November 20, 2020

A Second Pearl Harbor...

To: Ms. Ginger Willson - Attorney for Sen. Ben Sasse
Cc: Peter Waldman - Bloomberg News
    Nebraska Unicameral Senators

Agriculture represents one of this nation's critical infrastructure sectors according to the Department of Homeland Security. Its burgeoning embrace of precision agriculture and of IT and software automation in every phase of farming is completely dependent on proprietary, closed source OEM software. However, this critical sector's software dependency is an invisible systemic risk; like the CDOs from the 2008 mortgage crisis, it teeters on an unseen razor's edge due to the lack of transparency and independent inquiry about the cybersecurity built into the proprietary, closed source OEM control software now used in tractors, combines, harvesters, and vehicle navigation systems. Such dependency represents, in my opinion and that of others in the farming community, a 'clear and present danger' to the nation's food supply critical infrastructure security.

Presuming agriculture OEM software is secure is ill advised, for no software, including OEM software, is without weaknesses and vulnerabilities, accidental or intentional. The presumption that the Ag OEM manufacturers' software is secure ignores the painful lessons learned over the past fifty years, and more recently by the FDA in the medical device market with infusion drug pumps: that the widespread use of embedded systems requires a 'trust, but verify' methodology as a best practice. For years, hospitals simply trusted, but never verified, the security of infusion pump embedded software. The first step is to adopt proven best practice to investigate and assess whether basic, secure software protocols are in place. Steps in that direction could include, among other things, confirming critical ag equipment software is not and has not been shared with or compromised by potential domestic or foreign adversaries.

One likely embedded software security threat is technology sharing through partnerships and joint ventures between American ag equipment OEMs and adversarial countries like China, which insist on obtaining code access to American software as a condition of trade and ag equipment technology import. However, a FOIA request to the Office of the U.S. Trade Representative asking about John Deere's technology sharing agreement with the Chinese government was unsuccessful. An initial request, made in 2017 when John Deere announced its joint venture with China, was filed by a whistle-blower who attempted to sound the alarm. This request asked whether John Deere had entered into a confidential agreement to give the Chinese government access to its tractor control software. The FOIA request was denied on the basis that a confidential agreement is a private business contract and not a "public government document" and thereby not covered by the FOIA. The U.S. Trade Office could therefore neither confirm nor deny whether the Chinese government had access to John Deere embedded control system code.

The whistle-blower sent an email to Mr. Chris Krebs at DHS, and it was through him that an attempt to raise concerns about a private software technology sharing agreement between John Deere and China was made. Mr. Krebs headed up the efforts to secure the nation's voting systems and public infrastructure from foreign manipulation. Unfortunately, Mr. Krebs was fired by President Donald Trump this week for his truthful, public appraisal of the U.S. voting system's integrity during the recent Presidential election. A political reprisal against a government security expert tasked to protect the nation from cyber threats sends a chilling message to others. Now that Mr. Krebs is gone, this inquiry has been stopped again, as have the efforts to get DHS to inquire about potential cyber security threats to the nation's ag equipment software.

Billions of dollars in ag and heavy equipment sales and farm exports to China are an additional disincentive to continue raising questions about John Deere's technology sharing with China. Efforts to get DHS to inquire about China's access to John Deere software are stalled, not just by politics and a naively willing disbelief, but also by U.S. copyright law and the DMCA. Inquiry and inspection to determine whether John Deere software is secure, by independent, qualified secure software professionals, has been challenged by OEM claims that such a code inspection risks revealing proprietary intellectual property. Yet it appears no such bar has kept the Chinese from gaining privileged code access. Confirming that access, and the potential cyber security threat it represents, needs to continue despite Mr. Krebs's recent firing. Why can't DHS raise this issue with the U.S. Trade Representative, albeit under President-Elect Biden's administration, to open an inquiry into the critical threat such 'code release' presents to American agriculture?

John Deere has actively, and until now very successfully, maintained its legal claim that any inspection is unwarranted and that code release is not a national security threat to the U.S. food supply critical infrastructure supply chain. Dismissing legitimate concerns and questions about possible code release allows John Deere to "trade away" the legitimate security interests of American farmers in protecting their necessary and indispensable ag equipment from disruption by a foreign adversary. Also, if the Chinese government and John Deere have entered into a private licensing agreement for JD tractor control software that gives the Chinese code access, and this access is NOT now available to American farmers even under a Right to Repair law, then a response that "nothing is abnormal" begs the question of what is "normal." Would any American farmer accept this situation as "normal"? How can a foreign adversary get access to his tractor's control software when he cannot? I assure you this just won't fly with us Nebraska farmers!

Follow-up question: since the technology-sharing and licensing agreement between the Chinese and John Deere is NOT a Federal government document (according to the U.S. Trade Representative), how would a Federal Freedom of Information Act (FOIA) request succeed in obtaining the terms of a private business agreement? As for the critical infrastructure security questions, isn't that something Sen. Ben Sasse would want to look into? I'd certainly hope so. Besides DHS, who should know and be keeping an eye on this? It seems that everyone who should has somehow conveniently found a way to have "plausible deniability" if ever asked why no alarms are being raised about the inherent risks of software technology transfer to China. Is it really plausible Nebraska farmers are not vulnerable to cyber security retaliation attacks directed at thousands of tractors and their embedded software systems? Is it plausible the Chinese will never use their code access to retaliate for trade sanctions by cyber warfare? At present, this John Deere code, as well as the Service Advisor programs that maintain it, remains in the sole purview of corporate John Deere. Why is this OK?

Army Colonel William "Billy" Mitchell warned a complacent U.S. military its battleships could be sunk by airplanes. His foretelling of an air attack against the nation's Pacific naval bases was ridiculed and dismissed. Pearl Harbor was indeed a day of infamy, but because of Colonel Mitchell, it was also a self-inflicted, avoidable surprise. Today, every American farmer knows "there's no crops with code," that every American food source is 'software dependent'...

Please forward to Sen. Ben Sasse and ask if he can dig into this before a lack of foresight about the risks of proprietary agricultural manufacturers' software becomes our second Pearl Harbor, teaching Americans once again never to dismiss, but also never to trust and not verify...

Kevin Kenney - Farmer
Raymond, Nebraska

PS: I 'cc'd Peter Waldman from Bloomberg News on this MEMO to make sure there's a record saying... 'YOU WERE WARNED'. Please recognize one of America's most cherished and important strengths is our ability to feed ourselves. A compromise of that historic capability risks crashing the confidence of the vast majority of Americans who have never had to fear hunger. Denial or lack of vigilance to cyber security vulnerabilities of proprietary 'software defined tractors' is tantamount to saying ...well, let's wait till our tractors get 'hacked'.... Meanwhile, you 'City Folks' will get to claim "plausible deniability" that this threat was unforeseen and unexpected.

References:
Critical Infrastructure Sectors - https://www.dhs.gov/topic/critical-infrastructure-security
Hacker Can Send Fatal Dose to Hospital Drug Pumps - https://www.wired.com/2015/06/hackers-can-send-fatal-doses-hospital-drug-pumps/
Infusion Pump Improvement Initiative - https://www.fda.gov/medical-devices/infusion-pumps/infusion-pump-improvement-initiative
John Deere expands into China with joint venture - https://www.reliableplant.com/Read/10759/john-deere-exps-into-china-with-joint-venture
Deere & Company to Build Construction Equipment Factory in China - https://www.prnewswire.com/news-releases/deere--company-to-build-construction-equipment-factory-in-china-111886589.html
Assumption-Based Planning: A Tool for Reducing Avoidable Surprises, RAND Corporation - https://www.rand.org/content/dam/rand/pubs/monograph_reports/2005/MR114.pdf