JBS Cyber-Attack: The Hackers Come For Our Beef

Employees walk around at the JBS USA meat packing plant in Greeley, Colo., April 8, 2020. (Jim Urquhart/Reuters)

On the menu today: The hackers come for our beef; Joe Biden is disappointing the folks who thought he would be tough against Vladimir Putin; a look at what your support of NR enables; and the contrast between how progressives talk about China and how they talk about Israel.

We Should Be Concerned about Cyber-Ransom Attacks
As Andrew Stuttaford summarizes, “First Fuel, Now Beef.” With each passing cyberattack that temporarily cripples a portion of a key industry, it gets harder to shrug off cyber-ransom attacks as just another price of living in an Internet-wired, globalized world. Who the hell are these techno-malcontents in Russia, and why are they able to disrupt life in the United States with increasing regularity?

Hopefully, there’s something going on behind the scenes to impede and deter this growing threat; for now, the public line from the Biden administration is that we’re going to tell Vladimir Putin and the Russian government that they’re being irresponsible.

In a short briefing aboard Air Force One en route to Tulsa on Tuesday, White House principal deputy press secretary Karine Jean-Pierre told reporters that, “JBS notified the administration that the ransom demand came from a criminal organization likely based in Russia. The White House is engaging directly with the Russian government on this matter and delivering the message that responsible states do not harbor ransomware criminals.”

Yeah, that’ll work.

The good news is that it sounds as if the disruption to the meat-supply chain will be pretty quickly resolved:

Andre Nogueira, JBS USA CEO. “Our systems are coming back online and we are not sparing any resources to fight this threat. We have cybersecurity plans in place to address these types of issues and we are successfully executing those plans. Given the progress our IT professionals and plant teams have made in the last 24 hours, the vast majority of our beef, pork, poultry and prepared foods plants will be operational tomorrow.”

In the U.S. today, JBS USA and Pilgrim’s were able to ship product from nearly all of its facilities to supply customers. The company also continues to make progress in resuming plant operations in the U.S. and Australia. Several of the company’s pork, poultry and prepared foods plants were operational today and its Canada beef facility resumed production.

The bad news is . . . you don’t see anything along the lines of, “We didn’t pay the ransom” in that statement, now, do you?

If the Colonial Pipeline attack and this new JBS hack feel qualitatively different than previous breaches — the ones that got you a replacement credit card mailed to you every few months or so, it seemed — contemplate this assessment from Hitesh Sheth, CEO at Vectra AI, an AI cybersecurity company:

The JBS attack is one more signal of a disturbing shift in cyberwar strategy. On the surface it looks like another ransomware attack, but what’s really telling is the choice of targets. This is an important global supply chain moving essential goods to 100+ countries.

Such attacks on critical infrastructure create a higher form of chaos. Disrupting vital food and fuel supply chains is bigger than stealing credit card numbers or holding health records for ransom. Consider the JBS attackers’ intent; clearly, it’s more than just a pay day; clearly, they don’t care that much about meat.

On an almost weekly basis, we’re now confronting the real vulnerability of our essential systems. The motive now runs deeper than ransom – attackers want people, not just businesses, knocked back on their heels.

Over at Capital Matters, Cale Clingenpeel, formerly a special adviser to President Trump and his Council of Economic Advisers, notes that the CEA tried to calculate the cost of these ransom attacks back in 2018: “After taking into account firms’ underreporting of cyberattacks, spillover effects to other firms, and private costs incurred alongside the costs to publicly traded firms, the CEA estimated that the total cost posed by malicious cyberactivity to the U.S. economy in 2016 was as high as $109 billion (roughly 0.6 percent of 2016 GDP). These estimated costs are very likely to have increased since 2016.”

Also, did you notice that even with the Colonial Pipeline restored, gas prices are still really high?

Biden Wimps Out on Russia — Again
Speaking of Russia, I don’t want to put words in Garry Kasparov’s mouth, but as he criticizes President Biden’s early moves on Russia in the Wall Street Journal, do you get the sense he’s starting to feel like the victim of a bait-and-switch?

The day after the [Belarus] hijacking, Mr. Biden’s national security adviser, Jake Sullivan, met with his Russian peer, Nikolay Patrushev, to lay the ground for the summit. They talked about “normalizing,” a euphemism for appeasement. Normalizing relations with a dictatorship only normalizes dictatorship. Yes, as Biden supporters are quick to say, even Ronald Reagan met with the Soviets. But he did so with concrete national- and global-security demands and from a position of strength. So far there is no such agenda for a Biden-Putin meeting.

Ten years ago in Moscow, Mr. Biden had the nerve to talk tough to Putin, but he lacked authority. Now he commands the full power of the presidency and must prove he hasn’t lost his nerve.

I can’t remember who said it on Twitter, but Democrats are “reverting to factory settings on Russia.” Back in July 2020, Biden made this promise regarding Russia’s election meddling:

Today, I am putting the Kremlin and other foreign governments on notice . . . I will direct my administration to leverage all appropriate instruments of national power and make full use of my executive authority to impose substantial and lasting costs on state perpetrators. These costs could include financial-sector sanctions, asset freezes, cyber responses, and the exposure of corruption. A range of other actions could also be taken, depending on the nature of the attack. I will direct our response at a time and in a manner of our choosing . . . If any foreign power recklessly chooses to interfere in our democracy, I will not hesitate to respond as president to impose substantial and lasting costs.

Somehow Biden has shifted from “I will impose substantial and lasting costs” to trying to “normalize” our relationship with Moscow?

What Your Support of NR Enables
Yup, that’s me asking for your support on the home page today. Yesterday brought a good example of what I am able to do because National Review is supported by the generosity of readers like you.

Over the weekend, I started wondering about other laboratory accidents in China, not related to COVID-19, in the years before this particular pandemic. I knew about the two accidental releases of SARS from the Chinese Center for Disease Control and Prevention, but how many other laboratories — not just virology labs, but university labs, chemistry labs, any labs — had significant accidents? I would contend that the notion that Wuhan Institute of Virology staff were too diligent or careful to ever make a mistake is already proven to be a laughably unrealistic assertion, but just how good, or bad, are laboratory-safety standards in China? (We’re supposed to tell the editors what we’re working on, but I don’t like to tell them, “I’ve got a story on X” until I’ve looked into X enough to know that I’ve got a story.)

The short answer is that China has had quite a few fatal accidents and explosions in laboratories in the last 17 years, and well into Monday’s digging through science journals and medical journals, I found this:

September 2019: Yuan Zhiming, deputy director of the Wuhan Institute of Virology, offered an assessment of the state of biosafety in Chinese laboratories in general in the Journal of Biosafety and Biosecurity:

. . . biosafety measures and practices are vital in daily laboratory operations hence a highly qualified, motivated, and skilled biosafety supervisor is needed not only for overseeing solid containment but also in laboratory risk management. Currently, most laboratories lack specialized biosafety managers and engineers. In such facilities, some of the skilled staff is composed by part-time researchers. This makes it difficult to identify and mitigate potential safety hazards in facility and equipment operation early enough. Nonetheless, biosafety awareness, professional knowledge, and operational skill training still need to be improved among laboratory personnel.

Now, this is not a smoking gun. And Yuan Zhiming is not explicitly expressing concerns about the Wuhan Institute of Virology. Then again, he doesn’t explicitly state that the Wuhan Institute of Virology doesn’t have these problems, either. His language is reminiscent of the memo from Jamison Fouss, the U.S. consul general in Wuhan, and Rick Switzer, the embassy’s counselor of environment, science, technology, and health, who repeatedly visited the Wuhan Institute of Virology and in January 2018 wrote a memo to Washington articulating their concerns: “During interactions with scientists at the WIV laboratory, they noted the new lab has a serious shortage of appropriately trained technicians and investigators needed to safely operate this high-containment laboratory.”

Anyway, it’s another piece of the puzzle that suggests a lab accident in Wuhan in late 2019 was easily within the realm of possibility. After a 2015 explosion in a Beijing university chemistry lab, one professor decried the “systematic negligence of safety in our labs” while another lamented, “compared with labs in the U.S., Chinese labs generally have poor safety and less sophisticated safety equipment.”

All of this information was out there, just waiting for someone to find it. But for whatever reason, other media institutions either didn’t look that hard, or were apparently never that curious about previous laboratory accidents in China leading up to the outbreak of COVID-19.

ADDENDUM: Our Dan McLaughlin observes that the same people who object to criticizing the government of China because it could fuel racism against Asian Americans . . . don’t mind criticizing the government of Israel or fear that it could fuel anti-Semitism. “I suppose the theory of why it’s racist to criticize the People’s Republic of China but not Israel is that Communist China has a democratically elected government and Israel doesn’t.”