Introduction

In recent years, congressional concerns have grown over potential risks to domestic food security posed by foreign ownership, control, and influence (FOCI) of critical infrastructure in the U.S. food and agriculture sector (FA Sector). Critical infrastructure is defined in statute as "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters."¹ Critical infrastructure systems and assets in the FA Sector encompass many elements of the nation's food supply chain. Examples include farms, grain elevators, farm supply wholesalers, certain testing laboratories, meatpacking facilities, bars and restaurants, and supermarkets.²

The national critical infrastructure security and resilience (CISR) enterprise combines both varying degrees of regulation and voluntary public-private partnerships for information sharing and best practices.³ The Department of Homeland Security (DHS) coordinates national strategy, interagency activities, and public-private partnerships for infrastructure security and resilience. DHS delegates sector leadership to other federal agencies in some cases, including the FA Sector. The FA Sector is 1 of 16 designated critical infrastructure sectors under current presidential directives.⁴

CISR programs and activities in the FA Sector are led by the U.S. Department of Agriculture (USDA) and Food and Drug Administration (FDA), which are the FA Sector's designated Sector Risk Management Agencies (SRMAs). Public-private partnerships are largely voluntary and are premised on the overarching assumption that private-sector owners of critical systems and assets are good-faith actors in a risk management enterprise focused on protecting critical systems and assets and the functions they enable.⁵ USDA and FDA identify four main categories of risk to FA Sector-related functions: food contamination and disruption (accidental or intentional), disease and pests, severe weather (i.e., droughts, floods, and climate variability), and cybersecurity.⁶

FOCI risks in the FA Sector are not associated with the incapacity or destruction of critical systems and assets or disruption of essential functions. More often, FOCI risks relate to the control, exploitation, or malicious use of productive systems and assets by self-interested foreign adversaries—instances where the good faith of asset owners cannot be assumed. This type of risk has not been consistently or systematically assessed within the existing CISR voluntary partnership framework.

Potential FOCI risks in the FA Sector identified in this report include prioritization of foreign markets over domestic food security considerations; intellectual property (IP) theft of strategically important genetic engineering research; illicit or forced technology transfer; control of agricultural land and basic agricultural inputs; access to sensitive infrastructure information (e.g., vulnerability assessments based on voluntary disclosures by private-sector entities); and control of critical cyber systems, assets, and networks.

This report provides analysis of potential FOCI risks in the FA Sector and the bearing these risks might have on the overall security and resilience of the sector. The report also provides options for congressional legislation and oversight.

Background: The Food and Agriculture Sector

Presidential directives established critical infrastructure sectors that encompass broad areas of the economy, government, and public services.⁷ There are currently 16 sectors and numerous subsectors. The William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 (FY2021 NDAA; P.L. 116-283) defined the role of SRMAs.⁸ In each sector, SRMAs chair the Government Coordinating Councils (GCCs), which provide for coordination among interagency and intergovernmental partners. Sector Coordinating Councils (SCCs) operate as counterparts to the GCCs, representing the interests of private-sector partners and other nongovernmental stakeholders within a given sector. SCCs are voluntary, self-organized, and self-governing bodies, often chaired by private-sector industry leaders.

The Department of Health and Human Services (HHS), acting through FDA, and USDA are the designated co-SRMAs for the FA Sector. FA SCC membership is composed of major industry enterprises and trade groups.⁹ Most sectors have a recognized Information Sharing and Analysis Center (ISAC), which serves as a hub for threat reporting, analysis, and information sharing with sector partners on cybersecurity and other matters.

The FA Sector's ISAC was originally formed in 2002 but closed in 2008 after failing to attract an active user base.¹⁰ Sector stakeholder interests were then represented by the Food and Ag Special Interest Group (SIG) within the Information Technology (IT) ISAC. Some observers criticized this arrangement as inadequate to the scale of cyber threats faced by the FA Sector.¹¹ Industry leaders rebranded the Food and Ag SIG as the Food and Agriculture Sector ISAC in 2023.¹² Although the new ISAC continued to operate under IT-ISAC auspices, its leaders asserted that the change would raise the profile of the organization and clarify its mission.¹³ Separately, in 2022, DHS sponsored preliminary development of a state-level pilot ISAC for FA Sector issues through the National Agriculture Biosecurity Center at Kansas State University.¹⁴

Policy options for Congress include whether current information-sharing organizations are appropriately organized and have the necessary resources to meet FA Sector cybersecurity and other security needs, as well as legislation to create new information-sharing organizations.¹⁵

Risk Management in the FA Sector

SRMAs consider a wide range of plausible man-made and natural hazard events that could negatively affect availability and continuity of critical infrastructure functions.¹⁶ CISR programs and activities in the FA Sector to date have been limited in scale and centered on traditional agency missions, such as maintaining the national food safety system and safeguarding farm production of raw foodstuffs from contamination.

FOCI risks affecting food and agriculture may be addressed through national security reviews of certain covered foreign investment transactions, including mergers and acquisitions, by the interagency Committee on Foreign Investment in the United States (CFIUS)—CFIUS authorities are governed by Section 721 of the Defense Production Act of 1950 (P.L. 81-774), as amended. CFIUS may recommend that the President block certain foreign investments, including those that would result in foreign control of any critical infrastructure, if it determines that the transaction would threaten to impair U.S. national security and the risk cannot be mitigated. CFIUS may review certain covered foreign investment and real estate transactions involving the acquisition of agricultural land and corporate entities, and may consider "elements of the agriculture industrial base that have implications for food security."¹⁷

However, the range of transactions CFIUS covers is relatively narrow, focusing on national security risks of corporate acquisitions, noncontrolling investments, and real estate transactions, rather than CISR writ large. Options for Congress include legislation to expand CFIUS jurisdiction over transactions in the FA Sector and to add the Secretary of Agriculture as a full member of CFIUS.¹⁸ Another option is to provide USDA with additional appropriations to fund expansion of CFIUS-related programs and activities to cover a wider range of FOCI risks in the FA Sector.

SRMA Organization and Resourcing for FA Sector Engagements

USDA SRMA responsibilities reside with USDA's National Security Division within the Office of Homeland Security (OHS). The division oversees the agency's programs and participation in interagency activities, which may include FOCI-related risk management activities under programs such as CFIUS, Critical Infrastructure and Insider Threat, Foreign National Vetting, Intelligence, and FA Sector.¹⁹ FDA SRMA responsibilities reside with the Office of Analytics and Outreach/Food Defense and Emergency Coordination Staff at the Center for Food Safety and Applied Nutrition (CFSAN). Neither USDA/OHS nor FDA/CFSAN receives dedicated appropriations for SRMA-related programs and activities. Instead, SRMA engagement appears to be carried out in addition to other customary activities included in these offices' program portfolios.²⁰

USDA requested $225,000 in funds to support OHS engagements with FA Sector stakeholders in its FY2024 budget request.²¹ Referencing a ransomware attack on JBS—a Brazilian-owned meat processing firm with extensive operations in the United States—USDA/OHS stated that as "cybersecurity threats and vulnerabilities continue to grow, USDA is unable to conduct ... SRMA responsibilities[,] which could have a significant impact on the safety and security of U.S. agriculture" because of a lack of dedicated appropriations for this purpose.²² The FDA budget justification for FY2025 does not show any dedicated SRMA appropriations for FA Sector activities.²³

USDA and FDA list FA Sector engagement activities in annual Food and Agriculture Sector Specific Plan (FA SSP) progress reports, including exercises with FA Sector stakeholders.²⁴ The exercises include several food defense emergency scenarios but do not include FOCI-related threats or other FOCI issues that might affect emergency response. In April 2024, the Cybersecurity and Infrastructure Security Agency (CISA) hosted the Cyber Storm IX exercise, a major national cybersecurity exercise, which focused on the FA Sector as a possible target of cyberattacks.²⁵ The extent to which potential FOCI-related vulnerabilities or threats were incorporated into the exercise scenario is not clear.²⁶

The USDA Office of Inspector General (OIG) has participated in the interagency Foreign Influence Investigations Working Group, but it is not clear what the scope of the activity was or whether the group is still active.²⁷ Some former agency officials and infrastructure protection experts have publicly voiced general concerns about the scope and effectiveness of FA Sector SRMA engagements with key stakeholders, according to media reports, although these concerns do not appear to be specific to management of FOCI risks.²⁸

USDA is not an official member of CFIUS but is sometimes brought in at the Treasury Department's discretion on certain transactions. Some Members of Congress have argued that USDA should be a full member given the number of CFIUS cases and sensitive foreign acquisitions involving agriculture, biotechnology, and other USDA equities.²⁹ USDA/OHS currently has one staff member fully dedicated to CFIUS, according to the agency's FY2024 budget justification. USDA requested an additional $500,000 and two full-time employees in anticipation of a potential increase in the scope of CFIUS activity, to include a wider array of agriculture-related transactions. According to its FY2024 budget justification, USDA concluded an agreement with the Treasury Department, giving it "enhanced access" to CFIUS cases that "requires additional OHS and [Office of the General Counsel] resources to ensure we support the agreement between Departments. Previously USDA reviewed less than 50 CFIUS cases annually, and since August 2022, our workload has increased to over 250 cases."³⁰

Options for Congress include requesting additional information about the scope and extent of FDA and USDA activities to support CISR (and specifically FOCI) risk management programs and activities in the FA Sector and providing appropriations to support additional SRMA engagement with the FA Sector. A potential oversight question for Congress could be whether FOCI-related risks are included in relevant exercise scenarios provided by SRMAs (see above). Congressional oversight could also include examination of reports and data on sector engagement from the relevant FA Sector SRMAs—to include appropriate quantifiable metrics and criteria of success. Greater overall engagement with industry stakeholders may clarify what, if any, differences exist between the rate and quality of foreign- and U.S.-owned firms' participation in public-private partnerships and the nature of those differences.

DHS Leadership and Coordination

DHS is responsible for overall coordination of federal CISR activities. It maintains food and agriculture defense programs and activities through the Office of Health Security to support the FA Sector according to legislative requirements and executive branch policy directives.³¹ In addition, DHS previously provided grant funding to the University of Minnesota Center of Excellence for food protection and defense, which now operates independently as the Food Protection and Defense Institute. The institute supports interdisciplinary research on protection of the global food supply, "including supply chain resilience, information sharing, risk analysis and assessment, education, epidemiology, [and] economics," among other topics.³²

In 2019, CISA introduced National Critical Functions as a conceptual framework for identifying and assessing cross-sector risk to essential or systematically important infrastructure systems, assets, and networks, to complement and expand the existing sector-based CISR framework. CISA defines National Critical Functions as

functions of government and the private sector so vital to the United States that their disruption, corruption, or dysfunction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.³³

The 55 designated National Critical Functions include production and provision of agricultural products and services, and human and animal food products and services.³⁴

Related Programs, Policies, and Directives

The 2013 National Infrastructure Protection Plan (NIPP) and the FA SSP have provided the primary risk management guidance for FA Sector stakeholders over the past decade.³⁵ The FA SSP defines risk "in the context of the NIPP 2013 ... as the potential for loss, damage, or disruption to the Nation's critical infrastructure resulting from destruction, incapacitation, or exploitation during some future manmade or naturally occurring event."³⁶ These documents outline an organizational approach and framework for sector risk management—primarily through voluntary public-private partnerships—but generally do not direct specific agency actions. FA Sector Annual Reports provide updates on progress toward meeting FA SSP goals.³⁷ (The FA SSP and the subsequent annual progress reports do not specifically identify foreign ownership of agricultural land or sector assets as threats to the FA Sector.)

Section 9002 of the FY2021 NDAA (P.L. 116-283) directed the Secretary of Homeland Security to assess the current CISR policy framework and assess the need for changes to the existing critical infrastructure sectors. In November 2021, CISA submitted a statutorily mandated report on its assessment of the CISR framework and preliminary findings. It suggested, among other things, that the review process offered "an opportunity" to designate a Bioeconomy Sector separate from the existing FA Sector.³⁸ (The National Security Memorandum [NSM] on Critical Infrastructure Security and Resilience [NSM-22] retained existing sectors without modification but did not foreclose the possibility of new sectors in the future.) The bioeconomy is the portion of the economy based on products, services, and processes derived from biological resources (e.g., plants and microorganisms). Some of the FOCI risks in the FA Sector, such as IP protection of genetically engineered seed traits, relate to the bioeconomy.

Options for congressional action include oversight over DHS updates of its CISR policy framework as mandated in the FY2021 NDAA, to include changes to risk assessment scope and methods, and creation of a new Bioeconomy Sector. Another option would be oversight of executive branch programs and activities set forth in Executive Order (E.O.) 14017, NSM-16, NSM-22, Section 9002(b) of P.L. 116-283, and other laws, policies, and directives that may have a bearing on assessment of FOCI risks in the FA Sector.

National Security Memorandum for the FA Sector

On November 10, 2022, the White House released an NSM, "Strengthening the Security and Resilience of United States Food and Agriculture" (NSM-16), which covers the security and resilience of food and agriculture systems and supply chains; directs federal agencies to take actions to "identify and assess threats, vulnerabilities, and impacts" from high-consequence and catastrophic incidents; and prioritize resources "to prevent, protect against, mitigate, respond to, and recover from the threats and hazards that pose the greatest risk."³⁹ It supersedes previous White House policy guidance given in Homeland Security Presidential Directive 9 (HSPD-9), issued in 2004.⁴⁰

NSM-16 identifies a wide range of threats facing sector stakeholders, to include chemical, biological, radiological, and nuclear (CBRN) threats; intentional introduction of hazardous contaminants; natural or genetically engineered pathogens and pests; and cybersecurity breaches leading to disruption of networked systems or IP theft. As with the earlier plans and directives, it does not specifically identify foreign ownership and control as a threat.

NSM-16 assigns primary responsibility for coordinating executive branch actions to the Assistant to the President for National Security Affairs (APNSA). The APNSA must provide an annual report to the President summarizing implementation progress, identifying capability gaps, and providing recommendations to close those gaps. Relevant provisions and reporting requirements are summarized in Table 1.

In March 2023, the FA Sector SRMAs and DHS jointly published the interim risk review mandated under NSM-16. The review contains a short section on foreign acquisitions in the FA Sector as a "potential factor contributing to risk," which states⁴¹

Foreign acquisition of U.S. agricultural assets may pose risks to the U.S. food and agriculture sector in some cases. For example, a recent research report prepared to support the deliberations of the U.S.-China Economic and Security Review Commission describes several potential risks to U.S. agriculture associated with recent acquisitions and attempted acquisitions of U.S.-based agricultural assets (including agricultural land, intellectual property [such as IP related to genetically modified seeds], and U.S.-based food producers and logistics companies), which may include loss of economic competitiveness, reduced exports, negative environmental impacts, and associated public health risks.⁴²

The review supports several other required assessment and planning products mandated by NSM-16 (see Table 1), which are in progress as of this writing, according to information posted on agency websites.⁴³

Three other relevant E.O.s preceded NSM-16—E.O. 14081 on the bioeconomy, E.O. 14083 related to CFIUS reviews, and E.O. 14017 on supply chain security and resilience. They are discussed below.

Executive Order on Bioeconomy

On September 12, 2022, President Biden issued E.O. 14081, "Advancing Biotechnology and Biomanufacturing Innovation for a Sustainable, Safe, and Secure American Bioeconomy."⁴⁴ The E.O. focused on the economic potential of the bioeconomy and federal support of research and development (R&D), data sharing, workforce training, regulatory reforms, and other goals and objectives. In addition, it contained a security-related objective:

Secure and protect the United States bioeconomy by adopting a forward-looking, proactive approach to assessing and anticipating threats, risks, and potential vulnerabilities (including digital intrusion, manipulation, and exfiltration efforts by foreign adversaries), and by partnering with the private sector and other relevant stakeholders to jointly mitigate risks to protect technology leadership and economic competitiveness.

Accordingly, the E.O. instructed the APNSA and the Assistant to the President for Economic Policy to coordinate with the Secretaries of Defense and Agriculture and other agency leaders to identify actions to "mitigate risks posed by foreign adversary involvement in the biomanufacturing supply chain and to enhance biosafety, biosecurity, and cybersecurity in new and existing infrastructure." Additionally, it required the Secretary of Homeland Security to conduct vulnerability assessments of bioeconomy-related critical infrastructure and National Critical Functions and to "enhance coordination with industry on threat information sharing, vulnerability disclosure, and risk mitigation for cybersecurity and infrastructure risks to the United States bioeconomy."

For more information on E.O. 14081 and bioeconomy issues, see CRS Report R47274, White House Initiative to Advance the Bioeconomy, E.O. 14081: In Brief; CRS Report R46881, The Bioeconomy: A Primer; and CRS Report R47265, Synthetic/Engineering Biology: Issues for Congress.

Executive Order on CFIUS

On September 15, 2022, President Biden issued E.O. 14083, "Ensuring Robust Consideration of Evolving National Security Risks by the Committee on Foreign Investment in the United States," to update the factors taken into consideration in the CFIUS review process as part of ongoing implementation of the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA; P.L. 115-232, Title XVII, Subtitle A).⁴⁵ E.O. 14083 notes that certain foreign investments "may undermine supply chain resilience efforts and therefore national security by making the United States vulnerable to future supply disruptions" and directs CFIUS to consider the effect of covered transactions on supply chain resilience and security, including with respect to "elements of the agriculture industrial base that have implications for food security," among other sectors. For more information on E.O. 14083, see CRS In Focus IF12415, CFIUS Executive Order on Evolving National Security Risks and CFIUS Enforcement Guidelines.

Executive Order on America's Supply Chains

On February 24, 2021, President Biden signed E.O. 14017, "America's Supply Chains," to ensure that supply chains are "resilient, diverse, and secure" against threats and hazards that might affect the "availability and integrity of critical goods, products, and services."⁴⁶ It contains two requirements related to foreign investment issues (not specific to the FA Sector): (1) a progress report on developing domestic critical minerals supply chains and (2) recommendations for federal incentives and regulatory changes to encourage domestic and foreign investment in critical goods and materials. As with the more recent NSM, it assigns the White House coordination role to the APNSA. It requires each critical infrastructure sector SRMA to produce a report on relevant supply chain risks within one year. USDA, as co-SRMA in the FA Sector, published the required report (hereinafter the USDA supply chain report) in February 2022.⁴⁷

Prospective Cyber Incident Reporting Requirements

In April 2024, DHS issued a proposed rule, "Cyber Incident Reporting for Critical Infrastructure Act Reporting Requirements."⁴⁸ The proposed rule was issued in compliance with provisions of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), enacted under Division Y of the Consolidated Appropriations Act, 2022 (P.L. 117-103). It requires CISA to (1) engage in rulemaking to mandate reporting of cybersecurity incidents to the agency, (2) enforce noncompliance with required reporting, and (3) disseminate analysis based on the information collected. The FA Sector annual progress report for FY2022 noted that the FA Sector GCC and SCC "assisted in shaping the implementation" of CIRCIA requirements, without providing further detail.⁴⁹

According to P.L. 117-103, the reporting requirements apply to entities in federally designated critical infrastructure sectors "that [satisfy] the definition established by the Director in the final rule." In designating covered entities, CISA proposed both general (e.g., size) and sector-based criteria. CISA declined to apply sector-based criteria to the FA Sector following consultations with the co-SRMAs.⁵⁰ Instead, CISA would apply a general size-based criterion to agricultural enterprises, which exempts small businesses from regulatory compliance, likely "based on the mean, median, or mode of number of employees across such entities."⁵¹ According to CISA, the intent is to cover larger entities in the FA Sector to allow for development of "sector-specific threat and trends analysis."⁵² The threat of state and non-state foreign adversaries was discussed throughout the proposed rule. However, the discussion did not include potential FOCI risks.

Potential FOCI Risks in the FA Sector

Supply Chain Security

A 2021 joint report on FA Sector risks by DHS, the Office of the Director of National Intelligence (ODNI), academics, and industry stakeholders (hereinafter the joint report) identified certain FOCI threats in agricultural supply chains.⁵³ Specifically, it identified the possibility of a "takeover of [an] important supply chain entity by foreign investors" as part of an economic coercion and manipulation campaign but did not elaborate on specific cases, threats, or acquisition mechanisms.⁵⁴ A 2022 report (hereinafter the Review Commission report) by the congressionally mandated U.S.-China Economic and Security Review Commission provided information on these and other issues as they related to China. The report stated that acquisition of major domestic agribusinesses may "confer undue leverage over U.S. supply chains" and lead to restructuring of supply chains that negatively affects domestic producers and service providers.⁵⁵

The Review Commission report also identified risks of IP theft, illicit technology transfer, and foreign control of domestic FA Sector supply chains. According to the report, these activities are part of a coordinated and deliberate policy of the government of the People's Republic of China (PRC) to address China's domestic food security challenges by increasing productivity through illicit technology transfer and overseas diversification of its agricultural supply chains.⁵⁶ In addition, the report warned that the PRC-linked firms may attempt to reverse-engineer illegally acquired U.S. seed varieties to identify vulnerabilities to crop disease and other threats.

The USDA supply chain report identified the growing ownership concentration in meat and poultry manufacturing, pesticides and crop seeds, and farm machine parts as sources of potential risk.⁵⁷ It did not specifically identify FOCI as a threat or risk factor. However, foreign-owned or -controlled multinationals have significant presence in these areas of production.

Foreign Acquisition of Seed and Agricultural Chemical Suppliers

In 2016, ChemChina announced plans to acquire Syngenta, a Swiss-based agricultural conglomerate (with extensive business operations in the United States) for $43 billion.⁵⁸ The acquisition—claimed as the largest foreign acquisition by a PRC company at the time—became the subject of CFIUS review and was eventually approved.⁵⁹ While CFIUS reviews are not public, media reports suggested that the review would likely focus on defense-specific issues, such as proximity of Syngenta facilities to U.S. military bases and ownership of potentially sensitive military contracts, more than food-security-related FOCI issues.⁶⁰

In a press release following CFIUS's approval of the transaction, Senator Grassley (IA) stated

It's clear that China is looking at purchasing companies with food production expertise as part of a long-term strategic plan and a component of their national security. We need to be looking at these mergers in the same way, so it makes sense for CFIUS to take that angle into consideration when reviewing these transactions. The fact that a state-owned enterprise may have yet another stake in U.S. agriculture is alarming.⁶¹

In 2020, ChemChina and Sinochem—a Chinese state-owned multinational chemical manufacturing conglomerate—consolidated their agricultural assets into Syngenta.⁶² In response, some Members of Congress called upon the Treasury Secretary, as chair of CFIUS, to include food security issues in assessments of any foreign acquisitions of FA Sector entities.⁶³ In the 118^th Congress, several bills under consideration would expand CFIUS reviews of foreign investment transactions in the FA Sector to include food security issues and would mandate regular USDA membership as opposed to informal, ad hoc participation.

The Consolidated Appropriations Act, 2024 (P.L. 118-42, §787), enacted in March 2024, requires the Secretary of Agriculture to be included as a member of CFIUS on a case-by-case basis with respect to covered transactions involving agricultural land, agriculture biotechnology, or the agriculture industry (including agricultural transportation, agricultural storage, and agricultural processing), as determined by the chair of CFIUS in coordination with the Secretary of Agriculture.⁶⁴ Congress provided $2 million in appropriated funds, to remain available until expended, for USDA to implement this provision.

Foreign Acquisition of Meat and Poultry Suppliers

The MITRE Corporation noted in a July 2021 report (hereinafter the MITRE report) on domestic meat and poultry supply chains that some foreign-owned U.S. meat and poultry providers prioritized exporting meat products to their home country rather than supplying domestic consumption needs when spot shortages occurred during the COVID-19 public health emergency.⁶⁵ Further, the report recommended that FA Sector SRMAs and certain interagency partners identify foreign ownership of key processing and production facilities and analyze "the policy implications of non-compliance with U.S. government mandates during an emergency."⁶⁶

Four major multinational agricultural companies control the majority of U.S. beef production. Two of these—JBS and National Beef Packing Company—are owned or controlled by Brazilian entities.⁶⁷ Similarly, the acquisition of Smithfield Foods by WH Group Limited—a PRC firm—conferred control of 20% of the domestic pork processing industry to a foreign owner.⁶⁸

Reports that some foreign-owned meat processing plants prioritized deliveries to their home countries during the COVID-19 pandemic could also be a subject for congressional oversight and legislation.

Food Processing, Packaging, and Production

The MITRE report found that trends toward consolidation of entities were highly pronounced in the processing, packaging, and production of meat and poultry, creating a "dense and complex network" with several "key hubs" that were potentially vulnerable to disruption by man-made or natural causes:⁶⁹

With their high connectivity, these five key hubs have significant and extensive influence on the resilience and continuity of the U.S. meat supply chain. A disruption in any one of these hubs can have a large downstream effect on the rest of the network. The potential for disruption is further exacerbated by the network structure of "super embedded hubs" where each of these five key hubs are tightly interconnected.⁷⁰

The MITRE report considered several types of intentional threats to such hubs, to include biological, physical, or cyber-based attacks. The report did not specifically consider FOCI risks as they might relate to any of these types of attacks. It is not clear whether foreign-owned entities are more vulnerable to these attacks than their U.S.-owned counterparts or whether the fact of foreign ownership itself may be a threat in some cases. A report by the Food Protection and Defense Institute (hereinafter the FPDI report) asserts that cybersecurity vulnerabilities, exacerbated by poor technical competence and a lax security culture, are widespread throughout FA Sector supply chains, but the FPDI report does not attribute specific risks to FOCI threats in the FA Sector.

Although not specific to the FA Sector, E.O. 14083 of September 2022 states

investments by foreign persons with the capability and intent to conduct cyber intrusions or other malicious cyber-enabled activity—such as ... the operation of United States critical infrastructure ... may pose a risk to national security.

It is not yet clear whether FOCI risks to critical infrastructure identified in E.O. 14083 would fall within the scope of various risk management activities mandated in NSM-16, because the latter directive is still in the early implementation phase as of the date of this report (see "National Security Memorandum for the FA Sector" section).

Agricultural and Food Supporting Facilities

Agricultural and food supporting facilities include R&D facilities. The joint report states that these may be targeted by foreign entities for purposes of espionage, theft of trade secrets, and IP theft.⁷¹ Further, these activities may confer competitive advantages on foreign entities and provide "coercion points on aggressive corporate takeovers of U.S. corporations."⁷² The joint report identifies "small and emerging corporations, universities, and government research organizations" as the most vulnerable entities of such targeting.⁷³

Regulatory, Oversight, and Industry Organizations

The USDA OIG noted investigations involving foreign influence or interference in the FA Sector in some recent reports to Congress. In its FY2022 (second half) semiannual report to Congress, the USDA OIG reported substantiated allegations of insider threat activity involving a senior official at USDA's Animal and Plant Health Inspection Service (APHIS). Investigators found that the official maintained "inappropriate relationships" with foreign nationals, failed to report personal and official foreign travel, violated IT security, and accepted a gift from a foreign official without properly reporting it.⁷⁴ The FY2020 (first half) report noted that OIG audited USDA controls to prevent "unauthorized access to, and transfer of, USDA-funded research technology to foreign countries" by foreign research collaborators and found weaknesses that required correction by USDA agencies.⁷⁵ Semiannual USDA OIG reports for FY2023—the most recent available as of this writing—do not note any FOCI-related activities.

An option for Congress would be to exercise its oversight authorities to ascertain whether the recommended corrections suggested by USDA OIG to prevent further occurrences of IP theft by foreign entities were implemented. Another option for Congress would be to request the relevant OIG report in nonredacted form from USDA.

The Role of Transnational Criminal Organizations

A 2019 study included in the FPDI report found that FOCI threats in the FA Sector were not necessarily limited to otherwise legitimate business transactions. According to the FPDI study, "transnational criminal organizations (TCOs) are already heavily involved in large-scale food-related crimes such as counterfeiting, economically motivated adulteration, theft and resale, and smuggling."⁷⁶ Further, cargo thefts are often aided by malicious cyber intrusions to penetrate agricultural supply chains and to identify and reconnoiter targets.⁷⁷

In some cases, foreign-controlled firms have been targeted by TCOs for criminal exploitation or have themselves engaged in criminal practices. According to media reports, meat production by JBS facilities in the United States was disrupted in 2021 by a ransomware attack, which JBS attributed to a Russian TCO.⁷⁸ It is not clear whether foreign-owned entities are more vulnerable to these attacks than their U.S.-owned counterparts. The previous year, J&F Investimentos S.A., the Brazilian investment group that controls JBS,⁷⁹ pleaded guilty to violations of the Foreign Corrupt Practices Act as part of a bribery scheme in Brazil to obtain financing and other benefits and agreed to pay a $256 million criminal penalty.⁸⁰

Foreign Control of U.S. Farmland

FOCI risks to U.S. farmland may involve direct ownership of the land or de facto control over land use for agricultural purposes, such as use of specific seed varieties and pesticides.

Land Ownership Risks

Increasing scarcity of arable land globally coupled with increasing demand for agricultural commodities has made U.S. farmland an attractive investment for certain foreign entities. Motivations for land acquisitions may be economic, strategic, or both. USDA tracks foreign acquisition of agricultural and nonagricultural land under authorities of the Agricultural Foreign Investment Disclosure Act of 1978 (AFIDA; P.L. 95-460). According to USDA, as of December 31, 2022, foreign persons and entities held an interest in 44.3 million acres of U.S. agricultural and nonagricultural land, accounting for 3.4% of total privately owned land.⁸¹

Owners from five countries (Canada, the Netherlands, Italy, the United Kingdom, and Germany) accounted for approximately 62% of all foreign-owned U.S. agricultural land in 2022. Other countries with aggregate owner holdings of more than 500,000 acres were Portugal, France, Denmark, Luxembourg, Mexico, Switzerland, the Cayman Islands, Japan, and Belgium. As of year-end 2022, USDA reports that PRC entities accounted for 383,935 acres, or 0.8%, of total foreign-owned U.S. agricultural land.⁸²

Ownership of U.S. agricultural land by PRC entities, as reported by USDA under AFIDA, appears negligible, accounting for less than 1% of total foreign-owned U.S. agricultural land as of year-end 2022. However, the Review Commission report raised concerns about the noncommercial purposes of PRC acquisitions (i.e., increasing China's food security) and the apparent acceleration of the pace of acquisitions, which have elicited concern both from Congress and from certain agricultural stakeholders and industry observers.⁸³ Legislation to restrict certain sales of agricultural land, tighten disclosure requirements, and expand federal review of foreign investment transactions has been introduced in recent Congresses.⁸⁴

Neither USDA, FDA, nor businesses associated with the FA Sector track or compile data on any associated farm assets and property conveyances that may be attached to the farmland ownership or property investment, such as buildings, equipment, machinery, livestock, and IP and other production-related or technology rights. This may create data gaps that complicate analysis of relevant events or trends. Congress may consider what data categories used for AFIDA disclosures are sufficient to identify FOCI-related risks to the FA Sector.

Technology Use Agreements for Basic Agricultural Inputs

Large agrochemical and seed firms—many foreign owned—commonly require customers to sign technology use agreements for use of seed and pesticides. Technology use agreements for patented seed varieties typically impose legally enforceable conditions on end users (farmers) that cover a range of common agricultural practices.⁸⁵ Some public interest groups and critics claim that the current patent system gives too much power to large firms, exceeds congressional intent, and allows for agency overreach in granting and enforcing IP rights.⁸⁶

"Ownership of [seed] biotech traits enable a level of control over every acre containing the trait," one law firm wrote in response to a 2022 USDA request for public comment on competitiveness in the agricultural seed production business. "The contractual terms reach far beyond grants of [IP] rights and impose wide-ranging, intrusive, and often poorly defined, obligations and requirements on licensees."⁸⁷

Enforcement clauses of technology use agreements may allow firms to have unrestricted access to licensees' properties and facilities, business records (including receipts for chemicals and herbicides), internet service provider details, required crop-record submissions to USDA, and detailed records of farming practices (e.g., fertilizing, planting, and harvesting).⁸⁸ Violations may result in lawsuits or cancellation of use agreements, which may have the practical effect of cutting off access to seed supply for planting.

Some public interest groups assert that corporate collection and ownership of detailed data on farming practices may also raise fair data use and privacy issues. According to the American Antitrust Institute, "digital farming will likely enhance incentives to amass and appropriate valuable farm data for potential use as a strategic competitive asset."⁸⁹

Because foreign-owned agrochemical and seed firms predominate in the U.S. market (see "Foreign Acquisition of Seed and Agricultural Chemical Suppliers" section), it follows that foreign-owned and -controlled entities may be able to amass detailed farm-level data—whether collected through IP enforcement activities or other means—across broad swaths of U.S. agricultural land.

Global agriculture firms assert that the patent system incentivizes and protects long-term R&D investments, which are necessary to produce seed traits such as those that have made higher crop yields possible over time at reasonable cost to farmers.⁹⁰ Additionally, they assert that acquisition of farm-level data facilitates development of precision agriculture products, as well as individualized recommendations for seed and herbicide use that benefit farmers.

In 2021, the Biden Administration directed USDA to prepare a report on consolidation within the agricultural seed industry, for which the agency subsequently sought public comment.⁹¹ Commenters—ranging from small organic farmers to major multinational conglomerates—noted the trend toward consolidation and globalization in the seed industry, the seed industry's convergence with the agrochemical industry, and the increasing prevalence of seeds engineered to withstand various treatments (often sold by the same firms) against pests, weeds, and disease. In general, arguments centered on ecological, economic, and competitiveness concerns, rather than potential FOCI risks. Nonetheless, in some cases, foreign firms' acquisitions of major seed producers have raised security concerns (see "Foreign Acquisition of Seed and Agricultural Chemical Suppliers" section).

Options for Congress include amending patent law to clarify its intent regarding the use of utility patents for genetically engineered seed traits and examining IP enforcement practices that foreign-owned firms may use to collect farm-level data and whether data are aggregated and used in ways that safeguard U.S. security interests.

Conclusion

FOCI within the U.S. FA Sector is widespread. Foreign-owned multinationals are present throughout the sector, in segments such as meat processing, agricultural chemicals, and crop seeds. Some foreign acquisitions of corporate entities or agricultural land may be subject to CFIUS review but are generally legal and generally allowed. In the R&D field, collaboration with foreign nationals and research institutions is commonplace in both the public and private sector. Further, the national CISR enterprise itself frequently relies on collaboration of U.S. public- and private-sector entities with their foreign counterparts. SRMAs generally assume that asset owners are good-faith actors, regardless of nationality.

However, FOCI may also present potential risks to the FA Sector, as seen in allegations of unauthorized technology transfer, theft or misappropriation of IP, prioritization of overseas markets over domestic demand, and attempted land purchases near sensitive military assets. Other potential areas of concern, such as farm-level data gathering by multinational firms and alleged abuse of IP protections to control farming practices, relate primarily to concerns about corporate consolidation and concentration that are not specific to foreign ownership. Nonetheless, some Members of Congress and other observers have raised concerns over foreign acquisitions of U.S. and multinational firms in key FA Sector segments.

The full extent to which specifically foreign ownership, control, or influence over critical infrastructure systems and assets affects the overall level of risk to critical functions of the FA Sector (i.e., the safe production, distribution, and supply of food) has yet to be established. Much of the publicly available reporting is conjectural and anecdotal, complicating any more systemic analysis of FOCI risk to the FA Sector. Legislative mandates for data gathering on certain commercial transactions (e.g., AFIDA) and cybersecurity incident reporting (e.g., CIRCIA), as well as executive branch directives to appropriate federal agencies to conduct relevant studies, may offer an opportunity for more authoritative analyses.