Minneapolis Bridge Lessons for Digital Security

The Minneapolis bridge collapse is a tragedy. I had two thoughts that related to security.

  1. If the bridge collapsed due to structural or design flaws, the proper response is to investigate the designers, contractors, inspectors, and maintenance personnel from a safety and negligence perspective. Based on the findings architectural and construction changes plus new safety operations might be applied in the future. This is a technical and operational response.

  2. If the bridge collapsed due to attack, the proper response is to investigate, apprehend, proseceute, and incarcerate the criminals. Redesigning bridges to withstand bomb attack is unlikely. This is a threat reduction and deterrence response.


Do you agree with that assessment? If yes, why do you think response 1 (try to improve the "bridge" and similar operations) is the response to every digital security attack (i.e., case 2)? My short answer: everyone blames the victim, not the criminal.

The NTSB is on scene in Minneapolis with law enforcement to figure out if the bridge collapse was caused by scenario 1 or 2. Why don't we have a National Digital Security Board investigating breaches? My short answer: it's easier to hide a massive security breach than the destruction of any bridge, building, plane, or train.

Comments

hogfly said…
Richard,
I think if #1, They understated the "minor things that needed attention". The bridge was reported to be about 40 years old and was last inspected in 2006.

Could this be a case of set it and forget it based on assumption that concrete construction couldn't fail in only 40 years because the designers claimed it would have to be replaced in 2020?

Sounds a lot like security companies and the misgivings of management when the security folks say "it's a minor risk if we leave it". Ooops.

It is an awful tragedy.
10:44 AM
yoshi said…
Its #1. I work a mile away from it and my boyfriend witness the collapse. I also know one person in the hospital. Now that I am back from defcon I'll be walking over and checking it out myself.

Its not a cement bridge. It was a steel bridge. In fact it had many construction qualities about it that made it unique including one of the longer steel beam spans so they could avoid putting the peers in the water. So, imho, its a bad example.

But to your point - I was at defcon over the weekend and it continues to amaze me how many people avoid using the network because "its hostile" (i fail to see how its more hostile than an airports wifi but I digress). Both myself and peers happily plugged in and even vpn'ed to our respective companies networks to grabbed e-mail. Why did we do this? Simple because our defenses are sound. You can build sound, stable, and secure infrastructure that can withstand attacks. The problem is many don't.
11:12 AM
Anonymous said…
Hi Richard,

It's JB - making a comment on your bridge post just to try to figure out how to get in touch with you. Remember me, I'm the Alt-F4 guy...?

Hope you're doing well and would like a way to contact you directly. Email me at jabesnyder@hotmail.com and I'll reply.

Best,

JB
12:04 PM
Anonymous said…
Going to your point of "everyone blames the victim," I would venture to guess that unlike a bank robbery which would make local news, most companies don't report many security breaches that involve the lost of confidential and valuable data. That's where hopefully efforts like Infragard facilitate the reporting and handling of cybercrime in a sensitive manner.

At this point, after the data theft has taken place, my guess is that no one knows the company is a victim because the party is too afraid or too ashamed to come forward. What do you think of laws that compel companies to report data theft or security breaches? Do they work well? Also do you think that these crimes are more widespread than reported, or has vendor hype in an attempt to sell security tools caused reporters to sensationalize the issue? Thanks.
1:22 PM
Dan Weber said…
Going after the perpetrator doesn't always work, especially if they are dead.

The US has pretty much avoided suicide attackers so far(outside of 9/11), but deterrence is hard to do against them.

I'm not sure what the response is, because hardening a bridge seems nearly impossible. I think we need to just live with an attack every N years, like we deal with M thousand driving deaths every 1 year.
1:35 PM
jbmoore said…
There may be no negligence involved,or the negligence may be with the bureaucrats and politicians who cut upkeep. The bridge failed completely and suddenly from looking at the video. According to wikipedia.org, it had no redundancy. The failure could have been due to natural resonance. The contractors on the bridge who were removing concrete and resurfacing noticed the harmonics. Then too, the bridge is in Minnesota. It underwent over 40 years of thermal cycling and salt corrosion. Couple that with visual inspections that may have easily missed damage and you have what we've seen. You can't rule out number two though, because a contractor might have used substandard steel which would be criminal and not negligence.
1:40 PM
Anonymous said…
http://p068.ezboard.com/bminnesotabridgecollapse

A board to discuss the collapse
2:58 PM
Unknown said…
If my server gets pwned at work, do we really need to call in an oversight board? Eventually we would have to figure out how big is big enough to invoke some oversight review... It would help wiwth bridges because bridges are built publicly and used publicly, whereas companies are not always so public. Liability is a whole new ballgame, I guess.

What about the costs of upgrading the bridge? Maybe it was outdated and new discoveries and technologies could have dramatically improved it? Then we get into talks about costs and risks, which isn't really fair in comparison to digital security because of the human life factor. The same with Katrina and the levees not being good enough for that 500-year storm. Risk was taken and they failed on those odds...

I don't think there is any right answer unless you can answer the question: Do you work under the assumption that you need perfect security (craftmanship/safety) or do you work on some gradient of risk?

I read in one place that they were working on the bridge in recent weeks. It might be possible that work interrupted the integrity of the bridge, maybe maintenance or perhaps upgrades? Even Blackberry can tell us about the possibilities for upgrades taking something offline for a moment...

(Sorry I'm not more cohesive in my response, sitting in a coffeeshop at the moment...)
4:05 PM
jbmoore said…
Yes, it comes down to risk, but $300 million and some proper oversight of the Corp of Engineers and its contractors would have been a lot cheaper insurance than the $30 billion us taxpayers are paying for Katrina's mess. Another example with Katrina is the insurance companies contesting storm claims. If they don't pay your insurance claim when your mission critical app goes down due to a datacenter accident, then your premiums were money down the drain.
7:15 PM
Anonymous said…
Actually as JB said above, you really should have a way to contact yourself directly.

Most other security researchers do ... even ones that are better than you.
5:40 PM
Richard Bejtlich said…
Anonymous,

Are you talking to me? If yes, what part about "Dedicated to FreeBSD, network security monitoring, incident response, and network forensics. Email taosecurity at gmail dot com." at the top of my blog did you miss? And why the need to mention anyone "better than me?"
6:17 PM
Tom Pick said…
As a resident of the city who lives on the north end and often works on the south end, that could have been me. It did however take the life of an information security expert at one of my client companies. Peter Hausmann at Assurity River. There’s a piece on him here:

http://minnesota.publicradio.org/display/web/2007/08/07/hausmannobit/

So, the tragedy had a more direct link to network and information security than even Richard’s post imagined.
3:21 PM
Anonymous said…
Nice post
2:36 AM
Post a Comment

Popular posts from this blog

Zeek in Action Videos

Image
This is a quick note to point blog readers to my Zeek in Action YouTube video series for the Zeek network security monitoring project .  Each video addresses a topic that I think might be of interest to people trying to understand their network using Zeek and adjacent tools and approaches, like Suricata, Wireshark, and so on.  I am especially pleased with Video 6 on monitoring wireless networks . It took me several weeks to research material for this video. I had to buy new hardware and experiment with a Linux distro that I had not used before -- Parrot .  Please like and subscribe, and let me know if there is a topic you think might make a good video.
Read more

MITRE ATT&CK Tactics Are Not Tactics

Image
Just what are "tactics"? Introduction MITRE ATT&CK  is a great resource, but something about it has bothered me since I first heard about it several years ago. It's a minor point, but I wanted to document it in case it confuses anyone else. The MITRE ATT&CK Design and Philosophy document from March 2020 says the following: At a high-level, ATT&CK is a behavioral model that consists of the following core components: • Tactics, denoting short-term, tactical adversary goals during an attack; • Techniques, describing the means by which adversaries achieve tactical goals; • Sub-techniques, describing more specific means by which adversaries achieve tactical goals at a lower level than techniques; and • Documented adversary usage of techniques, their procedures, and other metadata. My concern is with MITRE's definition of "tactics" as "short-term, tactical adversary goals during an attack," which is oddly recursive. The key word in the tacti
Read more

New Book! The Best of TaoSecurity Blog, Volume 4

Image
  I've completed the TaoSecurity Blog book series . The new book is  The Best of TaoSecurity Blog, Volume 4: Beyond the Blog with Articles, Testimony, and Scholarship .  It's available now for Kindle , and I'm working on the print edition.  I'm running a 50% off promo on Volumes 1-3 on Kindle through midnight 20 April. Take advantage before the prices go back up. I described the new title thus: Go beyond TaoSecurity Blog with this new volume from author Richard Bejtlich. In the first three volumes of the series, Mr. Bejtlich selected and republished the very best entries from 18 years of writing and over 18 million blog views, along with commentaries and additional material.  In this title, Mr. Bejtlich collects material that has not been published elsewhere, including articles that are no longer available or are stored in assorted digital or physical archives. Volume 4 offers early white papers that Mr. Bejtlich wrote as a network defender, either for technical or pol
Read more