As IT/Cyber Security Professionals, I guess it’s easy for us to get drawn toward the technological element when considering the aspects of security – but I am wondering, is this a trait which may be leading us toward a preconceived idea of where threats emerge from; and does this, being by its very nature restrictive of the imagination, deny us an understanding of the future of risk, and the associated threats?
As an example of the aforementioned restrictive practices of imagination, I cast my mind back to a conversation I had at an Infosecurity event with a then member of the CPI Team [Critical National Infrastructure] some 6+ years ago. At that time I was of the strong opinion that the emergence of Cyber War, Cyber Conflict, and all things posing a technical threat to the UK borders were not being taken seriously enough. However, to my amazement at that time, the lady in question commented that the threat was overhyped, and was not of the potential magnitude I was suggesting! But then, this is actually a reflection of my past, for when I was serving in a specialist role, at a sensitive Signals Unit, my first encounter with the computer virus alerted me to the futuristic implications of this new way of corrupting software, and the operability of systems. So, given my privileged position to communicate directly with GCHQ/CESG, I sent them an inter-unit signal which outlined my concerns. However, to my surprise, whilst I did receive a response, the content was not what I had anticipated – it said:
“We do not see the computer virus as something we should take seriously” – The CESG signal went on to comment that the computer virus was considered merely a passing nuisance!
Whilst I am not suggesting for one moment that we all think this way, I do believe the two aforementioned experiences tend to suggest that, on occasion, difficult problems are either pushed away because of the economic implications of redress; or they are simply outside the bounds of imagination until, that is, such time as they are seen to manifest in the tangible form of reality, and threat. However, I have always thought that poachers make good gamekeepers, and that active terrorists would make well enabled Cyber Security Experts – utilising the mind-set of undercover operations, aggressive adversity, to select the next best target – with the valuable attribute of imagination.
Eat, Drink, Sleep
No matter how advanced the society, one obvious common element they have is Homo sapiens, who need to eat, drink, and sleep in order to maintain their biological engines, which is probably why it was the UK food chain which was targeted by the U-Boats in WW1. In that period, the concerted actions were having a very indirect impact on the war effort, by imposing hunger on our population and, in the wider context, on those of all combatant nations. And of course, on top of this, agriculture and food distribution suffered from strains imposed by the war and naval blockades which reduced food imports, and this act thus proved to be very effective – so much so, it was announced in the House of Commons that Britain had only a few days to feed the nation from its current stock [food had become an effective inverted weapon].
The knock-on effects of this war took men and horses away from farm work. Imports of nitrate fertilizers were impacted. Reduced agricultural output forced up prices, with impact on the economy, and the growing absence of basics encouraged hoarding. Governments responded by putting price controls on staple foodstuffs. Food queues formed of women and children became a common sight in cities across Europe.
In Russia and Turkey the distribution of food broke down. And let us not forget that the Russian revolution had its origins in urban food riots. In Turkey many starved, and Austria-Hungary eventually succumbed to the same calamity.
Along this same path, and getting closer to the subject matter, I also recall reading a book some years ago titled SAM 7 by Richard Cox – a story about terrorism, which was born out of, if memory serves, mechanical failure, leading to widespread contamination, and devastation of the seasonal Russian crop – Fig 1 is the cover of the book.
Fig 1 – SAM 7
Terrorism and the Food Chain
If we are to learn from history [and we should], then I feel we should look at the potential hosted by an attack on the food chain, and understand just what the real world consequences would be – but then around this juncture of the article, the reader may be thinking, what has this got to do with IT/Cyber? Please stay with me, we shall get to that in a moment, and all will become clear.
But are there any recorded cases of acts of terror against the food chain? Consider the case in 1984 when members of an Oregon religious commune, followers of an Indian-born guru named Bhagwan Shree Rajneesh, tried to influence a local election by poisoning salad bars with salmonella bacteria to sicken voters. Although no one died, 751 people became ill. Following that incident, there have been a couple of other attempts to deliberately contaminate food with biological agents since World War II, but these have been criminal acts, not terrorism.
Attacks on the Food Chain
Whilst the Oregon attack was focused on the selected end-user targets of local restaurants, it is clearly the case that a more effective attack could be mounted at any point between producing farm and consumer. Consider the implications of imported foods being tainted with biological or chemical agents before entering the national borders. Or maybe it could be the introduction of toxins to selected domestic food-processing plants. And not forgetting animal feeds, crops or livestock raised on the land, and again, the very base of plant production – soil itself could be considered a target in the world of unrestricted warfare.
Smart Agriculture and Risk
It was at the Forensic Science Society Digital/Cyber Security event in York on 3 March 2014 where the subject of Smart Agriculture was raised. Plant driving around the fields, tracked, and controlled via computers, and GPS. Automated fertilization, and chemical agents being mixed, and spread under the control of computerization, mixing highly toxic materials to ensure the spread of such treatments is beneficial to the production of the crop, and that it does not introduce any damage to the soil, or resident livestock. But then consider a forced contamination of one of the base raw materials which are entering the feed, or fertilizer chain; or maybe even a substitution of chemical A, for agent B. Or maybe the attack does not introduce any new chemicals, agents, or toxins, but is destined to create a manipulation of the mix to contaminate with an excess of a regulated toxic substance – the possibilities are endless.
When we start to look to the new horizons of possible cyber targeting, and areas which I am sure have already gained the attention of Terrorists, State Sponsored Agencies, and those who would seek to exploit the overlooked aspects of security, and the deficiencies in the design phase to conduct criminal-commercial attacks for the purpose of extortion, this must be the next playing field to come under focus. After all, why should anyone consider the elements of Smart Agriculture, and the related components of the food chain to such depths of security? – It’s never happened – Right?
For my overactive imagination, these components, spreaders, and tools attached to the automation of production represent Mini-SCADA systems, all of which could also be subject to compromise in their own engineering production lines, either with mechanical adjustments, or more likely, the introduction of a few extra lines of code, or some other back-doored out-of-band connection – or say a Foodie Virus, or piece of Malware which seeks out Agricultural systems in the form of a Foodienet [as opposed to Stuxnet] to compromise the logic of operability and stability. And yes, I admit I suffer from the paranoia of learning, and possibly, my opinions have been malformed by my early interest in, and reading of, the works of H. G. Wells. However, as time has attested on so many occasions, if a simple person such as I can think of it, I am certain there are many other smart folk out there who have arrived at the very same conclusion that ‘Food’, and its ancillaries, do make a great target.
What do we do NOW?
I believe the future of Digital/IT/Cyber Security, linked to the known, associated security breaches, and incisions, is now demanding that we, as Security Professionals, must start to think outside-the-box, take a helicopter view – whatever – and look at every component, tool, piece of code, and market sector, in an attempt to see the future of Cyber Risk before it manifests at the corporate, national, or international front door. It is time to put Cyber Security into context in every chain where there is an existing dependence for the public/population. And above all, it is time to evolve a mindset that looks to a Vanilla Sky approach to risk, to see it before it arrives. Think like the aggressor, and not just like the budget holder, for it is time for all of us to push our weight toward the front foot, and look to the future of what security MUST look like in a world of survival and stability.