There is a whole lot of data being compiled in the agriculture space. In agtech circles, the discussion has typically centered around how to process this data to provide farmers with timely, actionable insights. There’s also debate over who owns the data. But Dale Meyerrose, the retired US Air Force Major General and president of the MeyerRose Group, is asking another important question: what about the cybersecurity threat in agriculture?
Meyerrose was the first President-appointed, Senate-confirmed chief information officer for the Director of National Intelligence (DNI) following three decades of military service where he cultivated a reputation as a cybersecurity pioneer. Meyerrose has now formed his own company offering consulting and executive training for a wide range of business, government, and academic organizations on strategy, business planning, technology, education, and executive development issues.
Meyerrose is slated to speak at the PrecisionAg Vision Conference on the very issue of how cybersecurity impacts our food production system. We caught up with him to chat about the importance of cybersecurity in agriculture and what agtech startups can do to help the effort.
What cybersecurity challenges do farmers face?
Whenever you use technology to create value, it presents an opportunity for an evil-doer to exploit it for evil purposes. Sometimes we are our own worst enemies. In the cybersecurity business, we are our own worst enemies. Most compromises, data losses, and so on are created by the user’s own behavior. The idea that there are cyber criminals out there who are highly trained and skilled and really smart with computers is more myth than fact. Most cyber security breaches are precipitated through exploiting the behavior of individuals trying to protect their own stuff or by using the individual’s own stuff—social engineering is the primary cause of cyber security issues. The most prevalent challenge is probably some well-meaning soul trying to utilize technology for a benefit, a product, a service, or something like that, who will use it incorrectly. Most cybersecurity breaches are done with a phishing email or from a website.
Cybersecurity in general usually goes with the principle of 80/20. This means that 80 percent of the time cybersecurity issues and basics apply to any sector. The other 20 percent of it is sector-specific. This ends up being the most important 20 percent.
The four areas that present a cybersecurity threat in agriculture are in access to services, personal privacy areas, proprietary information, and IP. As I tell my clients, the trust in the food chain starts in the dirt and ends on the table. While you can probably say that the probability is not zero in any of those categories for any part of the ag business, it is more about the various combinations of these four categories.
When it comes to proprietary matters, you talk about corporations and larger entities. Service is more farmers on the tractors. For IP, you’re talking about folks who are innovating and trying new things and doing research. So, every part of the ag industry has an element of these four things, but in different combinations depending on the purpose of each.
When we do smart agriculture, we smartly use technology. We smartly use the data created by technology and smartly protect the data that we use for that technology. One thing we focus on is creating awareness around cybersecurity. After awareness comes action, and action has to do not only with how you do business and what your business processes are, but also some basic investments, like encrypting data where privacy issues are at play.
Once I help someone become more aware of the cybersecurity threat in agriculture, they often think they have to worry about the security risk behind every tree and every corn stalk. In reality, they need to be worried about how they set up their network, enterprise systems, technology, etc. They also need to be concerned with how they use it, how they manage access, and things that are prevalent in perpetuity in their particular industry.
Does it depend on the scale of their operation and/or on the crops they cultivate?
I think it’s the 80/20 again. Twenty percent of the threats to crops are specific to a particular crop. The type of crop, what it is used for, and what its distribution chains are might be different than with another type of crop. The fruit and vegetable distribution system is different than field corn and soybeans. Size has some degree of effect because the more valuable you are, the more valuable your data will be and the more valuable you become as a target. But, I would also tell you that the evil-doers will take the path of least resistance, meaning that if they can go through a small entity or small farmer and use that access to get into a large agribusiness, then that is what they will do. They will look for a third-party consumer or something like that.
Think about the Target security compromise of 2013. They got into the point of sales stuff through an air conditioning vendor. It wasn’t that there was a bad person involved, it was that Target’s HVAC subcontractor did not follow the rules. The evil-doers went through the HVAC subcontractor’s computer system and migrated into more valued access within Target and got to where they could put malware on the point of sale devices. This situation isn’t exactly applicable to the agriculture industry, but it is an easy example for people. Again, this is where the 80/20 rule comes in.
Are there any companies currently innovating in the agriculture cybersecurity space? What’s happening here, if anything, and if nothing is happening yet, why not?
I am not seeing a lot happening. In part, because the idea of precision ag is a fairly new one. The business of using technology to help increase production, add value using fewer people while delivering more product—all fairly new things in the industry. Drones, which are one of the faster-growing ag technologies, have only really started happening within the last few months and years, not over the past decade or so.
What can agtech startups do to address these challenges?
The precision ag industry is trying to work on training, awareness, and education. The PrecisionAg Vision conference features a variety of speakers like big data experts, tech experts, and so on who are trying to help industry come to grips with how you use tech to do the art of the possible while at the same time avoiding the fear of the inevitable. And so the purpose of cybersecurity is not cybersecurity, the purpose is to make agriculture better.
I don’t think there is anything like an optimal solution. I don’t believe in buying a product. Cybersecurity is something you do, not what you have. There are all kinds of techniques that are available that maximize the productivity of your applications, your tech, your system and minimize your risk. In agriculture, we are very used to doing risk management when it comes to things like crop development, seed development, weather climate, planning cycles, and so on. We are also really good about applying risk calculations and analysis to that. But now, we need to become just as sophisticated in providing this analysis to an element of our data, technology, and cybersecurity.
I think there is plenty of flight space for other startups to innovate. Let’s say I am a startup and I want to make my name in the cybersecurity business. A startup company that concentrates on the threats that are peculiar to agribusiness, I think there is a lot of flight space–almost an open field–in which they should find lots of traction. If they do it right, the problem will be controlling their growth.
What do you think? Is cybersecurity a concern for your agtech startup?