted by the proposed FA-ISAC. All disseminated information should be considered protected critical infrastructure information (PCII) by the government, and additionally treated as confidential within the sectors. Since TRI falls outside the purview of regulatory agencies, reports and related products are not disseminated to these entities.

Overall, the dissemination stage ensures that insight products, such as reports, bulletins, whitepapers, charts, and graphs, are transmitted in a timely manner to decision-makers and developers of problem solutions. This feedback-driven process allows for refinement and improvement of the analytical products based on the needs and suggestions of the constituents.

Summary

The FA-ISAC concept enables the food and agriculture sector to meet crucial requirements by producing timely reports and warnings related to threats. Furthermore, by utilizing publicly available information (PAI) and serving as a communication channel between the sector, academia, and agencies with Title 50 and Title 10 authorities, an active collaboration partnership can be established, benefiting all parties involved. This dynamic partnership facilitates the development of valuable insights, best practices, and early warning systems, providing critical information on emerging threats and vulnerabilities. These insights and practices are then utilized to enhance risk management and incident response capabilities, ultimately bolstering the resilience of the food and agriculture sector and ensuring a more secure food supply.


Robert A. Norton, Ph.D., is a Professor and Coordinator of National Security and Defense Projects in the Office of the Senior Vice President of Research and Economic Development at Auburn University. He specializes in national security matters and open-source intelligence, and coordinates research efforts related to food, agriculture, and veterinary defense.

Marcus H. Sachs, P.E., is the Deputy Director for Research at Auburn University's McCrary Institute for Cyber and Critical Infrastructure Security. He has deep experience in establishing and operating sharing and analysis centers including the Defense Department's Joint Task Force for Computer Network Defense, the SANS Institute's Internet Storm Center, the Communications ISAC, and the Electricity ISAC.

OCTOBER/NOVEMBER 2023
