All language subtitles for Zero.Days.2016.1080p.BluRay.x264-[YTS.AG]
Would you like to inspect the original subtitles? These are the user uploaded subtitles that are being translated:
1
00:00:47,820 --> 00:00:52,520
Through the darkness of the pathways
that we march,
2
00:00:52,800 --> 00:00:59,780
evil and good live side by side, and
this is the nature of life.
3
00:01:16,560 --> 00:01:23,100
We are in an unbalanced, an unequivalent
confrontation between democracies who
4
00:01:23,100 --> 00:01:29,260
are obliged to play by the rules and
entities who think democracy is a joke.
5
00:01:31,000 --> 00:01:37,140
You can't convince fanatics by saying,
hey, hatred
6
00:01:37,140 --> 00:01:39,740
paralyzes you, love relifts you.
7
00:01:40,820 --> 00:01:45,300
There are different rules that we have
to play by.
8
00:02:00,810 --> 00:02:05,710
Today, two of Iran's top nuclear
scientists were targeted by hit squads.
9
00:02:07,470 --> 00:02:14,010
Today's attack has all the hallmarks of
major strategic sabotage. Iran
10
00:02:14,010 --> 00:02:17,290
immediately accused the U.S. and Israel
of trying to damage its nuclear
11
00:02:17,290 --> 00:02:18,290
program.
12
00:02:28,040 --> 00:02:35,000
I want to categorically deny any United
States involvement in any kind
13
00:02:35,000 --> 00:02:38,500
of act of violence inside Iran.
14
00:02:38,800 --> 00:02:43,260
Covert actions can help, can assist.
15
00:02:44,440 --> 00:02:47,880
They are needed. They are not all the
time essentials.
16
00:02:48,340 --> 00:02:52,260
They in no way can replace their
political wisdom.
17
00:02:53,390 --> 00:02:57,310
Were the assassinations in Iran related
to the Stuxnet computer attacks?
18
00:02:58,850 --> 00:03:00,430
Next question, please.
19
00:03:35,190 --> 00:03:37,990
I don't know.
20
00:03:38,680 --> 00:03:44,760
No one knows who's behind the worm and
the exact nature of its mission, but
21
00:03:44,760 --> 00:03:49,860
there are fears Iran will hold Israel or
America responsible and seek
22
00:03:49,860 --> 00:03:53,460
retaliation. It's not impossible that
some group of hackers did it, but the
23
00:03:53,460 --> 00:03:56,920
security experts that are studying this
really think this required the resources
24
00:03:56,920 --> 00:03:57,920
of a nation state.
25
00:04:03,720 --> 00:04:05,360
Okay, good.
26
00:04:06,200 --> 00:04:07,200
Here we go.
27
00:04:08,329 --> 00:04:11,630
What impact, ultimately, did the Stuxnet
attack have?
28
00:04:11,830 --> 00:04:12,830
Can you say?
29
00:04:13,670 --> 00:04:15,730
I don't want to get into the detail.
30
00:04:16,350 --> 00:04:21,970
The event has already happened. Why
can't we talk more openly and publicly
31
00:04:21,970 --> 00:04:24,830
Stuxnet? Yeah. I mean, my answer is
because it's classified.
32
00:04:25,670 --> 00:04:30,790
I won't knowledge, you know, knowingly
offer up anything I consider classified.
33
00:04:31,250 --> 00:04:35,750
I know that you can't talk much about
Stuxnet because Stuxnet is officially
34
00:04:35,750 --> 00:04:37,800
classified. You're right on both those
counts.
35
00:04:38,540 --> 00:04:41,840
But there has been a lot reported about
it in the press.
36
00:04:42,180 --> 00:04:47,940
I don't want to comment on this. I read
it in the newspapers, in the media like
37
00:04:47,940 --> 00:04:51,340
you, but I'm unable to elaborate upon
it.
38
00:04:51,640 --> 00:04:55,740
People might find it frustrating not to
be able to talk about it when it's in
39
00:04:55,740 --> 00:04:56,820
the public domain, but...
40
00:04:58,120 --> 00:05:00,240
I find it frustrating. Yeah, I'm sure
you do.
41
00:05:00,640 --> 00:05:02,360
I don't answer that question.
42
00:05:02,600 --> 00:05:03,800
Unfortunately, I can't comment.
43
00:05:04,020 --> 00:05:07,160
I do not know how to answer that. Two
answers before we even get started. I
44
00:05:07,160 --> 00:05:09,600
don't know, and if I did, we wouldn't
talk about it anyway.
45
00:05:09,980 --> 00:05:11,920
But how can you have a debate if
everything is secret?
46
00:05:12,140 --> 00:05:14,020
I think right now that's just where we
are.
47
00:05:14,420 --> 00:05:19,420
No one wants to... Countries aren't
happy about confessing or owning up to
48
00:05:19,420 --> 00:05:22,780
they did because they're not quite sure
where they want the system to go.
49
00:05:23,480 --> 00:05:27,020
And so whoever was behind Stuxnet hasn't
admitted they were behind it.
50
00:05:31,050 --> 00:05:35,590
Asking officials about Stuxnet was
frustrating and surreal, like asking the
51
00:05:35,590 --> 00:05:36,950
emperor about his new clothes.
52
00:05:38,090 --> 00:05:43,210
Even after the cyber weapon had
penetrated computers all over the world,
53
00:05:43,210 --> 00:05:47,090
was willing to admit that it was loose
or to talk about the dangers it posed.
54
00:05:48,010 --> 00:05:52,110
What was it about the Stuxnet operation
that was hiding in plain sight?
55
00:05:53,630 --> 00:05:56,630
Maybe there was a way the computer code
could speak for itself.
56
00:05:58,130 --> 00:05:59,990
Stuxnet first surfaced in Belarus.
57
00:06:00,810 --> 00:06:04,830
I started with a call to the man who
discovered it when his clients in Iran
58
00:06:04,830 --> 00:06:08,870
began to panic over an epidemic of
computer shutdowns.
59
00:06:09,470 --> 00:06:12,590
Had you ever seen anything quite so
sophisticated before?
60
00:06:28,890 --> 00:06:32,150
It was firstly in my practice.
61
00:07:36,560 --> 00:07:41,340
On a day-to-day basis, basically, we
are sifting through a massive haystack
62
00:07:41,340 --> 00:07:43,620
looking for that verbal needle.
63
00:07:44,260 --> 00:07:48,640
We get millions of pieces of new
malicious threats, and there are
64
00:07:48,640 --> 00:07:50,380
attacks going on every single day.
65
00:07:50,860 --> 00:07:54,460
And not only are we trying to protect
people and their computers and their
66
00:07:54,460 --> 00:07:59,540
systems and countries' infrastructure
from being taken down by those attacks,
67
00:07:59,720 --> 00:08:03,720
but more importantly, we have to find
the attacks that matter. And we're
68
00:08:03,720 --> 00:08:04,720
about that many.
69
00:08:05,540 --> 00:08:07,080
impact is extremely important.
70
00:08:19,380 --> 00:08:22,680
Twenty years ago, the antivirus
companies, they were hunting for
71
00:08:22,680 --> 00:08:27,000
viruses because there were not so many.
So we had like a tenth of a dozen a
72
00:08:27,000 --> 00:08:32,840
month, and there was just a little
number. Now we collect millions of
73
00:08:32,840 --> 00:08:39,539
attacks every month. This room we call a
woodpecker's room or virus lab,
74
00:08:39,539 --> 00:08:44,020
and this is where virus analysts, we call
them woodpeckers because they are
75
00:08:44,020 --> 00:08:49,600
pecking the worms, network worms and
viruses. We see like three different
76
00:08:49,600 --> 00:08:55,220
of actors behind cyber attacks. They are
traditional cyber criminals. Those guys
77
00:08:55,220 --> 00:09:01,360
are interested only in illegal profit
and quick and dirty money. Activists or
78
00:09:01,360 --> 00:09:05,560
hacktivists. They are hacking for fun or
hacking to push some political message.
79
00:09:05,820 --> 00:09:08,160
And the third group is nation-state.
80
00:09:08,380 --> 00:09:12,600
They are interested in high-quality
intelligence or sabotage activity.
81
00:09:14,320 --> 00:09:18,180
Security companies not only share
information, but we also share binary
82
00:09:18,500 --> 00:09:22,620
So when this threat was found by a
Belarusian security company on one of
83
00:09:22,620 --> 00:09:26,200
customers' machines in Iran, the sample
was shared amongst the security
84
00:09:26,200 --> 00:09:27,200
community.
85
00:09:27,480 --> 00:09:31,180
When we try to name threats, we just try
to pick some sort of string, some sort
86
00:09:31,180 --> 00:09:31,909
of word.
87
00:09:31,910 --> 00:09:33,610
that are inside of the binary.
88
00:09:34,890 --> 00:09:37,310
In this case, there were a couple of
words in there.
89
00:09:37,670 --> 00:09:40,170
We took pieces of each, and that formed
Stuxnet.
90
00:09:42,670 --> 00:09:45,770
I got the news about Stuxnet from one of
my engineers.
91
00:09:46,210 --> 00:09:52,050
He came to my office, opened the door,
and he said, So, Eugene, of course you
92
00:09:52,050 --> 00:09:54,710
know we are waiting for something really
bad.
93
00:09:55,090 --> 00:09:56,090
It happened.
94
00:10:03,910 --> 00:10:07,590
some sense of what it was like in the
lab at that time. Was there a palpable
95
00:10:07,590 --> 00:10:10,310
sense of amazement that you had
something really different there?
96
00:10:10,550 --> 00:10:14,610
Well, I wouldn't call it amazement. It
was kind of a talk.
97
00:10:14,850 --> 00:10:17,770
It went beyond our worst fears, our
worst nightmares.
98
00:10:18,210 --> 00:10:24,430
And this continued. The more we
analyzed, the more we researched, the
99
00:10:24,430 --> 00:10:26,430
bizarre the whole story got.
100
00:10:27,050 --> 00:10:29,910
We look at so much malware every day
that we can just look at the code and
101
00:10:29,910 --> 00:10:33,090
straight away you can say, okay, there's
something bad going on here and I need
102
00:10:33,090 --> 00:10:36,530
to investigate that. And that's the way
it was when we looked at Stuxnet for the
103
00:10:36,530 --> 00:10:39,250
first time. We opened it up and there
was just bad things everywhere.
104
00:10:39,510 --> 00:10:42,770
Just like, okay, this is bad and that's
bad and, you know, we need to
105
00:10:42,770 --> 00:10:46,190
investigate this. And just suddenly we
had like 100 questions straight away.
106
00:10:48,420 --> 00:10:51,400
The most interesting thing that we do is
the detective work, where we try to
107
00:10:51,400 --> 00:10:54,780
track down who's behind a threat, what
are they doing, what's their motivation,
108
00:10:54,920 --> 00:10:56,660
and try to really stop it at the root.
109
00:10:57,240 --> 00:11:01,280
And it is kind of all-consuming. You
get this new puzzle, and it's very
110
00:11:01,280 --> 00:11:05,140
difficult to put it down. You know, work
until like 4 a.m. in the morning and
111
00:11:05,140 --> 00:11:08,820
figure these things out. And I was in
that zone where I was very consumed by
112
00:11:08,820 --> 00:11:11,600
this, very excited about it, very
interested to know what was happening.
113
00:11:12,380 --> 00:11:17,120
And Eric was also in that same sort of
zone. So the two of us were like back
114
00:11:17,120 --> 00:11:18,120
forth all the time.
115
00:11:18,340 --> 00:11:22,960
Liam and I continued to grind at the
code, sharing pieces, comparing notes,
116
00:11:23,220 --> 00:11:24,660
bouncing ideas off of each other.
117
00:11:25,080 --> 00:11:27,640
We realized that we needed to do what we
call deep analysis.
118
00:11:27,940 --> 00:11:33,060
Pick apart the threat, every single
byte, every single zero one, and
119
00:11:33,060 --> 00:11:34,620
everything that was inside of it.
120
00:11:35,340 --> 00:11:36,620
And just give you some context.
121
00:11:36,900 --> 00:11:40,380
We can go through and understand every
line of code for the average threat in
122
00:11:40,380 --> 00:11:44,640
minutes. And here we are one month into
this threat, and we're just starting to
123
00:11:44,640 --> 00:11:46,860
discover what we call the payload, or
its whole purpose.
124
00:11:49,520 --> 00:11:53,240
When looking at the Stuxnet code, 20
times the size of the average piece of
125
00:11:53,240 --> 00:11:57,960
code, but contains almost no bugs inside
of it. And that's extremely rare,
126
00:11:58,120 --> 00:12:00,080
because code always has bugs inside of
it.
127
00:12:00,540 --> 00:12:04,420
This wasn't the case with Stuxnet. It's
dense, and every piece of code does
128
00:12:04,420 --> 00:12:07,220
something, and does something right in
order to conduct its attack.
129
00:12:09,160 --> 00:12:13,380
One of the things that surprised us was
that Stuxnet utilized what's called a
130
00:12:13,380 --> 00:12:18,640
zero-day exploit, or basically a piece
of code that allows it to spread without
131
00:12:18,640 --> 00:12:19,640
you having to do anything.
132
00:12:19,760 --> 00:12:23,520
You don't have to, for example, download
a file and run it. A zero-day exploit
133
00:12:23,520 --> 00:12:27,260
is an exploit that nobody knows about
except the attacker. So there's no
134
00:12:27,260 --> 00:12:30,620
protection against it. There's been no
patch released. There's been zero days
135
00:12:30,620 --> 00:12:33,320
protection, you know, against it.
136
00:12:34,260 --> 00:12:38,680
That's what attackers value, because
they know 100% if they have this.
137
00:12:38,940 --> 00:12:41,260
Zero-day exploits. They can get in
wherever they want.
138
00:12:41,860 --> 00:12:43,000
They're actually very valuable.
139
00:12:43,220 --> 00:12:45,640
You can sell these in the underground
for hundreds of thousands of dollars.
140
00:12:47,060 --> 00:12:50,320
Then we became more worried because
immediately we discovered more zero
141
00:12:50,840 --> 00:12:53,140
And again, these zero-days are
extremely rare.
142
00:12:53,400 --> 00:12:57,520
Inside Stuxnet, we had four zero-days,
and for the entire rest of the year, we
143
00:12:57,520 --> 00:13:01,660
only saw 12 zero-days used. It blows
everything else out of the water. We've
144
00:13:01,660 --> 00:13:04,060
never seen this before. Actually, we've
never seen it since either.
145
00:13:04,280 --> 00:13:07,860
Seeing one in a malware you could
understand because...
146
00:13:08,280 --> 00:13:11,040
You know, the malware authors are making
money. They're stealing people's credit
147
00:13:11,040 --> 00:13:13,400
cards and making money. So it's worth
their while to use it. But seeing four
148
00:13:13,400 --> 00:13:17,660
zero days could be worth half a million
dollars right there used in one piece of
149
00:13:17,660 --> 00:13:22,040
malware. This is not your ordinary
criminal gang doing this. This is
150
00:13:22,040 --> 00:13:25,540
bigger. It's definitely not traditional
crime, not hacktivism.
151
00:13:26,800 --> 00:13:27,800
Who else?
152
00:13:28,560 --> 00:13:34,460
It was evident on a very early stage
that just given the sophistication of
153
00:13:34,460 --> 00:13:35,460
malware,
154
00:13:36,480 --> 00:13:41,820
suggested that there must have been a
nation state involved, at least one
155
00:13:41,820 --> 00:13:43,440
state involved in the development.
156
00:13:43,980 --> 00:13:47,560
When we look at code that's coming from
what appears to be a state attacker or
157
00:13:47,560 --> 00:13:49,780
state-sponsored attacker, usually
they're scrubbed clean.
158
00:13:50,060 --> 00:13:52,380
They don't leave little bits behind.
159
00:13:52,740 --> 00:13:54,040
They don't leave little hints behind.
160
00:13:54,440 --> 00:13:57,260
But in Stuxnet, there were actually a
few hints left behind.
161
00:13:59,160 --> 00:14:04,100
One was that in order to get low-level
access to Microsoft Windows, Stuxnet
162
00:14:04,100 --> 00:14:05,100
needed to use a digital certificate.
163
00:14:05,870 --> 00:14:10,950
which certifies that this piece of code
came from a particular company.
164
00:14:11,970 --> 00:14:15,030
Now, those attackers obviously couldn't
go to Microsoft and say, hey, test our
165
00:14:15,030 --> 00:14:16,950
code out for us and give us a digital
certificate.
166
00:14:17,710 --> 00:14:22,490
So they essentially stole them from two
companies in Taiwan.
167
00:14:22,850 --> 00:14:25,670
And these two companies have nothing to
do with each other except for their
168
00:14:25,670 --> 00:14:28,110
close proximity in the exact same
business park.
169
00:14:30,810 --> 00:14:34,530
Digital certificates are guarded very,
very closely.
170
00:14:35,020 --> 00:14:38,340
Behind multiple doors, and they require
multiple people to unlock.
171
00:14:39,940 --> 00:14:43,400
And they need to provide both biometrics
and as well passphrases.
172
00:14:44,200 --> 00:14:47,140
It wasn't like those certificates were
just sitting on a machine connected to
173
00:14:47,140 --> 00:14:47,619
the internet.
174
00:14:47,620 --> 00:14:49,280
Some human asset had to be involved.
175
00:14:49,940 --> 00:14:54,360
Spies, like a cleaner who comes in at
night and has stolen these certificates
176
00:14:54,360 --> 00:14:55,360
from these companies.
177
00:14:59,140 --> 00:15:03,000
It did feel like walking onto the set of
this James Bond movie and...
178
00:15:03,480 --> 00:15:07,440
You've been embroiled in this thing that
you'd never expected.
179
00:15:10,240 --> 00:15:14,400
We continued to search and we continued
to search in the code and eventually we
180
00:15:14,400 --> 00:15:16,960
found some other breadcrumbs left that
we were able to follow.
181
00:15:17,720 --> 00:15:21,860
There was doing something with Siemens,
Siemens software, possibly Siemens
182
00:15:21,860 --> 00:15:25,380
hardware. We'd never ever seen that in
any malware before, something targeting
183
00:15:25,380 --> 00:15:27,840
Siemens. We didn't even know why they
would be doing that.
184
00:15:29,420 --> 00:15:34,540
But after Googling very quickly, we
understood it was targeting Siemens
185
00:15:34,780 --> 00:15:39,960
It was targeting a very specific
hardware device, something called a PLC,
186
00:15:39,960 --> 00:15:41,040
programmable logic controller.
187
00:15:41,480 --> 00:15:48,140
The PLC is kind of a very small computer
attached to physical equipment like
188
00:15:48,140 --> 00:15:50,320
pumps, like valves, like motors.
189
00:15:50,820 --> 00:15:57,580
So this little box is running a digital
program, and the actions of this
190
00:15:57,580 --> 00:16:02,050
program... turns that motor on or off or
sets a specific speed.
191
00:16:02,630 --> 00:16:06,290
Those program logic controllers control
things like power plant, power grid.
192
00:16:06,610 --> 00:16:10,190
This is used in factories, it's used in
critical infrastructure.
193
00:16:10,950 --> 00:16:14,370
Critical infrastructure is everywhere
around us.
194
00:16:14,650 --> 00:16:18,850
Transportation, telecommunication,
financial services, healthcare.
195
00:16:19,450 --> 00:16:25,850
So the payload of Stuxnet was designed to
attack some very important part
196
00:16:25,850 --> 00:16:27,230
of our world.
197
00:16:27,760 --> 00:16:31,720
The payload is going to be important.
What happens there could be very
198
00:16:31,720 --> 00:16:38,720
The next very big surprise came when we
infected our lab
199
00:16:38,720 --> 00:16:45,700
system. We figured out that the malware
was probing the controllers. It was quite
200
00:16:45,700 --> 00:16:51,060
picky on its target. It didn't try to
manipulate any given controller in a
201
00:16:51,060 --> 00:16:56,580
network that it would see. It went
through several checks, and when those
202
00:16:56,580 --> 00:16:59,070
failed, it would not implement the
attack.
203
00:17:01,770 --> 00:17:05,730
It was obviously probing for a specific
target.
204
00:17:07,089 --> 00:17:11,730
You've got to put this in context that
at the time we already knew, well, this
205
00:17:11,730 --> 00:17:14,869
is the most sophisticated piece of
malware that we have ever seen.
206
00:17:15,770 --> 00:17:22,150
So it's kind of strange. Somebody takes
that huge effort to hit one specific
207
00:17:22,150 --> 00:17:24,990
target. Well, that must be quite a
significant target.
208
00:17:28,910 --> 00:17:33,530
So at Symantec, we have probes on
networks all over the world watching for
209
00:17:33,530 --> 00:17:34,530
malicious activity.
210
00:17:35,250 --> 00:17:39,030
We'd actually seen infections of stuff
all over the world, in the U.S., in
211
00:17:39,030 --> 00:17:42,170
Australia, in the U.K., in France,
Germany, all over Europe.
212
00:17:42,630 --> 00:17:45,190
It spread to any Windows machine in the
entire world.
213
00:17:45,530 --> 00:17:49,950
You know, we had these organizations
inside the United States who were in
214
00:17:49,950 --> 00:17:53,710
of industrial control facilities saying,
we're infected, what's going to happen?
215
00:17:54,170 --> 00:17:58,330
We didn't know if there was a deadline
coming up where this threat would
216
00:17:58,330 --> 00:18:02,650
and suddenly would turn off all
electricity plants around the world or
217
00:18:02,650 --> 00:18:05,210
start shutting things down or launching
some attack.
218
00:18:05,890 --> 00:18:11,270
We knew that Stuxnet could have very
dire consequences and we were very
219
00:18:11,270 --> 00:18:16,130
about what the payload contained and
there was an imperative speed that we
220
00:18:16,130 --> 00:18:18,830
to race and try and beat this ticking
bomb.
221
00:18:20,540 --> 00:18:23,340
Eventually, we were able to refine the
statistics a little bit and we saw that
222
00:18:23,340 --> 00:18:27,880
Iran was the number one infected country
in the world. That immediately raised
223
00:18:27,880 --> 00:18:28,699
our eyebrows.
224
00:18:28,700 --> 00:18:32,780
We had never seen a threat before where
it was predominantly in Iran.
225
00:18:33,860 --> 00:18:37,200
And so we began to follow what was going
on in the geopolitical world, what was
226
00:18:37,200 --> 00:18:38,240
happening in the general news.
227
00:18:38,500 --> 00:18:43,780
And at that time, there were actually
multiple explosions of gas pipelines
228
00:18:43,780 --> 00:18:44,780
in and out of Iran.
229
00:18:45,920 --> 00:18:46,920
Unexplained explosions.
230
00:18:48,590 --> 00:18:52,350
And, of course, we did notice that at
the time there had been assassinations
231
00:18:52,350 --> 00:18:53,350
nuclear scientists.
232
00:18:54,510 --> 00:18:55,810
So that was worrying.
233
00:18:56,550 --> 00:18:58,890
We knew there was something bad
happening.
234
00:18:59,630 --> 00:19:02,910
Did you get concerned for yourself? I
mean, did you begin to start looking
235
00:19:02,910 --> 00:19:04,250
your shoulder from time to time?
236
00:19:04,470 --> 00:19:07,790
Yeah, definitely looking over my
shoulder and being careful about what I
237
00:19:07,790 --> 00:19:08,790
about on the phone.
238
00:19:09,510 --> 00:19:14,270
I was pretty confident my conversations
on the phone were being listened to.
239
00:19:14,470 --> 00:19:16,430
We were only half joking.
240
00:19:16,960 --> 00:19:22,100
when we would look at each other and
tell each other things like, look, I'm
241
00:19:22,100 --> 00:19:26,260
suicidal if I show up dead on Monday.
You know, it wasn't me.
242
00:19:35,260 --> 00:19:39,000
We've been publishing information about
Stuxnet all through that summer.
243
00:19:40,360 --> 00:19:45,140
And then in November, the industrial
control system sort of expert in Holland
244
00:19:45,140 --> 00:19:46,200
contacted us.
245
00:19:47,310 --> 00:19:50,750
And he said, all of these devices that
would be inside of an industrial control
246
00:19:50,750 --> 00:19:55,710
system hold a unique identifier number
that identifies the make and model of
247
00:19:55,710 --> 00:19:56,710
that device.
248
00:19:57,970 --> 00:20:02,510
And we actually had a couple of these
numbers in the code that we didn't know
249
00:20:02,510 --> 00:20:03,510
what they were.
250
00:20:04,090 --> 00:20:07,450
And so we realized maybe what he was
referring to was the magic numbers we
251
00:20:08,070 --> 00:20:11,490
And then when we searched for those
magic numbers in that context, we saw
252
00:20:11,490 --> 00:20:15,130
what had to be connected to this
industrial control system that was being
253
00:20:15,130 --> 00:20:18,980
targeted. were something called
frequency converters from two specific
254
00:20:18,980 --> 00:20:21,540
manufacturers, one of which was in Iran.
255
00:20:22,000 --> 00:20:25,920
And so at this time, we absolutely knew
that the facility that was being
256
00:20:25,920 --> 00:20:30,040
targeted had to be in Iran, and it had
equipment made from Iranian
257
00:20:30,040 --> 00:20:31,040
manufacturers.
258
00:20:31,640 --> 00:20:35,300
When we looked up those frequency
converters, we immediately found out
259
00:20:35,300 --> 00:20:37,700
were actually export-controlled by the
Nuclear Regulatory Commission.
260
00:20:38,320 --> 00:20:41,860
And that immediately led us then to some
nuclear facility.
261
00:20:59,920 --> 00:21:04,160
This was more than a computer story, so
I left the world of the antivirus
262
00:21:04,160 --> 00:21:08,300
detectives and sought out journalist
David Sanger, who specialized in the
263
00:21:08,300 --> 00:21:11,960
strange intersection of cyber, nuclear
weapons, and espionage.
264
00:21:13,160 --> 00:21:18,240
The emergence of the code is what put me
on alert that an attack was underway.
265
00:21:19,720 --> 00:21:24,980
And because of the covert nature of the
operation, not only were official
266
00:21:24,980 --> 00:21:28,960
government spokesmen unable to talk
about it, they didn't even know about
267
00:21:30,159 --> 00:21:36,260
Eventually, the more I dug into it, the
more I began to find individuals
268
00:21:36,260 --> 00:21:41,740
who had been involved in some piece of
it or who had witnessed some piece of
269
00:21:41,860 --> 00:21:47,040
And that meant talking to Americans,
talking to Israelis, talking to
270
00:21:47,040 --> 00:21:53,560
because this was obviously the first,
biggest, and most sophisticated example
271
00:21:53,560 --> 00:21:59,200
a state or two states using a cyber
weapon for offensive purposes.
272
00:22:02,890 --> 00:22:07,810
I came to this with a fair bit of
history, understanding the Iranian
273
00:22:07,810 --> 00:22:08,810
program.
274
00:22:09,070 --> 00:22:12,630
How did Iran get its first nuclear
reactor?
275
00:22:13,230 --> 00:22:19,870
We gave it to them, under the Shah,
because the Shah was considered an
276
00:22:19,870 --> 00:22:20,870
ally.
277
00:22:21,710 --> 00:22:25,310
Thank you again for your warm welcome,
Mr. President.
278
00:22:26,060 --> 00:22:29,960
During the Nixon administration, the
U.S. was very enthusiastic about
279
00:22:29,960 --> 00:22:32,580
supporting the Shah's nuclear power
program.
280
00:22:33,460 --> 00:22:37,780
And at one point, the Nixon
administration was pushing the idea that
281
00:22:37,780 --> 00:22:43,120
and Iran should build a joint plant
together in Iran.
282
00:22:44,440 --> 00:22:49,220
There's at least some evidence that the
Shah was thinking about acquisition of
283
00:22:49,220 --> 00:22:51,280
nuclear weapons because he saw...
284
00:22:51,600 --> 00:22:55,320
And we were encouraging him to see Iran
as the so-called policeman of the
285
00:22:55,320 --> 00:22:59,340
Persian Gulf. And the Iranians have
always viewed themselves as naturally
286
00:22:59,340 --> 00:23:01,160
dominant power in the Middle East.
287
00:23:21,720 --> 00:23:28,440
But the revolution which overthrew the
Shah in '79 really curtailed the
288
00:23:28,440 --> 00:23:31,140
program before it ever got any head of
steam going.
289
00:23:32,560 --> 00:23:38,400
Part of our policy against Iran after
the revolution was to deny them nuclear
290
00:23:38,400 --> 00:23:39,400
technology.
291
00:23:41,360 --> 00:23:46,800
when I was involved in the 80s and the
90s, was the U.S. running around the
292
00:23:46,800 --> 00:23:51,920
world and persuading potential nuclear
suppliers not to provide even peaceful
293
00:23:51,920 --> 00:23:53,540
nuclear technology to Iran.
294
00:23:53,820 --> 00:23:59,340
And what we missed was the clandestine
transfer in the mid-1980s from Pakistan
295
00:23:59,340 --> 00:24:00,340
to Iran.
296
00:24:04,160 --> 00:24:08,240
Abdul Qadir Khan is what we would call
the father of the Pakistan nuclear
297
00:24:08,240 --> 00:24:09,240
program.
298
00:24:10,090 --> 00:24:14,590
He had the full authority and confidence
of the Pakistan government from its
299
00:24:14,590 --> 00:24:17,070
inception to the production of nuclear
weapons.
300
00:24:18,370 --> 00:24:24,530
I was a CIA officer for over two
decades, operations officer, worked
301
00:24:24,530 --> 00:24:25,530
most of my career.
302
00:24:25,850 --> 00:24:32,170
The AQ Khan network is so notable
because aside from building the
303
00:24:32,170 --> 00:24:38,870
program for decades, it also was the
means by which other countries,
304
00:24:39,200 --> 00:24:42,120
were able to develop nuclear weapons,
including Iran.
305
00:24:43,040 --> 00:24:47,540
AQ Khan, acting on behalf of the
Pakistani government, negotiated with
306
00:24:47,540 --> 00:24:54,200
in Iran, and then there was a transfer,
which took place through Dubai, of
307
00:24:54,200 --> 00:24:57,860
blueprints for nuclear weapons design,
as well as some hardware.
308
00:24:59,200 --> 00:25:04,440
Throughout the mid-1980s, the Iranian
program was not very well resourced. It
309
00:25:04,440 --> 00:25:05,820
was more of an R&D program.
310
00:25:06,990 --> 00:25:12,350
It wasn't really until the mid-'90s that
it started to take off, when they made
311
00:25:12,350 --> 00:25:14,530
the decision to build a nuclear weapons
program.
312
00:25:21,230 --> 00:25:25,070
You know, we can speculate what, in
their mind, motivated them. I think it
313
00:25:25,070 --> 00:25:28,950
the U.S. invasion of Iraq after Kuwait.
314
00:25:30,510 --> 00:25:33,310
There was an eight-year war between
Iraq and Iran.
315
00:25:33,630 --> 00:25:36,910
We wiped out the Afghan forces in a
matter of weeks.
316
00:25:39,850 --> 00:25:44,290
And I think that was enough to convince
the rulers in Tehran that they needed to
317
00:25:44,290 --> 00:25:46,330
pursue nuclear weapons more seriously.
318
00:25:48,370 --> 00:25:55,250
States like these and their terrorist
allies constitute an axis of evil,
319
00:25:55,250 --> 00:25:56,890
to threaten the peace of the world.
320
00:25:58,490 --> 00:26:04,570
From 2003 to 2005, when they feared that
the U.S. would invade them, they
321
00:26:04,570 --> 00:26:06,450
accepted limits on their nuclear
program.
322
00:26:06,950 --> 00:26:12,170
But by 2006, the Iranians had come to
the conclusion that the U.S. was bogged
323
00:26:12,170 --> 00:26:16,830
down in Afghanistan and Iraq and no
longer had the capacity to threaten
324
00:26:17,050 --> 00:26:20,510
And so they felt it was safe to resume
their enrichment program.
325
00:26:21,800 --> 00:26:26,020
They started producing low-enriched
uranium, producing more centrifuges,
326
00:26:26,020 --> 00:26:30,360
installing them at the large-scale
underground enrichment facility at
327
00:26:50,880 --> 00:26:55,580
Today, with the support of the
president, he made this possible for us.
328
00:26:57,380 --> 00:27:03,660
They say, well, you have to negotiate
with us for 10 years, and then we will
329
00:27:03,660 --> 00:27:06,800
allow you to have 20 of these or not.
330
00:27:07,380 --> 00:27:12,600
Of course, the people of Iran do not
accept it. And today, about 7,000 of
331
00:27:12,600 --> 00:27:13,600
teams are working in Tunisia.
332
00:27:36,740 --> 00:27:41,720
Not that many, because I left a few
years ago already, but I was there quite
333
00:27:41,720 --> 00:27:42,760
few times.
334
00:27:46,860 --> 00:27:48,840
Natanz is just in the middle of the
desert.
335
00:27:50,800 --> 00:27:56,040
When they were building it in secret,
they were calling it a desert irrigation
336
00:27:56,040 --> 00:28:01,200
facility. For the local people, you want
to sell while you are building a big
337
00:28:01,200 --> 00:28:02,200
complex.
338
00:28:04,620 --> 00:28:07,260
There is a lot of artillery and air
force.
339
00:28:07,560 --> 00:28:13,280
It's better protected against attack
from air than any other nuclear
340
00:28:13,280 --> 00:28:14,640
installation I have seen.
341
00:28:17,480 --> 00:28:19,520
So this is deeply underground.
342
00:28:24,580 --> 00:28:29,300
But then inside, Natanz is like any
other centrifuge facility. I have been
343
00:28:29,300 --> 00:28:33,340
over the world, from Brazil to Russia,
Japan, so...
344
00:28:33,770 --> 00:28:36,650
They are all alike with their own
features,
345
00:28:37,430 --> 00:28:42,390
their own centrifuges, their own
culture, but basically the process is
346
00:28:43,590 --> 00:28:48,490
And so are the monitoring activities of
the IAEA. They are basic principles. You
347
00:28:48,490 --> 00:28:53,470
want to see what goes in, what goes out,
and then on top of that you make sure
348
00:28:53,470 --> 00:28:57,970
that it produces low-end uranium
instead of anything to do with the
349
00:28:57,970 --> 00:29:00,150
enrichment and nuclear weapon-grade
uranium.
350
00:29:06,510 --> 00:29:12,590
Iran's nuclear facilities are under
24-hour watch of the United Nations
351
00:29:12,590 --> 00:29:15,990
watchdog, the IAEA, the International
Atomic Energy Agency.
352
00:29:17,250 --> 00:29:23,950
Every single gram of Iranian fissile
material is accounted
353
00:29:23,950 --> 00:29:24,950
for.
354
00:29:26,770 --> 00:29:31,790
They have, like, basically seals that
they put on fissile materials that are
355
00:29:31,790 --> 00:29:33,090
IAEA seals.
356
00:29:33,450 --> 00:29:34,850
You can't break anything.
357
00:29:35,980 --> 00:29:37,480
without getting noticed.
358
00:29:39,680 --> 00:29:45,000
When you look at the uranium which was
there in Natanz, it was a very special
359
00:29:45,000 --> 00:29:48,840
uranium. This is called isotope 236.
360
00:29:49,380 --> 00:29:55,120
And that was a puzzle to us because you
only see this sort of uranium in states
361
00:29:55,120 --> 00:29:56,920
which have had nuclear weapons.
362
00:29:58,580 --> 00:30:01,500
We realized that they had cheated us.
363
00:30:02,080 --> 00:30:03,420
This sort of...
364
00:30:03,710 --> 00:30:08,350
equipment has been bought from what they
call black market. They never pointed
365
00:30:08,350 --> 00:30:12,770
out it to A.Q. Khan at that point of time.
366
00:30:12,770 --> 00:30:19,690
What I was surprised was the
367
00:30:19,690 --> 00:30:25,110
sophistication and the quality control
and the way they have the manufacturing.
368
00:30:25,110 --> 00:30:30,770
It was really professional. It was not
something, you know, you just create in a
369
00:30:30,770 --> 00:30:34,610
few months' time. This was a result of a
long process.
370
00:30:41,250 --> 00:30:47,050
The centrifuges, you feed uranium gas in
and you have a cascade, thousands of
371
00:30:47,050 --> 00:30:50,470
centrifuges and from the other end you
get enriched uranium out.
372
00:30:50,950 --> 00:30:54,890
It separates uranium based on spinning
the rotor.
373
00:30:55,330 --> 00:30:57,030
It spins so fast.
374
00:30:57,310 --> 00:31:01,930
300 meters per second. The same as the
velocity of sound.
375
00:31:03,440 --> 00:31:07,780
These are tremendous forces, and as a
result, the rotor, it twists.
376
00:31:08,100 --> 00:31:10,220
It looks like a banana at one point in
time.
377
00:31:11,540 --> 00:31:16,480
So it has to be in balance because any
small vibration, it will blow up.
378
00:31:18,200 --> 00:31:19,840
And here comes another trouble.
379
00:31:20,080 --> 00:31:25,920
You have to raise the temperature, but
these very thin rotor walls, they are
380
00:31:25,920 --> 00:31:29,980
made from carbon fiber, and the other
pieces, they are made from metal.
381
00:31:31,340 --> 00:31:34,400
When you heat carbon fiber, it shrinks.
382
00:31:35,300 --> 00:31:37,620
When you heat metal, it expands.
383
00:31:38,220 --> 00:31:43,560
So you need to balance not only that
they spin, they twist, but the
384
00:31:43,560 --> 00:31:46,420
behavior in such a way that it doesn't
break.
385
00:31:46,840 --> 00:31:48,660
So this has to be very precise.
386
00:31:49,100 --> 00:31:51,720
This is what makes them very difficult
to manufacture.
387
00:31:52,060 --> 00:31:57,040
You can model it, you can calculate it,
but at the very end, it's actually based
388
00:31:57,040 --> 00:31:58,040
on practice.
389
00:31:59,440 --> 00:32:02,800
So it's a piece of art, so to say.
390
00:32:44,120 --> 00:32:46,420
Iranians are very proud of their
centrifuges.
391
00:32:46,680 --> 00:32:52,460
There were a lot of public relations
videos given up always in April when
392
00:32:52,460 --> 00:32:54,320
had what they call a national nuclear
day.
393
00:33:09,430 --> 00:33:13,530
Ahmadinejad came into his presidency
saying that if the international
394
00:33:13,530 --> 00:33:16,410
wants to derail us, we will stand up to
it.
395
00:33:17,330 --> 00:33:23,170
If they want us to sign more inspections
and more additional protocols and other
396
00:33:23,170 --> 00:33:24,290
measures, no, we will not.
397
00:33:24,590 --> 00:33:26,310
We will fight for our rights.
398
00:33:27,310 --> 00:33:31,430
Iran is the signatory to the Nuclear
Non-Proliferation Treaty, and under that
399
00:33:31,430 --> 00:33:33,990
treaty, Iran has a right to nuclear
program.
400
00:33:34,590 --> 00:33:35,670
We can have enrichment.
401
00:33:36,210 --> 00:33:40,410
Who are you, world powers, to come and
tell us that we cannot have enrichment?
402
00:33:40,830 --> 00:33:46,890
This was his mantra, and it galvanized
the public.
403
00:33:50,130 --> 00:33:55,850
By 2007, 2008, the U.S. government was
in a very bad place with the Iranian
404
00:33:55,850 --> 00:33:56,850
program.
405
00:33:57,870 --> 00:34:02,910
President Bush recognized that he could
not even come out in public and declare
406
00:34:02,910 --> 00:34:06,390
that the Iranians were building a
nuclear weapon because by this time he
407
00:34:06,390 --> 00:34:09,710
gone through the entire WMD fiasco in
Iraq.
408
00:34:10,370 --> 00:34:13,050
He could not really take military
action.
409
00:34:13,489 --> 00:34:17,690
Condoleezza Rice said to him at one
point, you know, Mr. President, I think
410
00:34:17,690 --> 00:34:22,110
you've invaded your last Muslim country,
even for the best of reasons.
411
00:34:24,230 --> 00:34:28,030
He didn't want to let the Israelis
conduct a military operation.
412
00:34:28,989 --> 00:34:35,670
It's 1938, and Iran is Germany, and it's
racing to
413
00:34:35,670 --> 00:34:37,510
arm itself with atomic bombs.
414
00:34:38,409 --> 00:34:41,850
Iran's nuclear ambitions must be
stopped.
415
00:34:42,469 --> 00:34:44,050
They have to be stopped.
416
00:34:44,270 --> 00:34:50,330
We all have to stop it now. That's the
one message I have for you today. Thank
417
00:34:50,330 --> 00:34:51,330
you.
418
00:34:51,830 --> 00:34:54,570
Israel was saying they were going to
bomb Iran.
419
00:34:54,909 --> 00:34:59,930
And the government here in Washington
did all sorts of scenarios about what
420
00:34:59,930 --> 00:35:02,710
would happen if that Israeli attack
occurred.
421
00:35:03,030 --> 00:35:05,130
They were all very ugly scenarios.
422
00:35:05,690 --> 00:35:10,830
Our belief was that if they went on
their own, knowing the limitations,
423
00:35:10,830 --> 00:35:14,810
a very good air force, all right, but
it's small and the distances are great
424
00:35:14,810 --> 00:35:20,010
the target's dispersed and hardened, all
right, if they would have attempted a
425
00:35:20,010 --> 00:35:21,010
raid.
426
00:35:21,290 --> 00:35:26,850
On a military plane, we would have been
assuming that they were assuming we
427
00:35:26,850 --> 00:35:28,510
would finish that which they started.
428
00:35:28,870 --> 00:35:32,970
In other words, there will be many of us
in government thinking that the purpose
429
00:35:32,970 --> 00:35:37,130
of the raid wasn't to destroy the
Iranian nuclear system, but the purpose
430
00:35:37,130 --> 00:35:39,270
raid was to put us at war with Iran.
431
00:35:40,270 --> 00:35:44,570
Israel is very much concerned about
Iran's nuclear program more than the
432
00:35:44,570 --> 00:35:49,390
States. It's only natural because of the
size of the country, because we live in
433
00:35:49,390 --> 00:35:53,510
this neighborhood. America lives
thousands and thousands of miles away
434
00:35:53,510 --> 00:36:00,190
Iran. The two countries agreed on the
goal. There is no page between
435
00:36:00,190 --> 00:36:05,330
us that Iran should not have a nuclear
military capability.
436
00:36:06,010 --> 00:36:07,750
There are some differences.
437
00:36:08,380 --> 00:36:12,620
on how to achieve it and when action is
needed.
438
00:36:22,000 --> 00:36:27,020
We are taking very seriously leaders of
countries who call to the destruction
439
00:36:27,020 --> 00:36:29,860
and annihilation of our people.
440
00:36:30,120 --> 00:36:33,940
If Iran will get nuclear weapons now or
in the future.
441
00:36:35,120 --> 00:36:40,580
It means that for the first time in
human history, Islamic zealots,
442
00:36:40,580 --> 00:36:47,220
zealots, will get their hand on the most
dangerous, devastating weapon.
443
00:36:47,740 --> 00:36:50,080
And the world should prevent this.
444
00:36:51,960 --> 00:36:57,580
The Israelis believe that the Iranian
leadership has already made the decision
445
00:36:57,580 --> 00:37:00,780
to build nuclear weapons when they think
they can get away with it.
446
00:37:01,440 --> 00:37:06,160
The view in the U.S. is that the
Iranians haven't made that final
447
00:37:06,960 --> 00:37:09,180
To me, that doesn't make any difference.
448
00:37:09,440 --> 00:37:12,380
I mean, it really doesn't make any
difference, and it's probably unknowable
449
00:37:12,380 --> 00:37:17,200
unless you can put, you know, Supreme
Leader Khamenei on the couch and
450
00:37:17,200 --> 00:37:22,080
him. I think, you know, from our
standpoint, stopping Iran from getting
451
00:37:22,080 --> 00:37:25,940
threshold capacity is, you know, the
primary policy objective.
452
00:37:27,690 --> 00:37:31,630
Once they have the material, once they
have the capacity to produce nuclear
453
00:37:31,630 --> 00:37:33,030
weapons, then the game is lost.
454
00:37:39,290 --> 00:37:43,470
President Bush once said to me, he says,
Mike, I don't want any president ever
455
00:37:43,470 --> 00:37:47,990
to be faced with only two options,
bombing or the bomb.
456
00:37:48,710 --> 00:37:55,550
He wanted options that made it far less
likely he or his
457
00:37:55,550 --> 00:37:56,550
successor.
458
00:37:56,760 --> 00:38:00,120
or successors would ever get to that
point where that's all you've got.
459
00:38:00,320 --> 00:38:06,000
We wanted to be energetic enough in
pursuing this problem that the Israelis
460
00:38:06,000 --> 00:38:10,260
would certainly believe, yeah, we get
it. The intelligence cooperation between
461
00:38:10,260 --> 00:38:14,280
Israel and the United States is very,
very good.
462
00:38:14,860 --> 00:38:19,060
And therefore the Israelis went to the
Americans and said, okay, guys, you
463
00:38:19,060 --> 00:38:20,860
want us to bomb Iran?
464
00:38:21,180 --> 00:38:23,860
Okay, let's do it differently.
465
00:38:24,750 --> 00:38:29,910
And then the American intelligence
community started rolling and joined
466
00:38:29,910 --> 00:38:31,610
with the Israeli intelligence community.
467
00:38:32,310 --> 00:38:38,170
One day, a group of intelligence and
military officials showed up in
468
00:38:38,170 --> 00:38:41,150
Bush's office and said, Sir, we have an
idea.
469
00:38:42,250 --> 00:38:43,410
It's a big risk.
470
00:38:44,010 --> 00:38:46,190
It might not work, but here it is.
471
00:38:53,960 --> 00:39:00,300
Moving forward in my analysis of the
code, I took a closer look at the
472
00:39:00,300 --> 00:39:06,100
photographs that had been published by
the Iranians themselves in a press tour
473
00:39:06,100 --> 00:39:11,020
from 2008, Ahmadinejad and the Chinese
centrifuges.
474
00:39:13,040 --> 00:39:18,920
The photographs of Ahmadinejad going
through the centrifuges at Natanz
475
00:39:18,920 --> 00:39:21,300
some very important clues.
476
00:39:22,280 --> 00:39:24,400
There was a huge amount to be learned.
477
00:39:32,900 --> 00:39:38,300
First of all, those photographs showed
many of the individuals who were guiding
478
00:39:38,300 --> 00:39:39,900
Ahmadinejad through the program.
479
00:39:40,280 --> 00:39:44,280
And there's one very famous photograph
that shows Ahmadinejad being shown
480
00:39:44,280 --> 00:39:47,300
something. You see his face. You can't
see what's on the computer.
481
00:39:47,540 --> 00:39:50,900
And one of the scientists who was behind
him.
482
00:39:51,320 --> 00:39:53,020
was assassinated a few months later.
483
00:39:57,480 --> 00:40:02,700
In one of those photographs, you could
see parts of a computer screen.
484
00:40:03,000 --> 00:40:05,400
We refer to that as a SCADA screen.
485
00:40:05,980 --> 00:40:09,460
The SCADA system is basically a piece of
software running on a computer.
486
00:40:09,740 --> 00:40:13,060
It enables the operators to monitor the
process.
487
00:40:14,560 --> 00:40:18,620
What you could see, when you look close
enough,
488
00:40:19,390 --> 00:40:23,070
was a more detailed view of the
configuration.
489
00:40:23,970 --> 00:40:30,610
There were the six groups of
centrifuges, and each group had 164
490
00:40:31,750 --> 00:40:33,010
And guess what?
491
00:40:33,370 --> 00:40:37,050
That was a perfect match to what we saw
in the attack code.
492
00:40:38,450 --> 00:40:44,410
It was absolutely clear that this piece
of code was attacking an array with...
493
00:40:44,460 --> 00:40:49,140
six different groups of, let's just say,
thingies, physical objects.
494
00:40:49,680 --> 00:40:55,040
And in those six groups, there were 164
elements.
495
00:40:59,040 --> 00:41:01,380
Were you able to do any actual physical
tests?
496
00:41:01,620 --> 00:41:03,580
Or it was all just a code analysis?
497
00:41:04,000 --> 00:41:07,560
Yeah. So, you know, we obviously
couldn't set up our own sort of nuclear
498
00:41:07,560 --> 00:41:08,560
enrichment facility.
499
00:41:08,640 --> 00:41:11,860
But what we did was we did obtain some
PLCs, the exact models.
500
00:41:19,690 --> 00:41:23,430
We then ordered an air pump, and that's
what we used as our proof of concept.
501
00:41:24,290 --> 00:41:28,250
We needed a visual demonstration to show
people what we discovered.
502
00:41:28,810 --> 00:41:32,470
So we thought of different things that
we could do, and we settled on blowing
503
00:41:32,470 --> 00:41:33,470
a balloon.
504
00:41:36,930 --> 00:41:40,890
We were able to write a program that
would inflate a balloon, and it was set
505
00:41:40,890 --> 00:41:41,990
stop after five seconds.
506
00:41:52,420 --> 00:41:55,020
So it would inflate the balloon to a
certain size, but it wouldn't burst the
507
00:41:55,020 --> 00:41:56,160
balloon, and it was all safe.
508
00:41:56,660 --> 00:42:01,260
And we showed everybody, this is the
code that's on the PLC, and the timer
509
00:42:01,260 --> 00:42:04,120
stop after five seconds. We know that's
what's going to happen.
510
00:42:04,760 --> 00:42:09,560
And then we would infect the computer
with Stuxnet, and we would run the test
511
00:42:09,560 --> 00:42:10,560
again.
512
00:42:41,290 --> 00:42:46,610
Here is a piece of software that should
only exist in the cyber realm, and it is
513
00:42:46,610 --> 00:42:52,030
able to affect physical equipment in a
plant or factory and cause physical
514
00:42:52,030 --> 00:42:54,310
damage. Real -world physical
destruction.
515
00:42:59,070 --> 00:43:03,670
At that time, things became very scary
to us. Here you had malware potentially
516
00:43:03,670 --> 00:43:06,770
killing people, and that was something
that was always Hollywood-esque to us,
517
00:43:06,830 --> 00:43:09,510
that we'd always laugh at when people
made that kind of assertion.
518
00:43:15,820 --> 00:43:20,040
At this point, you had to have started
developing theories as to who had built
519
00:43:20,040 --> 00:43:21,040
them.
520
00:43:21,320 --> 00:43:27,060
It wasn't lost on us that there were
probably only a few countries in the
521
00:43:27,060 --> 00:43:33,120
that would want and have the motivation
to sabotage Iranian nuclear enrichment
522
00:43:33,120 --> 00:43:36,700
facility. The U.S. government would be
up there. Israeli government certainly
523
00:43:36,700 --> 00:43:40,600
would be up there. You know, maybe
U.K., France, Germany, those sorts of
524
00:43:40,600 --> 00:43:45,930
countries. But we never found any
information that would... tie it back
525
00:43:45,930 --> 00:43:46,930
those countries.
526
00:43:47,030 --> 00:43:48,070
There are no telltale signs.
527
00:43:48,870 --> 00:43:52,970
You know, the attackers don't leave a
message inside saying, you know, it was
528
00:43:52,970 --> 00:43:53,970
me.
529
00:43:54,030 --> 00:43:55,450
And even if they did,
530
00:43:56,190 --> 00:43:57,390
all that stuff can be faked.
531
00:43:57,870 --> 00:44:02,070
So it's very, very difficult to do
attribution when looking at computer
532
00:44:03,350 --> 00:44:07,350
Subsequent work that's been done leads
us to believe that this was the work of
533
00:44:07,350 --> 00:44:11,050
collaboration between Israel and the
United States. Did you have any evidence
534
00:44:11,050 --> 00:44:13,610
terms of your analysis that would lead
you to...
535
00:44:13,920 --> 00:44:15,160
Believe that that's correct also?
536
00:44:15,440 --> 00:44:17,380
Nothing that I could talk about on
camera.
537
00:44:20,300 --> 00:44:21,680
Can I ask why?
538
00:44:22,000 --> 00:44:23,000
No.
539
00:44:23,860 --> 00:44:25,400
You can, but I won't answer.
540
00:44:27,640 --> 00:44:31,960
But even in the case of nation states,
one of the concerns is... This was
541
00:44:31,960 --> 00:44:33,520
beginning to really piss me off.
542
00:44:34,140 --> 00:44:38,880
Even civilians with an interest in
telling the Stuxnet story were refusing
543
00:44:38,880 --> 00:44:41,060
address the role of Tel Aviv and
Washington.
544
00:44:42,480 --> 00:44:47,580
But luckily for me, while D.C. is a
city of secrets, it is also a city of
545
00:44:47,580 --> 00:44:51,700
leaks. They're as regular as a heartbeat
and just as hard to stop.
546
00:44:52,780 --> 00:44:54,200
That's what I was counting on.
547
00:44:59,360 --> 00:45:04,360
Finally, after speaking to a number of
people on background, I did find a way
548
00:45:04,360 --> 00:45:07,380
confirming on the record the American
role in Stuxnet.
549
00:45:08,360 --> 00:45:10,600
In exchange for details of the
operation,
550
00:45:11,390 --> 00:45:15,030
I had to agree to find a way to disguise
the source of the information.
551
00:45:15,430 --> 00:45:16,089
You good?
552
00:45:16,090 --> 00:45:17,090
We're off.
553
00:45:18,230 --> 00:45:21,350
The first question I have to ask you is
about secrecy.
554
00:45:22,230 --> 00:45:24,790
I mean, at this point, everyone knows
about the document.
555
00:45:25,070 --> 00:45:26,530
Why can't we talk about it?
556
00:45:27,150 --> 00:45:28,390
It's a covert operation.
557
00:45:29,330 --> 00:45:32,490
Not anymore. I mean, we know what
happened. We know who did it.
558
00:45:33,230 --> 00:45:35,470
Well, maybe you don't know as much as
you think you know.
559
00:45:36,310 --> 00:45:39,970
Well, I'm talking to you because I want
to get the story right.
560
00:45:40,330 --> 00:45:41,890
Well, that's the same reason I'm talking
to you.
561
00:45:44,650 --> 00:45:46,110
Even though it's a covert operation.
562
00:45:47,870 --> 00:45:52,430
Look, this is not a Snowden kind of
thing, okay? I think what he did was
563
00:45:52,630 --> 00:45:53,710
He went too far.
564
00:45:54,330 --> 00:45:55,610
He gave away too much.
565
00:45:56,350 --> 00:45:59,490
Unlike Snowden, who was a contractor, I
was in NSA.
566
00:46:00,430 --> 00:46:04,030
I believe in the agency, so what I'm
willing to give you will be limited, but
567
00:46:04,030 --> 00:46:07,490
we're talking because everyone's getting
this story wrong, and we have to get it
568
00:46:07,490 --> 00:46:10,630
right. We have to understand these new
weapons. The stakes are too high.
569
00:46:10,990 --> 00:46:11,990
What do you mean?
570
00:46:14,390 --> 00:46:16,170
We did Stuxnet.
571
00:46:17,610 --> 00:46:18,610
It's a fact.
572
00:46:19,230 --> 00:46:23,830
We came so fucking close to disaster,
and we're still on the edge.
573
00:46:25,610 --> 00:46:28,970
It was a huge, multinational...
574
00:46:29,240 --> 00:46:35,840
interagency operation. In the U.S., it was
CIA, NSA,
575
00:46:35,840 --> 00:46:42,500
and the military Cyber Command. From
Britain, we used Iran intel out of GCHQ,
576
00:46:42,500 --> 00:46:47,560
but the main partner was Israel. Over
there, Mossad ran the show and the
577
00:46:47,560 --> 00:46:53,240
work was done by Unit 8200. Israel is
really the key to the story.
578
00:46:58,510 --> 00:47:00,170
Traffic in Israel is so unpredictable.
579
00:47:02,970 --> 00:47:05,910
Yossi, how did you get into this whole
Stuxnet story?
580
00:47:06,850 --> 00:47:11,810
I have been covering the Israeli
intelligence in general and the Mossad
581
00:47:11,810 --> 00:47:15,710
particular for nearly 30 years.
582
00:47:16,030 --> 00:47:22,590
In 1982, I was a London-based
correspondent and I covered a trial of
583
00:47:22,590 --> 00:47:26,670
and I became more familiar with this
topic of terrorism.
584
00:47:27,770 --> 00:47:31,090
Slowly but surely, I started covering it
as a beat.
585
00:47:34,130 --> 00:47:40,610
Israel, we live in a very rough
neighborhood where democratic values,
586
00:47:40,610 --> 00:47:42,670
values are very rare.
587
00:47:43,010 --> 00:47:48,690
But Israel pretends to be a free,
democratic, westernized society.
588
00:47:49,750 --> 00:47:55,150
Posh neighborhoods, rich people,
youngsters who are...
589
00:47:55,840 --> 00:48:00,540
having almost similar mindset to their
American or Western European
590
00:48:00,540 --> 00:48:06,320
counterparts. On the other hand, you see
a lot of scenes and events which
591
00:48:06,320 --> 00:48:08,120
resemble the real Middle East.
592
00:48:08,520 --> 00:48:14,320
Terror attacks, radicals, fanatics,
religious zealots.
593
00:48:18,860 --> 00:48:24,080
I knew that Israel is trying to slow
down Iran's nuclear program, and
594
00:48:24,080 --> 00:48:29,120
I came to the conclusion that if there
was a virus affecting Iran's computers,
595
00:48:29,540 --> 00:48:36,220
it's one more element in this larger
picture based
596
00:48:36,220 --> 00:48:37,900
on past precedents.
597
00:48:42,820 --> 00:48:46,200
1981, I was a F-16 pilot.
598
00:48:47,120 --> 00:48:53,760
We were told that unlike our dream to do
dogfights and to kill MiGs,
599
00:48:53,960 --> 00:49:00,300
we have to be prepared for a long-range
mission to destroy a valuable
600
00:49:00,300 --> 00:49:06,080
target. Nobody told us what is this very
valuable strategic target.
601
00:49:06,860 --> 00:49:10,240
It was 600 miles from Israel.
602
00:49:11,500 --> 00:49:13,280
So we trained ourselves.
603
00:49:14,140 --> 00:49:19,900
to do the job, which was very difficult.
No air refueling at that time. No
604
00:49:19,900 --> 00:49:21,360
satellite for reconnaissance.
605
00:49:22,920 --> 00:49:25,820
Fuel was on the limit.
606
00:49:29,860 --> 00:49:35,400
At the end of the day, we accomplished
the mission.
607
00:49:35,900 --> 00:49:36,900
Which was?
608
00:49:37,260 --> 00:49:42,460
To destroy the Iraqi nuclear reactor
near Baghdad.
609
00:49:42,890 --> 00:49:48,710
which was called Osirak, and Iraq
never was able to
610
00:49:48,710 --> 00:49:53,190
accomplish its ambition to have a
nuclear bomb.
611
00:49:55,630 --> 00:50:00,370
Amos Yadlin, General Yadlin, he was the
head of the military intelligence.
612
00:50:01,030 --> 00:50:06,090
The biggest unit within that
organization is Unit 8200.
613
00:50:06,730 --> 00:50:11,050
They bug telephones, they bug faxes,
they break into computers.
614
00:50:13,960 --> 00:50:19,360
A decade ago, when Yadlin became the
chief of military intelligence, there
615
00:50:19,360 --> 00:50:22,880
no cyber warfare unit in 8200.
616
00:50:26,060 --> 00:50:32,120
So they started recruiting very talented
people, hackers, either from the
617
00:50:32,120 --> 00:50:36,640
military or outside the military, that
can contribute to the project of
618
00:50:36,640 --> 00:50:38,260
a cyber warfare unit.
619
00:50:41,040 --> 00:50:45,280
In the 19th century, there were only
army and navy.
620
00:50:45,760 --> 00:50:51,000
In the 20th century, we got air power as
a third dimension of war.
621
00:50:51,440 --> 00:50:57,060
In the 21st century, cyber will be the
fourth dimension of war.
622
00:50:57,880 --> 00:51:03,820
It's another kind of weapon, and it is
for unlimited range, in a very high
623
00:51:03,820 --> 00:51:06,700
speed, and in a very low signature.
624
00:51:07,040 --> 00:51:09,020
So this gives you a huge opportunity.
625
00:51:10,800 --> 00:51:15,460
And the superpowers have to change the
way we think about war.
626
00:51:17,680 --> 00:51:22,000
Finally, we are transforming our
military for a new kind of war that
627
00:51:22,000 --> 00:51:25,500
fighting now and for wars of tomorrow.
628
00:51:26,640 --> 00:51:31,960
We have made our military better
trained, better equipped, and better
629
00:51:31,960 --> 00:51:37,000
to meet the threats facing America today
and tomorrow and long in the future.
630
00:51:40,810 --> 00:51:45,170
Back in the end of the Bush
administration, people within the U.S.
631
00:51:45,170 --> 00:51:50,370
were just beginning to convince
President Bush to pour money into
632
00:51:50,370 --> 00:51:51,370
cyber weapons.
633
00:51:52,710 --> 00:51:55,330
Stuxnet started off in the Defense
Department.
634
00:51:55,830 --> 00:52:01,470
Then Robert Gates, Secretary of Defense,
reviewed this program and he said, this
635
00:52:01,470 --> 00:52:04,970
program shouldn't be in the Defense
Department. This should really be under
636
00:52:04,970 --> 00:52:07,550
covert authorities over in the
intelligence world.
637
00:52:08,560 --> 00:52:12,840
So the CIA was very deeply involved in
this operation.
638
00:52:13,080 --> 00:52:19,240
While much of the coding work was done
by the National Security Agency and Unit
639
00:52:19,240 --> 00:52:24,960
8200, its Israeli equivalent, working
together with a newly created military
640
00:52:24,960 --> 00:52:27,740
position called U.S. Cyber Command.
641
00:52:28,280 --> 00:52:34,440
And interestingly, the director of the
National Security Agency would also have
642
00:52:34,440 --> 00:52:36,880
a second role as the commander.
643
00:52:37,870 --> 00:52:39,170
of U.S. Cyber Command.
644
00:52:39,790 --> 00:52:46,770
And U.S. Cyber Command is located at
Fort Meade in the same building as the
645
00:52:46,770 --> 00:52:47,770
NSA.
646
00:52:51,430 --> 00:52:56,510
I was deployed for a year giving advice
on air operations in Iraq and
647
00:52:56,510 --> 00:53:01,130
Afghanistan. And when I was returning
home after that, the assignment I was
648
00:53:01,130 --> 00:53:03,150
given was to go to U.S. Cyber Command.
649
00:53:04,230 --> 00:53:05,910
Cyber Command is the...
650
00:53:07,200 --> 00:53:12,120
military command that's responsible for
essentially conducting the nation's
651
00:53:12,120 --> 00:53:13,840
military affairs in cyberspace.
652
00:53:14,660 --> 00:53:19,560
The stated reason the United States
decided it needed a cyber command was
653
00:53:19,560 --> 00:53:22,260
because of an event called Operation
Buckshot Yankee.
654
00:53:22,760 --> 00:53:28,280
In the fall of 2008, we found some
adversaries inside of our classified
655
00:53:28,280 --> 00:53:29,280
networks.
656
00:53:29,870 --> 00:53:33,990
While it wasn't completely true that we
always assumed that we were successful
657
00:53:33,990 --> 00:53:38,030
at defending things at the barrier, at
the kind of perimeter that we might have
658
00:53:38,030 --> 00:53:42,350
between our networks and the outside
world, there was a large confidence that
659
00:53:42,350 --> 00:53:44,030
we'd been mostly successful.
660
00:53:44,330 --> 00:53:48,070
But that was a moment in time when we
came to the quick conclusion that it's
661
00:53:48,070 --> 00:53:49,330
really ever secure.
662
00:53:50,790 --> 00:53:54,350
That then accelerated the Department of
Defense's progress towards what
663
00:53:54,350 --> 00:53:55,770
ultimately became Cyber Command.
664
00:54:01,600 --> 00:54:02,700
Good morning, sir.
665
00:54:03,580 --> 00:54:05,160
Team Cyber has one item for you today.
666
00:54:05,460 --> 00:54:09,280
Earlier this week, NTOC analysts
detected a foreign adversary using known
667
00:54:09,280 --> 00:54:11,280
methods to access the U.S. military
network.
668
00:54:11,800 --> 00:54:15,180
We identified the malicious activity via
data collected through our information
669
00:54:15,180 --> 00:54:18,740
assurance and signals intelligence
authorities and confirmed it was a cyber
670
00:54:18,740 --> 00:54:22,320
adversary. We provide data to our cyber
partners within the DOD. If you think of
671
00:54:22,320 --> 00:54:27,740
NSA as an institution that essentially
uses its abilities in cyberspace to help
672
00:54:27,740 --> 00:54:32,400
defend communications in that space,
Cyber Command extends that capability by
673
00:54:32,400 --> 00:54:35,100
saying that they will then take
responsibility to attack.
674
00:54:36,920 --> 00:54:39,620
NSA has no legal authority to attack.
675
00:54:39,860 --> 00:54:42,000
It's never had it. I doubt that it ever
will.
676
00:54:42,400 --> 00:54:46,620
It might explain why U.S. Cyber Command
is sitting out at Fort Meade on top of
677
00:54:46,620 --> 00:54:47,660
the National Security Agency.
678
00:54:48,190 --> 00:54:52,770
Because NSA has the ability to do these
things, Cyber Command has the authority
679
00:54:52,770 --> 00:54:56,910
to do these things. And these things
here refer to the cyber attack.
680
00:54:57,250 --> 00:55:03,190
This is a huge change for the nature of
the intelligence agencies.
681
00:55:03,650 --> 00:55:09,470
The NSA was supposed to be a
code-making and code-breaking operation to
682
00:55:09,470 --> 00:55:15,410
monitor the communications of foreign
powers and American adversaries in the
683
00:55:15,410 --> 00:55:16,810
defense of the United States.
684
00:55:17,630 --> 00:55:23,750
But creating a cyber command meant using
the same technology to do offense.
685
00:55:26,090 --> 00:55:32,470
Once you get inside an adversary's
computer networks, you put an implant in
686
00:55:32,470 --> 00:55:37,230
network. And we have tens of thousands
of foreign computers and networks that
687
00:55:37,230 --> 00:55:38,630
the United States has put implants in.
688
00:55:39,030 --> 00:55:43,030
You can use it to monitor what's going
across that network.
689
00:55:43,630 --> 00:55:47,310
And you can use it to insert cyber
weapons, malware.
690
00:55:48,590 --> 00:55:51,970
If you can spy on a network, you can
manipulate it.
691
00:55:52,730 --> 00:55:54,070
It's already included.
692
00:55:54,410 --> 00:55:56,770
The only thing you need is an act of
will.
693
00:56:00,910 --> 00:56:02,390
It played a role in Iraq.
694
00:56:02,810 --> 00:56:07,430
I can't tell you whether it was military
or not, but I can tell you NSA had
695
00:56:07,430 --> 00:56:08,810
combat support teams in country.
696
00:56:10,190 --> 00:56:15,410
And for the first time, units in the
field had direct access to NSA intel.
697
00:56:18,010 --> 00:56:21,710
Over time, we thought more about offense
than defense, you know, more about
698
00:56:21,710 --> 00:56:23,010
attacking than intelligence.
699
00:56:24,550 --> 00:56:29,270
In the old days, SIGINT units would try
to track radios, but through NSA in
700
00:56:29,270 --> 00:56:33,930
Iraq, we had access to all the networks
going in and out of the country. We
701
00:56:33,930 --> 00:56:36,750
hoovered off every text message, email,
and phone call.
702
00:56:37,590 --> 00:56:39,770
The complete surveillance state.
703
00:56:40,650 --> 00:56:46,950
We could find the bad guys, say a gang
making IEDs, map their networks, and
704
00:56:46,950 --> 00:56:48,670
follow them in real time.
705
00:56:49,170 --> 00:56:54,030
We could lock into cell phones even when
they were off, send a fake text from a
706
00:56:54,030 --> 00:57:00,630
friend, suggest a meeting place, and
then capture or kill.
707
00:57:02,930 --> 00:57:09,040
A lot of the people that came to Cyber
Command, the military guys, came directly
708
00:57:09,040 --> 00:57:13,340
from an assignment in Afghanistan or
Iraq, because those are the people with
709
00:57:13,340 --> 00:57:17,440
experience and expertise in operations,
and those are the ones you want looking
710
00:57:17,440 --> 00:57:21,580
at this to see how cyber could
facilitate traditional military
711
00:57:34,030 --> 00:57:39,750
Fresh from the surge, I went to work at
NSA in 07 in a supervisory capacity.
712
00:57:40,490 --> 00:57:42,150
Exactly where did you work?
713
00:57:42,630 --> 00:57:46,470
Fort Meade. You know, I commuted to that
massive complex every single day.
714
00:57:47,990 --> 00:57:52,370
I was in TAO S321, the ROC.
715
00:57:53,030 --> 00:57:54,890
Okay, the TAO, the ROC?
716
00:57:55,350 --> 00:57:58,150
Right, sorry. TAO is Tailored Access
Operations.
717
00:57:58,650 --> 00:58:00,290
It's where NSA's hackers work.
718
00:58:00,530 --> 00:58:02,090
Of course, we didn't call them that.
719
00:58:02,370 --> 00:58:03,470
What did you call it?
720
00:58:03,900 --> 00:58:04,900
On-net operators.
721
00:58:05,460 --> 00:58:09,580
They're the only people at NSA allowed
to break in or attack on the internet.
722
00:58:10,620 --> 00:58:14,240
Inside TAO headquarters is the ROC,
Remote Operations Center.
723
00:58:14,980 --> 00:58:20,640
If the US government wants to get in
somewhere, it goes to the ROC.
724
00:58:20,920 --> 00:58:23,560
I mean, we were flooded with requests.
725
00:58:24,460 --> 00:58:29,420
So many that we could only do about 30%
of the missions that were requested of
726
00:58:29,420 --> 00:58:30,420
us at one time.
727
00:58:30,890 --> 00:58:34,550
through the web, but also by hijacking
shipments of parts.
728
00:58:35,450 --> 00:58:39,910
Sometimes the CIA would assist in
putting implants in machines.
729
00:58:41,290 --> 00:58:48,010
So once inside a target network, we
could just watch,
730
00:58:48,310 --> 00:58:51,790
or we could attack.
731
00:58:55,550 --> 00:58:59,150
Inside NSA was a strange kind of
culture.
732
00:59:00,160 --> 00:59:03,480
Two parts macho military and two parts
cyber geek.
733
00:59:04,160 --> 00:59:08,840
I mean, I came from Iraq, so I was used
to, yes, sir, no, sir, but for the
734
00:59:08,840 --> 00:59:12,020
weapons programmers, we needed more
think-outside-the-box types.
735
00:59:13,280 --> 00:59:19,940
From cubicle to cubicle, you'd see
lightsabers, tribbles, Naruto action
736
00:59:20,140 --> 00:59:22,380
lots of Aqua Teen Hunger Force.
737
00:59:25,280 --> 00:59:28,600
This one guy, they were mostly guys.
738
00:59:29,840 --> 00:59:31,840
who liked to wear a yellow hooded cape.
739
00:59:32,240 --> 00:59:36,100
He used a ton of gray Legos to build a
massive Death Star.
740
00:59:39,300 --> 00:59:41,340
Were they all working on Stuxnet?
741
00:59:41,940 --> 00:59:46,460
We never called it Stuxnet. That was the
name invented by the antivirus guys.
742
00:59:47,380 --> 00:59:50,770
When it hit the papers, we're not
allowed to read about classified
743
00:59:50,950 --> 00:59:54,270
even if it's in the New York Times. We
went out of our way to avoid the term. I
744
00:59:54,270 --> 00:59:58,290
mean, saying Stuxnet out loud was like
saying Voldemort in Harry Potter, the
745
00:59:58,290 --> 00:59:59,550
name that shall not be spoken.
746
01:00:00,190 --> 01:00:01,250
What did you call it then?
747
01:00:09,890 --> 01:00:16,570
The Natanz attack, and this is out there
already, was called Olympic Games,
748
01:00:16,650 --> 01:00:18,050
or OG.
749
01:00:21,800 --> 01:00:28,360
There was a huge operation to test the
code on PLCs here at Fort Meade and in
750
01:00:28,360 --> 01:00:29,360
Sandia, New Mexico.
751
01:00:31,580 --> 01:00:35,120
Remember during the Bush era when Libya
turned over all of its centrifuges?
752
01:00:35,460 --> 01:00:40,140
Those were the same models the Iranians
got from A.Q. Khan, P-1s.
753
01:00:41,620 --> 01:00:46,880
We took them to Oak Ridge and used them
to test the code, just demolish the
754
01:00:46,880 --> 01:00:47,880
inside.
755
01:00:48,640 --> 01:00:52,760
At Dimona, the Israelis also tested on
the P-1s.
756
01:00:53,920 --> 01:00:58,400
Then, partly by using our intel on Iran,
we got the plans for the newer models,
757
01:00:58,600 --> 01:00:59,700
the IR-2s.
758
01:01:00,320 --> 01:01:02,660
We cut out different attack vectors.
759
01:01:03,020 --> 01:01:07,000
We ended up focusing on ways to destroy
the rotor tubes.
760
01:01:08,020 --> 01:01:11,360
In the tests we ran, we blew them apart.
761
01:01:12,800 --> 01:01:14,460
They swept up the pieces.
762
01:01:14,680 --> 01:01:15,940
They put it on an airplane.
763
01:01:16,220 --> 01:01:17,580
They flew it to Washington.
764
01:01:18,060 --> 01:01:21,300
They stuck it in the truck, they drove
it through the gates of the White House,
765
01:01:21,420 --> 01:01:26,960
and dumped the shards out on the
conference room table in the Situation
766
01:01:27,240 --> 01:01:30,040
And then they invited President Bush to
come down and take a look.
767
01:01:30,500 --> 01:01:35,880
And when he could pick up the shard of a
piece of centrifuge, he was convinced
768
01:01:35,880 --> 01:01:37,040
this might be worth it.
769
01:01:37,480 --> 01:01:38,920
And he said, go ahead and try.
770
01:01:39,840 --> 01:01:44,440
Was there legal concern inside the Bush
administration that this might be an act
771
01:01:44,440 --> 01:01:45,440
of undeclared war?
772
01:01:46,410 --> 01:01:49,970
If there were concerns, I haven't found
them.
773
01:01:51,310 --> 01:01:56,910
That doesn't mean that they didn't exist
and that some lawyers somewhere were
774
01:01:56,910 --> 01:02:00,570
concerned about it, but this was an
entirely new territory.
775
01:02:01,450 --> 01:02:06,590
At the time, there were really very few
people who had expertise specifically on
776
01:02:06,590 --> 01:02:08,030
the law of war and cyber.
777
01:02:08,350 --> 01:02:11,930
And basically what we did was looking
at, okay, here's our broad direction.
778
01:02:12,770 --> 01:02:15,390
Now let's look technically, what can we
do?
779
01:02:15,950 --> 01:02:17,610
to facilitate this broad direction.
780
01:02:18,010 --> 01:02:23,730
After that, maybe I would come in or one
of my lawyers would come in and say,
781
01:02:23,790 --> 01:02:26,530
okay, this is what we may do.
782
01:02:27,130 --> 01:02:28,130
Okay.
783
01:02:28,370 --> 01:02:32,190
There are many things we can do, but we
are not allowed to do them. And then
784
01:02:32,190 --> 01:02:35,270
after that, there's still a final level
that we look at, and that's what should
785
01:02:35,270 --> 01:02:36,049
we do?
786
01:02:36,050 --> 01:02:40,810
Because there are many things that would
be technically possible and technically
787
01:02:40,810 --> 01:02:42,570
legal, but a bad idea.
788
01:02:43,470 --> 01:02:49,460
For Natanz, it was a CIA-led operation,
so we had to have agency sign off.
789
01:02:50,020 --> 01:02:56,800
Really? Someone from the agency stood
behind the operator and the analyst
790
01:02:56,800 --> 01:02:59,660
and gave the order to launch every
attack.
791
01:03:07,400 --> 01:03:11,460
Before they even started this attack,
they put inside of the code the kill
792
01:03:11,600 --> 01:03:13,420
a date at which it would stop operating.
793
01:03:14,129 --> 01:03:16,990
Cut-off date. We don't normally see
that in other threats.
794
01:03:17,310 --> 01:03:19,870
And you have to think, well, why is
there a cut-off date in there?
795
01:03:20,230 --> 01:03:24,410
And when you realize that, well,
Stuxnet was probably written by
796
01:03:24,410 --> 01:03:29,610
that there are laws regarding how you
can use this sort of software, that
797
01:03:29,610 --> 01:03:33,450
may have been a legal team who said, no,
you need to have a cut-off date in
798
01:03:33,450 --> 01:03:36,630
there and you can only do this and you
can only go that far and we need to
799
01:03:36,630 --> 01:03:37,630
if this is legal or not.
800
01:03:39,550 --> 01:03:42,670
That date is a few days before Obama's
inauguration.
801
01:03:43,690 --> 01:03:48,390
So the theory was that this was an
operation that needed to be stopped at a
802
01:03:48,390 --> 01:03:53,470
certain time because there was going to
be a handover and that more approval was
803
01:03:53,470 --> 01:03:54,470
needed.
804
01:03:56,830 --> 01:03:58,850
Are you prepared to take the oath,
Senator?
805
01:03:59,110 --> 01:04:00,110
I am.
806
01:04:00,370 --> 01:04:03,730
I, Barack Hussein Obama, do solemnly
swear.
807
01:04:03,950 --> 01:04:06,450
I, Barack Hussein Obama, do solemnly
swear.
808
01:04:06,650 --> 01:04:11,310
The Olympic Games was reauthorized by
President Obama in his first year in
809
01:04:11,310 --> 01:04:12,310
office, 2009.
810
01:04:16,880 --> 01:04:20,020
It was fascinating because it was the
first year of the Obama administration
811
01:04:20,020 --> 01:04:23,180
they would talk to you endlessly about
cyber defense.
812
01:04:24,060 --> 01:04:28,240
We count on computer networks to deliver
our oil and gas, our power and our
813
01:04:28,240 --> 01:04:33,440
water. We rely on them for public
transportation and air traffic control.
814
01:04:34,000 --> 01:04:38,840
But just as we failed in the past to
invest in our physical infrastructure,
815
01:04:38,840 --> 01:04:43,800
roads, our bridges and rails, we failed
to invest in the security of our digital
816
01:04:43,800 --> 01:04:44,800
infrastructure.
817
01:04:45,320 --> 01:04:50,460
He was running East Room events, trying
to get people to focus on the need to
818
01:04:50,460 --> 01:04:53,780
defend cyber networks and defend
American infrastructure.
819
01:04:54,300 --> 01:04:59,700
But when you asked questions about the
use of offensive cyber weapons,
820
01:04:59,980 --> 01:05:02,780
everything went dead. No cooperation.
821
01:05:03,340 --> 01:05:07,120
White House wouldn't help. Pentagon
wouldn't help. NSA wouldn't help. Nobody
822
01:05:07,120 --> 01:05:08,140
would talk to you about it.
823
01:05:08,660 --> 01:05:13,110
But when you dug into the budget, for
cyber spending during the Obama
824
01:05:13,110 --> 01:05:18,590
administration, what you discovered was
much of it was being spent on offensive
825
01:05:18,590 --> 01:05:19,590
cyber weapons.
826
01:05:20,790 --> 01:05:25,430
You see phrases like Title X CNO.
827
01:05:25,690 --> 01:05:32,370
Title X means operations for the U.S.
military, and CNO means computer network
828
01:05:32,370 --> 01:05:33,370
operations.
829
01:05:34,090 --> 01:05:38,530
This is considerable evidence that
Stuxnet was just the opening wedge.
830
01:05:39,340 --> 01:05:45,460
of what is a much broader U.S.
government effort now to develop an
831
01:05:45,460 --> 01:05:46,500
class of weapons.
832
01:05:52,480 --> 01:05:54,860
Stuxnet wasn't just an evolution.
833
01:05:55,160 --> 01:05:57,360
It was really a revolution in the threat
landscape.
834
01:05:59,420 --> 01:06:03,500
In the past, the vast majority of
threats that we saw were always
835
01:06:03,500 --> 01:06:04,500
an operator somewhere.
836
01:06:04,799 --> 01:06:08,060
They wouldn't infect your machine, but
they would have what's called a callback
837
01:06:08,060 --> 01:06:09,220
or command and control channel.
838
01:06:09,440 --> 01:06:12,500
The threats would actually contact the
operator and say, what do you want me to
839
01:06:12,500 --> 01:06:12,979
do next?
840
01:06:12,980 --> 01:06:16,380
And the operator would send down
commands and say, maybe search through
841
01:06:16,380 --> 01:06:19,520
directory, find these folders, find
these files, upload these files to me,
842
01:06:19,560 --> 01:06:21,760
spread to this other machine, things of
that nature.
843
01:06:22,420 --> 01:06:27,660
But Stuxnet couldn't have a command and
control channel because once it got
844
01:06:27,660 --> 01:06:30,480
inside Natanz, it would not have
been able to reach back out.
845
01:06:30,760 --> 01:06:31,538
to the attackers.
846
01:06:31,540 --> 01:06:35,300
The Natanz network is completely
air-gapped from the rest of the internet.
847
01:06:35,300 --> 01:06:37,680
not connected to the internet. It's its
own isolated network.
848
01:06:37,980 --> 01:06:40,980
Generally, getting across an air gap is
one of the more difficult challenges
849
01:06:40,980 --> 01:06:45,760
that attackers will face just because of
the fact that everything is in place to
850
01:06:45,760 --> 01:06:46,760
prevent that.
851
01:06:46,800 --> 01:06:50,000
Everything, you know, the policies and
procedures and the physical network
852
01:06:50,000 --> 01:06:54,280
that's in place is specifically designed
to prevent you crossing the air -gap.
853
01:06:54,420 --> 01:06:58,320
But there's no truly air -gap network in
these real -world production
854
01:06:58,320 --> 01:07:01,060
environments. People got to get new code
into Natan.
855
01:07:01,260 --> 01:07:05,000
People have to get log files off of the
networks in Natan. People have to
856
01:07:05,000 --> 01:07:05,819
upgrade equipment.
857
01:07:05,820 --> 01:07:06,960
People have to upgrade computers.
858
01:07:07,240 --> 01:07:13,920
This highlights one of the major
security issues that we have in the
859
01:07:14,160 --> 01:07:19,200
If you think, well, nobody can attack
this power plant or this chemical plant
860
01:07:19,200 --> 01:07:22,420
because it's not connected to the
Internet, that's a bizarre illusion.
861
01:07:26,600 --> 01:07:31,620
The first time we introduced the code
into Natan, we used human assets.
862
01:07:32,800 --> 01:07:39,200
Maybe CIA, more likely than thought. But
our team was kept in the dark about the
863
01:07:39,200 --> 01:07:40,200
tradecraft.
864
01:07:40,560 --> 01:07:46,500
We heard rumors in Moscow, an Iranian
laptop infected by a phony semen
865
01:07:46,500 --> 01:07:47,920
technician with a flash drive.
866
01:07:49,800 --> 01:07:53,020
A double agent in Iran with access to
Natan.
867
01:07:53,600 --> 01:07:55,280
But I don't really know.
868
01:07:55,720 --> 01:08:01,260
What we had to focus on was to write the
code so that once inside, the worm
869
01:08:01,260 --> 01:08:02,260
acted on its own.
870
01:08:02,440 --> 01:08:06,460
They built in all the code and all the
logic into the threat to be able to
871
01:08:06,460 --> 01:08:07,460
operate all by itself.
872
01:08:07,660 --> 01:08:09,520
It had the ability to spread by itself.
873
01:08:09,840 --> 01:08:12,800
It had the ability to figure out, do I
have the right PLCs?
874
01:08:13,080 --> 01:08:15,740
Have I arrived in a TAM? Am I at the
target?
875
01:08:15,940 --> 01:08:19,300
And when it's on target, it executes
autonomously.
876
01:08:19,920 --> 01:08:23,000
That also means you cannot call off the
attack.
877
01:08:23,790 --> 01:08:29,550
It was definitely the type of attack
where someone had decided that this is
878
01:08:29,550 --> 01:08:30,550
they wanted to do.
879
01:08:30,609 --> 01:08:33,390
There was no turning back once Sexcent
was released.
880
01:08:38,710 --> 01:08:42,770
When it began to actually execute its
payload, you would have a whole bunch of
881
01:08:42,770 --> 01:08:46,090
centrifuges in a huge array of cascades,
sitting in a big hall.
882
01:08:46,930 --> 01:08:49,950
And then just off that hall, you would
have an operator's room.
883
01:08:50,270 --> 01:08:53,170
big control panels in front of them, a
big window where they could see into the
884
01:08:53,170 --> 01:08:54,170
hall.
885
01:08:54,229 --> 01:08:57,410
Computers monitor the activities of all
these centrifuges.
886
01:08:58,370 --> 01:09:02,490
So a centrifuge is driven by an
electrical motor.
887
01:09:03,069 --> 01:09:09,710
And the speed of this electrical motor
is controlled by another PLC, by another
888
01:09:09,710 --> 01:09:10,970
programmable logic controller.
889
01:09:13,790 --> 01:09:17,710
SexNet would wait for 13 days before
doing anything.
890
01:09:18,270 --> 01:09:23,050
Because 13 days is about the time it
takes to actually fill an entire cascade
891
01:09:23,050 --> 01:09:24,649
centrifuges with uranium.
892
01:09:25,090 --> 01:09:29,010
They didn't want to attack when the
centrifuges essentially were empty or at
893
01:09:29,010 --> 01:09:30,010
beginning of the enrichment process.
894
01:09:31,470 --> 01:09:35,990
What SexNet did was it actually would
sit there during the 13 days and
895
01:09:35,990 --> 01:09:40,149
record all of the normal activities that
were happening and save it.
896
01:09:40,850 --> 01:09:44,430
And once they saw them spinning for 13
days, then the attack occurred.
897
01:09:45,839 --> 01:09:51,260
Centrifuges spin at incredible speeds,
about 1 ,000 hertz. They have a safe
898
01:09:51,260 --> 01:09:55,040
operating speed, 63 ,000 revolutions per
minute.
899
01:09:55,400 --> 01:09:59,800
That's what caused the uranium
enrichment centrifuges to spin up to 1
900
01:09:59,800 --> 01:10:03,060
hertz. Up to 80 ,000 revolutions per
minute.
901
01:10:06,500 --> 01:10:10,320
What would happen was those centrifuges
would go through what's called a
902
01:10:10,320 --> 01:10:11,320
resonance frequency.
903
01:10:11,740 --> 01:10:15,140
It would go through a frequency at which
the metal would basically vibrate
904
01:10:15,140 --> 01:10:16,980
uncontrollably and essentially shatter.
905
01:10:17,460 --> 01:10:19,220
There'd be uranium gas everywhere.
906
01:10:20,560 --> 01:10:24,320
And then the second attack they
attempted was they actually tried to
907
01:10:24,320 --> 01:10:28,500
2 hertz. They were slowed down to almost
10 still.
908
01:10:29,280 --> 01:10:31,820
And at 2 hertz, sort of an opposite
effect occurred.
909
01:10:32,120 --> 01:10:36,100
You can imagine it to a top that you
spin, and as the top begins to slow
910
01:10:36,160 --> 01:10:38,680
it begins to wobble. That's what happens
to these centrifuges.
911
01:10:39,070 --> 01:10:41,750
They would begin to wobble and
essentially shatter and fall apart.
912
01:10:46,530 --> 01:10:50,350
And instead of sending back to the
computer what was really happening, it
913
01:10:50,350 --> 01:10:52,650
send back that old data that it had
recorded.
914
01:10:52,910 --> 01:10:55,570
And so the computer's sitting there
thinking, yep, running at 1 ,000 hertz,
915
01:10:55,690 --> 01:10:57,770
everything's fine. Running at 1 ,000
hertz, everything's fine.
916
01:10:58,070 --> 01:11:00,590
But those centrifuges are potentially
spinning up wildly.
917
01:11:01,010 --> 01:11:02,350
A huge noise would occur.
918
01:11:02,930 --> 01:11:04,410
It'd be like, you know, a jet engine.
919
01:11:08,040 --> 01:11:11,460
So the operators then would know, whoa,
something is going wrong here. They
920
01:11:11,460 --> 01:11:14,820
might look at their monitors and see, it
says 1 ,000 hertz, but they would hear
921
01:11:14,820 --> 01:11:17,340
that in the room something gravely bad
was happening.
922
01:11:17,600 --> 01:11:23,480
Not only are the operators fooled into
thinking everything's normal, but also
923
01:11:23,480 --> 01:11:28,360
any kind of automated protective logic
is fooled.
924
01:11:29,680 --> 01:11:31,440
You can't just turn these centrifuges
off.
925
01:11:31,660 --> 01:11:34,520
They have to be brought down in a very
controlled manner.
926
01:11:34,900 --> 01:11:36,700
And so they would hit literally the big
red button.
927
01:11:37,040 --> 01:11:38,160
to initiate a graceful shutdown.
928
01:11:38,660 --> 01:11:40,740
And that intercepts that code.
929
01:11:41,000 --> 01:11:44,340
So you would have these operators
slamming on that button over and over
930
01:11:44,460 --> 01:11:45,460
and nothing would happen.
931
01:11:47,060 --> 01:11:53,060
If your cyber weapon is good enough, if
your enemy is not aware of it,
932
01:11:53,300 --> 01:11:58,840
it is an ideal weapon, because the enemy
even don't understand what is happening
933
01:11:58,840 --> 01:11:59,679
to it.
934
01:11:59,680 --> 01:12:02,660
Maybe even better, the enemy begins to
doubt their own capability.
935
01:12:03,180 --> 01:12:04,180
Absolutely.
936
01:12:04,700 --> 01:12:05,700
Certainly.
937
01:12:06,250 --> 01:12:12,090
One must conclude that what happened at
Natanz must have driven the engineers
938
01:12:12,090 --> 01:12:17,770
crazy. Because the worst thing that can
happen to a maintenance engineer is not
939
01:12:17,770 --> 01:12:22,710
being able to figure out what the cause
of specific trouble is. So they must
940
01:12:22,710 --> 01:12:25,110
have been analyzing themselves to death.
941
01:12:27,850 --> 01:12:30,930
You know, you see centrifuges blowing
up.
942
01:12:31,150 --> 01:12:32,950
You look at the computer screens.
943
01:12:33,270 --> 01:12:34,890
They go with the proper speed.
944
01:12:35,790 --> 01:12:38,810
There's a proper gas pressure.
Everything looks beautiful.
945
01:12:41,630 --> 01:12:44,770
Through 2009, it was going pretty
smoothly.
946
01:12:45,330 --> 01:12:49,530
Centrifuges were blowing up. The
International Atomic Energy Agency
947
01:12:49,530 --> 01:12:53,710
would go into Natanz and they would see
that whole sections of the centrifuges
948
01:12:53,710 --> 01:12:54,710
had been removed.
949
01:12:55,610 --> 01:13:01,070
The United States knew from its
intelligence channels that some Iranian
950
01:13:01,070 --> 01:13:04,650
scientists and engineers were being
fired because...
951
01:13:05,040 --> 01:13:09,140
The centrifuges were blowing up, and the
Iranians had assumed that this was
952
01:13:09,140 --> 01:13:13,640
because they were making errors, they
were manufacturing mistakes. Clearly
953
01:13:13,640 --> 01:13:14,640
was somebody's fault.
954
01:13:15,440 --> 01:13:21,200
So the program was doing exactly what it
was supposed to be doing, which was it
955
01:13:21,200 --> 01:13:26,820
was blowing up centrifuges and it was
leaving no trace and leaving the
956
01:13:26,820 --> 01:13:32,300
to wonder what they got hit by. This was
the brilliance of Olympic Games.
957
01:13:32,760 --> 01:13:35,400
You know, as the former director of a
couple of big three -letter agencies,
958
01:13:35,820 --> 01:13:40,260
slowing down 1 ,000 centrifuges in a
ton, an unalloyed good.
959
01:13:40,500 --> 01:13:45,640
There was a need for buying time. There
was a need for slowing them down.
960
01:13:45,900 --> 01:13:49,120
There was a need to try to push them to
the negotiating table.
961
01:13:49,380 --> 01:13:51,480
I mean, there are a lot of variables at
play here.
962
01:13:56,000 --> 01:13:59,480
President Obama would go down into the
Situation Room.
963
01:13:59,960 --> 01:14:04,540
And he would have laid out in front of
him what they called the horse blanket,
964
01:14:04,700 --> 01:14:10,460
which was a giant schematic of the
Natanz nuclear enrichment plant.
965
01:14:11,000 --> 01:14:16,880
And the designers of Olympic Games would
describe to him what kind of progress
966
01:14:16,880 --> 01:14:21,280
they made and look for him for the
authorization to move on ahead to the
967
01:14:21,280 --> 01:14:22,280
attack.
968
01:14:23,720 --> 01:14:27,840
And at one point during those
discussions, he said to a number of his
969
01:14:27,840 --> 01:14:32,320
know, I had some concerns because once
word of this gets out, and eventually he
970
01:14:32,320 --> 01:14:36,440
knew it would get out, the Chinese may
use it as an excuse for their attacks on
971
01:14:36,440 --> 01:14:38,280
us or Russians might or others.
972
01:14:39,040 --> 01:14:44,940
So he clearly had some misgivings, but
they weren't big enough to stop him from
973
01:14:44,940 --> 01:14:45,940
going ahead with the program.
974
01:14:47,400 --> 01:14:52,180
And then in 2010, a decision was made.
975
01:14:52,640 --> 01:14:53,880
to change the code.
976
01:14:59,580 --> 01:15:05,020
Our human assets weren't always able to
get code updates into Natanz.
977
01:15:05,320 --> 01:15:07,160
And we weren't told exactly why.
978
01:15:07,640 --> 01:15:13,360
But we were told we had to have a cyber
solution for delivering the code.
979
01:15:13,960 --> 01:15:16,460
But the delivery systems were tricky.
980
01:15:16,680 --> 01:15:20,420
If they weren't aggressive enough, they
wouldn't get in. They were too
981
01:15:20,420 --> 01:15:23,490
aggressive. they could spread and be
discovered.
982
01:15:25,970 --> 01:15:29,810
When we got the first sample, there was
some configuration information inside of
983
01:15:29,810 --> 01:15:33,270
it, and one of the pieces in there was a
version number, 1 .1.
984
01:15:34,130 --> 01:15:37,650
And that made us realize, well, look,
this likely isn't the only copy.
985
01:15:37,850 --> 01:15:42,070
We went back through our databases
looking for anything that looked similar
986
01:15:42,070 --> 01:15:43,070
Stuxnet.
987
01:15:44,290 --> 01:15:47,750
As we began to collect more samples, we
found a few earlier versions of Stuxnet.
988
01:15:48,830 --> 01:15:54,130
And when we analyzed that code, we saw
that versions previous to 1 .1 were a
989
01:15:54,130 --> 01:15:55,130
less aggressive.
990
01:15:55,510 --> 01:15:59,530
The earlier version of Sexton, it
basically required humans to do a little
991
01:15:59,530 --> 01:16:02,970
of double -clicking in order for it to
spread from one computer to another.
992
01:16:03,310 --> 01:16:06,310
And so what we believe after looking at
that code is two things.
993
01:16:07,250 --> 01:16:11,330
One, either they didn't get into Natanz
with that earlier version because it
994
01:16:11,330 --> 01:16:13,790
simply wasn't aggressive enough, wasn't
able to jump over that error gap.
995
01:16:14,870 --> 01:16:17,850
And or two, that payload as well...
996
01:16:18,220 --> 01:16:19,220
Didn't work properly.
997
01:16:19,520 --> 01:16:20,800
Didn't work to their satisfaction.
998
01:16:21,380 --> 01:16:23,100
Maybe was not explosive enough.
999
01:16:23,640 --> 01:16:28,560
There were slightly different versions,
which were aimed at different parts of
1000
01:16:28,560 --> 01:16:29,580
the centrifuge cascade.
1001
01:16:30,260 --> 01:16:33,640
But the guys at Symantec figured you
changed the code because the first
1002
01:16:33,640 --> 01:16:35,720
variations couldn't get in and didn't
work right.
1003
01:16:36,300 --> 01:16:37,300
Bullshit.
1004
01:16:37,700 --> 01:16:39,920
We always found a way to get across the
air gap.
1005
01:16:40,320 --> 01:16:43,920
At TAO, we laughed when people thought
they were protected by an air gap.
1006
01:16:44,750 --> 01:16:47,770
And for OG, the early versions of the
payload did work.
1007
01:16:48,030 --> 01:16:54,370
But what NSA did was always low -key and
subtle.
1008
01:16:55,290 --> 01:17:00,410
The problem was that Unit 8200, the
Israeli, kept pushing up to be more
1009
01:17:00,410 --> 01:17:01,410
aggressive.
1010
01:17:02,650 --> 01:17:05,270
The later version of DuckNet, 1 .1.
1011
01:17:05,690 --> 01:17:09,190
That version had multiple ways of
spreading. It had the four zero days
1012
01:17:09,190 --> 01:17:12,130
it, for example, that allowed it to
spread all by itself without you doing
1013
01:17:12,130 --> 01:17:13,870
anything. It could spread via network
shares.
1014
01:17:14,310 --> 01:17:15,890
It could spread via USB keys.
1015
01:17:16,190 --> 01:17:20,270
It was able to spread via network
exploits. That's the sample that
1016
01:17:20,270 --> 01:17:21,710
the stolen digital certificate.
1017
01:17:22,170 --> 01:17:27,810
That is the sample that all of a sudden
became so noisy and caught the attention
1018
01:17:27,810 --> 01:17:29,450
of the antivirus guys.
1019
01:17:30,250 --> 01:17:33,110
In the first sample, we don't find that.
1020
01:17:35,530 --> 01:17:42,090
This is very strange because it tells us
that in the process of this
1021
01:17:42,090 --> 01:17:47,430
development, the attackers were less
concerned with operational security.
1022
01:17:53,330 --> 01:17:58,030
Pac -Man actually kept a log inside of
itself of all the machines that it
1023
01:17:58,030 --> 01:18:01,850
infected along the way as it jumped from
one machine to another to another to
1024
01:18:01,850 --> 01:18:04,610
another. And we were able to gather up.
1025
01:18:04,990 --> 01:18:08,750
All the samples that we could acquire,
tens of thousands of samples. We
1026
01:18:08,750 --> 01:18:12,390
extracted all of those logs. We can see
the exact path that took.
1027
01:18:15,370 --> 01:18:19,090
Eventually, we were able to trace back
this version of Stuxnet to ground zero,
1028
01:18:19,230 --> 01:18:21,890
to the first five infections in the
world.
1029
01:18:22,770 --> 01:18:27,110
The first five infections are all
outside an intense plant, all inside of
1030
01:18:27,110 --> 01:18:32,010
organizations inside of Iran, all
organizations that are involved in
1031
01:18:32,010 --> 01:18:33,010
control systems.
1032
01:18:33,180 --> 01:18:37,880
The construction of industrial control
facilities, clearly contractors who were
1033
01:18:37,880 --> 01:18:41,260
working on the Natanz facility, and the
attackers knew that.
1034
01:18:41,760 --> 01:18:45,640
They're electrical companies, they're
piping companies, they're, you know,
1035
01:18:45,640 --> 01:18:49,180
sorts of companies, and they knew that
technicians from those companies would
1036
01:18:49,180 --> 01:18:53,440
visit Natanz. So they would infect these
companies, and then technicians would
1037
01:18:53,440 --> 01:18:57,080
take... Their computer or their laptop
or their USB, that operator then goes
1038
01:18:57,080 --> 01:19:00,380
down into Natanz. And he plugs in his
USB key, which has some code that he
1039
01:19:00,380 --> 01:19:02,900
to update into Natanz, into the Natanz
network.
1040
01:19:03,120 --> 01:19:05,980
And now Sucset is able to get inside
Natanz and conduct its attack.
1041
01:19:07,980 --> 01:19:11,760
These five companies were specifically
targeted to spread Sucset into Natanz.
1042
01:19:12,000 --> 01:19:13,380
And that it wasn't that...
1043
01:19:13,920 --> 01:19:17,260
So it kind of escaped out in the town
and then spread all over the world. And
1044
01:19:17,260 --> 01:19:20,760
was this big mistake and, oh, it wasn't
meant to spread that far, but it really
1045
01:19:20,760 --> 01:19:25,040
did. No, that's not the way we see it.
The way we see it is that they wanted it
1046
01:19:25,040 --> 01:19:27,160
to spread far so that they could get it
into the town.
1047
01:19:27,480 --> 01:19:32,260
Someone decided that we're going to
create something new, something evolved,
1048
01:19:32,600 --> 01:19:35,420
that's going to be far, far, far more
aggressive.
1049
01:19:36,800 --> 01:19:41,240
And we're okay, frankly, with it
spreading all over the world.
1050
01:19:41,480 --> 01:19:43,980
to innocent machines and in order to go
after our target.
1051
01:19:49,560 --> 01:19:56,140
The Mossad had the role, had the
assignment to
1052
01:19:56,140 --> 01:20:03,000
deliver the virus, to make sure that
Stuxnet would be put
1053
01:20:03,000 --> 01:20:06,400
in place in a time to affect the
centrifuges.
1054
01:20:08,300 --> 01:20:13,400
Meir Dagan, the head of Mossad, was
under growing pressure from the prime
1055
01:20:13,400 --> 01:20:16,700
minister, Benjamin Netanyahu, to produce
results.
1056
01:20:18,640 --> 01:20:21,420
Inside Iraq, we were furious.
1057
01:20:23,240 --> 01:20:28,280
The Israelis took our code for delivery
system and changed it.
1058
01:20:29,740 --> 01:20:34,080
Then, on their own, without our
agreement, they just fucking launched
1059
01:20:34,879 --> 01:20:38,280
2010, around the same time they started
killing Iranian scientists.
1060
01:20:38,640 --> 01:20:40,080
And they fucked up the code.
1061
01:20:40,740 --> 01:20:45,640
Instead of hiding, the code started
shutting down computers, so naturally
1062
01:20:45,640 --> 01:20:46,640
noticed.
1063
01:20:48,280 --> 01:20:51,200
Because they were in a hurry, they
opened Pandora's box.
1064
01:20:52,260 --> 01:20:56,700
They let it out, and it spread all over
the world.
1065
01:21:02,000 --> 01:21:03,560
The worm spread quickly.
1066
01:21:04,120 --> 01:21:07,640
But somehow it remained unseen until it
was identified in Belarus.
1067
01:21:08,780 --> 01:21:13,240
Soon after, Israeli intelligence
confirmed that it had made its way into
1068
01:21:13,240 --> 01:21:17,200
hands of the Russian Federal Security
Service, a successor to the KGB.
1069
01:21:18,940 --> 01:21:23,660
So it happened that the formula for a
secret cyber weapon designed by the U
1070
01:21:23,660 --> 01:21:27,740
and Israel fell into the hands of Russia
and the very country it was meant to
1071
01:21:27,740 --> 01:21:28,740
attack.
1072
01:21:51,869 --> 01:21:58,170
When some country or a coalition of
countries targets a nuclear facility,
1073
01:21:58,370 --> 01:22:00,370
it's an act of war.
1074
01:22:01,420 --> 01:22:04,200
Please, let's be frank here.
1075
01:22:04,660 --> 01:22:10,780
If it wasn't Iran, if a nuclear facility
in the United States
1076
01:22:10,780 --> 01:22:17,700
was targeted in the same way, the
American government
1077
01:22:17,700 --> 01:22:20,860
would not sit by and let this go.
1078
01:22:21,940 --> 01:22:25,440
Stuxnet is an attack in peacetime on
critical infrastructure.
1079
01:22:25,640 --> 01:22:26,459
Yes, it is.
1080
01:22:26,460 --> 01:22:30,180
Look, when I read about it, I thought,
whoa.
1081
01:22:30,670 --> 01:22:31,670
That's a big deal.
1082
01:22:32,050 --> 01:22:33,050
Yeah.
1083
01:22:34,530 --> 01:22:39,450
The people who were running this
program, including Leon Panetta, the
1084
01:22:39,450 --> 01:22:45,130
of the CIA at the time, had to go down
into the Situation Room and face
1085
01:22:45,130 --> 01:22:50,610
President Obama, Vice President Biden,
and explain that this program was
1086
01:22:50,610 --> 01:22:52,490
suddenly on the loose.
1087
01:22:53,530 --> 01:22:58,230
Vice President Biden, at one point
during this discussion...
1088
01:22:58,760 --> 01:23:03,100
sort of exploded in Biden-esque fashion
and blamed the Israelis.
1089
01:23:03,420 --> 01:23:08,260
He said, it must have been the Israelis
who made a change in the code that
1090
01:23:08,260 --> 01:23:09,660
enabled it to get out.
1091
01:23:11,500 --> 01:23:15,620
President Obama said to the senior
leadership, you told me it wouldn't get
1092
01:23:15,620 --> 01:23:19,340
of the network. It did. You told me the
Iranians would never figure out it was
1093
01:23:19,340 --> 01:23:20,239
the United States.
1094
01:23:20,240 --> 01:23:26,100
They did. You told me it would have a
huge effect on their nuclear program,
1095
01:23:26,100 --> 01:23:27,100
it didn't.
1096
01:23:28,279 --> 01:23:33,740
The Natanz plant is inspected every
couple of weeks by the International
1097
01:23:33,740 --> 01:23:35,300
Energy Agency inspectors.
1098
01:23:35,520 --> 01:23:39,840
And if you line up what you know about
the attacks with the inspection reports,
1099
01:23:40,200 --> 01:23:41,460
you can see the effects.
1100
01:23:42,940 --> 01:23:47,580
If you go to the IAEA reports, we really
saw that a lot of centrifuges were
1101
01:23:47,580 --> 01:23:50,140
switched off and they were removed.
1102
01:23:50,760 --> 01:23:53,960
As much as almost a couple of thousand
got compromised.
1103
01:23:55,500 --> 01:23:59,700
When you put it all together, I wouldn't
be surprised if the program got delayed
1104
01:23:59,700 --> 01:24:00,700
by the one year.
1105
01:24:01,140 --> 01:24:07,540
But go then to year 2012-13 and look,
you know, how the centrifuges started to
1106
01:24:07,540 --> 01:24:08,540
come up again.
1107
01:24:08,940 --> 01:24:14,420
Iran's number of centrifuges went up
exponentially to 20,000 with a
1108
01:24:14,420 --> 01:24:16,160
of low-enriched uranium.
1109
01:24:16,480 --> 01:24:18,460
These are high numbers.
1110
01:24:19,500 --> 01:24:21,780
Iran's nuclear facility has expanded.
1111
01:24:22,510 --> 01:24:26,830
with the construction of Fordow and
other highly protected facilities.
1112
01:24:28,670 --> 01:24:34,930
So ironically, cyber warfare,
assassination of its nuclear scientists,
1113
01:24:35,390 --> 01:24:38,750
economic sanctions, political isolation.
1114
01:24:40,170 --> 01:24:46,550
Iran has gone through A to X of every
coercive policy that the US,
1115
01:24:46,850 --> 01:24:50,490
Israel and those who ally with them.
1116
01:24:50,880 --> 01:24:52,020
have placed on Iran.
1117
01:24:52,380 --> 01:24:57,680
And they have actually made Iran's
nuclear program more advanced today than
1118
01:24:57,680 --> 01:24:58,680
was ever before.
1119
01:25:02,300 --> 01:25:09,300
This is a very, very dangerous minefield
that we are walking. And the nations
1120
01:25:09,300 --> 01:25:16,120
who decide to take these covert actions
should be taking into consideration
1121
01:25:16,120 --> 01:25:19,960
all the effects.
1122
01:25:20,460 --> 01:25:21,840
including the moral effect.
1123
01:25:22,500 --> 01:25:29,280
I would say that this is the price that
we have to pay in this
1124
01:25:29,280 --> 01:25:35,200
war, and our blade of righteousness
should be so sharp.
1125
01:25:40,920 --> 01:25:45,860
In Israel and in the United States, the
blade of righteousness cut both ways,
1126
01:25:46,100 --> 01:25:48,660
wounding the targets and the attackers.
1127
01:25:50,060 --> 01:25:54,360
When Stuxnet infected American
computers, the Department of Homeland
1128
01:25:54,780 --> 01:25:59,800
unaware of the cyber weapons launched by
the NSA, devoted enormous resources
1129
01:25:59,800 --> 01:26:02,320
trying to protect Americans from their
own government.
1130
01:26:03,020 --> 01:26:05,560
We had met the enemy, and it was us.
1131
01:26:11,470 --> 01:26:14,890
The purpose of the watch stations that
you see in front of you is to aggregate
1132
01:26:14,890 --> 01:26:19,050
the data coming in from multiple feeds
of what the cyber threats could be. So
1133
01:26:19,050 --> 01:26:23,510
we see threats, we can provide
real-time recommendations for both private
1134
01:26:23,510 --> 01:26:25,430
companies as well as federal agencies.
1135
01:26:26,070 --> 01:26:29,450
Can you give us a readout on this
Stuxnet virus?
1136
01:26:30,110 --> 01:26:32,650
Absolutely. We'd be more than happy to
discuss that.
1137
01:26:33,210 --> 01:26:38,290
Early July of 2010, we received a call
that said that this piece of malware was
1138
01:26:38,290 --> 01:26:40,510
discovered, and could we take a look at
it?
1139
01:26:41,870 --> 01:26:45,990
When we first started the analysis,
there was that, oh, crap moment, you
1140
01:26:46,010 --> 01:26:49,030
where we sat there and said, this is
something that's significant. It's
1141
01:26:49,030 --> 01:26:50,290
impacting industrial control.
1142
01:26:50,570 --> 01:26:54,830
It can disrupt it to the point where it
could cause harm and not only damage to
1143
01:26:54,830 --> 01:26:57,130
the equipment, but potentially harm or
loss of life.
1144
01:26:57,810 --> 01:27:01,710
We were very concerned because Stuxnet
was something that we had not seen
1145
01:27:01,710 --> 01:27:03,950
before. So there wasn't a lot of sleep
that night.
1146
01:27:04,460 --> 01:27:08,460
Basically, light up the phones, call
everybody we know, inform the Secretary,
1147
01:27:08,920 --> 01:27:13,460
inform the White House, inform the other
departments and agencies, wake up the
1148
01:27:13,460 --> 01:27:17,260
world, and figure out what's going on
with this particular malware.
1149
01:27:19,460 --> 01:27:21,660
Good morning, Chairman Lieberman,
Ranking Member Collins.
1150
01:27:22,420 --> 01:27:26,200
Something as simple and innocuous as
this becomes a challenge for all of us
1151
01:27:26,200 --> 01:27:29,440
maintain accountability and control of
our critical infrastructure systems.
1152
01:27:29,720 --> 01:27:31,760
This actually contains the Stuxnet
virus.
1153
01:27:32,330 --> 01:27:35,410
I've been asked on a number of
occasions, did you ever think this was
1154
01:27:35,630 --> 01:27:40,890
And at no point did that ever really
cross our mind because we were looking
1155
01:27:40,890 --> 01:27:44,250
it from the standpoint of, is this
something that's coming after the
1156
01:27:44,510 --> 01:27:48,650
You know, what's going to potentially
impact, you know, our industrial control
1157
01:27:48,650 --> 01:27:49,750
base here in the United States?
1158
01:27:50,030 --> 01:27:52,850
You know, I liken it to, you know, field
battle.
1159
01:27:53,170 --> 01:27:56,550
You don't think the sniper that's behind
you is going to be shooting at you
1160
01:27:56,550 --> 01:27:58,530
because you expect him to be on your
side.
1161
01:27:59,360 --> 01:28:04,040
We really don't know who the attacker
was in the Stuxnet case.
1162
01:28:04,260 --> 01:28:10,920
So help us understand a little more what
this thing is, whose origin
1163
01:28:10,920 --> 01:28:14,820
and destination we don't understand.
1164
01:28:16,140 --> 01:28:20,320
Did anybody ever give you any indication
that it was something that they already
1165
01:28:20,320 --> 01:28:24,580
knew about? No. At no time did I get the
impression from someone that that's
1166
01:28:24,580 --> 01:28:27,680
okay, you know, get the little pat on
the head and scoot it out the door.
1167
01:28:27,900 --> 01:28:29,560
I never received a stand-down order.
1168
01:28:29,840 --> 01:28:33,180
No one ever asked to stop looking at
this.
1169
01:28:33,700 --> 01:28:38,940
Do we think that this was a
nation-state actor and that there are a
1170
01:28:38,940 --> 01:28:43,080
number of nation-states that have such
advanced capacity?
1171
01:28:45,320 --> 01:28:48,900
Sean McGurk, the director of cyber for
the Department of Homeland Security,
1172
01:28:49,220 --> 01:28:53,920
testified before the Senate about how he
thought Stuxnet was a terrifying threat
1173
01:28:53,920 --> 01:28:55,020
to the United States.
1174
01:28:55,300 --> 01:28:56,520
Is that not a problem?
1175
01:28:56,840 --> 01:28:58,540
And how do you mean?
1176
01:28:58,880 --> 01:29:01,280
That the Stuxnet thing was a bad idea?
1177
01:29:01,920 --> 01:29:06,100
No, no, no, just that before he knew
what it was and what it attached to. Oh,
1178
01:29:06,100 --> 01:29:10,060
get it. Yeah, that he was responding to
something that... He thought it was a
1179
01:29:10,060 --> 01:29:12,740
threat to critical infrastructure in the
United States. Yeah.
1180
01:29:13,150 --> 01:29:14,150
The worm is loose.
1181
01:29:14,350 --> 01:29:15,710
The worm is loose. I understand.
1182
01:29:16,090 --> 01:29:22,170
But there's a further theory having to
do with whether or not, following upon
1183
01:29:22,170 --> 01:29:26,550
David Sanger. I got the subplot. And who
did that? Was it the Israelis? Yeah. I
1184
01:29:26,550 --> 01:29:28,290
truly don't know.
1185
01:29:29,070 --> 01:29:31,930
And even though I don't know, I still
can't talk about it. All right?
1186
01:29:32,310 --> 01:29:34,650
Stuxnet was somebody's covert action.
1187
01:29:35,050 --> 01:29:39,750
All right? And the definition of covert
action is an activity in which you want
1188
01:29:39,750 --> 01:29:42,450
to have the hand of the actor forever
hidden.
1189
01:29:42,880 --> 01:29:47,460
So by definition, it's going to end up
in this, we don't talk about these
1190
01:29:47,460 --> 01:29:48,460
box.
1191
01:29:53,520 --> 01:30:00,260
To this day, the United States
government has never acknowledged
1192
01:30:00,260 --> 01:30:03,140
offensive cyber attack anywhere in the
world.
1193
01:30:05,140 --> 01:30:11,580
But thanks to Mr. Snowden, we know that
in 2012, President Obama issued an
1194
01:30:11,580 --> 01:30:12,580
executive order.
1195
01:30:12,780 --> 01:30:18,440
that laid out some of the conditions
under which cyber weapons can be used.
1196
01:30:18,440 --> 01:30:24,520
interestingly, every use of a cyber
weapon requires presidential sign-off.
1197
01:30:25,380 --> 01:30:31,240
That is only true in the physical world
for nuclear weapons.
1198
01:30:42,480 --> 01:30:46,400
Nuclear war and nuclear weapons are
vastly different from cyber war and
1199
01:30:46,400 --> 01:30:49,580
weapons. Having said that, there are
some similarities.
1200
01:30:50,240 --> 01:30:55,040
And in the early 1960s, the United
States government suddenly realized it
1201
01:30:55,040 --> 01:30:59,620
thousands of nuclear weapons, big ones
and little ones, weapons on Jeeps,
1202
01:30:59,680 --> 01:31:00,680
weapons on submarines.
1203
01:31:01,520 --> 01:31:05,400
And it really didn't have a doctrine. It
really didn't have a strategy.
1204
01:31:05,620 --> 01:31:09,560
It really didn't have an understanding
at the policy level about how it was
1205
01:31:09,560 --> 01:31:10,800
going to use all of these things.
1206
01:31:11,770 --> 01:31:18,350
And so academics started publishing
unclassified documents about nuclear war
1207
01:31:18,350 --> 01:31:20,250
and nuclear weapons.
1208
01:31:22,090 --> 01:31:28,330
And the result was more than 20 years in
the United States of very vigorous
1209
01:31:28,330 --> 01:31:33,450
national debates about how we want to go
use nuclear weapons.
1210
01:31:36,910 --> 01:31:41,050
And not only did that cause the Congress
and people in the executive branch in
1211
01:31:41,050 --> 01:31:46,110
Washington to think about these things,
it caused the Russians to think about
1212
01:31:46,110 --> 01:31:47,110
these things.
1213
01:31:47,290 --> 01:31:54,190
And out of that grew nuclear doctrine,
mutual assured destruction, all of that
1214
01:31:54,190 --> 01:31:57,290
complicated set of nuclear dynamics.
1215
01:31:58,050 --> 01:32:03,890
Today, on this vital issue, at least, we
have seen what can be accomplished when
1216
01:32:03,890 --> 01:32:04,890
we pull together.
1217
01:32:05,130 --> 01:32:10,850
We can't have that discussion in a
sensible way right now about cyber war
1218
01:32:10,850 --> 01:32:12,590
cyber weapons because everything is
secret.
1219
01:32:13,950 --> 01:32:19,470
And when you get into a discussion with
people in the government, people still
1220
01:32:19,470 --> 01:32:22,690
in the government, people who have
security clearances, you run into a
1221
01:32:22,690 --> 01:32:26,880
wall. Trying to stop Iran is really my
number one job.
1222
01:32:27,260 --> 01:32:31,800
Can I ask you in that context about the
Stuxnet computer virus potentially? You
1223
01:32:31,800 --> 01:32:32,920
can ask, but I won't comment.
1224
01:32:33,640 --> 01:32:34,760
Can you tell us anything?
1225
01:32:35,460 --> 01:32:40,960
No. What do you think has had the most
impact on their nuclear decision
1226
01:32:41,080 --> 01:32:42,300
The Stuxnet virus?
1227
01:32:42,960 --> 01:32:48,380
I can't talk about Stuxnet. I can't even
talk about the operation of Iran
1228
01:32:48,380 --> 01:32:53,280
centrifuges. Was the U.S. involved in
any way in the development of Stuxnet?
1229
01:32:53,740 --> 01:32:57,520
It's hard to get into any kind of
comment on that until we've finished our
1230
01:32:57,520 --> 01:32:58,520
examination.
1231
01:32:59,380 --> 01:33:03,020
But, sir, I'm not asking you if you
think another country was involved. I'm
1232
01:33:03,020 --> 01:33:04,720
asking you if the U.S. was involved.
1233
01:33:05,060 --> 01:33:08,900
And this is not something that we're
going to be able to answer at this
1234
01:33:09,560 --> 01:33:13,060
Look, for the longest time, I was in
fear that I couldn't actually say the
1235
01:33:13,060 --> 01:33:14,620
phrase computer network attack.
1236
01:33:14,940 --> 01:33:20,800
This stuff is hideously overclassified,
and it gets into the way of a mature
1237
01:33:20,800 --> 01:33:27,460
public discussion as to what it is we as
a democracy want our nation to be doing
1238
01:33:27,460 --> 01:33:29,260
up here in the cyber domain.
1239
01:33:30,300 --> 01:33:34,140
This is the former director of NSA and
CIA saying this stuff is overclassified.
1240
01:33:34,900 --> 01:33:39,140
One of the reasons it's as highly
classified as it is, this is a peculiar
1241
01:33:39,140 --> 01:33:42,580
system. This is a weapon system that's
come out of the espionage community.
1242
01:33:42,940 --> 01:33:46,060
And so those people have a habit of
secrecy.
1243
01:33:46,340 --> 01:33:50,480
Secrecy is still justifiable in certain
cases to protect sources or to protect
1244
01:33:50,480 --> 01:33:51,480
national security.
1245
01:33:51,700 --> 01:33:56,780
But when we deal with secrecy, don't
hide behind it to use it as an excuse to
1246
01:33:56,780 --> 01:33:59,500
not disclose something properly that
you...
1247
01:33:59,930 --> 01:34:03,270
know should be, or that the American
people need ultimately to see.
1248
01:34:05,890 --> 01:34:10,710
While most government officials refused
to acknowledge the operation, at least
1249
01:34:10,710 --> 01:34:13,590
one key insider did leak parts of the
story to the press.
1250
01:34:14,650 --> 01:34:20,170
In 2012, David Sanger wrote a detailed
account of Olympic Games that unmasked
1251
01:34:20,170 --> 01:34:24,030
the extensive joint operation between
the U.S. and Israel to launch cyber
1252
01:34:24,030 --> 01:34:25,270
attacks on Natanz.
1253
01:34:25,930 --> 01:34:30,480
The publication of this story coming at
a time that turned out that there were a
1254
01:34:30,480 --> 01:34:35,360
number of other unrelated national
security stories being published led to
1255
01:34:35,360 --> 01:34:38,760
announcement of investigations by the
Attorney General.
1256
01:34:39,560 --> 01:34:43,080
Into the press and into the leak. Into
the press and into the leak.
1257
01:34:45,640 --> 01:34:49,840
Soon after the article, the Obama
administration targeted General James
1258
01:34:49,840 --> 01:34:54,580
Cartwright in a criminal investigation
for allegedly leaking classified details
1259
01:34:54,580 --> 01:34:55,760
about Stuxnet.
1260
01:34:57,100 --> 01:35:01,120
There are reports of cyber attacks on
the Iranian nuclear programs that you've
1261
01:35:01,120 --> 01:35:03,560
ordered. What's your reaction to this
information getting out? Well, first of
1262
01:35:03,560 --> 01:35:07,720
all, I'm not going to comment on the
details of what are
1263
01:35:07,720 --> 01:35:14,400
supposed to be classified items.
1264
01:35:15,220 --> 01:35:20,400
Since I've been in office, my attitude
has been zero tolerance for these kinds
1265
01:35:20,400 --> 01:35:21,400
of leaks.
1266
01:35:21,660 --> 01:35:25,920
We have mechanisms in place where if we
can root out folks.
1267
01:35:26,440 --> 01:35:29,360
who have leaked, they will suffer
consequences.
1268
01:35:29,980 --> 01:35:35,320
It became a significant issue and a very
wide-ranging investigation in which I
1269
01:35:35,320 --> 01:35:38,940
think most of the people who were
cleared for Olympic Games at some point
1270
01:35:38,940 --> 01:35:40,500
been, you know, interviewed and so
forth.
1271
01:35:40,740 --> 01:35:44,860
When Stuxnet hit the media, they
polygraphed everyone in our office,
1272
01:35:44,860 --> 01:35:48,100
people who didn't know shit. You know,
they poly the interns, for God's sake.
1273
01:35:48,800 --> 01:35:51,680
These are criminal acts when they
release information like this.
1274
01:35:52,280 --> 01:35:58,240
and we will conduct thorough
investigations as we have in the past.
1275
01:36:00,080 --> 01:36:05,400
The administration never filed charges,
possibly afraid that a prosecution would
1276
01:36:05,400 --> 01:36:07,740
reveal classified details about Stuxnet.
1277
01:36:08,200 --> 01:36:13,000
To this day, no one in the U.S. or
Israeli governments has officially
1278
01:36:13,000 --> 01:36:15,340
acknowledged the existence of the joint
operation.
1279
01:36:17,100 --> 01:36:20,740
I would never compromise ongoing
operations in the field,
1280
01:36:22,190 --> 01:36:24,450
We should be able to talk about
capability.
1281
01:36:26,330 --> 01:36:29,950
We can talk about our bunker busters.
1282
01:36:30,250 --> 01:36:31,570
Why not our cyber weapons?
1283
01:36:32,170 --> 01:36:34,650
The secrecy of the operation has been
blown.
1284
01:36:36,310 --> 01:36:40,590
Our friends in Israel took a weapon that
we jointly developed, in part to keep
1285
01:36:40,590 --> 01:36:44,470
Israel from doing something crazy, and
then used it on their own in a way that
1286
01:36:44,470 --> 01:36:47,590
blew the cover of the operation and
could have led to war. And we can't talk
1287
01:36:47,590 --> 01:36:48,590
about that?
1288
01:36:52,750 --> 01:36:54,630
There's a way to talk about Stuxnet.
1289
01:36:55,450 --> 01:37:01,530
It happened. To deny that it happened
is foolish. So the fact that it happened
1290
01:37:01,530 --> 01:37:05,330
is really what we're talking about here.
What are the implications of the fact
1291
01:37:05,330 --> 01:37:07,490
that we now are in a post-Stuxnet
world?
1292
01:37:07,910 --> 01:37:12,690
What I said to David Sanger was I
understand the difference in destruction
1293
01:37:12,690 --> 01:37:15,410
dramatic, but this has the whiff of
August 1945.
1294
01:37:16,730 --> 01:37:21,190
Somebody just used a new weapon, and
this weapon will not be put back into
1295
01:37:21,190 --> 01:37:27,580
box. I know no operational details and
don't know what anyone did or didn't do
1296
01:37:27,580 --> 01:37:33,160
before someone decided to use the
weapon. I do know this. If we go out and
1297
01:37:33,160 --> 01:37:38,280
something, most of the rest of the world
now thinks that's a new standard and
1298
01:37:38,280 --> 01:37:41,040
it's something that they now feel
legitimated to do as well.
1299
01:37:42,420 --> 01:37:47,420
But the rules of engagement,
international norms, treaty standards,
1300
01:37:47,420 --> 01:37:48,420
exist right now.
1301
01:37:52,200 --> 01:37:57,320
The law of war, because it began to
develop so long ago, is really dependent
1302
01:37:57,320 --> 01:38:00,660
thinking of things kinetically, in the
physical realm.
1303
01:38:01,080 --> 01:38:04,320
So, for example, we think in terms of
attacks.
1304
01:38:05,260 --> 01:38:08,880
You know an attack when it happens in
the kinetic world. It's not really much
1305
01:38:08,880 --> 01:38:14,020
a mystery. But in cyberspace, it is sort
of confusing to think, how far do we
1306
01:38:14,020 --> 01:38:16,260
have to go before something is
considered an attack?
1307
01:38:16,640 --> 01:38:20,080
So we have to take all the vocabulary.
1308
01:38:21,000 --> 01:38:26,880
and the terms that we use in strategy
and military operations and adapt them
1309
01:38:26,880 --> 01:38:28,620
into the cyber realm.
1310
01:38:29,780 --> 01:38:33,280
For nuclear, we have these extensive
inspection regimes.
1311
01:38:33,660 --> 01:38:35,680
The Russians come and look at our silos.
1312
01:38:35,960 --> 01:38:37,560
We go and look at their silos.
1313
01:38:38,040 --> 01:38:42,020
Bad as things get between the two
countries, those inspection regimes have
1314
01:38:42,020 --> 01:38:46,460
up. But working that out for cyber would
be virtually impossible.
1315
01:38:46,840 --> 01:38:48,340
Where do you send your inspector?
1316
01:38:48,960 --> 01:38:53,100
Inside the laptop of, you know, how many
laptops are there in the United States
1317
01:38:53,100 --> 01:38:53,679
and Russia?
1318
01:38:53,680 --> 01:38:58,200
It's much more difficult in the cyber
area to construct an international
1319
01:38:58,200 --> 01:39:02,200
based on treaty commitments and rules of
the road and so forth.
1320
01:39:02,920 --> 01:39:07,140
Although we've tried to have discussions
with the Chinese and Russians and so
1321
01:39:07,140 --> 01:39:09,060
forth about that, but it's very
difficult.
1322
01:39:10,220 --> 01:39:15,240
Right now, the norm in cyberspace is do
whatever you can get away with.
1323
01:39:16,300 --> 01:39:18,660
That's not a good norm, but it's the
norm that we have.
1324
01:39:19,120 --> 01:39:22,760
That's the norm that's preferred by
states that are engaging in lots of
1325
01:39:22,760 --> 01:39:25,400
different kinds of activities that they
feel are benefiting their national
1326
01:39:25,400 --> 01:39:26,400
security.
1327
01:39:27,080 --> 01:39:33,320
Those who excel in cyber are trying to
slow down the process of creating
1328
01:39:33,320 --> 01:39:34,320
regulation.
1329
01:39:34,540 --> 01:39:40,420
Those who are victims will like the
regulation to be in the open as
1330
01:39:40,420 --> 01:39:42,240
soon as possible.
1331
01:39:44,580 --> 01:39:49,840
International law in this area is
written by custom, and customary law
1332
01:39:49,840 --> 01:39:52,340
a nation to say, this is what we did and
this is why we did it.
1333
01:39:52,940 --> 01:39:56,840
And the U.S. doesn't want to push the
law in that direction, and so it chooses
1334
01:39:56,840 --> 01:39:58,220
not to disclose its involvement.
1335
01:39:58,820 --> 01:40:03,020
And one of the reasons that I thought it
was important to tell the story of
1336
01:40:03,020 --> 01:40:08,760
Olympic Games was not simply because
it's a cool spy story. It is, but it's
1337
01:40:08,760 --> 01:40:10,220
because as a nation...
1338
01:40:11,050 --> 01:40:16,130
We need to have a debate about how we
want to use cyber weapons because we are
1339
01:40:16,130 --> 01:40:20,090
the most vulnerable nation on earth to
cyber attack ourselves.
1340
01:40:24,430 --> 01:40:29,430
If you get up in the morning and turn
off your alarm and make coffee and pump
1341
01:40:29,430 --> 01:40:34,610
gas and use the ATM, you've touched
industrial control systems. It's what
1342
01:40:34,610 --> 01:40:40,110
our lives. And unfortunately, these
systems are connected and interconnected
1343
01:40:40,110 --> 01:40:41,730
some ways that make them vulnerable.
1344
01:40:42,280 --> 01:40:45,720
Critical infrastructure systems
generally were built years and years and
1345
01:40:45,720 --> 01:40:49,320
ago without security in mind, that they
didn't realize how things were going to
1346
01:40:49,320 --> 01:40:52,940
change. Maybe they weren't even meant to
be connected to the Internet. And we've
1347
01:40:52,940 --> 01:40:57,000
seen through a lot of experimentation
and through also, unfortunately, a lot
1348
01:40:57,000 --> 01:41:00,900
attacks, that most of these systems are
relatively easy for a sophisticated
1349
01:41:00,900 --> 01:41:02,760
hacker to get into.
1350
01:41:04,560 --> 01:41:07,200
Let's say you took over the control
system of a railway.
1351
01:41:07,420 --> 01:41:09,060
You could switch tracks.
1352
01:41:09,660 --> 01:41:13,440
you could cause derailment of trains
carrying explosive materials.
1353
01:41:14,680 --> 01:41:20,340
What if you were in the control system
of gas pipelines, and when a valve was
1354
01:41:20,340 --> 01:41:24,800
supposed to be open, it was closed from
the pressure built up that the pipeline
1355
01:41:24,800 --> 01:41:25,800
exploded?
1356
01:41:26,340 --> 01:41:31,860
There are companies that run electric
power generation or electric power
1357
01:41:31,860 --> 01:41:36,580
distribution that we know have been
hacked by foreign entities.
1358
01:41:36,800 --> 01:41:38,180
To have the ability...
1359
01:41:38,410 --> 01:41:39,470
to shut down the power grid.
1360
01:41:40,290 --> 01:41:45,650
Imagine for a moment that not only all
the power went off on the East Coast,
1361
01:41:45,650 --> 01:41:47,210
the entire Internet came down.
1362
01:41:47,950 --> 01:41:52,650
Imagine what the economic impact of that
is, even if it only lasted for 24
1363
01:41:52,650 --> 01:41:53,650
hours.
1364
01:41:55,630 --> 01:42:00,690
According to the officials, Iran is the
first country ever in the Middle East to
1365
01:42:00,690 --> 01:42:05,450
actually be engaged in a cyber war with
the United States and Israel. If
1366
01:42:05,450 --> 01:42:10,170
anything, they said the recent cyber
attacks were what encouraged them to
1367
01:42:10,170 --> 01:42:13,550
to set up the cyber army, which will
gather computer scientists,
1368
01:42:14,290 --> 01:42:20,050
programmers, software engineers. If you
are youth and you see assassination or
1369
01:42:20,050 --> 01:42:23,730
nuclear scientists, your nuclear
facilities are getting attacked.
1370
01:42:24,780 --> 01:42:28,100
Wouldn't you join your national cyber
army?
1371
01:42:28,760 --> 01:42:35,260
Well, many did. And that's why today
Iran has one of the largest cyber
1372
01:42:35,260 --> 01:42:37,060
armies in the world.
1373
01:42:37,360 --> 01:42:42,240
So whoever initiated this and was very
proud of themselves to see that little
1374
01:42:42,240 --> 01:42:48,560
dip in Iran's centrifuge numbers should
look back now and acknowledge
1375
01:42:48,560 --> 01:42:50,960
that it was a major mistake.
1376
01:42:51,740 --> 01:42:52,880
Very quickly.
1377
01:42:53,500 --> 01:42:59,600
Iran sent a message to the United
States, very sophisticated message, and
1378
01:42:59,600 --> 01:43:01,360
did that with two attacks.
1379
01:43:02,180 --> 01:43:08,320
First, they attacked Saudi Aramco, the
biggest oil company in the world, and
1380
01:43:08,320 --> 01:43:14,240
wiped out every piece of software, every
line of code on 30,000 computer
1381
01:43:14,240 --> 01:43:15,240
devices.
1382
01:43:16,360 --> 01:43:21,760
Then... Iran did a surge attack on the
American banks.
1383
01:43:21,980 --> 01:43:26,220
The most extensive attack on American
banks ever, launched from the Middle
1384
01:43:26,360 --> 01:43:27,540
happening right now.
1385
01:43:27,840 --> 01:43:31,120
Millions of customers trying to bank
online this week blocked.
1386
01:43:31,420 --> 01:43:36,840
Among the targets, Bank of America, PNC,
and Wells Fargo. The U.S. suspects
1387
01:43:36,840 --> 01:43:39,040
hackers in Iran may be involved.
1388
01:43:40,980 --> 01:43:45,600
When Iran hit our banks, we could have
shut down their botnet.
1389
01:43:46,000 --> 01:43:50,280
But the State Department got nervous
because the servers weren't actually in
1390
01:43:50,280 --> 01:43:55,780
Iran. So until there was a diplomatic
solution, Obama let the private sector
1391
01:43:55,780 --> 01:43:56,780
deal with the problem.
1392
01:43:57,160 --> 01:44:02,560
I imagine that in the White House
Situation Room, people sat around and
1393
01:44:02,780 --> 01:44:08,600
let me be clear, I don't imagine, I
know, people sat around in the White
1394
01:44:08,600 --> 01:44:12,940
Situation Room and said, the Iranians
have sent us a message which is
1395
01:44:12,940 --> 01:44:14,660
essentially, stop.
1396
01:44:15,100 --> 01:44:19,000
attacking us in cyberspace the way you
did at Natanz with Stuxnet.
1397
01:44:19,440 --> 01:44:20,900
We can do it too.
1398
01:44:22,640 --> 01:44:27,260
There are unintended consequences of the
Stuxnet attack.
1399
01:44:27,700 --> 01:44:32,540
You wanted to cause confusion and damage
to the other side, but then the other
1400
01:44:32,540 --> 01:44:34,460
side can do the same to you.
1401
01:44:34,960 --> 01:44:40,480
The monster turned against its creator,
and now everyone is in this game.
1402
01:44:41,340 --> 01:44:46,940
They did a good job in showing the
world, including the bad guys, what you
1403
01:44:46,940 --> 01:44:51,760
need to do in order to cause serious
trouble that could lead to injuries and
1404
01:44:51,760 --> 01:44:57,060
deaths. It's inevitable that more
countries will acquire the capacity to
1405
01:44:57,060 --> 01:45:00,860
cyber both for espionage and for
destructive activities.
1406
01:45:01,500 --> 01:45:05,260
And we've seen this in some of the
recent conflicts that Russia's been
1407
01:45:05,260 --> 01:45:09,320
in. If there's a war, then somebody will
try to knock out our communications
1408
01:45:09,320 --> 01:45:10,740
system or the radar.
1409
01:45:10,980 --> 01:45:16,260
State-sponsored cyber sleeper cells,
they're out there everywhere today. It
1410
01:45:16,260 --> 01:45:20,360
could be for communications purposes. It
could be for data exfiltration.
1411
01:45:20,840 --> 01:45:24,380
It could be to, you know, shepherd in
the next Stuxnet.
1412
01:45:24,600 --> 01:45:28,640
I mean, you've been focusing on Stuxnet,
but that was just a small part of a
1413
01:45:28,640 --> 01:45:30,300
much larger Iranian mission.
1414
01:45:30,740 --> 01:45:32,720
It was a larger Iranian mission?
1415
01:45:35,960 --> 01:45:36,960
Nitro Zeus.
1416
01:45:38,200 --> 01:45:39,200
NZ.
1417
01:45:40,300 --> 01:45:44,600
We spent hundreds of millions, maybe
billions on it.
1418
01:45:47,180 --> 01:45:52,900
In the event the Israelis did attack
Iran, we assumed we would be drawn into
1419
01:45:52,900 --> 01:45:53,900
conflict.
1420
01:45:54,800 --> 01:45:59,260
We built in attacks on Iran's command
and control systems so the Iranians
1421
01:45:59,260 --> 01:46:00,640
couldn't talk to each other in a fight.
1422
01:46:01,290 --> 01:46:05,750
We infiltrated their IADS, military air
defense systems, so they couldn't shoot
1423
01:46:05,750 --> 01:46:07,030
down our planes if we flew over.
1424
01:46:07,670 --> 01:46:12,970
We also went after their civilian
support systems, power grids,
1425
01:46:13,550 --> 01:46:16,410
communications, financial systems.
1426
01:46:17,010 --> 01:46:23,510
We were inside, waiting, watching, ready
to disrupt, degrade, and destroy those
1427
01:46:23,510 --> 01:46:25,130
systems with cyber attacks.
1428
01:46:28,570 --> 01:46:29,570
In comparison,
1429
01:46:30,560 --> 01:46:32,500
That was a back alley operation.
1430
01:46:34,100 --> 01:46:39,200
NZ was the plan for a full-scale cyber
war with no attribution.
1431
01:46:39,860 --> 01:46:42,500
The question is, is that the kind of
world we want to live in?
1432
01:46:42,760 --> 01:46:48,040
And if we don't, as citizens, how do we
go about a process where we have a more
1433
01:46:48,040 --> 01:46:49,040
sane discussion?
1434
01:46:49,100 --> 01:46:52,340
We need an entirely new way of thinking
about how we're going to solve this
1435
01:46:52,340 --> 01:46:53,340
problem.
1436
01:46:53,640 --> 01:46:57,060
You're not going to get an entirely new
way of solving this problem
1437
01:46:57,640 --> 01:47:02,800
until you begin to have an open
acknowledgement that we have cyber
1438
01:47:02,800 --> 01:47:08,540
well and that we may have to agree to
some limits on their use if we're going
1439
01:47:08,540 --> 01:47:11,420
get other nations to limit their use.
It's not going to be a one-way street.
1440
01:47:11,800 --> 01:47:16,360
I'm old enough to have worked on nuclear
arms control and biological weapons
1441
01:47:16,360 --> 01:47:19,340
arms control and chemical weapons arms
control.
1442
01:47:20,620 --> 01:47:25,900
And I was told in each of those types of
arms control, when we were beginning,
1443
01:47:26,629 --> 01:47:29,490
It's too hard. There are all these
problems.
1444
01:47:30,150 --> 01:47:32,010
It's technical. There's engineering.
1445
01:47:32,350 --> 01:47:33,350
There's science involved.
1446
01:47:33,630 --> 01:47:35,610
There are real verification
difficulties.
1447
01:47:36,230 --> 01:47:37,510
You'll never get there.
1448
01:47:37,850 --> 01:47:40,430
Well, it took 20, 30 years in some
cases.
1449
01:47:40,750 --> 01:47:44,530
But we have a biological weapons treaty
that's pretty damn good. We have a
1450
01:47:44,530 --> 01:47:48,550
chemical weapons treaty that's pretty
damn good. We've got three or four
1451
01:47:48,550 --> 01:47:49,550
weapons treaties.
1452
01:47:49,750 --> 01:47:53,610
Yes, it may be hard, and it may take 20
or 30 years.
1453
01:47:54,140 --> 01:47:58,140
But it'll never happen unless you get
serious about it. And it'll never happen
1454
01:47:58,140 --> 01:47:59,140
unless you start it.
1455
01:48:04,920 --> 01:48:10,520
Today, after two years of negotiations,
the United States, together with our
1456
01:48:10,520 --> 01:48:15,180
international partners, has achieved
something that decades of animosity has
1457
01:48:15,180 --> 01:48:20,700
not. A comprehensive, long-term deal
with Iran that will prevent it from
1458
01:48:20,700 --> 01:48:22,040
obtaining a nuclear weapon.
1459
01:48:22,480 --> 01:48:27,260
It was reached in Lausanne, Switzerland,
by Iran, the U.S., Britain, France,
1460
01:48:27,540 --> 01:48:33,300
Germany, Russia, and China. It is a deal
in which Iran will cut its installed
1461
01:48:33,300 --> 01:48:39,040
centrifuges by more than two-thirds.
Iran will not enrich uranium with its
1462
01:48:39,040 --> 01:48:41,600
advanced centrifuges for at least the
next ten years.
1463
01:48:41,860 --> 01:48:46,140
It will make our country, our allies,
and our world safer.
1464
01:48:47,320 --> 01:48:50,860
Seventy years after the murder of six
million Jews,
1465
01:48:51,440 --> 01:48:58,120
Iran's rulers promised to destroy my
country, and the response from nearly
1466
01:48:58,120 --> 01:49:04,220
every one of the governments represented
here has been utter silence,
1467
01:49:04,440 --> 01:49:06,440
deafening silence.
1468
01:49:14,140 --> 01:49:16,140
Perhaps you can all understand
1469
01:49:17,480 --> 01:49:20,820
why Israel is not joining you in
celebrating this deal.
1470
01:49:21,820 --> 01:49:26,760
History shows that America must lead not
just with our might, but with our
1471
01:49:26,760 --> 01:49:27,760
principles.
1472
01:49:28,120 --> 01:49:32,980
It shows we are stronger not when we are
alone, but when we bring the world
1473
01:49:32,980 --> 01:49:33,980
together.
1474
01:49:34,820 --> 01:49:40,880
Today's announcement marks one more
chapter in the pursuit of a safer and
1475
01:49:40,880 --> 01:49:43,020
helpful, more hopeful world.
1476
01:49:44,200 --> 01:49:45,199
Thank you.
1477
01:49:45,200 --> 01:49:46,200
God bless you.
1478
01:49:46,640 --> 01:49:48,620
And God bless the United States of
America.
1479
01:50:15,850 --> 01:50:19,630
The science fiction cyber war scenario
is here. That's Nitro Zeus.
1480
01:50:21,090 --> 01:50:27,290
But my concern, the reason I'm talking,
is because when you shut down a
1481
01:50:27,290 --> 01:50:31,710
country's power grid, it doesn't just
pop back up.
1482
01:50:32,450 --> 01:50:34,390
It's more like Humpty Dumpty.
1483
01:50:35,710 --> 01:50:41,130
And if all the king's men can't turn the
lights back on or filter the water for
1484
01:50:41,130 --> 01:50:43,490
weeks, then lots of people die.
1485
01:50:46,140 --> 01:50:49,540
and something we can do to others, they
can do to us too.
1486
01:50:51,660 --> 01:50:53,780
Is that something that we should keep
quiet?
1487
01:50:55,220 --> 01:50:56,600
Or should we talk about it?
1488
01:50:57,800 --> 01:51:01,380
I've gone to many people on this film,
even friends of mine, who won't talk to
1489
01:51:01,380 --> 01:51:04,660
me about the NSA or Stuxnet, even off
the record, for fear of going to jail.
1490
01:51:05,180 --> 01:51:06,800
Is that fear protecting us?
1491
01:51:08,280 --> 01:51:10,500
No, but it protects me.
1492
01:51:11,340 --> 01:51:12,560
Or should I say, we.
1493
01:51:14,350 --> 01:51:18,110
I'm an actor playing a role written from
the testimony of a small number of
1494
01:51:18,110 --> 01:51:23,270
people from NSA and CIA, all of whom are
angry about the secrecy, but too scared
1495
01:51:23,270 --> 01:51:25,550
to come forward. Now we're forward.
1496
01:51:27,170 --> 01:51:29,730
Well, forward leaning.