A ransomware attack against the world’s largest meat processor is giving a taste of the chaos hackers could cook up with a concerted hack against the agricultural and food sector.
It’s also prompting renewed calls for government to mandate stringent new cybersecurity protections in industries vital to U.S. economic security, such as agriculture, energy and transportation.
The attack against Brazil-based JBS has halted production at all the company’s U.S. meat processing facilities and slaughterhouses across Australia, shutting down about one-fifth of U.S. beef production, Hamza Shaban reports. JBS said it expects to have sufficiently recovered to have most plants operational today, but the shutdown is still threatening a temporary surge in beef and pork prices and roiling an industry already battered by the coronavirus pandemic.
The breach is also stirring memories from just last month when U.S. oil production was severely impaired by a ransomware attack against Colonial Pipeline. In that case, Colonial paid a $4.4 million ransom to the Russia-based criminal group in an effort to unlock its systems and data.
The two hacks offer a dramatic warning about how quickly criminal hackers could send an entire economic sector into a tailspin.
“Everything is connected and everything is vulnerable and it leads us to this place where we can no longer be polite with critical infrastructure and say, ‘If you can get around to it, it would be good to do the basics,’ ” Kiersten Todt, president of Liberty Group Ventures, told me.
“We need to be taking a more assertive position of, ‘You have to do the basics and we’re going to check up on you,’ ” she said.
As with the Colonial breach, the group that targeted JBS is likely based in Russia, White House spokeswoman Karine Jean-Pierre said. “The White House is engaging directly with the Russian government on this matter and delivering the message that responsible states do not harbor ransomware criminals,” she said.
The FBI is investigating the attack and the Agriculture Department has reached out to other major meat processors, asking them to make up for any production shortfalls.
The government, however, has been slow to embrace cybersecurity mandates for companies.
The Department of Homeland Security is implementing a suite of new cybersecurity requirements for pipelines. But those regulations came only after the Colonial Pipeline hack.
Similar mandates aren’t yet on the table for other sectors — including many, such as agriculture and food production, where cybersecurity protections are mostly voluntary.
Todt led a White House cybersecurity commission that argued against government mandating cybersecurity protections for industry in its 2017 report. That report suggested waiting on mandates to see whether companies would improve their own cybersecurity in response to market pressures.
Four years later, it’s clear the market-driven approach has failed, Todt told me.
“We said if market forces fail, then the government needs to step in. And the reality we have now is that the market is not incentivizing security,” she said. “They’re actually disincentivizing security … It’s kind of stunning.”
But new cybersecurity rules will face backlash from industry.
“A one-size-fits-all regulatory approach probably is not the right model for an industry that is as complex as the food and agriculture industry,” Scott Algeier, executive director of the Information Technology-Information Sharing and Analysis Center, told me. “The adversaries attacking the networks are creative and agile. Regulations tend to be stagnant and often produce a climate of compliance rather than creative and innovative solutions.”
The IT-ISAC is one of several ISAC groups designed to share cybersecurity threat information between companies and to act as a cybersecurity liaison between them and the federal government. The group focuses on IT firms but includes several agricultural companies among its members.
The extent of the damage to JBS still isn’t clear.
The company said its backup servers were not affected by the breach, and it is working with an outside cybersecurity firm to get back online.
And although this is the most high-profile ransomware attack against a food processor to date, it’s far from the first.
There have been at least 40 such attacks publicly reported during the past year, Allan Liska, senior intelligence analyst at the cybersecurity firm Recorded Future, told Hamza.
The attacks could be especially devastating because the sector is so consolidated.
The attack could also spur copycats who target controversial industries, such as energy and meat processing, because they believe those attacks will draw less public condemnation, Biella Coleman, a McGill University professor focused on hackers and hacktivism, noted.
The keys
The U.S. government seized two websites Russian hackers used when impersonating a U.S. government aid agency.
A judge issued orders allowing the Justice Department to seize the websites just one day after Microsoft and Volexity detailed how hackers used the sites in a campaign impersonating the U.S. Agency for International Development, the department said.
The hackers used the sites to infect the computers of users who viewed an attachment on a fake USAID email. The Justice Department takedown was designed to identify victims who were compromised and to prevent them from being further exploited, the department said.
A hacking group linked to the Russian intelligence service SVR was behind the attack, Microsoft said last week. Many of the emails targeting organizations in civil society were blocked by automated systems, according to the company.
The Commerce Department has been slow to halt exports of sensitive technology to China, a congressional commission said.
The department, which oversees export controls on sensitive technology, has “failed to carry out its responsibilities,” the U.S.-China Economic and Security Review Commission said in a report that was first reported by Reuters’s Karen Freifeld. A years-long lag in producing a list of sensitive emerging and foundational technologies could “exacerbate national security risks,” the report added.
The Commerce Department declined to directly respond to the list, though it said it has been publishing rules on emerging technologies and has added companies to its blacklist, which mostly blocks U.S. technology from being exported to listed entities.
A popular Alibaba Web browser sends sensitive data to company servers even when users want to be private.
The browser, which is the fourth-most-popular in the world, sends data on its users’ browsing habits to servers registered in China and hosted in the United States, Forbes’s Thomas Brewster reports. The data could be tracked back to individual users because the company assigns unique user identifiers, researcher Gabi Cirlig said.
Source: washingtonpost.com