Midwest Agriculture is a Prime Target for Theft of Intellectual Property and Cyber Attacks
Cybersecurity is not just a big-city problem. "Here in America’s Heartland, you are producing a valuable product that adversaries want. It is why they are and will continue targeting you," says John P. Carlin, assistant attorney general, National Security Division.
Carlin, along with Eric Sporre, the FBI's deputy assistant director cyber division, was part of the Iowa Intellectual Property Protection & Cybersecurity round table held at Iowa State University recently. The pair addressed the issues agriculture faces and how the U.S. is defending against these intrusions.
“Our entire nation, including Iowa, is under constant attack from foreign adversaries and competitors who try to steal trade secrets and other intellectual property – at the expense of our economy and national security,” says Carlin. “When certain foreign entities eager for sensitive and valuable information can’t buy it, they may take another approach; they try to steal it. Corporate theft can occur through insiders employed by a company, or it can occur remotely through cyber intrusions that exploit a vulnerability present in a company’s networks. Companies must be ready for all of these vectors of vulnerability.”
Addressing these topics in Iowa is fitting. Agricultural and food production, renewable energy, biotechnology, and advanced manufacturing are integral parts of the country’s economic engine. Between 2002 and 2011, Iowa’s agricultural production grew over 200%. In part, growth in this space is attributed to the innovation taking place. According to one government study, agricultural biotech accounts for $80 billion of a $260 billion biotechnology sector.
“You are revolutionizing the way America grows crops. You invest in biotechnology research to develop higher yielding, drought-resistant crops. You rely on data from sophisticated soil sensors, satellites, and drones to optimize the use of water and pesticides,” says Carlin. “But while you spend your days innovating, others spend their days on campaigns to steal the fruits of Americans’ labor.”
Too close to home
In 2016, Mo Hailong, a lawful, permanent resident and employee of a China-based seed company, was convicted for his role in a long-term conspiracy to steal trade secrets from Iowa-based DuPont Pioneer and Monsanto and to provide that technology to China.
“Hailong and his coconspirators brazenly stole inbred corn seeds from production fields,” says Carlin. “Although he knew this technology was the valuable and confidential intellectual property of DuPont Pioneer and Monsanto, he stole it for the benefit of his China-based company.”
This type of threat is serious, and it has the potential to cost our economy billions. In fact, some estimate that the U.S. loses more than $300 billion from theft of intellectual property annually.
“They reduce the profit that American firms make from research and development, which, in turn, reduces the incentives and resources for innovation,” he says. “The activity undermines the trust between countries and companies that is necessary to do business in a globalized economy.”
As companies move to digital storage, economic espionage increasingly occurs not only through insider threats but also through cyber activity.
“As a result of the proliferation of technology – and the myriad ways to exploit it – we face a changing world order in which lone hackers, organized crime syndicates, and nation states are all increasingly able to harm our shared networks and our livelihood,” says Carlin.
They have also devised a system that holds a company’s assets for ransom. Carlin cites a case he is currently working on.
“This company saw a loss of a relatively small amount of personal, identifiable information. It wasn’t a particularly sophisticated attack. As it tried to boot the person off of its system, it received a request to pay $500 through bitcoin. If the ransom wasn’t paid, the hacker threatened to embarrass the company by releasing the information. Most companies today don’t report this type of attempt,” says Carlin. “They either try to handle it themselves or simply pay the $500. While we’ve made progress, this scenario is fairly common today, but I still think most companies would not report it.”
If the company had chosen not to report the intrusion, the truth about where the personal, identifiable information ended up would not have been exposed.
“It would have never known that on the back end, there was an individual originally from Kosovo who had moved to Malaysia and was using the broadband infrastructure there to conspire to conduct this hack,” says Carlin. “Once he took that information, he was passing it on to one of the most notorious terrorists in the world. That notorious terrorist was culling through that stolen, personal, identifiable information for government employees. When he found that information, using Twitter and other American services, he pushed that information back out to the U.S. with a call to kill those people.”
Technology that was supposed to afford businesses in the Midwest nearly instantaneous communication and the opportunity to go global has put those businesses on the front line of a national security threat. It’s an issue they have never had to deal with before.
“As a country, we invested an enormous amount of time, ingenuity, and money to move almost everything we value into a digital space. According to one study, in almost 20 years we’ve moved from about 98% analog storage to about 98% digital storage,” says Carlin. "We did so using a protocol that was fundamentally designed to communicate quickly and not to be secure. What we didn’t do is think through what we needed to secure the most, how much we were investing on the security side, and whether it was worth having this in a digital form that was connected to the internet.”
Because of that, we are now playing catch-up. “It’s a battle we have to fight together,” says Sporre.
The changing landscape of recruiting
Technology has also changed the shape and size of hackers, as well as the strategy they use to steal intellectual property.
“Instead of the Al-Qaeda strategy where they recruit and train individuals who deeply believe in their brand and want to commit large-scale, spectacular attacks, they are taking advantage of a fundamental change in technology – the boom of social media. They blast out very sophisticated, high-quality propaganda that looks like a video game ad or a military recruitment ad, and they portray it as an adventure in paradise,” he says.
For example, one ad is of a handsome looking terrorist who is handing out cotton candy to children. Another is of a terrorist holding a kitten in one hand, a gun in the other, and saying come join us.
“They changed their message and said no passport or travel is required – kill where you live. It is the threat we are dealing with today,” says Carlin.
Last year, over 20 cases they dealt with were with individuals in the U.S. who wanted to commit a terrorist attack here.
Adding to this issue is the fact that the younger generation is used to meeting and trusting people online. It used to be that potential recruits wouldn’t walk down this path unless they met in the real world. That bond is now being formed over the internet.
“Linked to the fact that social media is involved is the age of the defendants being prosecuted,” he says. “Over half are 25 and under. Most troubling is that a third are 21 or under. We have never had an international terrorism problem like this in the U.S. before.”
At the farm level
For farmers, an intruder who breaches or manipulates their data is unsettling.
“Many rely on new farm-management services that collect information on soil content and past crop yields to generate planting recommendations,” says Mary Kay Thatcher, senior director of congressional relations for the American Farm Bureau Federation. “Ag companies have already been hacked, and we tell people that. It will happen, and farmers need to know that.”
Yet, few are prepared if a breach does occur.
According to an October 2014 Farm Bureau survey, 87% of farmers do not have a response plan if a security breach should occur at a company holding their data. Of those surveyed, only about one in 20 say companies managing their information had presented a security-breach plan.
In the end, it takes all of us to combat terrorism in agriculture. Agribusinesses must speak up if something doesn’t look right.
“We must strip the veil of anonymity that the internet offers and close the door before an attack occurs,” says Sporre. “If you see something, say something. No business is too large or too small to be a victim.”