Tuesday, August 07, 2007

Minneapolis Bridge Lessons for Digital Security

The Minneapolis bridge collapse is a tragedy. I had two thoughts that relate to security.

  1. If the bridge collapsed due to structural or design flaws, the proper response is to investigate the designers, contractors, inspectors, and maintenance personnel from a safety and negligence perspective. Based on the findings, architectural and construction changes plus new safety operations might be applied in the future. This is a technical and operational response.

  2. If the bridge collapsed due to attack, the proper response is to investigate, apprehend, prosecute, and incarcerate the criminals. Redesigning bridges to withstand bomb attacks is unlikely. This is a threat reduction and deterrence response.


Do you agree with that assessment? If yes, why do you think response 1 (try to improve the "bridge" and similar operations) is the response to every digital security attack, even though an attack is case 2? My short answer: everyone blames the victim, not the criminal.

The NTSB is on scene in Minneapolis with law enforcement to figure out if the bridge collapse was caused by scenario 1 or 2. Why don't we have a National Digital Security Board investigating breaches? My short answer: it's easier to hide a massive security breach than the destruction of any bridge, building, plane, or train.

13 comments:

hogfly said...

Richard,
I think if #1, they understated the "minor things that needed attention". The bridge was reported to be about 40 years old and was last inspected in 2006.

Could this be a case of set it and forget it based on assumption that concrete construction couldn't fail in only 40 years because the designers claimed it would have to be replaced in 2020?

Sounds a lot like security companies and the misgivings of management when the security folks say "it's a minor risk if we leave it". Ooops.

It is an awful tragedy.

yoshi said...

It's #1. I work a mile away from it and my boyfriend witnessed the collapse. I also know one person in the hospital. Now that I am back from DEF CON I'll be walking over and checking it out myself.

It's not a cement bridge. It was a steel bridge. In fact it had many construction qualities about it that made it unique, including one of the longer steel beam spans, so they could avoid putting the piers in the water. So, imho, it's a bad example.

But to your point - I was at DEF CON over the weekend and it continues to amaze me how many people avoid using the network because "it's hostile" (I fail to see how it's more hostile than an airport's wifi, but I digress). Both myself and peers happily plugged in and even VPNed to our respective companies' networks to grab e-mail. Why did we do this? Simple: because our defenses are sound. You can build sound, stable, and secure infrastructure that can withstand attacks. The problem is many don't.

Anonymous said...

Hi Richard,

It's JB - making a comment on your bridge post just to try to figure out how to get in touch with you. Remember me, I'm the Alt-F4 guy...?

Hope you're doing well and would like a way to contact you directly. Email me at jabesnyder@hotmail.com and I'll reply.

Best,

JB

Stephen Brown said...

Going to your point of "everyone blames the victim," I would venture to guess that unlike a bank robbery, which would make local news, most companies don't report many security breaches that involve the loss of confidential and valuable data. That's where hopefully efforts like InfraGard facilitate the reporting and handling of cybercrime in a sensitive manner.

At this point, after the data theft has taken place, my guess is that no one knows the company is a victim because the party is too afraid or too ashamed to come forward. What do you think of laws that compel companies to report data theft or security breaches? Do they work well? Also do you think that these crimes are more widespread than reported, or has vendor hype in an attempt to sell security tools caused reporters to sensationalize the issue? Thanks.

Dan Weber said...

Going after the perpetrator doesn't always work, especially if they are dead.

The US has pretty much avoided suicide attackers so far (outside of 9/11), but deterrence is hard to do against them.

I'm not sure what the response is, because hardening a bridge seems nearly impossible. I think we need to just live with an attack every N years, like we deal with M thousand driving deaths every 1 year.

jbmoore said...

There may be no negligence involved, or the negligence may be with the bureaucrats and politicians who cut upkeep. The bridge failed completely and suddenly from looking at the video. According to wikipedia.org, it had no redundancy. The failure could have been due to natural resonance. The contractors on the bridge who were removing concrete and resurfacing noticed the harmonics. Then too, the bridge is in Minnesota. It underwent over 40 years of thermal cycling and salt corrosion. Couple that with visual inspections that may have easily missed damage and you have what we've seen. You can't rule out number two though, because a contractor might have used substandard steel, which would be criminal and not negligence.

Anonymous said...

http://p068.ezboard.com/bminnesotabridgecollapse

A board to discuss the collapse

LonerVamp said...

If my server gets pwned at work, do we really need to call in an oversight board? Eventually we would have to figure out how big is big enough to invoke some oversight review... It would help with bridges because bridges are built publicly and used publicly, whereas companies are not always so public. Liability is a whole new ballgame, I guess.

What about the costs of upgrading the bridge? Maybe it was outdated and new discoveries and technologies could have dramatically improved it? Then we get into talks about costs and risks, which isn't really fair in comparison to digital security because of the human life factor. The same with Katrina and the levees not being good enough for that 500-year storm. Risk was taken and they failed on those odds...

I don't think there is any right answer unless you can answer the question: Do you work under the assumption that you need perfect security (craftsmanship/safety) or do you work on some gradient of risk?

I read in one place that they were working on the bridge in recent weeks. It might be possible that work interrupted the integrity of the bridge, maybe maintenance or perhaps upgrades? Even Blackberry can tell us about the possibilities for upgrades taking something offline for a moment...

(Sorry I'm not more cohesive in my response, sitting in a coffeeshop at the moment...)

jbmoore said...

Yes, it comes down to risk, but $300 million and some proper oversight of the Corps of Engineers and its contractors would have been a lot cheaper insurance than the $30 billion US taxpayers are paying for Katrina's mess. Another example with Katrina is the insurance companies contesting storm claims. If they don't pay your insurance claim when your mission-critical app goes down due to a datacenter accident, then your premiums were money down the drain.

Anonymous said...

Actually as JB said above, you really should have a way to contact yourself directly.

Most other security researchers do ... even ones that are better than you.

Richard Bejtlich said...

Anonymous,

Are you talking to me? If yes, what part about "Dedicated to FreeBSD, network security monitoring, incident response, and network forensics. Email taosecurity at gmail dot com." at the top of my blog did you miss? And why the need to mention anyone "better than me?"

Tom Pick said...

As a resident of the city who lives on the north end and often works on the south end, that could have been me. It did however take the life of an information security expert at one of my client companies. Peter Hausmann at Assurity River. There’s a piece on him here:

http://minnesota.publicradio.org/display/web/2007/08/07/hausmannobit/

So, the tragedy had a more direct link to network and information security than even Richard’s post imagined.

Anonymous said...

Nice post