Bites & Bytes Podcast
Cyber Resilience in Food and Agriculture: Andrew Rose & Dr. Darin Detwiler (Part 1)
Tue, 17 Dec 2024
In this episode, Kristin Demoranville sits down with AgFuturist Andrew Rose and food safety advocate Dr. Darin Detwiler to discuss why cybersecurity is a growing concern for the food and agriculture industries. Andrew Rose, an advisor to BIO-ISAC and a leader in agricultural innovation, shares his insights into protecting farmers and food supply chains from cyber threats. Dr. Detwiler, a renowned food safety expert, educator, and author, explains why inaction is the greatest cost to our global food systems. Tune in for an eye-opening conversation on resilience, risks, and real solutions for protecting what feeds us all. 🔊 This is Part 1 of a two-part series.

Episode Key Highlights:
(0:00:21) - Introducing Andrew Rose and Dr. Darin Detwiler
(0:00:49) - Andrew Rose: Supporting Agriculture Through Cybersecurity
(0:01:10) - Darin Detwiler: Food Safety Awareness and Advocacy
(0:07:14) - Reflections on the Montreal Conference Panel
(0:08:56) - Challenges in Communicating Cybersecurity to Executives
(0:11:27) - Differences Between Traditional and Cybersecurity Audiences
(0:14:14) - Food and Agriculture as Universal Critical Infrastructure
(0:16:42) - Complexity and Fragility of the Food System
(0:18:19) - Cybersecurity Adoption Barriers for Small Farmers
(0:21:23) - Tech Stacks: Agility vs. Fragility in Food Systems
(0:24:08) - Financial Risks and Proactive Cybersecurity Investments
(0:27:33) - Cost of Doing Nothing: Ignoring Risks in Food Security
(0:30:02) - Corporate Responsibility and Accountability in Cyber Incidents
(0:32:11) - Predictions of a High-Profile Food Cybersecurity Attack
(0:35:09) - Cybersecurity Awareness and Future Resilience Initiatives

Show Notes:
Nashville Recommendations from Andrew Rose:
(Hotdogs) I Dream Of Weenie: https://www.facebook.com/IDreamofWeenie
(Ribs) Uncle Bud’s Catfish Chicken & Such: https://www.unclebuds.com/

Our panel was at the InCyber Conference in Montreal: https://northamerica.forum-incyber.com/en/home-en/
InCyber Forum USA (new) San Antonio, TX, June 17-18, 2025: https://usa.forum-incyber.com/

Cyberbiosecurity Summit February 25-26, Laurel, Maryland: https://www.cyberbiosecuritysummit.org/
Submit a proposal to speak here: https://www.cyberbiosecuritysummit.org/sessions

BSides ICS/OT Conference 🎉🌟 Feb. 10, 2025, in Tampa, Florida 🌴 (the day before S4x25 Conference) 🔗 https://www.bsidesics.org/
Call for Papers is OPEN till 12/31/24!
Registration is OPEN: https://www.eventbrite.com/e/bsides-icsot-tickets-1078099778459
General Admission is $30, and Student/Veteran is $20!
Questions or need more information? Email: [email protected]
Welcome back to the Bites and Bytes podcast, everyone. I am your host, Kristin Demoranville. Today's episode is part one of a two-part series featuring two incredible guests that you might recognize from previous episodes, Andrew Rose and Dr. Darin Detwiler. We have a bit of a recap of a panel we did together at the InCyber Montreal conference this past October.
Then we'll be talking about the fragility of our food systems, the critical role of cybersecurity, and what's at stake if we don't act now. It's a very sobering yet inspiring conversation, so let's get into it. Well, welcome back, everybody. We have some returning guests, but we're also going to talk about a panel that we all recently did together in Montreal.
And this is going to be kind of a continuation of that and a little bit for those who missed it. If you weren't at the InCyber conference in Montreal, Darin and Andrew, thank you for being here. We're going to start with quick introductions because I'm sure everybody needs to remember who you are. So tell me how you help people and why that matters to society. Andrew, you can start.
Sure. I am Andrew Rose. I am an advisor with the BIO-ISAC. I represent the bioagriculture work group there. How we help people is basically to... trying to ensure they have food that they eat in a reliable consistent manner. Who we help are the agricultural community and bringing awareness mitigation response to cyber and related threats that they may encounter.
My role in that is understanding what those threats may be and putting tabletop and field exercises on and I have a particular fascination with agriculture for many reasons.
Darin?
I am a food safety professor and author and advocate, and I help in the areas of awareness, allies, advocacy, and even activism. And specifically, I help people who work in food safety for major corporations where they say, well, we never talk about food safety and I can't get in and the conversation around food safety.
And I say, well, you know, when they're talking about reducing waste and improving upon inefficiencies and maximizing profits and, and, and, you know, that kind of stuff. That's where you can talk about food safety. When you look at it that way, when you look at the idea of brand reputation and a corporate mission statement, how does food safety relate to that?
How do all these different things relate to that? So I basically help people, I listen, and then I help them reframe the conversation.
Yes, thank you both. And in tradition, since we already know what your favorite food and favorite food memories are based on previous episodes, what is your current food, your favorite food or favorite food fixation and your present or recent food memory?
Andrew, why don't you go ahead first? Sure. I'm happy to take that one as well. And that would have to be pancakes. Every year for my birthday, we get to choose, well, all of us get to choose which restaurant we go to. And mine is always IHOP because you are always going to get a good pancake at IHOP.
And when I was up in Montreal on the way back, I stopped at a little town called Grafton, Vermont, and I got a little thing of maple syrup. So I'm going to sneak down into IHOP next time I go in there and have those pancakes with IHOP syrup on it. But that's not a recent memory, that's just more my obsession at this point in time.
My recent memory, it goes back to Montreal as well. Before I got up there, a friend of mine had done some consulting work for a company that sold Montreal bagels in the United States. I asked her, so what is a Montreal bagel? I come from, where I went to high school, in North Jersey, we have a certain standard for bagels that we appreciate. We look scornfully upon anyone else in any other state that tries to sell something called a bagel. So this Montreal bagel intrigued me.
And when I got up to Montreal, I find out it's not really a bagel at all. It's kind of like a bagel where you chop the top and bottom off and you're left with that little skinny middle part there. And it was difficult for me to find a Montreal bagel that would hold an appropriate amount of anything, meat, cream cheese, lettuce, tomato, anything on there. It's more like thin toast than a bagel.
And I think that they almost shouldn't call that a bagel at all, but, um, and, and really no offense to the folk, good folks up in Montreal and our friends up in Canada, but I don't think you should really hold that out as a brand of choice for you guys. So that's my recent food experience.
That's great. And obviously you can't see me, but I've been laughing the entire time Andrew's been talking quietly, of course. But yes, I also feel similar to the Montreal bagel, which is very odd to me as well. Sort of reminds me of those thin bagels you can buy in the grocery store that are processed. I always see them and go, why? I don't understand. Anyways, thanks, Andrew. Darin.
Well, first off, on election day, my wife brought me some Boston baked beans. She knows that when I was a kid, I always thought they were like the best medicine in the world. And so there's that. But a funny kind of story is that I was recently in Nashville, and I thought, oh, if I'm gonna be in Nashville, I wanna get some ribs. And so the hotel, we're like, hey, where's a good place to get ribs?
They're like, oh, go to this place. So we go to this place, we sit down, and then we're like, okay, well, there's no ribs on the menu. And the server was like, yeah, we don't sell ribs. We've never sold ribs. Okay, so where should we go? So we went to this other restaurant, and they did sell ribs. So we ordered like a rack of ribs.
And you order a drink and an appetizer, and all of a sudden the server comes back and goes, I am so sorry. We have now sold out of all there is. I'm like, are you serious? So we ended up eating brisket. And then the next day we went to another restaurant. And this, again, definitely had ribs. Everyone recommended it. We took a Lyft clear across town.
We get there and there's like two freaking buses of basketball players getting off. And we're like, quick, get in quick. Meet the basketball team. We do not want to have the two basketball teams eat all the ribs, kind of thing. Because it's like, we're not going to miss this opportunity to have ribs in Nashville. We did have ribs. It was good.
And then everyone said, oh, you need to go to this place here. So our last night, we went to this Tex-Mex place and ordered an enchilada and a taco. And the taco meat, my wife, before I was going to bite into the taco, she goes, hey, you might not want to bite into that. Because the taco meat was so undercooked. It was red. Oh. Yeah. Yeah. Yeah.
And I had this conversation with the... Well, let me ask you, was it just undercooked or was it just a piece of offal that's always going to be red anyway?
No, it was very, very, very, very undercooked. And the person in charge tried to give me excuses. And anyway, then offered me a coupon to come back. I'm like, no, I'm not coming back. Wow. Nashville did me wrong.
Well, you did Nashville wrong. I mean, if you were Nashville hot chicken, I mean, you got to go to Hattie B's, stand in line or go to churches and get that scorching chicken. And the only thing that really I think stands out was the banana pudding I got afterwards there.
I did have some banana pudding when we were there. And even not just banana pudding, but banana pudding with a shot of bourbon on top.
They do banana pudding well down there. And two other restaurants of note in Nashville for any loyal listeners that do go there. One in East Nashville is called I Dream of Weenie. It's the best hot dogs. And you want to get the Rebel Yelp with the jalapenos in there. That's a good one. And then, Darin, to your seeking ribs, Uncle Bud's Catfish and such.
That's the all-you-can-eat place over there in, oh, goodness, East Donaldson. Donaldson, I think it is.
I think you've changed the nature of this podcast to a different form.
Well, the fact that you guys are completely talking about bananas freely and I'm massively allergic to them and they make me nauseous just from my smell is like super grossing me out right now. So I've lost my appetite.
Well, they have vanilla wafers in there, too.
Oh, no. See, now you're just making it worse. Like now it's chunky. Like I can't. Oh, my goodness. All right. Well, swinging away from this really fast, I thought I would love to hear your thoughts on how you thought the panel went at the Montreal conference.
And then we'll kind of get into some like follow-up questions to kind of make it a little more spicy that we could have on stage since we had a very limited amount of time. Darin, will you go first and kind of give me your overall thoughts?
You know, walking into the facility, there were so many people that were selling products and services. And then you see this area where we had the stage and the audience. And, you know, there were some great questions from the audience. I think that there was a general, you know, desire of attendees to really kind of focus on some issues and some people coming into this.
You know, it wasn't like, hey, I'm a blank slate and I want to learn about this from before. It was more like I've been dealing with this. Thank God there's someone who's talking about this, you know, because everyone I talk to, it's like hitting a brick wall. And now I'm going to talk to these folks about these issues and how does this apply to this and what's an example of that?
And I think it kind of goes back to what I said in terms of the conversation I had earlier this morning, when people have a hard time talking with the people above them about, like, let's say food safety.
Many times there's a disconnect between the people who make the purchase decisions and the executive decisions when it go down a road, especially when you're looking at the idea of cybersecurity, right? And the people who are literally dealing with the using of the tools and resources and dealing with the day in and day out issues around resiliency.
And I think that there's a bit of an opportunity when we had this conversation there to be like, okay, you know, what are the messages that we can help impart to these people who then are going to take what they learned from our panel to the next level wherever they work in terms of, okay, we need to consider this. We need to talk about it in terms of these terms.
That was my biggest takeaway, was it was an audience that was receptive to how can we strengthen not just, you know, cybersecurity resilience, but our conversation with cybersecurity resilience to the people above us. And it wasn't like a one shining moment.
It was like every kind of experience from that our panel was along that lines of we're talking to the people who are going to be the change agents within their company, within their corporate sector, whatever.
Yeah, I definitely, I saw the crowd really absorbing and thinking. I don't know how beyond that I can explain it. It was really good to see. I think we got a few laughs and a few aha moments and a few, you know, and, um, it definitely was memorable in that regard.
I think the way they had it set up was interesting, though, because you had like the expo for all the vendors in the middle and all the different talks out around it. And I liked that they had the headsets if you needed a translation, if you didn't have, you know, knew enough English or didn't know enough French, which I thought was really well done.
But I was really surprised how well you could hear because I was always worried that because we were in that loud space, it actually was OK. Like it was pretty good. Andrew, what did you think?
Typically, well, I shouldn't say typically. Many times when I'm giving presentations, it's to CPAs, certified public accountants. And they come to see me speak because they get continuing education credits. And it's part of the 40 credits they need every two years to continue their licensure. So they're coming to me because they have to. And typically when I speak, about one third will nod off.
One third will do work. And then one third typically has kind of eye contact. I'm not sure if they're even understanding what I'm saying or not. This was a whole different audience. They were engaged. They made eye contact. They nodded at the appropriate times. They laughed when it was a good line or they were serious when we had other lines, too. I like that a lot.
One thing that kind of stood out for me there, too, I know being inside of a conference space with pipe and drapes separating people and just, you know, all the hard angles for sounds to echo off of and all that. It was a good job and kind of keeping the music where it needed to be. I thought the food was a little bit better than average. You know, we had to figure out where it was coming out of.
And make sure we position ourselves in a place where we got the full trays around the empty trays going back into the kitchen to get refilled. But I think that one day we positioned ourselves really well. They were just putting food in front of us left and right. And I had a lot of really good one-off conversations with people too. Many of them because of your introduction.
So I appreciate that as well. You're welcome. Fantastic people. And I've got several follow-ups I'm working on right now based on that. Good. I appreciate it. I also like the fact that it wasn't just the cyber community, commercial community, the government cyber communities were there.
And I don't normally see that type of representation at events like every once in a while in the US, maybe there's an NSA person or something like that. But here they were full-fledged in uniform, ready, apparent, and wanted to talk. And you saw me, I made a beeline right to them. I'm like, ah, government's here. Thank God. Let's tell them what's going on.
You know, I only ever see people like in public health service. And I noted it wasn't just like a recruiter or a marketing person. There were a lot of people with a lot of different ranks there with the Canadian cybersecurity force in uniform. That was something I noticed as well.
I couldn't turn around at any of the social events without standing next to the Montreal or the Canadian ministry of something or other. And every time I get introduced to somebody, it was the ministry of whatever this is I'm speaking to. And I hadn't had that happen in a long time. I mean, when I'm at the food events with Darin, for example, there tends to be a lot of FDA, USDA, FBI, Homeland Security for the U.S. side.
And I randomly run into a new FBI agent every time I'm there. This felt different. It felt more intimate and more intentional, which is for a cybersecurity conference really interesting because that's not normally how it goes. It's usually a lot more vendor heavy.
And I realized that there were a lot of vendors there, but they weren't in your face. I didn't feel that. I didn't feel like there was a little... There were some gimmicky things like... the guy in the pig costume, which I still don't know what he was doing. That was a little weird. My wife laughed at the photo I took with him. I mean, Andrew made me take a photo with him.
No one had to make me do that.
And loyal listeners out there, if any of you have IHOP coupons, I might have a copy of that picture for you.
Oh, don't believe him.
There was some good conference swag there, too.
There was. I really didn't pick any up because, oh, the pen. Yes, I do actually have that. I got the bento box. There was a bento box?
Oh, yeah. There was like a plastic, you know, reusable bento box.
I didn't see any of that. But then again, I kind of don't pick up swag anymore because I have so much of it. Usually it's just the t-shirts if I'm going to pick them up because they squish in the suitcase really well. But generally overarching, this was not a typical cybersecurity conference.
So I want you to know that this was very, felt more elevated and more professional than some of the other ones. So I appreciate that you both were there, but sometimes I've got to feel like I didn't give you the full experience. So don't worry, you'll get it eventually. And hopefully it will be just as much of an annoyance to us as it is to you. But thank you very much for that.
I thought the panel went really well, though. Like, I was really pleasantly surprised. I was a little nervous about how we were going to be received because we were the only group talking about food and agriculture. As they spoke about critical infrastructures at the conference, nobody mentioned food or ag again because...
That's not out of normal, but we definitely represented for our respected industries. And I do think that it brought up a lot of really interesting conversations, you know, in the hallways. And I certainly had some weird interactions I didn't expect and some really amazing ones at the same time.
Perhaps one thing to consider is that, you know, food and agriculture, you know, it's kind of like universal. You know, we can be talking about sports or we could there's so many things we could be talking about that just it doesn't translate as well. Whereas, you know, talking about food and agriculture, because that doesn't just impact people.
If it doesn't impact them in terms of their specific job and their sector, it impacts them in terms of, you know, their home, their families, their personal elements. So we can talk about language barriers, but we can talk about how, you know, food is a unified type of a concern that everyone has.
And that some of the specific examples, and Andrew was bringing up some really incredible examples, you know, you could almost talk about how those examples applied in any, you know, any geographic or political location. It's just that we have to talk about it on a bit more of a global scale because, you know, you look at the idea of, let's say we were talking about the 1970s.
Most people, you don't have the internet, obviously. You don't have nearly as much global food distribution and supply. Most of your food comes from, a greater percentage comes from the state you live in, in the United States. And I would imagine even up in Canada, it probably comes from the province you live in more so than others.
Today, though, we have such more global, we have such more impact of technology and cyber attacks and all these different things kind of collide to the point it's almost like you went from a single lane road to a multi-lane highway in front of your house. The inherent risks are just greater.
Doesn't mean your house is different, it just means that you have to think about things differently as opposed to the way it was when it was just that single lane road.
And we created the most complex system on the planet. The food system is one of the most complex systems that we still don't have a full understanding of and still figuring out how it breaks and what happens when it breaks in certain places and how it overflows in other places. And it's very complicated.
And especially when you add more tech to it, it really gets kind of out of control if you think about it. And people are still reactive. They're not proactive. And I think that's what we're trying to constantly say, like, let's do these things so we can be resilient when something happens, whether it's a foodborne illness or a cyber attack or a nation state attack or any of that.
And I really I love that that rang true throughout the whole panel with all three of us because we're all aligned in that regard.
Well, I think, too, that we have to separate the nostalgia, if you will. Right. Look, if I were to eat some of my favorite cereal from when I was a kid, it might bring back memories. But you can't think about it in terms of being the same food that it was back, you know, 50 years ago for me.
There's so many different, you know, ingredients and additives and chemicals and self-stabilizers and dyes and things like that. And a lot of these ingredients come from other parts of the world. Even something as simple as applesauce we're seeing, you know, with the high lead from the cinnamon that comes into it. And I know this isn't cybersecurity, but here's the thing.
We're not just talking about the cybersecurity of the state I live in. We're not even talking about the cybersecurity of the country that I live in. We have to talk about cybersecurity when it comes to our food and agriculture on a global scale because it's like the whole idea of, you know, a chain is only as strong as its weakest link.
Our global food supply is only as strong when it comes to cybersecurity as the resiliency of any of the locations on the planet. That's right.
That's actually a very, very fair point. You couldn't have actually said that any better.
Quick announcement, everyone. If you're interested in ICS/OT cybersecurity, whether you're a student, an industry newcomer, or a seasoned pro, BSides ICS/OT is the place to be. Join us on February 10th in Tampa, Florida, for a day packed with practical learning, real connections, and insights into securing critical infrastructure.
This event is designed for everyone, no matter where you are in your career. BSides events are known for bringing people together, and this is the first BSides focused on ICS/OT security. And for all the women in OT and ICS cybersecurity, don't miss the women in ICS cybersecurity reception that evening. Ready to be part of something impactful?
Visit bsidesics.org for tickets, speaking opportunities, and more. Also, if you were planning on attending S4 in Tampa, it's the day before. Check out the website, and hopefully I'll see you there.
Not changing subject, but sort of moving into a little bit of a different direction. Andrew, you discussed how farmers and agribusiness can be resistant to tech.
What are some ways that tech providers or the government or anybody who works in that space can help make cybersecurity more accessible and appealing to small and medium sized farmers? The larger farmers are probably having that handled by their conglomerates. But what are we doing about, you know, the farm down the street from any of us?
Well, there's actually two parts to that question. One is the ag tech adaptation by farmers to begin with, and that's a, it's something that a lot of people need to understand, and it boils down to one simple question. How does this make the farmer more money? Not that they'd spend money to save money. How will this adoption of whatever this technology is make them more money behind the farm gate?
Their margins are so narrow right now. As I mentioned in Montreal, most agriculture professionals and farmers get paid once a year. Everything they own is collateral for that paycheck, and it's dependent upon that crop they're growing right now. So they're rolling really heavy dice. Usually it's a multi-generation.
So they not only have their ongoing business and their families to support, they have the weight of all those generations before them that gave them that land to produce something on. So there's a huge psychological weight on that. So when you come along and say, hey, we need to give you a new bolus or a new ear tag or a new mesh system for your farm because it'll help reduce methane.
Or it'll help sequester carbon. OK, how does that make me more money without me spending money to get to that point in time? The cybersecurity overlay into all that technology that plugs into the Internet is a whole different question. And, you know, number one, there's already the resistance to spending a lot of money on technology that may or may not be beneficial. Now, how do you protect it?
Who's responsible for protecting that? Is it the vendor? Is it the John Deere that's selling the tractor? Or is it the farmer? Where does that liability ultimately fall? I know it's a hot potato, but someone needs to figure that out. Because farmers, that's one more headache right now in an over-regulated environment with climatic impacts, geopolitical impacts.
It's just one more thing that's just going to be on their shoulders. So I would love to see us adopt some sort of policy very similar to crop insurance that can give us some sort of backstop, some sort of reinsurance agent for the agricultural community in the event that these cyber attacks happen. I mean, that's just us sitting back and absorbing these blows.
Again, you know me, I relate to CSGO a little bit more on the offensive side of things too. I think that we have under, our adversaries have obviously dominated the other attack surfaces other than the kinetics, you know, bullets and bombs, they're sabotage, espionage, cyber information warfare. They view those all as domains of warfare. We don't.
And so we're then left to absorb these blows, pass the pain on to the farmers and business owners and others out there. Our cyber community is just under so much stress right now because they're constantly having to put fires out and stomping on moles rather than having the ability for us to slap back a little bit and get some breathing room there.
But again, these are Andrew Rose's opinions, not the BIO-ISAC's opinions.
No, understood. Understood. I just did a talk recently at an ICS conference, industrial control security conference. And I had a gentleman stand up and said, unless it's regulated, I'm not putting security around my product. And everybody was really like, whoa, I can't believe he stood up and said that. But to me, he was being real. Why would he do that if he was not regulated to do that?
So product security is a really complicated thing, ultimately.
And that ties back into something you said before, too. One of the things that I spoke about when I was in Chicago on the future of the food supply chain was that a lot of companies these days do what I call chasing nines. They got 99.999% efficiency, and they're chasing that next nine in there. And they're building these tech stacks on top of tech stacks.
And for me, the more agile you become, the more fragile you become. All it takes is one little piece of that now falling apart and the entire tech stack then collapses. And what is the point? What added benefit and efficiency is that really going to do given how fragile the system is, complicated the system is in a complex world?
Well, you look at CrowdStrike and Microsoft, right? Showed us that there was one pillar that everything was standing on. And as soon as that Jenga peg flew out, that was it. And we are one hairpin away from that at all times. I don't think people will realize how fragile the system is. And I don't want our adversaries to figure that out. You know what I mean? That's not what we want.
Because as soon as that happens, then we're in big trouble. And unfortunately, CrowdStrike and Microsoft showed that to us. And of course, it's got all of us going, bleh, but also at the same time, we've been saying this. So it's not an I told you so, it's an I didn't want to have to say that moment, you know.
There's another angle of earlier this year, I was in San Francisco at Future Food Tech, and there was a great conversation around, you know, is it regulated? But also there's the economic side of things. When we look at the idea of a venture, so much technology and software and resources, you look at the idea of investors investing.
And the reality is that most investors, if that's where you're getting the funds for technology, whether it's transparency, traceability, digitization, and of course, you can't talk about those three without talking about the idea of securing that information. They want a short return on investment. They want a short term benefit to their investment.
But we're talking about something that's really more long term. And how do you show that? I mean, how do you show that you didn't have a cyber attack? And it's one of those crazy scenarios where you're trying to justify something before it happens.
And from the finance sector of things, it's hard to be proactive in that sense because you can't really put a dollar amount to it in terms of being proactive and investing into it. Now, after the fact, we can say, oh, this breach ended up costing us $25 million. We'll have to pay that bill. But OK, how come it's so quick to say we'll have to pay that $25 million?
But when you ask for $2 million to be proactive, well, how do we know that's really going to work?
Well, Darin, there's a simple answer to that. I mean, we're just following the path that politicians have laid. I mean, most politicians are lawyers, so they're risk averse to begin with. They don't want to get ahead of a known issue that's going to explode on someone's watch until after it explodes. If they get ahead of it, they could be wrong. It could be used against them.
If they wait for that explosion to happen, now they look like a hero. They pour buckets of money on it, and they build regulations around it so it won't happen again. So they're incentivized on paying the price later on rather than, again, we're talking rational sentences here in an irrational world.
I think the thing that's hard is watching security incidents are going to happen. It's not a, it's not an if, it's a when thing. And over the, you know, the long term couple decades of my career, I have seen way too many that could have been averted. And it all comes down to how are you risk averse? Are you a risk positive? Like, what are you going to do?
And that's what bothers me about the food and ag industry. And I know I've talked about it with both of you offline and online is how many people need to die or how bad does this need to get before people actually start taking a real look at this and dealing with the risk rather than, oh, something happened. So here's a ton of money and we're just gonna fix the problem now.
Why didn't we fix the problem before? It's so ridiculous. It's like the house is on fire, but yet we're still spraying more oil on it. Like, what are we doing?
It's so stupid. Well, that's the bodies in the street kind of approach. The idea of, you know, well, we didn't do anything because there was only one death and only 15 states impacted. So, OK, well, so then what's the threshold? How many states had to be impacted? How many businesses had to shut down? How many people had to die or to be in hospital for this to be of concern?
You know, going back to that idea of that multi-generational, you know, the person who owns the family and being responsible to their family, you know, plot of land and the farmer that's there. You know, we saw this during the pandemic, how many families were, how many family farms, excuse me, were impacted because, you know, well, no one was going to the restaurants and buying all these different things. So now their onions had no place to go or their whatever it was, had no place to go. And we had to shift the business model to adapt during that kind of situation. And did we learn any lesson from that? Because during that time, those were families that were essentially not making money at the end of the year. And if anything, they were waiting for government assist programs to help them offset their costs. And with the promise of their – your profits will bounce back next year. You can't operate in that kind of a mode. And even though a business can have, you know, an economic recovery after an incident, how many families wish that they could have a recovery and a do over after they've been, uh, you know, ridiculously harmed, uh, because of certain failures.
And again, it comes down to, I really like that, that notion of the idea of, is there incentivization to allow it to become a problem for you to deal with it rather than, uh, being proactive. I want to hold out the hope that there are companies that are being proactive. Maybe it's because they've already been stung. Maybe it's because they've seen their competitors be stung.
But we need to look at the idea of across the board, the idea of the entire sector, the entire commodity, not just the one brand or the one company will be impacted by not being as resilient as possible.
We need some champion companies and some champion countries, I think.
Well, I think also reframing that question a little bit. I don't think anyone needs to die. I think all it's going to take, and you've heard me say it many times, if your kid goes five days without food, you're going to break a law. In three weeks without food, the government's going to fall. I mean, you're still technically going to have a pulse in your body. I mean, you'll be dying.
You'll be starving. But, you know, it can happen so fast... So fast. Yeah. ...that there's no time to even rally around it. And once it stops, it's kind of hard to restart.
You know, you both are talking, we're talking around it, so let's just talk about it. We talked about it on the panel too, but the concept of doing nothing as a high cost. So what are some ways that we can calculate and communicate this cost effectively to justify cybersecurity investment in the food industry?
And we can even take this one step further as how do we tie this into the work that the three of us are doing to push forward, to have those champion moments, to make people realize. And I realize that a lot of times it's grassroots and it's one-on-one and we have to get in front of individuals all the time. But the awareness work that we do is super important.
So Darin, I'm going to have you start because I know the cost of doing nothing has been on top of mind for you.
Yeah. You know, again, it's like we collect data and we look at the, how much will it cost to do this? How much will it cost to do this? But we don't typically calculate that idea of the cost of doing nothing. The cost of doing nothing has to be part of the equation because if we ignore it and then we deal with it reactively, right?
Again, not only do the costs go up, but you got to realize that too, the costs are going to be passed on to the consumer. And in most cases, the consumer doesn't really want to be told that, well, you're paying more because we've messed up. I would rather be told I'm paying more because we're going to make it more resilient and a safer product down the road. I could buy into that a lot more.
There's a lot of things that we can agree to pay more for. But there's also an element in terms of corporate social responsibility. At what point are you not being a responsible executive if you have knowledge but you don't act on that knowledge?
When we look at the responsible corporate officer doctrine that came from a 1975 Supreme Court decision in Park v. U.S., it didn't say that if bad things happen to you, you will be held strictly and personally liable for those. What it said is that, you know, things happen and you deal with it. But if you don't deal with it, if you have knowledge of these things and you don't act to prevent, to mitigate, to resolve these issues, then there is a point where you should be held responsible because you knew better and you could have done something different. I think that having these events, there's got to be, you know, I didn't see a lot of people, like, from major food brands there, for instance, right? I mean, this wasn't really a food event, but imagine if it was really advertised as to, hey, if you're a corporate executive for major food companies, you should be there.
I know for a fact that there's people that they do gravitate to certain things, but they also avoid certain things because if they've been involved in this conversation for a long time, they can't have that kind of plausible deniability of I just didn't know how bad it was.
And as crazy and conspiratorial as that may sound, that is a bit of reality in terms of, well, we don't want to collect data on this because if we collect data, it could be held against us or it could be used to prove that we knew about the problem all along. I hear this over and over and over again. And I think the same thing can apply here in terms of cybersecurity.
It already has. I mean, chief information security officers are being hauled into committee meetings in front of Congress and having to explain why something happened. It will happen with CrowdStrike and Microsoft. I think it's already started. I mean, Delta's suing them now. So there's a lot of accountability that has to be taken.
And then it takes into account mental health because nobody wants to be a chief information security officer now because of this, because it's, you know, you're now your livelihood and other things are on the line. In terms of security personnel that are in the food industry, the great people, they're doing what they can. A lot of them didn't come out of food production.
They came out of finance or healthcare. They're still learning the ropes, which I think is great that you're learning it on the job. But at the same time, you need to surround yourself with community that knows. And I find that there's a lot of silos there. And that becomes difficult. Even me and my specialization, I sometimes can't get close to them either. So that's... that's hard.
And I hope that breaks eventually that we can have more community in this space, because you could tell that the cyber community was quite interested in what we were talking about. There was definitely interest and excitement around it and good probing questions.
But overarching, it's going to take, I think, quite a bit to get people to start switching their mindset and incorporating a more systems thinking approach to the world that they work in, because most people just do their job and go home. They don't care. But this is why I really love working with both of you and the teams that surround you is because it's personal for all of us.
We definitely take this into our lives in a different way. And we think about the people that are around us. And I'm really grateful that I know that group of people because it gives me the fuel I need to keep moving. So I don't want this all to sound like doom and gloom. There's a lot of really good people doing work on the ground.
And there's going to be even more of us coming down the pipeline as the generations catch on. Andrew, I want to give you a chance to comment on the concept of doing nothing as a high cost.
Sure. I mean, and you also asked, what is it that's going to get us more allocations of cyber resources for the food and ag community? And that's pretty simple. It's an attack. You know, it's a high profile of JBS type of attack. Everyone will come running to us. All the agencies will come running to us. There will be opportunities for grants and other dollars to address things that happen.
And, you know, I'm not being facetious either. For a long time, agriculture and water fought for the bottom of the list of resources available. But some recent attacks in the water system have given them some more of the resources they really truly needed. So I'm glad that they're being paid attention to. But, you know, simply put, unfortunately, it's gonna take some devastation for folks to react to something like this. Um, but right now there are businesses in the United States that are going naked without cyber insurance because they can't afford it, because the questions are too onerous, because it's too expensive, doesn't pay out what it should pay out relative to what the cost is. So I don't know. What is the cost of doing nothing? We're going to find out, aren't we?
Kristin, can I make a dark prediction here?
Sure. Go for it. We'll get it on record right now.
I want to preface this by saying that I hope I'm not accurate here. Within the next five years, there will be a cyber attack that impacts our food industry, and it will be referred to as the 9/11 of cybersecurity. And we will see additions to our Department of Homeland Security. We will see perhaps our own new... kind of like how we just added the Space Force, we'll have our own U.S. cyber security force. We will have, uh, federally created jobs, much like the TSA, but within the food industry because of cyber attacks. And it'll be thought of as this, uh, this brand new awakening that we, you know, we have to do something about. There'll be billions and billions of dollars allocated to this.
This will be heralded as the, like you said, or like someone said, the corner piece of someone's political legacy for what they did in this and what we do going forward as a nation. And, you know, it'll be almost referred to as the TSA of the food industry, these people that work in those contexts. But it is very likely that something like this will happen. And why can't it happen?
You know, looking at our political state right now, I don't see any reason why it's without of the scope of it happening within the next five years.
I wanted to take a moment to thank all of you who have listened, subscribed, shared, and supported the show over the past year. This episode is the second last of the year and is also the second to last of season one of the show. I am beyond grateful to share also that the podcast was voted the most influential podcast of 2024 at the Cybersecurity Marketing Conference.
After a year of hard work and incredible conversations, this recognition is a true honor, and I have even more planned for season two, so definitely stay tuned. Before jumping back in, I wanted to inform you about an upcoming event, the Cyberbiosecurity Summit of 2025. BIO-ISAC and Johns Hopkins have joined forces to host the two-day conference in Laurel, Maryland, February 25th and 26th, 2025.
The summit will bring together biotechnology, biosecurity, and cybersecurity professionals to explore the intersection of these critical fields and strategies for building a safe, secure future. The call for speakers is now open. Please submit a proposal if you have insights, research, and engaging interactive ideas to share. The link is in the show notes.
And now let's get back to our conversation.
And, you know, we'll look back on this and go, remember when we talked about cybersecurity and it was just like, you know, an additional condiment on the table at a restaurant, you know, some have it, some don't, some like it, some don't, some go big, some go small, some ignore the whatever. And then you look at the idea of 30 years from now, so in the year 2060, there'll be a whole crop of people that are like, we've always had this level of cybersecurity and government interest in this because they don't know any better. They don't realize how many people were literally like the three of us talking about these things back in the year 2024.
Well, that sounds like the whole country of Estonia back in 2007. It was the first cyber war that Russia launched. They had their new weapons, new cyber warriors. And Estonia as a country then put cyber hygiene through their higher ed system. In high school, you refight the same cyber battles they fought back then. So it works as making your populace your most secure level of defense.
They actually have fantastic internet there, too.
Remember D.A.R.E.?
D.A.R.E.? To Keep Kids Off Drugs?
Yeah, it'll be like the new D.A.R.E. They still have that, Darin.
It's still in schools. Yeah, it's still in schools. D.A.R.E. is still in schools.
I'm just saying it'll be the new D.A.R.E.
Maybe. I do think that they should teach food safety and cybersecurity to kids. And you have to take a Home Ec class. They do teach food safety there. They do teach the kids not to wash their chicken and things like that. And I get updates because one of my step-sons is in it. It's fascinating because I didn't learn that.
I, I don't remember, I don't remember cutting chicken in high school, like when I did those classes. So I'm glad to hear that they're teaching at least some life skills that will help you later on to not die. So that's great. Way to go, school systems. I think you're being generous, Darin. I think five years is too long. I think it's going to be in the next three.
Uh, I, I just, I know, I know what I know. And my gut instinct is telling me this and, and that doesn't mean I know anything that's like years, but yes, it is. But I do think you're being generous with five. I do think it's going to be three. And I'm not saying I have any insider information that makes me really smart in figuring this out. I'm just reading the tea leaves.
Andrew, what's your timeline? Yeah, what's your timeline, Andrew?
Oh, it already happened. We just don't know about it.
Yeah, that also could be it. I actually was going to say that caveat. It's already happened. That's the worst part about it because we, again, don't know what we don't know. And there's a lot of that going on right now. I feel like every time I have a conversation with fruit production or ag, it's always, hey, we have this thing. What do you think? And I just go, whoa, hold on. You did what?
What happened? Oh, you know.
On the conservative end of things, when we hear about a recall, it's like the incident at the most soonest is six to eight weeks old, if not older. Even with the recent thing with onions at McDonald's, those, you know, we found out about it on that Tuesday after someone went and played cosplay with French fries at McDonald's. But you were talking about people who got sick early the month prior. So it's like, OK, the companies and the government knows about things and then there's a timeline and then the public knows about things. So, Andrew, you know, you're very likely correct in terms of the fact that something could have happened four or five, six, seven, eight weeks ago. And, you know, we just haven't heard about it as a populace yet.
Yeah, scary stuff. But I will say on a positive, since we're being super gloomy and doomy right now, which is still realistic and everybody needs to hear it. I will say that certain events have triggered certain people to start stepping up and be more proactive. Yeah. I've had the privilege of speaking to a few individuals over the last week or so talking about how they're being more proactive.
Nothing's wrong that they're aware of, but they really want to work on their security posture and their maturity in various different industries within the food sector and the food ag sector, which is really encouraging for me to hear that out of chaos usually comes some sense of peace and moving forward through it.
So I do think that there are some people that are really doing the best that they can and trying to do that bit more. So that's good. We all like that. But collectively, as a group of humans, we need to step it up. We need to step it up bad.
And I think that some people think that we're all these conspiracy theorists and that we're just these crazy people that say all this weird stuff like this on air and whatnot. No, we actually have legitimate documentation to prove this is happening. This is not something that's just we've made up and then we're writing a fantasy novel. We're touching on being more resilient as a theme.
And we did talk about that quite a bit on the panel as well. So what advice would you give companies and individuals in the food sector about building resilience beyond just basic cybersecurity and food safety and any other things you want to talk about in those spaces? Andrew, you first.
Well, that's a heavy lift right there. I guess I'll share what I shared in Chicago, that our adversaries, whether they're North Korea or Iran or China, and I don't know if Russia's going to be an adversary or ally now with our new administration, but regardless, they view us as their adversary. They view us as already being at war with them.
They view the warfare, like I said, the domains are sabotage, espionage, information warfare, cyber, everything but kinetics like that. If it becomes a kinetic war, one of the first things our adversaries will want to do is blind us by taking out our GPS systems.
So for anyone out there in the food and ag supply chain, if you have drivers or you have trucks or vehicles that are on the road, make sure you've got paper maps and make sure that the person who's driving the truck is under 30. They know how to use a paper map. That's just a good little bit of resiliency there.
wrap on part one of our conversation with Andrew Rose and Dr. Darin Detwiler. And thank you for joining us today. And a big thank you to Andrew and Darin for their invaluable insights. As always, remember, this is just the beginning. Part two is coming soon. So stay tuned. If you joined this episode, please don't forget to like, comment and share the show.
Stay safe, stay curious, and we'll see you in the next one. Bye for now.