1
00:00:47,423 --> 00:00:49,551
Through the darkness
2
00:00:49,551 --> 00:00:53,764
of the pathways that we marched,
3
00:00:54,847 --> 00:00:57,893
evil and good lived side by side.
4
00:00:57,893 --> 00:01:00,938
And this is the nature of... Of life.
5
00:01:17,079 --> 00:01:19,373
We are in an unbalanced
6
00:01:19,373 --> 00:01:23,543
and inequivalent confrontation between democracies
7
00:01:23,543 --> 00:01:25,920
who are obliged to play by the rules
8
00:01:26,587 --> 00:01:30,007
and entities who think democracy is a joke.
9
00:01:32,093 --> 00:01:34,471
You can't convince fanatics
10
00:01:34,471 --> 00:01:39,100
by saying, "hey, hatred paralyzes you,
11
00:01:39,100 --> 00:01:40,686
love releases you."
12
00:01:41,770 --> 00:01:46,066
There are different rules that we have to play by.
13
00:02:01,290 --> 00:02:04,293
Female newsreader: Today, two of Iran's top nuclear scientists
14
00:02:04,293 --> 00:02:06,253
were targeted by hit squads.
15
00:02:06,253 --> 00:02:08,296
Female newsreader 2: ...In the capital Tehran.
16
00:02:08,296 --> 00:02:09,923
Male newsreader: ...The latest in a string of attacks.
17
00:02:09,923 --> 00:02:12,175
Female newsreader 3: Today's attack has all the hallmarks
18
00:02:12,175 --> 00:02:14,343
of major strategic sabotage.
19
00:02:14,343 --> 00:02:15,469
Female newsreader 4: Iran immediately accused
20
00:02:15,469 --> 00:02:16,680
the U.S. and Israel
21
00:02:16,680 --> 00:02:18,556
of trying to damage its nuclear program.
22
00:02:18,848 --> 00:02:21,475
Mahmoud Ahmadinejad:
23
00:02:28,608 --> 00:02:34,323
I want to categorically deny any United States involvement
24
00:02:34,323 --> 00:02:39,286
in any kind of act of violence inside Iran.
25
00:02:39,286 --> 00:02:42,456
Covert actions can help,
26
00:02:42,456 --> 00:02:44,457
can assist.
27
00:02:45,709 --> 00:02:48,627
They are needed, they are not all the time essential,
28
00:02:48,836 --> 00:02:53,300
and they, in no way, can replace political wisdom.
29
00:02:53,633 --> 00:02:55,885
Alex Gibney: Were the assassinations in Iran
30
00:02:55,885 --> 00:02:58,305
related to the Stuxnet computer attacks?
31
00:02:59,473 --> 00:03:01,307
Uh, next question, please.
32
00:03:02,893 --> 00:03:04,478
Male newsreader: Iran's infrastructure
33
00:03:04,478 --> 00:03:05,562
is being targeted
34
00:03:05,562 --> 00:03:08,731
by a new and dangerously powerful cyber worm.
35
00:03:08,731 --> 00:03:11,360
The so-called Stuxnet worm is specifically designed,
36
00:03:11,360 --> 00:03:13,694
it seems, to infiltrate and sabotage
37
00:03:13,694 --> 00:03:16,823
real-world power plants and factories and refineries.
38
00:03:16,823 --> 00:03:18,240
Male newsreader 2: It's not trying to steal information
39
00:03:18,240 --> 00:03:19,408
or grab your credit card,
40
00:03:19,408 --> 00:03:22,204
they're trying to get into some sort of industrial plant
41
00:03:22,204 --> 00:03:24,830
and wreak havoc trying to blow up an engine or...
42
00:03:24,830 --> 00:03:27,376
Male newsreader 3:
43
00:03:41,055 --> 00:03:42,182
Male newsreader 4: No one knows
44
00:03:42,182 --> 00:03:43,349
who's behind the worm
45
00:03:43,349 --> 00:03:45,018
and the exact nature of its mission,
46
00:03:45,018 --> 00:03:47,853
but there are fears Iran will hold Israel
47
00:03:47,853 --> 00:03:51,233
or America responsible and seek retaliation.
48
00:03:51,233 --> 00:03:52,359
Male newsreader 5: It's not impossible that
49
00:03:52,359 --> 00:03:53,692
some group of hackers did it,
50
00:03:53,692 --> 00:03:55,736
but the security experts that are studying this
51
00:03:55,736 --> 00:03:58,531
really think this required the resource of a nation-state.
52
00:04:04,454 --> 00:04:06,372
Man: Okay, and spinning.
53
00:04:06,372 --> 00:04:07,873
Gibney: Okay, good. Here we go.
54
00:04:09,084 --> 00:04:12,420
What impact, ultimately, did the Stuxnet attack have?
55
00:04:12,420 --> 00:04:13,671
Can you say?
56
00:04:14,463 --> 00:04:16,632
I don't want to get into the details.
57
00:04:16,882 --> 00:04:19,386
Gibney: Since the event has already happened,
58
00:04:19,386 --> 00:04:23,098
why can't we talk more openly and publicly about Stuxnet?
59
00:04:23,098 --> 00:04:25,975
Yeah, I mean, my answer is because it's classified.
60
00:04:26,435 --> 00:04:29,562
I... I won't knowledge... You know, knowingly
61
00:04:29,562 --> 00:04:31,648
offer up anything I consider classified.
62
00:04:31,648 --> 00:04:33,899
Gibney: I know that you can't talk much about Stuxnet,
63
00:04:33,899 --> 00:04:37,278
because Stuxnet is officially classified.
64
00:04:37,278 --> 00:04:38,654
You're right on both those counts.
65
00:04:39,113 --> 00:04:40,449
Gibney: But there has been
66
00:04:40,449 --> 00:04:42,576
a lot reported about it in the press.
67
00:04:42,576 --> 00:04:44,786
I don't want to comment on this.
68
00:04:44,786 --> 00:04:49,081
I read it in the newspaper, the media, like you,
69
00:04:49,081 --> 00:04:52,084
but I'm unable to elaborate upon it.
70
00:04:52,293 --> 00:04:54,463
People might find it frustrating
71
00:04:54,463 --> 00:04:57,007
not to be able to talk about it when it's in the public domain,
72
00:04:57,007 --> 00:04:58,425
but...
73
00:04:58,425 --> 00:04:59,925
Gibney: I find it frustrating.
74
00:04:59,925 --> 00:05:01,427
Yeah, I'm sure you do.
75
00:05:01,427 --> 00:05:02,971
I don't answer that question.
76
00:05:02,971 --> 00:05:04,346
Unfortunately, I can't comment.
77
00:05:04,346 --> 00:05:05,973
I do not know how to answer that.
78
00:05:05,973 --> 00:05:08,143
Two answers before you even get started, I don't know,
79
00:05:08,143 --> 00:05:10,978
and if I did, we wouldn't talk about it anyway.
80
00:05:10,978 --> 00:05:12,771
Gibney: How can you have a debate if everything's secret?
81
00:05:12,771 --> 00:05:14,815
I think right now that's just where we are.
82
00:05:15,149 --> 00:05:16,610
No one wants to...
83
00:05:16,610 --> 00:05:18,987
Countries aren't happy about confessing
84
00:05:18,987 --> 00:05:21,781
or owning up to what they did because they're not quite sure
85
00:05:21,781 --> 00:05:23,658
where they want the system to go.
86
00:05:24,283 --> 00:05:26,286
And so whoever was behind Stuxnet
87
00:05:26,286 --> 00:05:27,786
hasn't admitted they were behind it.
88
00:05:31,625 --> 00:05:33,502
Gibney: Asking officials about Stuxnet
89
00:05:33,502 --> 00:05:35,002
was frustrating and surreal,
90
00:05:35,295 --> 00:05:37,838
like asking the emperor about his new clothes.
91
00:05:38,548 --> 00:05:41,675
Even after the cyber weapon had penetrated computers
92
00:05:41,675 --> 00:05:43,052
all over the world,
93
00:05:43,302 --> 00:05:45,639
no one was willing to admit it was loose
94
00:05:45,639 --> 00:05:48,016
or talk about the dangers it posed.
95
00:05:48,891 --> 00:05:51,144
What was it about the Stuxnet operation
96
00:05:51,144 --> 00:05:52,978
that was hiding in plain sight?
97
00:05:54,396 --> 00:05:56,191
Maybe there was a way the computer code
98
00:05:56,191 --> 00:05:57,817
could speak for itself.
99
00:05:58,567 --> 00:06:00,946
Stuxnet first surfaced in Belarus.
100
00:06:01,529 --> 00:06:03,865
I started with a call to the man who discovered it
101
00:06:03,865 --> 00:06:06,867
when his clients in Iran began to panic
102
00:06:06,867 --> 00:06:09,538
over an epidemic of computer shutdowns.
103
00:06:10,372 --> 00:06:13,583
Had you ever seen anything quite so sophisticated before?
104
00:06:13,666 --> 00:06:17,461
I have seen very sophisticated viruses before,
105
00:06:17,670 --> 00:06:21,550
but they didn't have...
106
00:06:24,009 --> 00:06:25,387
this kind of...
107
00:06:26,971 --> 00:06:27,721
zero day.
108
00:06:29,057 --> 00:06:32,560
It was the first time in my practice.
109
00:06:33,353 --> 00:06:36,480
That led me to understand
110
00:06:37,816 --> 00:06:44,822
that I should notify web security companies ASAP
111
00:06:46,533 --> 00:06:51,036
about the fact that such a danger exists.
112
00:07:36,582 --> 00:07:38,459
Eric Chien: On a daily basis, basically
113
00:07:38,459 --> 00:07:40,502
we are sifting through
114
00:07:40,502 --> 00:07:44,007
a massive haystack looking for that proverbial needle.
115
00:07:44,882 --> 00:07:47,843
We get millions of pieces of new malicious threats
116
00:07:47,843 --> 00:07:49,721
and there are millions of attacks going on
117
00:07:49,721 --> 00:07:50,930
every single day.
118
00:07:51,096 --> 00:07:53,516
And not only are we trying to protect people
119
00:07:53,516 --> 00:07:55,100
and their computers and... And their systems
120
00:07:55,100 --> 00:07:57,812
and countries' infrastructure
121
00:07:57,812 --> 00:07:59,898
from being taken down by those attacks.
122
00:07:59,898 --> 00:08:03,233
But more importantly, we have to find the attacks that matter.
123
00:08:03,233 --> 00:08:04,944
When you're talking about that many,
124
00:08:05,278 --> 00:08:07,529
impact is extremely important.
125
00:08:19,918 --> 00:08:21,627
Eugene Kaspersky: Twenty years ago, the antivirus companies,
126
00:08:21,627 --> 00:08:23,338
they were hunting for computer viruses
127
00:08:23,338 --> 00:08:24,588
because there were not so many.
128
00:08:24,588 --> 00:08:27,884
So we had, like, tens of dozens a month,
129
00:08:28,093 --> 00:08:30,678
and there was just little numbers.
130
00:08:30,678 --> 00:08:34,849
Now, we collect millions of unique attacks every month.
131
00:08:36,225 --> 00:08:38,687
Vitaly Kamluk: This room we call a woodpecker's room
132
00:08:38,687 --> 00:08:40,020
or a virus lab,
133
00:08:40,230 --> 00:08:42,190
and this is where virus analysts sit.
134
00:08:42,190 --> 00:08:44,149
We call them woodpeckers because they are
135
00:08:44,149 --> 00:08:46,653
pecking the worms, network worms, and viruses.
136
00:08:47,528 --> 00:08:50,740
And we see, like, three different groups of hackers
137
00:08:50,740 --> 00:08:52,325
behind cyber-attacks.
138
00:08:53,076 --> 00:08:54,869
They are traditional cyber criminals.
139
00:08:54,994 --> 00:08:58,831
Those guys are interested only in illegal profit.
140
00:08:58,831 --> 00:09:00,250
And quick and dirty money.
141
00:09:00,250 --> 00:09:02,418
Activists, or hacktivists,
142
00:09:02,418 --> 00:09:04,796
they are hacking for fun or hacking to push
143
00:09:04,796 --> 00:09:06,047
some political message.
144
00:09:06,297 --> 00:09:08,674
And the third group is nation-states.
145
00:09:08,841 --> 00:09:11,760
They're interested in high-quality intelligence
146
00:09:11,760 --> 00:09:13,221
or sabotage activity.
147
00:09:14,471 --> 00:09:16,975
Chien: Security companies not only share information
148
00:09:16,975 --> 00:09:18,726
but we also share binary samples.
149
00:09:18,726 --> 00:09:20,311
So when this threat was found
150
00:09:20,311 --> 00:09:22,147
by a Belarusian security company
151
00:09:22,147 --> 00:09:24,481
on one of their customer's machines in Iran,
152
00:09:24,481 --> 00:09:27,067
the sample was shared amongst the security community.
153
00:09:27,985 --> 00:09:29,571
When we try to name threats, we just try to pick
154
00:09:29,571 --> 00:09:31,614
some sort of string, some sort of words,
155
00:09:31,614 --> 00:09:34,200
that are inside of the binary.
156
00:09:35,368 --> 00:09:37,703
In this case, there was a couple of words in there
157
00:09:37,703 --> 00:09:40,706
and we took pieces of each, and that formed Stuxnet.
158
00:09:43,168 --> 00:09:46,379
I got the news about Stuxnet from one of my engineers.
159
00:09:46,379 --> 00:09:49,090
He came to my office, opened the door,
160
00:09:49,631 --> 00:09:52,634
and he said, "so, Eugene, of course you know that
161
00:09:52,634 --> 00:09:55,221
we are waiting for something really bad.
162
00:09:55,554 --> 00:09:56,722
It happened."
163
00:10:03,437 --> 00:10:05,606
Gibney: Give me some sense of what it was like
164
00:10:05,606 --> 00:10:06,982
in the lab at that time.
165
00:10:06,982 --> 00:10:08,610
Was there a palpable sense of amazement
166
00:10:08,610 --> 00:10:10,611
that you had something really different there?
167
00:10:10,903 --> 00:10:12,905
Well, I wouldn't call it amazement.
168
00:10:12,905 --> 00:10:14,948
It was a kind of a shock.
169
00:10:15,365 --> 00:10:18,495
It went beyond our worst fears, our worst nightmares,
170
00:10:18,870 --> 00:10:21,873
and this continued the more we analyzed.
171
00:10:21,873 --> 00:10:23,832
The more we researched,
172
00:10:23,832 --> 00:10:26,836
the more bizarre the whole story got.
173
00:10:27,169 --> 00:10:28,837
We look at so much malware every day that
174
00:10:28,837 --> 00:10:30,798
we can just look at the code and straightaway we can say,
175
00:10:30,798 --> 00:10:32,383
"okay, there's something bad going on here,
176
00:10:32,383 --> 00:10:33,842
and I need to investigate that."
177
00:10:33,842 --> 00:10:34,927
And that's the way it was
178
00:10:35,094 --> 00:10:37,054
when we looked at Stuxnet for the first time.
179
00:10:37,054 --> 00:10:39,557
We opened it up and there was just bad things everywhere.
180
00:10:39,557 --> 00:10:42,018
Just like, okay, this is bad and that's bad,
181
00:10:42,018 --> 00:10:43,561
and, you know, we need to investigate this.
182
00:10:43,561 --> 00:10:45,020
And just suddenly we had, like,
183
00:10:45,020 --> 00:10:46,480
a hundred questions straightaway.
184
00:10:48,524 --> 00:10:50,943
The most interesting thing that we do is detective work
185
00:10:50,943 --> 00:10:53,613
where we try to track down who's behind a threat,
186
00:10:53,613 --> 00:10:55,197
what are they doing, what's their motivation,
187
00:10:55,197 --> 00:10:56,950
and try to really stop it at the root.
188
00:10:56,950 --> 00:10:59,326
And it is kind of all-consuming.
189
00:10:59,326 --> 00:11:00,953
You get this new puzzle
190
00:11:00,953 --> 00:11:02,621
and it's very difficult to put it down,
191
00:11:02,621 --> 00:11:05,082
you know, work until, like, 4:00 am in the morning
192
00:11:05,082 --> 00:11:06,292
and figure these things out.
193
00:11:06,292 --> 00:11:09,086
And I was in that zone where I was very consumed by this,
194
00:11:09,086 --> 00:11:11,214
very excited about it, very interested to know
195
00:11:11,214 --> 00:11:12,506
what was happening.
196
00:11:12,506 --> 00:11:15,634
And Eric was also in that same sort of zone.
197
00:11:15,634 --> 00:11:18,346
So the two of us were, like, back and forth all the time.
198
00:11:18,346 --> 00:11:21,057
Chien: Liam and I continued to grind at the code,
199
00:11:21,057 --> 00:11:23,142
sharing pieces, comparing notes,
200
00:11:23,142 --> 00:11:25,019
bouncing ideas off of each other.
201
00:11:25,436 --> 00:11:26,895
We realized that we needed to do
202
00:11:26,895 --> 00:11:29,982
what we called deep analysis, pick apart the threat,
203
00:11:29,982 --> 00:11:32,818
every single byte, every single zero, one,
204
00:11:32,818 --> 00:11:34,903
and understand everything that was inside of it.
205
00:11:35,446 --> 00:11:37,240
And just to give you some context,
206
00:11:37,240 --> 00:11:39,283
we can go through and understand every line of code
207
00:11:39,283 --> 00:11:41,076
for the average threat in minutes.
208
00:11:41,702 --> 00:11:43,495
And here we are one month into this threat
209
00:11:43,495 --> 00:11:45,414
and we were just starting to discover what we call
210
00:11:45,414 --> 00:11:47,332
the payload or its whole purpose.
211
00:11:49,668 --> 00:11:51,211
When looking at the Stuxnet code,
212
00:11:51,211 --> 00:11:53,755
it's 20 times the size of the average piece of code
213
00:11:54,256 --> 00:11:56,509
but contains almost no bugs inside of it.
214
00:11:56,509 --> 00:11:58,385
And that's extremely rare.
215
00:11:58,385 --> 00:12:00,263
Malicious code always has bugs inside of it.
216
00:12:00,263 --> 00:12:02,056
This wasn't the case with Stuxnet.
217
00:12:02,056 --> 00:12:04,893
It's dense and every piece of code does something
218
00:12:04,893 --> 00:12:07,729
and does something right in order to conduct its attack.
219
00:12:08,937 --> 00:12:11,024
One of the things that surprised us
220
00:12:11,024 --> 00:12:13,400
was that Stuxnet utilized what's called
221
00:12:13,400 --> 00:12:15,945
a zero-day exploit, or basically,
222
00:12:15,945 --> 00:12:18,280
a piece of code that allows it to spread
223
00:12:18,280 --> 00:12:20,115
without you having to do anything.
224
00:12:20,115 --> 00:12:22,869
You don't have to, for example, download a file and run it.
225
00:12:22,869 --> 00:12:25,078
A zero-day exploit is an exploit that
226
00:12:25,078 --> 00:12:26,748
nobody knows about except the attacker.
227
00:12:26,748 --> 00:12:28,291
So there's no protection against it.
228
00:12:28,291 --> 00:12:29,750
There's been no patch released.
229
00:12:29,750 --> 00:12:32,044
There's been zero days protection,
230
00:12:32,044 --> 00:12:33,629
you know, against it.
231
00:12:34,504 --> 00:12:35,881
That's what attackers value,
232
00:12:35,881 --> 00:12:37,716
because they know 100 percent
233
00:12:37,716 --> 00:12:40,052
if they have this zero-day exploit,
234
00:12:40,052 --> 00:12:41,721
they can get in wherever they want.
235
00:12:41,721 --> 00:12:43,221
They're actually very valuable.
236
00:12:43,221 --> 00:12:44,640
You can sell these on the underground
237
00:12:44,640 --> 00:12:46,142
for hundreds of thousands of dollars.
238
00:12:47,518 --> 00:12:48,561
Chien: Then we became more worried
239
00:12:48,561 --> 00:12:50,647
because immediately we discovered more zero days.
240
00:12:50,647 --> 00:12:53,399
And again, these zero days are extremely rare.
241
00:12:53,399 --> 00:12:55,692
Inside Stuxnet we had, you know, four zero days,
242
00:12:55,692 --> 00:12:57,403
and for the entire rest of the year,
243
00:12:57,403 --> 00:12:59,989
we only saw 12 zero days used.
244
00:12:59,989 --> 00:13:01,658
It blows all... everything else out of the water.
245
00:13:01,658 --> 00:13:02,908
We've never seen this before.
246
00:13:02,908 --> 00:13:04,451
Actually, we've never seen it since, either.
247
00:13:04,744 --> 00:13:07,330
Seeing one in a malware you could understand
248
00:13:07,330 --> 00:13:10,249
because, you know, the malware authors are making money,
249
00:13:10,249 --> 00:13:11,833
they're stealing people's credit cards and making money,
250
00:13:11,833 --> 00:13:13,001
so it's worth their while to use it,
251
00:13:13,001 --> 00:13:15,379
but seeing four zero days, could be worth
252
00:13:15,379 --> 00:13:16,588
half a million dollars right there,
253
00:13:16,588 --> 00:13:18,341
used in one piece of malware,
254
00:13:18,591 --> 00:13:21,009
this is not your ordinary criminal gangs doing this.
255
00:13:21,009 --> 00:13:22,636
This is... This is someone bigger.
256
00:13:22,636 --> 00:13:24,514
It's definitely not traditional crime,
257
00:13:24,514 --> 00:13:28,017
not hacktivists. Who else?
258
00:13:28,893 --> 00:13:31,104
It was evident on a very early stage
259
00:13:31,604 --> 00:13:33,855
that just given the sophistication
260
00:13:33,855 --> 00:13:35,357
of this malware...
261
00:13:36,609 --> 00:13:39,403
Suggested that there must have been
262
00:13:39,403 --> 00:13:40,863
a nation-state involved,
263
00:13:40,863 --> 00:13:44,116
at least one nation-state involved in the development.
264
00:13:44,116 --> 00:13:46,159
When we look at code that's coming from
265
00:13:46,159 --> 00:13:47,703
what appears to be a state attacker
266
00:13:47,703 --> 00:13:50,331
or state-sponsored attacker, usually they're scrubbed clean.
267
00:13:50,331 --> 00:13:52,750
They don't... they don't leave little bits behind.
268
00:13:52,750 --> 00:13:54,501
They don't leave little hints behind.
269
00:13:54,751 --> 00:13:56,421
But in Stuxnet there were actually
270
00:13:56,421 --> 00:13:57,797
a few hints left behind.
271
00:13:59,048 --> 00:14:02,301
One was that, in order to get low-level access
272
00:14:02,301 --> 00:14:03,802
to Microsoft Windows,
273
00:14:04,011 --> 00:14:05,554
Stuxnet needed to use a digital certificate,
274
00:14:06,096 --> 00:14:08,515
which certifies that this piece of code
275
00:14:08,515 --> 00:14:11,351
came from a particular company.
276
00:14:12,269 --> 00:14:14,312
Now, those attackers obviously couldn't go to Microsoft
277
00:14:14,312 --> 00:14:15,815
and say, "hey, test our code out for us.
278
00:14:15,815 --> 00:14:17,399
And give us a digital certificate."
279
00:14:18,109 --> 00:14:19,693
So they essentially stole them...
280
00:14:20,945 --> 00:14:23,030
From two companies in Taiwan.
281
00:14:23,030 --> 00:14:24,907
And these two companies have nothing to do with each other
282
00:14:24,907 --> 00:14:26,576
except for their close proximity
283
00:14:26,576 --> 00:14:28,369
in the exact same business park.
284
00:14:30,955 --> 00:14:34,792
Digital certificates are guarded very, very closely
285
00:14:34,792 --> 00:14:36,335
behind multiple doors
286
00:14:36,335 --> 00:14:38,754
and they require multiple people to unlock.
287
00:14:38,754 --> 00:14:40,423
Security: ...To the camera.
288
00:14:40,423 --> 00:14:42,133
Chien: And they need to provide both biometrics
289
00:14:42,133 --> 00:14:44,552
- and, as well, pass phrases.
290
00:14:44,552 --> 00:14:46,011
It wasn't like those certificates were
291
00:14:46,011 --> 00:14:47,721
just sitting on some machine connected to the Internet.
292
00:14:47,929 --> 00:14:50,725
Some human assets had to be involved, spies.
293
00:14:50,975 --> 00:14:52,809
O'Murchu: Like a cleaner who comes in at night
294
00:14:52,809 --> 00:14:54,562
and has stolen these certificates
295
00:14:54,562 --> 00:14:55,772
from these companies.
296
00:14:59,192 --> 00:15:01,277
It did feel like walking onto the set
297
00:15:01,277 --> 00:15:03,779
of this James Bond movie and you...
298
00:15:03,779 --> 00:15:05,364
You've been embroiled in this thing that,
299
00:15:05,364 --> 00:15:07,950
you know, you... You never expected.
300
00:15:10,620 --> 00:15:11,745
We continued to search,
301
00:15:11,745 --> 00:15:13,246
and we continued to search in code,
302
00:15:13,246 --> 00:15:16,042
and eventually we found some other bread crumbs left
303
00:15:16,042 --> 00:15:17,460
we were able to follow.
304
00:15:18,168 --> 00:15:19,796
It was doing something with Siemens,
305
00:15:20,087 --> 00:15:22,881
Siemens software, possibly Siemens hardware.
306
00:15:23,173 --> 00:15:24,884
We'd never ever seen that in any malware before,
307
00:15:24,884 --> 00:15:26,219
something targeting Siemens.
308
00:15:26,219 --> 00:15:28,136
We didn't even know why they would be doing that.
309
00:15:29,721 --> 00:15:32,475
But after googling, very quickly we understood
310
00:15:32,475 --> 00:15:34,894
it was targeting Siemens PLCs.
311
00:15:35,394 --> 00:15:38,313
Stuxnet was targeting a very specific hardware device,
312
00:15:38,313 --> 00:15:41,734
something called a PLC or a programmable logic controller.
313
00:15:42,150 --> 00:15:45,071
Langner: The PLC is kind of a very small computer
314
00:15:45,363 --> 00:15:48,073
attached to physical equipment,
315
00:15:48,073 --> 00:15:50,743
like pumps, like valves, like motors.
316
00:15:51,536 --> 00:15:56,081
So this little box is running a digital program
317
00:15:56,081 --> 00:15:58,417
and the actions of this program
318
00:15:58,417 --> 00:16:02,504
turns that motor on, off, or sets a specific speed.
319
00:16:02,504 --> 00:16:04,256
Chien: Those program module controllers
320
00:16:04,256 --> 00:16:06,801
control things like power plants, power grids.
321
00:16:06,801 --> 00:16:08,510
O'Murchu: This is used in factories,
322
00:16:08,510 --> 00:16:10,971
it's used in critical infrastructure.
323
00:16:11,681 --> 00:16:14,725
Critical infrastructure, it's everywhere around us,
324
00:16:14,725 --> 00:16:17,311
transportation, telecommunications,
325
00:16:17,311 --> 00:16:19,605
financial services, health care.
326
00:16:20,148 --> 00:16:23,024
So the payload of Stuxnet was designed
327
00:16:23,024 --> 00:16:26,195
to attack some very important part
328
00:16:26,195 --> 00:16:27,613
of our world.
329
00:16:27,904 --> 00:16:29,447
The payload is gonna be important.
330
00:16:29,447 --> 00:16:32,201
What happens there could be very dangerous.
331
00:16:34,412 --> 00:16:37,373
Langner: The next very big surprise came
332
00:16:37,373 --> 00:16:39,667
when it infected our lab system.
333
00:16:40,418 --> 00:16:43,421
We figured out that the malware was probing
334
00:16:43,421 --> 00:16:44,797
for controllers.
335
00:16:45,130 --> 00:16:47,216
It was quite picky on its targets.
336
00:16:47,216 --> 00:16:51,553
It didn't try to manipulate any given controller in a network
337
00:16:51,553 --> 00:16:52,889
that it would see.
338
00:16:53,139 --> 00:16:57,350
It went through several checks, and when those checks failed,
339
00:16:57,350 --> 00:16:59,562
it would not implement the attack.
340
00:17:02,315 --> 00:17:06,152
It was obviously probing for a specific target.
341
00:17:07,528 --> 00:17:09,696
You've got to put this in context that,
342
00:17:09,696 --> 00:17:11,490
at the time, we already knew,
343
00:17:11,490 --> 00:17:13,867
well, this is the most sophisticated piece of malware
344
00:17:13,867 --> 00:17:15,411
that we have ever seen.
345
00:17:16,162 --> 00:17:18,163
So it's kind of strange.
346
00:17:18,163 --> 00:17:23,169
Somebody takes that huge effort to hit one specific target?
347
00:17:23,419 --> 00:17:25,378
Well, that must be quite a significant target.
348
00:17:28,965 --> 00:17:31,344
Chien: So at Symantec we have probes on networks
349
00:17:31,344 --> 00:17:32,510
all over the world
350
00:17:32,510 --> 00:17:34,931
watching for malicious activity.
351
00:17:35,347 --> 00:17:37,349
O'Murchu: We'd actually seen infections of Stuxnet
352
00:17:37,349 --> 00:17:39,852
all over the world, in the U.S., Australia,
353
00:17:39,852 --> 00:17:42,520
in the U.K., in France, Germany, all over Europe.
354
00:17:43,021 --> 00:17:45,398
Chien: It spread to any Windows machine in the entire world.
355
00:17:45,775 --> 00:17:48,027
You know, we had these organizations
356
00:17:48,027 --> 00:17:50,320
inside the United States who were in charge of
357
00:17:50,320 --> 00:17:52,030
industrial control facilities saying,
358
00:17:52,030 --> 00:17:54,032
"we're infected. What's gonna happen?"
359
00:17:54,407 --> 00:17:57,077
O'Murchu: We didn't know if there was a deadline coming up
360
00:17:57,077 --> 00:17:58,621
where this threat would trigger
361
00:17:58,621 --> 00:18:00,957
and suddenly would, like, turn off all, you know,
362
00:18:00,957 --> 00:18:02,540
electricity plants around the world
363
00:18:02,540 --> 00:18:04,292
or it would start shutting things down
364
00:18:04,292 --> 00:18:05,627
or launching some attack.
365
00:18:06,461 --> 00:18:09,507
We knew that Stuxnet could have very dire consequences,
366
00:18:09,507 --> 00:18:12,175
and we were very worried about
367
00:18:12,175 --> 00:18:13,635
what the payload contained
368
00:18:13,635 --> 00:18:15,887
and there was an imperative speed
369
00:18:15,887 --> 00:18:17,973
that we had to race and try and, you know,
370
00:18:17,973 --> 00:18:19,392
beat this ticking bomb.
371
00:18:20,518 --> 00:18:23,061
Eventually, we were able to refine the statistics a little
372
00:18:23,061 --> 00:18:24,563
and we saw that Iran was the number one
373
00:18:24,563 --> 00:18:26,147
infected country in the world.
374
00:18:26,147 --> 00:18:28,733
Chien: That immediately raised our eyebrows.
375
00:18:28,733 --> 00:18:30,987
We had never seen a threat before
376
00:18:30,987 --> 00:18:33,114
where it was predominantly in Iran.
377
00:18:34,073 --> 00:18:35,657
And so we began to follow what was going on
378
00:18:35,657 --> 00:18:36,909
in the geopolitical world,
379
00:18:37,076 --> 00:18:38,618
what was happening in the general news.
380
00:18:38,827 --> 00:18:42,080
And at that time, there were actually multiple explosions
381
00:18:42,080 --> 00:18:44,959
of gas pipelines going in and out of Iran.
382
00:18:45,960 --> 00:18:47,336
Unexplained explosions.
383
00:18:48,878 --> 00:18:51,007
O'Murchu: And of course, we did notice that at the time
384
00:18:51,007 --> 00:18:53,634
there had been assassinations of nuclear scientists.
385
00:18:54,844 --> 00:18:56,261
So that was worrying.
386
00:18:57,096 --> 00:18:59,265
We knew there was something bad happening.
387
00:18:59,765 --> 00:19:01,599
Gibney: Did you get concerned for yourself?
388
00:19:01,599 --> 00:19:03,519
I mean, did you begin to start looking over your shoulder
389
00:19:03,519 --> 00:19:04,769
from time to time?
390
00:19:04,769 --> 00:19:06,355
Yeah, definitely looking over my shoulder
391
00:19:06,355 --> 00:19:08,941
and... and being careful about what I spoke about on the phone.
392
00:19:09,942 --> 00:19:13,112
I was... pretty confident my conversations on my...
393
00:19:13,112 --> 00:19:14,613
On the phone were being listened to.
394
00:19:14,946 --> 00:19:16,906
We were only half joking
395
00:19:16,906 --> 00:19:18,951
when we would look at each other
396
00:19:18,951 --> 00:19:20,702
and tell each other things like,
397
00:19:20,702 --> 00:19:22,954
"look, I'm not suicidal.
398
00:19:23,288 --> 00:19:26,791
If I show up dead on Monday, you know, it wasn't me."
399
00:19:35,550 --> 00:19:38,011
We'd been publishing information about Stuxnet
400
00:19:38,011 --> 00:19:39,387
all through that summer.
401
00:19:40,765 --> 00:19:43,392
And then in November, the industrial control system
402
00:19:43,392 --> 00:19:46,519
sort of expert in Holland contacted us...
403
00:19:47,813 --> 00:19:50,398
And he said all of these devices that would be inside of
404
00:19:50,398 --> 00:19:53,486
an industrial control system hold a unique identifier number
405
00:19:53,486 --> 00:19:56,654
that identified the make and model of that device.
406
00:19:58,449 --> 00:20:02,118
And we actually had a couple of these numbers in the code
407
00:20:02,118 --> 00:20:03,496
that we didn't know what they were.
408
00:20:04,538 --> 00:20:06,414
And so we realized maybe what he was referring to
409
00:20:06,414 --> 00:20:07,875
was the magic numbers we had.
410
00:20:08,416 --> 00:20:09,960
And then when we searched for those magic numbers
411
00:20:09,960 --> 00:20:11,127
in that context,
412
00:20:11,127 --> 00:20:13,547
we saw that what had to be connected
413
00:20:13,547 --> 00:20:15,715
to this industrial control system that was being targeted
414
00:20:15,715 --> 00:20:17,675
were something called frequency converters
415
00:20:18,009 --> 00:20:20,179
from two specific manufacturers,
416
00:20:20,179 --> 00:20:21,931
one of which was in Iran.
417
00:20:22,515 --> 00:20:24,307
And so at this time, we absolutely knew
418
00:20:24,307 --> 00:20:26,644
that the facility that was being targeted
419
00:20:26,644 --> 00:20:28,104
had to be in Iran
420
00:20:28,436 --> 00:20:31,272
and had equipment made from Iranian manufacturers.
421
00:20:32,191 --> 00:20:33,983
When we looked up those frequency converters,
422
00:20:33,983 --> 00:20:35,778
we immediately found out that they were actually
423
00:20:35,778 --> 00:20:38,197
export controlled by the Nuclear Regulatory Commission.
424
00:20:38,780 --> 00:20:40,115
And that immediately led us then
425
00:20:40,115 --> 00:20:42,410
to some nuclear facility.
426
00:21:00,009 --> 00:21:02,137
Gibney: This was more than a computer story,
427
00:21:02,512 --> 00:21:04,932
so I left the world of the antivirus detectives
428
00:21:05,223 --> 00:21:07,183
and sought out journalist, David Sanger,
429
00:21:07,183 --> 00:21:09,436
who specialized in the strange intersection
430
00:21:09,436 --> 00:21:12,440
of cyber, nuclear weapons, and espionage.
431
00:21:13,398 --> 00:21:15,483
Sanger: The emergence of the code
432
00:21:15,483 --> 00:21:18,778
is what put me on alert that an attack was under way.
433
00:21:20,239 --> 00:21:23,409
And because of the covert nature of the operation,
434
00:21:23,409 --> 00:21:26,412
not only were official government spokesmen
435
00:21:26,412 --> 00:21:29,289
unable to talk about it, they didn't even know about it.
436
00:21:30,499 --> 00:21:32,585
Eventually, the more I dug into it,
437
00:21:32,585 --> 00:21:37,173
the more I began to find individuals
438
00:21:37,423 --> 00:21:39,592
who had been involved in some piece of it
439
00:21:39,799 --> 00:21:41,844
or who had witnessed some piece of it.
440
00:21:42,470 --> 00:21:44,846
And that meant talking to Americans,
441
00:21:44,846 --> 00:21:47,766
talking to Israelis, talking to Europeans,
442
00:21:47,766 --> 00:21:50,853
because this was obviously the first, biggest,
443
00:21:50,853 --> 00:21:55,441
and most sophisticated example of a state
444
00:21:55,441 --> 00:21:58,067
or two states using a cyber weapon
445
00:21:58,067 --> 00:21:59,612
for offensive purposes.
446
00:22:03,031 --> 00:22:05,951
I came to this with a fair bit of history,
447
00:22:05,951 --> 00:22:08,703
understanding the Iranian nuclear program.
448
00:22:09,747 --> 00:22:13,125
How did Iran get its first nuclear reactor?
449
00:22:13,709 --> 00:22:16,836
We gave it to them... under the Shah,
450
00:22:17,171 --> 00:22:20,590
because the Shah was considered an American ally.
451
00:22:22,092 --> 00:22:25,721
Thank you again for your warm welcome, Mr. President.
452
00:22:26,055 --> 00:22:27,681
Gary Samore: During the Nixon administration,
453
00:22:27,681 --> 00:22:30,934
the U.S. was very enthusiastic about supporting
454
00:22:30,934 --> 00:22:33,019
the Shah's nuclear power program.
455
00:22:33,938 --> 00:22:36,272
And at one point, the Nixon administration
456
00:22:36,272 --> 00:22:39,108
was pushing the idea that Pakistan and Iran
457
00:22:39,108 --> 00:22:43,697
should build a joint plant together in Iran.
458
00:22:45,074 --> 00:22:46,784
There's at least some evidence that
459
00:22:46,784 --> 00:22:50,287
the Shah was thinking about acquisition of nuclear weapons,
460
00:22:50,287 --> 00:22:53,832
because he saw, and we were encouraging him to see Iran
461
00:22:53,832 --> 00:22:56,125
as the so-called policemen of the Persian Gulf.
462
00:22:56,125 --> 00:22:58,295
And the Iranians have always viewed themselves
463
00:22:58,295 --> 00:23:01,548
as naturally the dominant power in the Middle East.
464
00:23:24,113 --> 00:23:25,698
Samore: But the revolution,
465
00:23:25,698 --> 00:23:27,407
which overthrew the Shah in '79,
466
00:23:27,407 --> 00:23:29,201
really curtailed the program
467
00:23:29,201 --> 00:23:31,578
before it ever got any head of steam going.
468
00:23:32,663 --> 00:23:37,250
Part of our policy against Iran after the revolution
469
00:23:37,250 --> 00:23:39,545
was to deny them nuclear technology.
470
00:23:39,545 --> 00:23:42,839
So most of the period when I was involved
471
00:23:42,839 --> 00:23:44,842
in the '80s and the '90s
472
00:23:44,842 --> 00:23:47,260
was the U.S. running around the world
473
00:23:47,260 --> 00:23:50,513
and persuading potential nuclear suppliers
474
00:23:50,513 --> 00:23:53,892
not to provide even peaceful nuclear technology to Iran.
475
00:23:54,143 --> 00:23:57,563
And what we missed was the clandestine transfer
476
00:23:57,563 --> 00:24:00,481
in the mid-1980s from Pakistan to Iran.
477
00:24:04,486 --> 00:24:05,738
Rolf Mowatt-Larssen: Abdul Qadeer Khan
478
00:24:05,738 --> 00:24:07,071
is what we would call
479
00:24:07,071 --> 00:24:09,074
the father of the Pakistan nuclear program.
480
00:24:10,491 --> 00:24:13,077
He had the full authority and confidence
481
00:24:13,077 --> 00:24:15,372
of the Pakistan government from its inception
482
00:24:15,372 --> 00:24:17,458
to the production of nuclear weapons.
483
00:24:19,167 --> 00:24:21,502
I was a CIA officer for... for...
484
00:24:21,502 --> 00:24:24,173
for over two decades, operations officer,
485
00:24:24,173 --> 00:24:25,965
worked overseas most of my career.
486
00:24:26,549 --> 00:24:28,594
The A.Q. Khan network is so notable
487
00:24:28,594 --> 00:24:31,638
because aside from building
488
00:24:31,638 --> 00:24:34,642
the Pakistani program for decades...
489
00:24:35,893 --> 00:24:39,063
it also was the means by which other countries
490
00:24:39,063 --> 00:24:41,690
were able to develop nuclear weapons,
491
00:24:41,690 --> 00:24:42,982
including Iran.
492
00:24:43,608 --> 00:24:45,234
Samore: A.Q. Khan acting on behalf
493
00:24:45,234 --> 00:24:46,319
of the Pakistani government
494
00:24:46,319 --> 00:24:49,405
negotiated with officials in Iran
495
00:24:49,405 --> 00:24:52,451
and then there was a transfer which took place
496
00:24:52,451 --> 00:24:53,493
through Dubai
497
00:24:53,493 --> 00:24:56,747
of blueprints for nuclear weapons design
498
00:24:56,747 --> 00:24:58,332
as well as some hardware.
499
00:24:59,500 --> 00:25:01,501
Throughout the mid-1980s,
500
00:25:01,501 --> 00:25:04,546
the Iranian program was not very well-resourced.
501
00:25:04,546 --> 00:25:06,382
It was more of an R&D program.
502
00:25:07,423 --> 00:25:10,635
It wasn't really until the mid-'90s
503
00:25:10,635 --> 00:25:12,887
that it started to take off when they made the decision
504
00:25:12,887 --> 00:25:14,972
to build the nuclear weapons program.
505
00:25:21,646 --> 00:25:23,147
You know, we can speculate what,
506
00:25:23,147 --> 00:25:24,566
in their mind, motivated them.
507
00:25:24,566 --> 00:25:27,736
I think it was the U.S. invasion of Iraq
508
00:25:27,736 --> 00:25:29,320
after Kuwait.
509
00:25:30,655 --> 00:25:32,115
You know, there was an eight-year war
510
00:25:32,115 --> 00:25:33,701
between Iraq and Iran,
511
00:25:33,951 --> 00:25:37,371
we had wiped out Saddam's forces in a matter of weeks.
512
00:25:40,249 --> 00:25:43,000
And I think that was enough to convince the rulers
513
00:25:43,000 --> 00:25:45,170
in Tehran that they needed to pursue
514
00:25:45,170 --> 00:25:46,713
nuclear weapons more seriously.
515
00:25:48,757 --> 00:25:51,676
George Bush: States like these and their terrorist allies
516
00:25:51,676 --> 00:25:54,512
constitute an axis of evil,
517
00:25:54,512 --> 00:25:57,266
arming to threaten the peace of the world.
518
00:25:58,683 --> 00:26:01,310
Samore: From 2003 to 2005
519
00:26:01,310 --> 00:26:04,605
when they feared that the U.S. would invade them,
520
00:26:04,605 --> 00:26:06,942
they accepted limits on their nuclear program.
521
00:26:07,401 --> 00:26:11,028
But by 2006, the Iranians had come to the conclusion
522
00:26:11,028 --> 00:26:13,906
that the U.S. was bogged down in Afghanistan and Iraq
523
00:26:13,906 --> 00:26:17,076
and no longer had the capacity to threaten them,
524
00:26:17,452 --> 00:26:21,205
and so they felt it was safe to resume their enrichment program.
525
00:26:21,957 --> 00:26:24,625
They started producing low enriched uranium,
526
00:26:24,917 --> 00:26:26,920
producing more centrifuges, installing them
527
00:26:26,920 --> 00:26:30,715
at the large-scale underground enrichment facility at Natanz.
528
00:26:42,059 --> 00:26:46,898
Journalist:
529
00:26:58,076 --> 00:27:02,163
Ahmadinejad:
530
00:27:35,197 --> 00:27:37,115
Gibney: How many times have you been to Natanz?
531
00:27:37,490 --> 00:27:40,868
Not that many, because I left few years ago, the dia,
532
00:27:40,868 --> 00:27:43,204
but I was there quite... quite a few times.
533
00:27:46,750 --> 00:27:49,294
Natanz is just in the middle of the desert.
534
00:27:51,255 --> 00:27:53,214
When they were building it in secret,
535
00:27:53,464 --> 00:27:57,510
they were calling it desert irrigation facility.
536
00:27:58,010 --> 00:27:59,555
For the local people,
537
00:27:59,555 --> 00:28:02,140
you want to sell why you are building a big complex.
538
00:28:04,934 --> 00:28:07,645
There is a lot of artillery and air force.
539
00:28:07,645 --> 00:28:12,025
It's better protected against attack from air
540
00:28:12,567 --> 00:28:15,069
than any other nuclear installation I have seen.
541
00:28:17,823 --> 00:28:20,325
So this is deeply underground.
542
00:28:24,913 --> 00:28:28,834
But then inside, Natanz is like any other centrifuge facility.
543
00:28:28,834 --> 00:28:33,171
I have been all over the world, from Brazil to Russia, Japan,
544
00:28:33,171 --> 00:28:37,718
so they are all alike with their own features,
545
00:28:37,718 --> 00:28:40,095
their own centrifuges, their own culture,
546
00:28:40,095 --> 00:28:42,681
but basically, the process is the same.
547
00:28:43,765 --> 00:28:46,852
And so are the monitoring activities of the IAEA.
548
00:28:46,852 --> 00:28:48,519
There are basic principles.
549
00:28:48,519 --> 00:28:51,230
You want to see what goes in, what goes out,
550
00:28:51,522 --> 00:28:53,692
and then on top of that you make sure that
551
00:28:53,692 --> 00:28:56,153
it produces low enriched uranium
552
00:28:56,153 --> 00:28:58,529
instead of anything to do with the higher enrichments
553
00:28:58,529 --> 00:29:00,740
and nuclear weapon grade uranium.
554
00:29:06,704 --> 00:29:08,080
Emad Kiyaei: Iran's nuclear facilities
555
00:29:08,080 --> 00:29:10,291
are under 24-hour watch
556
00:29:11,000 --> 00:29:13,336
of the United Nations nuclear watchdog,
557
00:29:13,336 --> 00:29:16,632
the IAEA, the International Atomic Energy Agency.
558
00:29:18,008 --> 00:29:22,220
Every single gram of Iranian fissile material...
559
00:29:23,430 --> 00:29:24,765
is accounted for.
560
00:29:27,601 --> 00:29:30,061
They have, like, basically seals they put
561
00:29:30,061 --> 00:29:33,606
on fissile materials. There are IAEA seals.
562
00:29:33,856 --> 00:29:36,151
You can't break it
563
00:29:36,151 --> 00:29:37,986
without getting noticed.
564
00:29:39,988 --> 00:29:42,240
Heinonen: When you look at the uranium
565
00:29:42,240 --> 00:29:46,118
which was there in Natanz, it was a very special uranium.
566
00:29:46,243 --> 00:29:51,666
This is called isotope 236, and that was a puzzle to us,
567
00:29:51,666 --> 00:29:54,126
because you only see this sort of uranium
568
00:29:54,126 --> 00:29:57,255
in states which have had nuclear weapons.
569
00:29:59,090 --> 00:30:01,801
We realized that they had cheated us.
570
00:30:02,510 --> 00:30:05,806
This sort of equipment has been bought
571
00:30:05,806 --> 00:30:07,598
from what they call a black market.
572
00:30:07,598 --> 00:30:10,810
They never pointed out it to A.Q. Khan
573
00:30:11,269 --> 00:30:13,063
at that point of time.
574
00:30:17,942 --> 00:30:21,278
What I was surprised was the sophistication
575
00:30:21,278 --> 00:30:23,115
and the quality control
576
00:30:23,406 --> 00:30:25,409
and the way they have the manufacturing
577
00:30:25,409 --> 00:30:26,785
was really professional.
578
00:30:27,952 --> 00:30:30,538
It was not something, you know, you just create
579
00:30:30,538 --> 00:30:32,082
in a few months' time.
580
00:30:32,082 --> 00:30:34,792
This was a result of a long process.
581
00:30:41,924 --> 00:30:44,720
A centrifuge, you feed uranium gas
582
00:30:44,720 --> 00:30:47,847
in and you have a cascade, thousands of centrifuges,
583
00:30:47,847 --> 00:30:50,851
and from the other end you get enriched uranium out.
584
00:30:51,559 --> 00:30:55,564
It separates uranium based on spinning the rotors.
585
00:30:55,564 --> 00:30:59,358
It spins so fast, 300 meters per second,
586
00:30:59,358 --> 00:31:02,362
the same as the velocity of sound.
587
00:31:03,739 --> 00:31:05,406
These are tremendous forces
588
00:31:05,406 --> 00:31:08,367
and as a result, the rotor, it twists,
589
00:31:08,367 --> 00:31:10,494
looks like a banana at one point of time.
590
00:31:11,913 --> 00:31:13,498
So it has to be balanced
591
00:31:13,498 --> 00:31:16,835
because any small vibration it will blow up.
592
00:31:18,252 --> 00:31:20,172
And here comes another trouble.
593
00:31:20,505 --> 00:31:22,673
You have to raise the temperature
594
00:31:22,673 --> 00:31:25,760
but this very thin rotor was...
595
00:31:25,760 --> 00:31:27,804
They are made from carbon fiber,
596
00:31:27,804 --> 00:31:30,432
and the other pieces, they are made from metal.
597
00:31:31,348 --> 00:31:34,853
When you heat carbon fiber, it shrinks.
598
00:31:35,936 --> 00:31:38,230
When you heat metal, it expands.
599
00:31:38,606 --> 00:31:41,651
So you need to balance not only that they spin,
600
00:31:41,651 --> 00:31:44,779
they twist, but this temperature behavior
601
00:31:44,779 --> 00:31:47,031
in such a way that it doesn't break.
602
00:31:47,031 --> 00:31:49,201
So this has to be very precise.
603
00:31:49,701 --> 00:31:52,203
This is what makes them very difficult to manufacture.
604
00:31:52,203 --> 00:31:54,873
You can model it, you can calculate it,
605
00:31:54,873 --> 00:31:57,334
but at the very end, it's actually based
606
00:31:57,334 --> 00:31:59,961
on practice and experience.
607
00:31:59,961 --> 00:32:03,256
So it's a... it's a piece of art, so to say.
608
00:32:13,767 --> 00:32:19,396
Man:
609
00:32:44,213 --> 00:32:46,549
Heinonen: Iranians are very proud of their centrifuges.
610
00:32:46,549 --> 00:32:49,510
They have a lot of public relations videos
611
00:32:49,510 --> 00:32:53,265
given up always in April when they have what they call
612
00:32:53,265 --> 00:32:54,766
a national nuclear day.
613
00:32:55,767 --> 00:32:59,270
Man:
614
00:33:09,071 --> 00:33:12,450
Kiyaei: Ahmadinejad came into his presidency saying
615
00:33:12,450 --> 00:33:15,036
if the international community wants to derail us
616
00:33:15,036 --> 00:33:16,704
we will stand up to it.
617
00:33:17,788 --> 00:33:20,500
If they want us to sign more inspections
618
00:33:20,500 --> 00:33:23,752
and more additional protocols and other measures,
619
00:33:23,752 --> 00:33:26,463
no, we will not. We will fight for our rights.
620
00:33:27,715 --> 00:33:30,801
Iran is a signature to Nuclear Non-Proliferation Treaty,
621
00:33:30,801 --> 00:33:34,388
and under that treaty, Iran has a right to a nuclear program.
622
00:33:34,972 --> 00:33:38,434
We can have enrichment. Who are you, world powers,
623
00:33:38,434 --> 00:33:40,895
to come and tell us that we cannot have enrichment?
624
00:33:41,270 --> 00:33:42,980
This was his mantra,
625
00:33:43,731 --> 00:33:47,109
and it galvanized the public.
626
00:33:50,697 --> 00:33:53,074
Sanger: By 2007, 2008,
627
00:33:53,074 --> 00:33:55,576
the U.S. government was in a very bad place with
628
00:33:55,576 --> 00:33:56,869
the Iranian program.
629
00:33:57,871 --> 00:33:59,955
President Bush recognized
630
00:33:59,955 --> 00:34:02,584
that he could not even come out in public
631
00:34:02,584 --> 00:34:05,086
and declare that the Iranians were building a nuclear weapon,
632
00:34:05,086 --> 00:34:06,922
because by this time, he had gone through
633
00:34:06,922 --> 00:34:10,217
the entire WMD fiasco in Iraq.
634
00:34:10,925 --> 00:34:13,219
He could not really take military action.
635
00:34:13,219 --> 00:34:15,597
Condoleezza Rice said to him at one point,
636
00:34:15,597 --> 00:34:19,016
"You know, Mr. President, I think you've invaded
637
00:34:19,016 --> 00:34:22,686
your last Muslim country, even for the best of reasons."
638
00:34:24,521 --> 00:34:26,690
He didn't want to let the Israelis
639
00:34:26,690 --> 00:34:28,568
conduct a military operation.
640
00:34:28,860 --> 00:34:34,615
It's 1938, and Iran is Germany and it's racing...
641
00:34:35,449 --> 00:34:38,077
to arm itself with atomic bombs.
642
00:34:38,661 --> 00:34:42,248
Iran's nuclear ambitions must be stopped.
643
00:34:42,873 --> 00:34:47,628
They have to be stopped. We all have to stop it, now.
644
00:34:47,628 --> 00:34:50,257
That's the one message I have for you today.
645
00:34:50,257 --> 00:34:52,132
- Thank you.
646
00:34:52,132 --> 00:34:55,010
Israel was saying they were gonna bomb Iran.
647
00:34:55,010 --> 00:34:58,222
And the government here in Washington
648
00:34:58,222 --> 00:35:00,599
did all sorts of scenarios about what would happen
649
00:35:00,599 --> 00:35:03,143
if that Israeli attack occurred.
650
00:35:03,561 --> 00:35:05,730
They were all very ugly scenarios.
651
00:35:05,730 --> 00:35:08,733
Our belief was that if they went on their own
652
00:35:08,733 --> 00:35:10,527
knowing the limitations...
653
00:35:10,527 --> 00:35:12,403
No, they're a very good air force, all right?
654
00:35:12,778 --> 00:35:14,822
But it's small and the distances are great
655
00:35:14,822 --> 00:35:17,242
and the target's dispersed and hardened, all right?
656
00:35:18,242 --> 00:35:20,786
If they would have attempted a raid
657
00:35:21,496 --> 00:35:23,248
on a military plane,
658
00:35:23,539 --> 00:35:26,333
we would have been assuming that they were assuming
659
00:35:26,333 --> 00:35:28,920
we would finish that which they started.
660
00:35:28,920 --> 00:35:31,547
In other words, there would be many of us
661
00:35:31,547 --> 00:35:33,590
in government thinking that the purpose of the raid
662
00:35:33,590 --> 00:35:36,135
wasn't to destroy the Iranian nuclear system,
663
00:35:36,135 --> 00:35:39,764
but the purpose of the raid was to put us at war with Iran.
664
00:35:40,724 --> 00:35:42,766
Israel is very much concerned about
665
00:35:42,766 --> 00:35:45,436
Iran's nuclear program, more than the United States.
666
00:35:45,436 --> 00:35:48,188
It's only natural because of the size of the country,
667
00:35:48,188 --> 00:35:50,608
because we live in this neighborhood,
668
00:35:50,608 --> 00:35:54,237
America lives thousands and thousands miles away from Iran.
669
00:35:54,237 --> 00:35:57,865
The two countries agreed on the goal.
670
00:35:58,157 --> 00:36:00,909
There is no page between us
671
00:36:00,909 --> 00:36:06,248
that Iran should not have a nuclear military capability.
672
00:36:06,248 --> 00:36:08,251
There are some differences
673
00:36:08,251 --> 00:36:10,628
on how to... how to achieve it
674
00:36:10,628 --> 00:36:12,922
and when action is needed.
675
00:36:22,431 --> 00:36:24,851
Yadlin: We are taking very seriously
676
00:36:24,851 --> 00:36:27,561
leaders of countries who call to the destruction
677
00:36:27,561 --> 00:36:30,190
and annihilation of our people.
678
00:36:30,398 --> 00:36:32,900
If Iran will get nuclear weapons,
679
00:36:32,900 --> 00:36:34,360
now or in the future...
680
00:36:35,320 --> 00:36:38,197
It means that for the first time in human history
681
00:36:38,989 --> 00:36:41,659
Islamic zealots, religious zealots,
682
00:36:42,369 --> 00:36:44,661
will get their hand on
683
00:36:44,661 --> 00:36:47,664
the most dangerous, devastating weapons,
684
00:36:47,664 --> 00:36:50,418
and the world should prevent this.
685
00:36:52,586 --> 00:36:56,340
Samore: The Israelis believe that the Iranian leadership
686
00:36:56,340 --> 00:36:59,302
has already made the decision to build nuclear weapons
687
00:36:59,302 --> 00:37:01,221
when they think they can get away with it.
688
00:37:01,596 --> 00:37:04,391
The view in the U.S. is that the Iranians
689
00:37:04,391 --> 00:37:06,559
haven't made that final decision yet.
690
00:37:07,518 --> 00:37:09,436
To me, that doesn't make any difference.
691
00:37:09,436 --> 00:37:11,188
I mean, it really doesn't make any difference,
692
00:37:11,188 --> 00:37:14,358
and it's probably unknowable, unless you can put, you know,
693
00:37:14,358 --> 00:37:17,737
Supreme Leader Khamenei on the couch and interview him.
694
00:37:17,737 --> 00:37:20,657
I think, you know, from our standpoint,
695
00:37:20,657 --> 00:37:23,284
stopping Iran from getting the threshold capacity
696
00:37:23,284 --> 00:37:26,413
is, you know, the primary policy objective.
697
00:37:27,746 --> 00:37:29,833
Once they have the fissile material,
698
00:37:29,833 --> 00:37:32,210
once they have the capacity to produce nuclear weapons,
699
00:37:32,210 --> 00:37:33,585
then the game is lost.
700
00:37:39,384 --> 00:37:41,219
Hayden: President Bush once said to me, he said,
701
00:37:41,219 --> 00:37:44,304
"Mike, I don't want any president ever to be faced
702
00:37:44,304 --> 00:37:48,351
with only two options, bombing or the bomb."
703
00:37:48,351 --> 00:37:49,561
Right?
704
00:37:49,561 --> 00:37:53,148
He... he wanted options that... that made it...
705
00:37:53,356 --> 00:37:56,317
made it far less likely he or his successor
706
00:37:56,317 --> 00:37:58,862
or successors would ever get to that point
707
00:37:58,862 --> 00:38:00,487
where that's... that's all you've got.
708
00:38:00,822 --> 00:38:04,451
We wanted to be energetic enough in pursuing this problem
709
00:38:04,826 --> 00:38:07,829
that... that the Israelis would certainly believe,
710
00:38:07,829 --> 00:38:09,038
"Yeah, we get it."
711
00:38:09,038 --> 00:38:11,166
The intelligence cooperation between Israel
712
00:38:11,166 --> 00:38:14,585
and the United States is very, very good.
713
00:38:15,378 --> 00:38:17,672
And therefore, the Israelis went to the Americans
714
00:38:17,672 --> 00:38:21,300
and said, "Okay, guys, you don't want us to bomb Iran.
715
00:38:21,300 --> 00:38:24,471
Okay, let's do it differently."
716
00:38:24,971 --> 00:38:28,516
And then the American intelligence community started
717
00:38:28,516 --> 00:38:30,226
rolling in joint forces
718
00:38:30,226 --> 00:38:32,186
with the Israeli intelligence community.
719
00:38:32,853 --> 00:38:36,858
One day a group of intelligence and military officials showed up
720
00:38:37,567 --> 00:38:39,485
in President Bush's office
721
00:38:40,110 --> 00:38:41,612
and said, "Sir, we have an idea.
722
00:38:42,780 --> 00:38:44,114
It's a big risk.
723
00:38:44,657 --> 00:38:46,451
It might not work, but here it is."
724
00:38:54,000 --> 00:38:57,628
Langner: Moving forward in my analysis of the codes,
725
00:38:57,628 --> 00:39:01,632
I took a closer look at the photographs
726
00:39:01,632 --> 00:39:03,510
that had been published
727
00:39:03,510 --> 00:39:08,264
by the Iranians themselves in a press tour from 2008
728
00:39:08,264 --> 00:39:11,391
of Ahmadinejad and the shiny centrifuges.
729
00:39:13,811 --> 00:39:15,688
Sanger: Well, photographs of Ahmadinejad
730
00:39:15,688 --> 00:39:18,483
going through the centrifuges at Natanz
731
00:39:18,483 --> 00:39:21,902
had provided some very important clues.
732
00:39:22,612 --> 00:39:24,822
There was a huge amount to be learned.
733
00:39:33,121 --> 00:39:35,916
First of all, those photographs showed
734
00:39:35,916 --> 00:39:39,253
many of the individuals who were guiding Ahmadinejad
735
00:39:39,253 --> 00:39:40,420
through the program.
736
00:39:40,420 --> 00:39:43,048
And there's one very famous photograph that shows
737
00:39:43,048 --> 00:39:45,009
Ahmadinejad being shown something.
738
00:39:45,009 --> 00:39:47,594
You see his face, you can't see what's on the computer.
739
00:39:47,594 --> 00:39:51,056
And one of the scientists who was behind him
740
00:39:51,056 --> 00:39:53,434
was assassinated a few months later.
741
00:39:57,813 --> 00:39:59,523
Langner: In one of those photographs,
742
00:39:59,815 --> 00:40:03,152
you could see parts of a computer screen.
743
00:40:03,152 --> 00:40:05,737
We... we refer to that as a SCADA screen.
744
00:40:05,737 --> 00:40:08,699
The SCADA system is basically a piece of software
745
00:40:08,699 --> 00:40:10,284
running on a computer.
746
00:40:10,284 --> 00:40:13,871
It enables the operators to monitor the processes.
747
00:40:14,871 --> 00:40:19,043
What you could see when you look close enough
748
00:40:19,543 --> 00:40:23,880
was a more detailed view of the configuration.
749
00:40:24,715 --> 00:40:28,010
There were these six groups of centrifuges
750
00:40:28,010 --> 00:40:31,431
and each group had 164 entries.
751
00:40:32,014 --> 00:40:33,599
And guess what?
752
00:40:33,891 --> 00:40:36,226
That was a perfect match to what we saw
753
00:40:36,226 --> 00:40:37,561
in the attack code.
754
00:40:38,938 --> 00:40:42,317
It was absolutely clear that this piece of code
755
00:40:42,317 --> 00:40:45,902
was attacking an array of six different groups
756
00:40:45,902 --> 00:40:49,740
of, let's just say, thingies, physical objects,
757
00:40:49,740 --> 00:40:55,621
and in those six groups, there were 164 elements.
758
00:40:59,333 --> 00:41:01,668
Gibney: Were you able to do any actual physical tests?
759
00:41:01,668 --> 00:41:03,920
Or it was all just code analysis?
760
00:41:03,920 --> 00:41:05,840
Yeah, so, you know, we obviously
761
00:41:05,840 --> 00:41:08,925
couldn't set up our own sort of nuclear enrichment facility.
762
00:41:09,092 --> 00:41:11,387
So... but what we did was we did obtain some PLCs,
763
00:41:11,387 --> 00:41:12,639
the exact models.
764
00:41:19,771 --> 00:41:22,190
We then ordered an air pump, and that's what we used
765
00:41:22,190 --> 00:41:23,858
sort of as our sort of proof of concept.
766
00:41:24,692 --> 00:41:26,443
O'Murchu: We needed a visual demonstration
767
00:41:26,443 --> 00:41:28,612
to show people what we discovered.
768
00:41:28,945 --> 00:41:30,989
So we thought of different things that we could do,
769
00:41:30,989 --> 00:41:33,117
and we... we settled on blowing up a balloon.
770
00:41:37,454 --> 00:41:39,414
We were able to write a program that would inflate a balloon,
771
00:41:39,414 --> 00:41:42,293
and it was set to stop after five seconds.
772
00:41:52,302 --> 00:41:54,054
So it would inflate the balloon to a certain size
773
00:41:54,054 --> 00:41:55,556
but it wouldn't burst the balloon
774
00:41:55,556 --> 00:41:57,016
and it was all safe.
775
00:41:57,016 --> 00:41:59,101
And we showed everybody, this is the code
776
00:41:59,101 --> 00:42:00,311
that's on the PLC.
777
00:42:00,769 --> 00:42:02,730
And the timer says, "stop after five seconds."
778
00:42:02,980 --> 00:42:04,481
We know that's what's going to happen.
779
00:42:05,108 --> 00:42:07,360
And then we would infect the computer with Stuxnet,
780
00:42:07,902 --> 00:42:10,153
and we would run the test again.
781
00:42:41,351 --> 00:42:42,978
Here is a piece of software
782
00:42:42,978 --> 00:42:45,940
that should only exist in a cyber realm
783
00:42:45,940 --> 00:42:49,068
and it is able to affect physical equipment
784
00:42:49,068 --> 00:42:52,780
in a plant or factory and cause physical damage.
785
00:42:52,780 --> 00:42:54,865
Real-world physical destruction.
786
00:42:59,369 --> 00:43:02,039
At that time, things became very scary to us.
787
00:43:02,039 --> 00:43:04,541
Here you had malware potentially killing people
788
00:43:04,541 --> 00:43:06,835
and that was something that was always Hollywood-esque to us
789
00:43:06,835 --> 00:43:08,003
that we'd always laugh at
790
00:43:08,003 --> 00:43:10,047
when people made that kind of assertion.
791
00:43:15,635 --> 00:43:18,139
Gibney: At this point, you had to have started developing
792
00:43:18,139 --> 00:43:20,891
theories as to who had built Stuxnet.
793
00:43:21,851 --> 00:43:23,436
It wasn't lost on us that
794
00:43:23,436 --> 00:43:26,646
there were probably only a few countries
795
00:43:26,646 --> 00:43:28,983
in the world that would want
796
00:43:28,983 --> 00:43:31,860
and have the motivation to sabotage
797
00:43:31,860 --> 00:43:33,987
Iran's nuclear enrichment facility.
798
00:43:33,987 --> 00:43:35,907
The U.S. government would be up there.
799
00:43:35,907 --> 00:43:38,074
Israeli government certainly would be... would be up there.
800
00:43:38,074 --> 00:43:40,161
You know, maybe U.K., France, Germany,
801
00:43:40,161 --> 00:43:41,621
those sorts of countries,
802
00:43:41,621 --> 00:43:43,914
but we never found any information that
803
00:43:43,914 --> 00:43:46,958
would tie it back 100 percent to... to those countries.
804
00:43:46,958 --> 00:43:48,878
There are no telltale signs.
805
00:43:48,878 --> 00:43:51,422
You know, the attackers don't leave a message inside
806
00:43:51,422 --> 00:43:53,590
saying, you know, "it was me."
807
00:43:54,509 --> 00:43:57,762
And even if they did, all of that stuff can be faked.
808
00:43:58,137 --> 00:44:00,806
So it's very, very difficult to do attribution
809
00:44:00,806 --> 00:44:02,516
when looking at computer code.
810
00:44:03,391 --> 00:44:04,936
Gibney: Subsequent work that's been done
811
00:44:04,936 --> 00:44:07,355
leads us to believe that this was the work of
812
00:44:07,355 --> 00:44:08,898
a collaboration between Israel and the United States.
813
00:44:08,898 --> 00:44:09,940
Yeah, yeah.
814
00:44:09,940 --> 00:44:11,108
Gibney: Did you have any evidence
815
00:44:11,108 --> 00:44:12,360
in terms of your analysis
816
00:44:12,360 --> 00:44:14,362
that would lead you to believe that
817
00:44:14,362 --> 00:44:15,695
that's correct also?
818
00:44:15,695 --> 00:44:17,782
Nothing that I could talk about on camera.
819
00:44:19,282 --> 00:44:22,119
Gibney: Well, can I ask why?
820
00:44:22,119 --> 00:44:23,954
No.
821
00:44:23,954 --> 00:44:25,623
Well, you can, but I won't answer.
822
00:44:28,083 --> 00:44:30,378
Gibney: But even in the case of nation-states,
823
00:44:30,378 --> 00:44:31,878
I mean, one of the concerns is...
824
00:44:31,878 --> 00:44:34,005
Gibney: This was beginning to really piss me off.
825
00:44:34,465 --> 00:44:37,802
Even civilians with an interest in telling the Stuxnet story
826
00:44:37,802 --> 00:44:40,721
were refusing to address the role of Tel Aviv
827
00:44:40,721 --> 00:44:43,974
and Washington. But luckily for me,
828
00:44:44,224 --> 00:44:46,059
while D.C. is a city of secrets,
829
00:44:46,393 --> 00:44:48,144
it is also a city of leaks.
830
00:44:48,646 --> 00:44:50,356
They're as regular as a heartbeat
831
00:44:50,356 --> 00:44:52,065
and just as hard to stop.
832
00:44:53,067 --> 00:44:54,652
That's what I was counting on.
833
00:44:59,824 --> 00:45:03,369
Finally, after speaking to a number of people on background,
834
00:45:03,369 --> 00:45:05,954
I did find a way of confirming, on the record,
835
00:45:05,954 --> 00:45:07,831
the American role in Stuxnet.
836
00:45:08,791 --> 00:45:10,918
In exchange for details of the operation,
837
00:45:10,918 --> 00:45:13,003
I had to agree to find a way
838
00:45:13,003 --> 00:45:15,297
to disguise the source of the information.
839
00:45:15,297 --> 00:45:17,048
- Gibney: We're good? - Man: We're on.
840
00:45:18,634 --> 00:45:20,302
Gibney: So the first question I have to ask you
841
00:45:20,302 --> 00:45:21,679
is about secrecy.
842
00:45:22,179 --> 00:45:25,266
I mean, at this point, everyone knows about Stuxnet.
843
00:45:25,266 --> 00:45:26,934
Why can't we talk about it?
844
00:45:27,434 --> 00:45:28,811
It's a covert operation.
845
00:45:28,811 --> 00:45:30,605
Gibney: Not anymore.
846
00:45:30,605 --> 00:45:32,898
I mean, we know what happened, we know who did it.
847
00:45:33,148 --> 00:45:35,860
Well, maybe you don't know as much as you think you know.
848
00:45:36,652 --> 00:45:39,237
Gibney: Well, I'm talking to you because I want to
849
00:45:39,237 --> 00:45:40,614
get the story right.
850
00:45:40,614 --> 00:45:42,365
Well, that's the same reason I'm talking to you.
851
00:45:44,827 --> 00:45:46,621
Gibney: Even though it's a covert operation?
852
00:45:47,663 --> 00:45:51,500
Look, this is not a Snowden kind of thing, okay?
853
00:45:51,500 --> 00:45:52,835
I think what he did was wrong.
854
00:45:52,835 --> 00:45:55,963
He went too far. He gave away too much.
855
00:45:56,463 --> 00:45:58,465
Unlike Snowden, who was a contractor,
856
00:45:58,465 --> 00:46:00,259
I was in NSA.
857
00:46:00,885 --> 00:46:03,054
I believe in the agency, so what I'm willing to give you
858
00:46:03,054 --> 00:46:04,722
will be limited, but we're talking
859
00:46:04,722 --> 00:46:06,556
because everyone's getting the story wrong
860
00:46:06,556 --> 00:46:08,141
and we have to get it right.
861
00:46:08,141 --> 00:46:09,893
We have to understand these new weapons.
862
00:46:09,893 --> 00:46:11,186
The stakes are too high.
863
00:46:11,186 --> 00:46:12,480
Gibney: What do you mean?
864
00:46:14,606 --> 00:46:16,567
We did Stuxnet.
865
00:46:17,777 --> 00:46:18,902
It's a fact.
866
00:46:18,902 --> 00:46:22,657
You know, we came so fucking close to disaster,
867
00:46:22,657 --> 00:46:24,324
and we're still on the edge.
868
00:46:25,867 --> 00:46:30,914
It was a huge multinational, interagency operation.
869
00:46:32,208 --> 00:46:34,918
In the U.S. it was CIA,
870
00:46:35,378 --> 00:46:38,838
NSA, and the military cyber command.
871
00:46:39,340 --> 00:46:43,010
From britain, we used Iran intel out of gchq,
872
00:46:43,594 --> 00:46:45,429
but the main partner was Israel.
873
00:46:45,429 --> 00:46:46,931
Over there, Mossad ran the show,
874
00:46:46,931 --> 00:46:49,684
and the technical work was done by unit 8200.
875
00:46:50,601 --> 00:46:53,603
Israel is really the key to the story.
876
00:46:58,067 --> 00:47:01,112
Melman: Oh, traffic in Israel is so unpredictable.
877
00:47:03,239 --> 00:47:06,282
Gibney: Yossi, how did you get into this whole stuxnet story?
878
00:47:07,451 --> 00:47:10,496
I have been covering the Israeli intelligence
879
00:47:10,496 --> 00:47:12,789
in general, in the Mossad in particular
880
00:47:12,789 --> 00:47:16,168
for nearly 30 years.
881
00:47:16,585 --> 00:47:19,630
In '82, I was a London-based correspondent
882
00:47:19,630 --> 00:47:23,092
and I covered a trial of terrorists,
883
00:47:23,092 --> 00:47:27,387
and I became more familiar with this topic of terrorism,
884
00:47:27,387 --> 00:47:31,559
and slowly but surely, I started covering it as a beat.
885
00:47:34,436 --> 00:47:37,481
Israel, we live in a very rough neighborhood
886
00:47:37,481 --> 00:47:39,858
where the... The Democratic values,
887
00:47:39,858 --> 00:47:43,153
western values, are very rare.
888
00:47:43,570 --> 00:47:47,490
But Israel pretends to be a free, Democratic,
889
00:47:47,490 --> 00:47:49,534
westernized society,
890
00:47:49,994 --> 00:47:53,329
posh neighborhoods, rich people,
891
00:47:53,496 --> 00:47:56,500
youngsters who are having
892
00:47:56,500 --> 00:47:59,503
almost similar mind-set to their American
893
00:47:59,503 --> 00:48:01,755
or western European counterparts.
894
00:48:01,755 --> 00:48:04,507
On the other hand, you see a lot of scenes
895
00:48:04,507 --> 00:48:08,679
and events which resemble the real middle east,
896
00:48:08,679 --> 00:48:14,476
terror attacks, radicals, fanatics, religious zealots.
897
00:48:18,856 --> 00:48:21,942
I knew that Israel is trying to slow down
898
00:48:21,942 --> 00:48:23,610
Iran's nuclear program,
899
00:48:23,610 --> 00:48:26,362
and therefore, I came to the conclusion that
900
00:48:26,362 --> 00:48:29,532
if there was a virus infecting Iran's computers,
901
00:48:29,532 --> 00:48:35,371
it's... it's one more element in... in this larger picture
902
00:48:36,039 --> 00:48:38,501
based on past precedents.
903
00:48:43,088 --> 00:48:46,759
Yadlin: 1981 I was an f-16 pilot,
904
00:48:47,175 --> 00:48:50,679
and we were told that, unlike our dream
905
00:48:50,679 --> 00:48:54,099
to do dogfights and to kill migs,
906
00:48:54,682 --> 00:48:58,311
we have to be prepared for a long-range mission
907
00:48:58,978 --> 00:49:01,606
to destroy a valuable target.
908
00:49:02,398 --> 00:49:04,110
Nobody told us what is
909
00:49:04,110 --> 00:49:06,487
this very valuable strategic target.
910
00:49:07,487 --> 00:49:10,657
It was 600 miles from Israel.
911
00:49:12,034 --> 00:49:15,496
So we train our self to do the job,
912
00:49:15,496 --> 00:49:19,333
which was very difficult. No air refueling at that time.
913
00:49:19,750 --> 00:49:21,793
No satellites for reconnaissance.
914
00:49:23,753 --> 00:49:26,132
Fuel was on the limit.
915
00:49:26,715 --> 00:49:29,009
Pilot: What? Whoa! Whoa!
916
00:49:31,929 --> 00:49:33,347
Yadlin: At the end of the day,
917
00:49:34,097 --> 00:49:35,807
we accomplished the mission.
918
00:49:36,307 --> 00:49:37,601
Gibney: Which was?
919
00:49:38,059 --> 00:49:40,980
Yadlin: To destroy the Iraqi nuclear reactor
920
00:49:40,980 --> 00:49:44,775
near Baghdad, which was called osirak.
921
00:49:45,025 --> 00:49:51,072
And Iraq never was able to accomplish
922
00:49:51,072 --> 00:49:53,659
its ambition to have a nuclear bomb.
923
00:49:55,619 --> 00:49:58,246
Melman: Amos yadlin, general yadlin,
924
00:49:58,246 --> 00:50:01,041
he was the head of the military intelligence.
925
00:50:01,458 --> 00:50:04,920
The biggest unit within that organization
926
00:50:04,920 --> 00:50:06,713
was unit 8200.
927
00:50:07,422 --> 00:50:09,800
They'd block telephones, they'd block faxes,
928
00:50:09,800 --> 00:50:11,969
they're breaking into computers.
929
00:50:14,304 --> 00:50:16,639
A decade ago, when yadlin became
930
00:50:16,639 --> 00:50:18,559
the chief of military intelligence,
931
00:50:19,059 --> 00:50:23,563
there was no cyber warfare unit in 8200.
932
00:50:26,483 --> 00:50:30,278
So they started recruiting very talented people,
933
00:50:30,278 --> 00:50:32,822
hackers either from the military
934
00:50:32,822 --> 00:50:35,409
or outside the military that can contribute
935
00:50:35,409 --> 00:50:38,579
to the project of building a cyber warfare unit.
936
00:50:41,331 --> 00:50:45,835
Yadlin: In the 19th century, there were only army and Navy.
937
00:50:45,835 --> 00:50:49,632
In the 20th century, we got air power
938
00:50:49,632 --> 00:50:51,342
as a third dimension of war.
939
00:50:52,009 --> 00:50:53,969
In the 21st century,
940
00:50:53,969 --> 00:50:57,514
cyber will be the fourth dimension of war.
941
00:50:58,474 --> 00:51:00,016
It's another kind of weapon
942
00:51:00,016 --> 00:51:04,605
and it is for unlimited range in a very high speed
943
00:51:05,021 --> 00:51:07,148
and in a very low signature.
944
00:51:07,148 --> 00:51:09,693
So this give you a huge opportunity...
945
00:51:10,777 --> 00:51:14,030
And the superpowers have to change
946
00:51:14,030 --> 00:51:16,115
the way we think about warfare.
947
00:51:18,369 --> 00:51:20,371
Finally we are transforming our military
948
00:51:20,371 --> 00:51:23,039
for a new kind of war that we're fighting now...
949
00:51:24,541 --> 00:51:25,960
And for wars of tomorrow.
950
00:51:27,293 --> 00:51:29,380
We have made our military better trained,
951
00:51:29,380 --> 00:51:32,298
better equipped, and better prepared
952
00:51:32,298 --> 00:51:35,052
to meet the threats facing America today
953
00:51:35,052 --> 00:51:37,304
and tomorrow and long in the future.
954
00:51:41,099 --> 00:51:43,726
Sanger: Back in the end of the bush administration,
955
00:51:43,726 --> 00:51:45,646
people within the U.S. government
956
00:51:45,646 --> 00:51:48,856
were just beginning to convince president bush
957
00:51:48,856 --> 00:51:51,735
to pour money into offensive cyber weapons.
958
00:51:52,735 --> 00:51:55,739
Stuxnet started off in the defense department.
959
00:51:56,447 --> 00:51:58,742
Then Robert gates, secretary of defense,
960
00:51:59,201 --> 00:52:01,369
reviewed this program and he said,
961
00:52:01,369 --> 00:52:03,579
"this program shouldn't be in the defense department.
962
00:52:03,579 --> 00:52:06,083
This should really be under the covert authorities
963
00:52:06,083 --> 00:52:07,918
over in the intelligence world."
964
00:52:08,876 --> 00:52:12,005
So the CIA was very deeply involved
965
00:52:12,005 --> 00:52:13,465
in this operation,
966
00:52:13,798 --> 00:52:16,427
while much of the coding work was done
967
00:52:16,427 --> 00:52:18,804
by the national security agency
968
00:52:19,012 --> 00:52:22,099
and unit 8200, its Israeli equivalent,
969
00:52:22,099 --> 00:52:25,936
working together with a newly created military position
970
00:52:25,936 --> 00:52:28,271
called U.S. cyber command.
971
00:52:29,063 --> 00:52:33,277
And interestingly, the director of the national security agency
972
00:52:33,277 --> 00:52:35,862
would also have a second role
973
00:52:35,862 --> 00:52:39,615
as the commander of U.S. cyber command.
974
00:52:40,074 --> 00:52:43,746
And U.S. cyber command is located
975
00:52:43,746 --> 00:52:47,623
at fort Meade in the same building as the NSA.
976
00:52:51,836 --> 00:52:53,838
Col. Gary d. Brown: I was deployed for a year
977
00:52:54,130 --> 00:52:57,300
giving advice on air operations in Iraq and Afghanistan,
978
00:52:57,300 --> 00:53:00,137
and when I was returning home after that,
979
00:53:00,137 --> 00:53:02,139
the assignment I was given was to go
980
00:53:02,139 --> 00:53:03,556
to U.S. cyber command.
981
00:53:04,724 --> 00:53:06,309
Cyber command is a...
982
00:53:06,601 --> 00:53:09,980
Is the military command that's responsible for
983
00:53:09,980 --> 00:53:12,983
essentially the conducting of the nation's military affairs
984
00:53:12,983 --> 00:53:14,400
in cyberspace.
985
00:53:14,902 --> 00:53:17,320
The stated reason the United States
986
00:53:17,320 --> 00:53:19,489
decided it needed a cyber command
987
00:53:19,489 --> 00:53:22,659
was because of an event called operation buckshot yankee.
988
00:53:23,159 --> 00:53:24,744
Chris inglis: In the fall of 2008,
989
00:53:24,744 --> 00:53:27,581
we found some adversaries inside
990
00:53:27,581 --> 00:53:29,208
of our classified networks.
991
00:53:30,125 --> 00:53:31,668
While it wasn't completely true
992
00:53:31,668 --> 00:53:34,295
that we always assumed that we were successful
993
00:53:34,295 --> 00:53:36,047
at defending things at the barrier,
994
00:53:36,047 --> 00:53:38,217
at the... at the kind of perimeter that we might have
995
00:53:38,217 --> 00:53:40,219
between our networks and the outside world,
996
00:53:40,219 --> 00:53:42,262
there was a large confidence
997
00:53:42,262 --> 00:53:44,431
that we'd been mostly successful.
998
00:53:44,764 --> 00:53:46,349
But that was a moment in time when we came to
999
00:53:46,349 --> 00:53:49,894
the quick conclusion that it... It's not really ever secure.
1000
00:53:50,771 --> 00:53:53,481
That then accelerated the department of defense's
1001
00:53:53,481 --> 00:53:55,067
progress towards what ultimately
1002
00:53:55,067 --> 00:53:56,193
became cyber command.
1003
00:53:59,487 --> 00:54:00,697
Good morning.
1004
00:54:01,989 --> 00:54:03,199
Good morning.
1005
00:54:03,367 --> 00:54:05,411
Good morning, sir. Cyber has one item for you today.
1006
00:54:05,869 --> 00:54:07,579
Earlier this week, antok analysts
1007
00:54:07,579 --> 00:54:09,873
detected a foreign adversary using known methods
1008
00:54:09,873 --> 00:54:11,708
to access the U.S. military network.
1009
00:54:12,208 --> 00:54:13,793
We identified the malicious activity
1010
00:54:13,793 --> 00:54:15,711
via data collected through our information assurance
1011
00:54:15,711 --> 00:54:17,255
and signals from intelligence authorities
1012
00:54:17,255 --> 00:54:19,382
and confirmed it was a cyber adversary.
1013
00:54:19,382 --> 00:54:22,052
We provided data to our cyber partners within the dod...
1014
00:54:22,052 --> 00:54:24,346
You think of NSA as an institution
1015
00:54:24,346 --> 00:54:27,224
that essentially uses its abilities in cyberspace
1016
00:54:27,599 --> 00:54:29,976
to help defend communications in that space.
1017
00:54:30,309 --> 00:54:32,228
Cyber command extends that capability
1018
00:54:32,228 --> 00:54:35,606
by saying that they will then take responsibility to attack.
1019
00:54:37,108 --> 00:54:40,070
Hayden: NSA has no legal authority to attack.
1020
00:54:40,070 --> 00:54:42,322
It's never had it, I doubt that it ever will.
1021
00:54:42,822 --> 00:54:44,907
It might explain why U.S. cyber command
1022
00:54:44,907 --> 00:54:46,617
is sitting out at fort Meade on top of
1023
00:54:46,617 --> 00:54:48,327
the national security agency,
1024
00:54:48,327 --> 00:54:51,081
because NSA has the abilities to do these things.
1025
00:54:51,414 --> 00:54:54,208
Cyber command has the authority to do these things.
1026
00:54:54,208 --> 00:54:57,420
And "these things" here refer to the cyber-attack.
1027
00:54:57,420 --> 00:54:59,465
This is a huge change
1028
00:55:00,090 --> 00:55:03,760
for the nature of the intelligence agencies.
1029
00:55:04,219 --> 00:55:07,014
The NSA was supposed to be a code-making
1030
00:55:07,014 --> 00:55:09,391
and code-breaking operation
1031
00:55:09,391 --> 00:55:13,561
to monitor the communications of foreign powers
1032
00:55:13,561 --> 00:55:14,980
and American adversaries
1033
00:55:14,980 --> 00:55:17,273
in the defense of the United States.
1034
00:55:17,773 --> 00:55:21,320
But creating a cyber command meant using
1035
00:55:21,320 --> 00:55:24,322
the same technology to do offense.
1036
00:55:26,449 --> 00:55:30,454
Once you get inside an adversary's computer networks,
1037
00:55:30,454 --> 00:55:33,289
you put an implant in that network.
1038
00:55:33,539 --> 00:55:36,168
And we have tens of thousands of foreign computers
1039
00:55:36,168 --> 00:55:38,878
and networks that the United States put implants in.
1040
00:55:39,630 --> 00:55:42,632
You can use it to monitor what's going across
1041
00:55:42,632 --> 00:55:44,675
that network and you can use it
1042
00:55:44,675 --> 00:55:47,887
to insert cyber weapons, malware.
1043
00:55:48,972 --> 00:55:52,184
If you can spy on a network, you can manipulate it.
1044
00:55:52,893 --> 00:55:54,644
It's already included.
1045
00:55:54,811 --> 00:55:57,188
The only thing you need is an act of will.
1046
00:56:01,150 --> 00:56:02,985
NSA source: I played a role in Iraq.
1047
00:56:02,985 --> 00:56:05,322
I can't tell you whether it was military or not,
1048
00:56:05,322 --> 00:56:06,949
but I can tell you
1049
00:56:06,949 --> 00:56:09,284
NSA had combat support teams in country.
1050
00:56:10,827 --> 00:56:13,496
And for the first time, units in the field
1051
00:56:13,496 --> 00:56:15,873
had direct access to NSA intel.
1052
00:56:18,460 --> 00:56:20,336
Over time, we thought more about offense
1053
00:56:20,336 --> 00:56:21,797
than defense, you know,
1054
00:56:21,797 --> 00:56:23,548
more about attacking than intelligence.
1055
00:56:24,840 --> 00:56:27,885
In the old days, sigint units would try to track radios,
1056
00:56:27,885 --> 00:56:30,137
but through NSA in Iraq,
1057
00:56:30,137 --> 00:56:32,181
we had access to all the networks
1058
00:56:32,181 --> 00:56:33,684
going in and out of the country.
1059
00:56:33,684 --> 00:56:35,768
And we hoovered up every text message,
1060
00:56:35,768 --> 00:56:37,271
email, and phone call.
1061
00:56:37,813 --> 00:56:40,190
A complete surveillance state.
1062
00:56:41,108 --> 00:56:45,195
We could find the bad guys, say, a gang making ieds,
1063
00:56:45,195 --> 00:56:48,699
map their networks, and follow them in real time.
1064
00:56:48,699 --> 00:56:50,032
Soldier: Roger.
1065
00:56:50,032 --> 00:56:51,827
NSA source: And we could lock into cell phones
1066
00:56:51,827 --> 00:56:53,869
even when they were off and send a fake text
1067
00:56:53,869 --> 00:56:56,331
from a friend, suggest a meeting place,
1068
00:56:56,331 --> 00:56:58,208
and then capture...
1069
00:56:58,208 --> 00:56:59,543
Soldier: 1A, clear to fire.
1070
00:57:00,043 --> 00:57:01,335
...or kill.
1071
00:57:01,335 --> 00:57:02,420
Soldier: Good shot.
1072
00:57:05,465 --> 00:57:07,759
Brown: A lot of the people that came to cyber command,
1073
00:57:07,759 --> 00:57:09,552
the military guys, came directly from
1074
00:57:09,552 --> 00:57:11,597
an assignment in Afghanistan or Iraq,
1075
00:57:11,597 --> 00:57:14,141
'cause those are the people with experience
1076
00:57:14,141 --> 00:57:16,059
and expertise in operations,
1077
00:57:16,059 --> 00:57:18,019
and those are the ones you want looking at this
1078
00:57:18,019 --> 00:57:20,063
to see how cyber could facilitate
1079
00:57:20,063 --> 00:57:22,273
traditional military operations.
1080
00:57:33,994 --> 00:57:35,829
NSA source: Fresh from the surge,
1081
00:57:35,829 --> 00:57:40,333
I went to work at NSA in '07 in a supervisory capacity.
1082
00:57:40,333 --> 00:57:42,501
Gibney: Exactly where did you work?
1083
00:57:42,501 --> 00:57:43,836
NSA source: Fort Meade.
1084
00:57:43,836 --> 00:57:45,588
You know, I commuted to that massive complex
1085
00:57:45,588 --> 00:57:47,007
every single day.
1086
00:57:48,342 --> 00:57:52,637
I was in tao-s321, "the roc."
1087
00:57:53,221 --> 00:57:55,264
Gibney: Okay, the tao, the roc?
1088
00:57:55,431 --> 00:57:58,684
Right, sorry. Tao is tailored access operations.
1089
00:57:58,684 --> 00:58:00,728
It's where NSA's hackers work.
1090
00:58:00,728 --> 00:58:02,481
Of course, we didn't call them that.
1091
00:58:02,773 --> 00:58:04,106
Gibney: What did you call them?
1092
00:58:04,273 --> 00:58:05,608
NSA source: On net operators.
1093
00:58:05,942 --> 00:58:08,487
They're the only people at NSA allowed to break in
1094
00:58:08,487 --> 00:58:09,987
or attack on the Internet.
1095
00:58:10,989 --> 00:58:13,074
Inside tao headquarters is the roc,
1096
00:58:13,074 --> 00:58:14,659
remote operations center.
1097
00:58:15,452 --> 00:58:18,664
If the U.S. government wants to get in somewhere,
1098
00:58:19,748 --> 00:58:21,123
it goes to the roc.
1099
00:58:21,291 --> 00:58:24,168
I mean, we were flooded with requests.
1100
00:58:24,920 --> 00:58:27,463
So many that we could only do about, mm,
1101
00:58:27,463 --> 00:58:30,634
30% of the missions that were requested of us at one time,
1102
00:58:30,634 --> 00:58:32,260
through the web
1103
00:58:32,260 --> 00:58:35,137
but also by hijacking shipments of parts.
1104
00:58:35,972 --> 00:58:38,016
You know, sometimes the CIA would assist
1105
00:58:38,016 --> 00:58:40,643
in putting implants in machines,
1106
00:58:41,811 --> 00:58:44,563
so once inside a target network,
1107
00:58:45,440 --> 00:58:46,692
we could just...
1108
00:58:47,650 --> 00:58:48,860
Watch...
1109
00:58:50,612 --> 00:58:52,155
Or we could attack.
1110
00:58:55,992 --> 00:58:59,538
Inside NSA was a strange kind of culture,
1111
00:58:59,538 --> 00:59:01,914
like, two parts macho military
1112
00:59:01,914 --> 00:59:06,001
and two parts cyber geek. I mean, I came from Iraq,
1113
00:59:06,001 --> 00:59:07,920
so I was used to, "yes, sir. No, sir."
1114
00:59:07,920 --> 00:59:10,047
But for the weapons programmers
1115
00:59:10,047 --> 00:59:12,592
we needed more "think outside the box" types.
1116
00:59:13,427 --> 00:59:15,177
From cubicle to cubicle,
1117
00:59:15,177 --> 00:59:18,431
you'd see lightsabers, tribbles,
1118
00:59:18,431 --> 00:59:20,599
those naruto action figures,
1119
00:59:20,599 --> 00:59:22,893
lots of aqua teen hunger force.
1120
00:59:25,646 --> 00:59:29,233
This one guy, they were mostly guys,
1121
00:59:30,193 --> 00:59:32,362
who liked to wear a yellow hooded cape,
1122
00:59:32,820 --> 00:59:36,407
he used a ton of gray Legos to build a massive death star.
1123
00:59:39,452 --> 00:59:41,621
Gibney: Were they all working on stuxnet?
1124
00:59:42,204 --> 00:59:44,248
NSA source: We never called it stuxnet.
1125
00:59:44,248 --> 00:59:47,001
That was the name invented by the antivirus guys.
1126
00:59:47,001 --> 00:59:49,003
When it hit the papers,
1127
00:59:49,003 --> 00:59:51,005
we're not allowed to read about classified operations,
1128
00:59:51,005 --> 00:59:52,507
even if it's in the New York times.
1129
00:59:52,507 --> 00:59:54,217
We went out of our way to avoid the term.
1130
00:59:54,217 --> 00:59:56,135
I mean, saying "stuxnet" out loud
1131
00:59:56,135 --> 00:59:58,304
was like saying "Voldemort" in Harry Potter.
1132
00:59:58,304 --> 00:59:59,931
The name that shall not be spoken.
1133
01:00:00,222 --> 01:00:01,724
Gibney: What did you call it then?
1134
01:00:10,233 --> 01:00:13,778
The natanz attack, and this is out there already,
1135
01:00:14,653 --> 01:00:18,617
was called olympic games or og.
1136
01:00:22,161 --> 01:00:24,581
There was a huge operation to test the code
1137
01:00:24,581 --> 01:00:26,958
on plcs here at fort Meade
1138
01:00:27,541 --> 01:00:29,960
and in sandia, new Mexico.
1139
01:00:31,755 --> 01:00:33,172
Remember during the bush era
1140
01:00:33,172 --> 01:00:35,592
when Libya turned over all the centrifuges?
1141
01:00:36,050 --> 01:00:38,219
Those were the same models the iranians got
1142
01:00:38,219 --> 01:00:40,514
from A.Q. Khan. P1's.
1143
01:00:41,931 --> 01:00:44,391
We took them to oak Ridge and used them
1144
01:00:44,391 --> 01:00:47,938
to test the code which demolished the insides.
1145
01:00:48,938 --> 01:00:52,818
At dimona, the Israelis also tested on the p1's.
1146
01:00:54,277 --> 01:00:56,862
Then, partly by using our intel on Iran,
1147
01:00:56,862 --> 01:01:00,115
we got the plans for the newer models, the ir-2's.
1148
01:01:00,951 --> 01:01:03,202
We tried out different attack vectors.
1149
01:01:03,202 --> 01:01:07,498
We ended up focusing on ways to destroy the rotor tubes.
1150
01:01:08,416 --> 01:01:11,836
In the tests we ran, we blew them apart.
1151
01:01:13,338 --> 01:01:15,257
They swept up the pieces,
1152
01:01:15,257 --> 01:01:17,967
they put it on an airplane, they flew it to Washington,
1153
01:01:17,967 --> 01:01:19,677
they stuck it in the truck,
1154
01:01:19,677 --> 01:01:21,637
they drove it through the gates of the white house,
1155
01:01:21,637 --> 01:01:25,766
and dumped the shards out on the conference room table
1156
01:01:25,766 --> 01:01:27,476
in the situation room.
1157
01:01:27,476 --> 01:01:28,978
And then they invited president bush
1158
01:01:28,978 --> 01:01:30,563
to come down and take a look.
1159
01:01:30,563 --> 01:01:32,398
And when he could pick up the shard
1160
01:01:32,398 --> 01:01:34,150
of a piece of centrifuge...
1161
01:01:35,150 --> 01:01:37,362
He was convinced this might be worth it,
1162
01:01:37,653 --> 01:01:39,489
and he said, "go ahead and try."
1163
01:01:40,322 --> 01:01:43,242
Gibney: Was there legal concern inside the bush administration
1164
01:01:43,242 --> 01:01:45,661
that this might be an act of undeclared war?
1165
01:01:46,579 --> 01:01:50,333
If there were concerns, I haven't found them.
1166
01:01:51,626 --> 01:01:54,295
That doesn't mean that they didn't exist
1167
01:01:54,295 --> 01:01:56,297
and that some lawyers somewhere
1168
01:01:56,297 --> 01:01:57,840
weren't concerned about it,
1169
01:01:57,840 --> 01:02:01,219
but this was an entirely new territory.
1170
01:02:01,802 --> 01:02:04,306
At the time, there were really very few people
1171
01:02:04,306 --> 01:02:08,434
who had expertise specifically on the law of war and cyber.
1172
01:02:08,851 --> 01:02:11,103
And basically what we did was looking at, okay,
1173
01:02:11,103 --> 01:02:12,563
here's our broad direction.
1174
01:02:13,148 --> 01:02:15,733
Now, let's look... Technically what can we do
1175
01:02:16,150 --> 01:02:18,027
to facilitate this broad direction?
1176
01:02:18,277 --> 01:02:21,155
After that, maybe the... I would come in
1177
01:02:21,155 --> 01:02:23,699
or one of my lawyers would come in and say,
1178
01:02:23,699 --> 01:02:27,704
"okay, this is what we may do." Okay.
1179
01:02:28,788 --> 01:02:29,873
There are many things we can do,
1180
01:02:29,873 --> 01:02:31,916
but we are not allowed to do them.
1181
01:02:31,916 --> 01:02:34,043
And then after that, there's still a final level
1182
01:02:34,043 --> 01:02:35,920
that we look at and that's, what should we do?
1183
01:02:36,338 --> 01:02:38,297
Because there are many things that would be
1184
01:02:38,297 --> 01:02:41,550
technically possible and technically legal
1185
01:02:41,550 --> 01:02:43,094
but a bad idea.
1186
01:02:43,637 --> 01:02:47,349
For natanz, it was a CIA-led operation,
1187
01:02:47,349 --> 01:02:49,768
so we had to have agency sign-off.
1188
01:02:50,059 --> 01:02:51,268
Gibney: Really?
1189
01:02:51,393 --> 01:02:54,230
Someone from the agency
1190
01:02:55,065 --> 01:02:57,233
stood behind the operator and the analyst
1191
01:02:57,233 --> 01:03:00,152
and gave the order to launch every attack.
1192
01:03:07,744 --> 01:03:09,579
Chien: Before they had even started this attack,
1193
01:03:09,579 --> 01:03:11,831
they put inside of the code the kill date,
1194
01:03:12,164 --> 01:03:13,958
a date at which it would stop operating.
1195
01:03:14,501 --> 01:03:16,628
O'murchu: Cutoff dates, we don't normally see that
1196
01:03:16,628 --> 01:03:18,295
in other threats, and you have to think,
1197
01:03:18,295 --> 01:03:20,172
"well, why is there a cutoff date in there?"
1198
01:03:20,590 --> 01:03:23,050
And when you realize that, well, stuxnet was probably
1199
01:03:23,050 --> 01:03:26,262
written by government and that there are laws
1200
01:03:26,262 --> 01:03:29,099
regarding how you can use this sort of software,
1201
01:03:29,099 --> 01:03:31,768
that there may have been a legal team who said, "no, you...
1202
01:03:31,768 --> 01:03:33,978
You need to have a cutoff date in there,
1203
01:03:33,978 --> 01:03:36,063
and you can only do this and you can only go that far
1204
01:03:36,063 --> 01:03:37,690
and we need to check if this is legal or not."
1205
01:03:39,733 --> 01:03:42,987
That date is a few days before Obama's inauguration.
1206
01:03:44,030 --> 01:03:46,907
So the theory was that this was an operation
1207
01:03:46,907 --> 01:03:49,327
that needed to be stopped at a certain time
1208
01:03:49,327 --> 01:03:51,704
because there was gonna be a handover
1209
01:03:51,704 --> 01:03:54,039
and that more approval was needed.
1210
01:03:57,293 --> 01:03:59,128
Are you prepared to take the oath, senator?
1211
01:03:59,128 --> 01:04:00,380
I am.
1212
01:04:00,755 --> 01:04:02,715
I, Barack Hussein Obama...
1213
01:04:02,715 --> 01:04:04,259
- I, Barack... - Do solemnly swear...
1214
01:04:04,259 --> 01:04:06,844
I, Barack Hussein Obama, do solemnly swear...
1215
01:04:07,052 --> 01:04:10,597
Sanger: Olympic games was reauthorized by president Obama
1216
01:04:10,597 --> 01:04:12,391
in his first year in office, 2009.
1217
01:04:16,896 --> 01:04:18,981
It was fascinating because it was the first year of
1218
01:04:18,981 --> 01:04:20,983
the Obama administration and they would talk to you
1219
01:04:20,983 --> 01:04:23,820
endlessly about cyber defense.
1220
01:04:24,570 --> 01:04:25,739
Obama: We count on computer networks
1221
01:04:25,739 --> 01:04:28,867
to deliver our oil and gas, our power, and our water.
1222
01:04:29,159 --> 01:04:32,411
We rely on them for public transportation
1223
01:04:32,411 --> 01:04:33,996
and air traffic control.
1224
01:04:34,329 --> 01:04:36,458
But just as we failed in the past
1225
01:04:36,458 --> 01:04:38,501
to invest in our physical infrastructure,
1226
01:04:38,793 --> 01:04:41,170
our roads, our Bridges, and rails,
1227
01:04:41,503 --> 01:04:43,172
we failed to invest in the security
1228
01:04:43,172 --> 01:04:45,050
of our digital infrastructure.
1229
01:04:45,257 --> 01:04:47,677
Sanger: He was running east room events
1230
01:04:47,844 --> 01:04:50,597
trying to get people to focus on the need to
1231
01:04:50,597 --> 01:04:52,556
defend cyber networks
1232
01:04:52,556 --> 01:04:54,266
and defend American infrastructure.
1233
01:04:54,641 --> 01:04:58,188
But when you asked questions about the use of
1234
01:04:58,188 --> 01:05:01,775
offensive cyber weapons, everything went dead.
1235
01:05:01,775 --> 01:05:03,525
No cooperation.
1236
01:05:03,525 --> 01:05:05,612
White house wouldn't help, Pentagon wouldn't help,
1237
01:05:05,612 --> 01:05:06,780
NSA wouldn't help.
1238
01:05:07,030 --> 01:05:08,447
Nobody would talk to you about it.
1239
01:05:09,364 --> 01:05:10,992
But when you dug into the budget
1240
01:05:10,992 --> 01:05:14,204
for cyber spending during the Obama administration,
1241
01:05:14,204 --> 01:05:16,164
what you discovered was
1242
01:05:16,164 --> 01:05:19,541
much of it was being spent on offensive cyber weapons.
1243
01:05:21,376 --> 01:05:25,882
You see phrases like "title 10 cno."
1244
01:05:26,298 --> 01:05:29,552
Title 10 means operations for the U.S. military,
1245
01:05:29,844 --> 01:05:34,099
and cno means computer network operations.
1246
01:05:34,807 --> 01:05:36,391
This is considerable evidence
1247
01:05:36,391 --> 01:05:38,978
that stuxnet was just the opening wedge
1248
01:05:39,646 --> 01:05:43,440
of what is a much broader U.S. government effort now
1249
01:05:43,900 --> 01:05:46,902
to develop an entire new class of weapons.
1250
01:05:52,492 --> 01:05:55,244
Chien: Stuxnet wasn't just an evolution.
1251
01:05:55,244 --> 01:05:57,914
It was really a revolution in the threat landscape.
1252
01:05:59,706 --> 01:06:02,668
In the past, the vast majority of threats that we saw
1253
01:06:02,668 --> 01:06:04,670
were always controlled by an operator somewhere.
1254
01:06:04,670 --> 01:06:06,380
They would infect your machines,
1255
01:06:06,380 --> 01:06:08,215
but they would have what's called a callback
1256
01:06:08,215 --> 01:06:09,759
or a command-and-control channel.
1257
01:06:09,925 --> 01:06:12,052
The threats would actually contact the operator
1258
01:06:12,052 --> 01:06:13,429
and say, what do you want me to do next?
1259
01:06:13,429 --> 01:06:15,014
And the operator would send down commands
1260
01:06:15,014 --> 01:06:16,932
and say, maybe, search through this directory,
1261
01:06:16,932 --> 01:06:18,893
find these folders, find these files,
1262
01:06:18,893 --> 01:06:20,728
upload these files to me, spread to this other machine,
1263
01:06:20,728 --> 01:06:22,188
things of that nature.
1264
01:06:22,730 --> 01:06:25,775
But stuxnet couldn't have a command-and-control channel
1265
01:06:26,275 --> 01:06:29,027
because once it got inside in natanz
1266
01:06:29,027 --> 01:06:31,780
it would not have been able to reach back out to the attackers.
1267
01:06:31,780 --> 01:06:34,074
The natanz network is completely air gapped
1268
01:06:34,074 --> 01:06:35,284
from the rest of the Internet.
1269
01:06:35,284 --> 01:06:36,619
It's not connected to the Internet.
1270
01:06:36,619 --> 01:06:38,121
It's its own isolated network.
1271
01:06:38,121 --> 01:06:39,873
Generally, getting across an air gap is...
1272
01:06:39,873 --> 01:06:41,498
Is one of the more difficult challenges
1273
01:06:41,498 --> 01:06:43,751
that attackers will face just because of the fact that
1274
01:06:43,751 --> 01:06:46,628
there... everything is in place to prevent that.
1275
01:06:46,628 --> 01:06:49,215
You know, everything, you know, the policies and procedures
1276
01:06:49,215 --> 01:06:51,134
and the physical network that's in place is
1277
01:06:51,134 --> 01:06:54,596
specifically designed to prevent you crossing the air gap.
1278
01:06:54,596 --> 01:06:57,056
But there's no truly air-gapped network
1279
01:06:57,056 --> 01:06:59,309
in these real-world production environments.
1280
01:06:59,309 --> 01:07:01,393
People gotta get new code into natanz.
1281
01:07:01,393 --> 01:07:04,313
People have to get log files off of this network in natanz.
1282
01:07:04,313 --> 01:07:05,773
People have to upgrade equipment.
1283
01:07:05,773 --> 01:07:07,483
People have to upgrade computers.
1284
01:07:07,650 --> 01:07:10,820
This highlights one of the major
1285
01:07:11,320 --> 01:07:14,239
security issues that we have in the field.
1286
01:07:14,239 --> 01:07:17,159
If you think, "well, nobody can attack
1287
01:07:17,159 --> 01:07:19,411
this power plant or this chemical plant
1288
01:07:19,411 --> 01:07:21,164
because it's not connected to the Internet,"
1289
01:07:21,164 --> 01:07:22,998
that's a bizarre illusion.
1290
01:07:26,668 --> 01:07:30,005
NSA source: The first time we introduced the code into natanz
1291
01:07:30,547 --> 01:07:32,342
we used human assets,
1292
01:07:33,217 --> 01:07:36,762
maybe CIA, more likely Mossad,
1293
01:07:36,762 --> 01:07:40,182
but our team was kept in the dark about the trade craft.
1294
01:07:41,099 --> 01:07:43,603
We heard rumors in Moscow,
1295
01:07:43,603 --> 01:07:47,440
an iranian laptop infected by a phony Siemens technician
1296
01:07:47,440 --> 01:07:48,733
with a flash drive...
1297
01:07:50,275 --> 01:07:53,403
A double agent in Iran with access to natanz,
1298
01:07:53,987 --> 01:07:55,697
but I don't really know.
1299
01:07:55,697 --> 01:07:58,409
What we had to focus on was to write the code
1300
01:07:59,034 --> 01:08:02,454
so that, once inside, the worm acted on its own.
1301
01:08:02,664 --> 01:08:05,041
They built in all the code and all the logic
1302
01:08:05,041 --> 01:08:07,835
into the threat to be able to operate all by itself.
1303
01:08:07,835 --> 01:08:10,088
It had the ability to spread by itself.
1304
01:08:10,088 --> 01:08:13,132
It had the ability to figure out, do I have the right PLCs?
1305
01:08:13,132 --> 01:08:16,051
Have I arrived in Natanz? Am I at the target?
1306
01:08:16,051 --> 01:08:17,636
Langner: And when it's on target,
1307
01:08:17,636 --> 01:08:19,805
it executes autonomously.
1308
01:08:20,180 --> 01:08:23,475
That also means you... You cannot call off the attack.
1309
01:08:24,143 --> 01:08:25,895
It was definitely the type of attack
1310
01:08:26,479 --> 01:08:27,980
where someone had decided
1311
01:08:28,689 --> 01:08:30,483
that this is what they wanted to do.
1312
01:08:31,024 --> 01:08:33,819
There was no turning back once Stuxnet was released.
1313
01:08:39,033 --> 01:08:41,159
When it began to actually execute its payload,
1314
01:08:41,159 --> 01:08:43,412
you would have a whole bunch of centrifuges
1315
01:08:43,412 --> 01:08:46,541
in a huge array of cascades sitting in a big hall.
1316
01:08:46,541 --> 01:08:48,751
And then just off that hall
1317
01:08:48,751 --> 01:08:50,545
you would have an operators room,
1318
01:08:50,545 --> 01:08:52,421
the control panels in front of them, a big window
1319
01:08:52,421 --> 01:08:53,840
where they could see into the hall.
1320
01:08:54,423 --> 01:08:56,591
Computers monitor the activities
1321
01:08:56,591 --> 01:08:57,969
of all these centrifuges.
1322
01:08:58,845 --> 01:09:02,931
So a centrifuge, it's driven by an electrical motor.
1323
01:09:03,515 --> 01:09:06,435
And the speed of this electrical motor
1324
01:09:06,435 --> 01:09:09,646
is controlled by another PLC,
1325
01:09:09,646 --> 01:09:11,315
by another programmable logic controller.
1326
01:09:13,525 --> 01:09:17,238
Chien: Stuxnet would wait for 13 days
1327
01:09:17,238 --> 01:09:18,530
before doing anything,
1328
01:09:18,530 --> 01:09:20,658
because 13 days is about the time it takes
1329
01:09:20,658 --> 01:09:23,618
to actually fill an entire cascade of centrifuges
1330
01:09:23,618 --> 01:09:25,121
with uranium.
1331
01:09:25,454 --> 01:09:28,291
They didn't want to attack when the centrifuges essentially
1332
01:09:28,291 --> 01:09:30,667
were empty or at the beginning of the enrichment process.
1333
01:09:31,918 --> 01:09:34,296
What Stuxnet did was it actually would sit there
1334
01:09:34,296 --> 01:09:37,007
during the 13 days and basically record
1335
01:09:37,007 --> 01:09:38,967
all of the normal activities
1336
01:09:38,967 --> 01:09:40,511
that were happening and save it.
1337
01:09:41,304 --> 01:09:43,639
And once they saw them spinning for 13 days,
1338
01:09:43,639 --> 01:09:45,307
then the attack occurred.
1339
01:09:46,059 --> 01:09:48,310
Centrifuges spin at incredible speeds,
1340
01:09:48,310 --> 01:09:50,270
about 1,000 hertz.
1341
01:09:50,270 --> 01:09:52,648
Langner: They have a safe operating speed,
1342
01:09:52,648 --> 01:09:55,484
63,000 revolutions per minute.
1343
01:09:55,777 --> 01:09:58,320
Chien: Stuxnet caused the uranium enrichment centrifuges
1344
01:09:58,320 --> 01:10:00,655
to spin up to 1,400 hertz.
1345
01:10:00,655 --> 01:10:03,368
Langner: Up to 80,000 revolutions per minute.
1346
01:10:06,828 --> 01:10:09,289
What would happen was those centrifuges
1347
01:10:09,289 --> 01:10:11,542
would go through what's called a resonance frequency.
1348
01:10:12,085 --> 01:10:14,337
It would go through a frequency at which the metal would
1349
01:10:14,337 --> 01:10:16,171
basically vibrate uncontrollably
1350
01:10:16,171 --> 01:10:17,506
and essentially shatter.
1351
01:10:17,672 --> 01:10:19,841
There'd be uranium gas everywhere.
1352
01:10:21,010 --> 01:10:22,886
And then the second attack they attempted
1353
01:10:22,886 --> 01:10:25,180
was they actually tried to lower it to two hertz.
1354
01:10:25,180 --> 01:10:28,850
They were slowed down to almost standstill.
1355
01:10:29,644 --> 01:10:32,188
Chien: And at two hertz, sort of an opposite effect occurs.
1356
01:10:32,188 --> 01:10:34,439
You can imagine a toy top that you spin
1357
01:10:34,439 --> 01:10:37,359
and as the top begins to slow down, it begins to wobble.
1358
01:10:37,359 --> 01:10:39,362
That's what would happen to these centrifuges.
1359
01:10:39,362 --> 01:10:41,363
They'd begin to wobble and essentially shatter
1360
01:10:41,363 --> 01:10:42,614
and fall apart.
1361
01:10:46,368 --> 01:10:49,247
And instead of sending back to the computer
1362
01:10:49,247 --> 01:10:50,872
what was really happening, it would send back
1363
01:10:50,872 --> 01:10:52,833
that old data that it had recorded.
1364
01:10:52,833 --> 01:10:54,627
So the computer's sitting there thinking,
1365
01:10:54,627 --> 01:10:56,337
"yep, running at 1,000 hertz, everything is fine.
1366
01:10:56,337 --> 01:10:58,256
Running at 1,000 hertz, everything is fine."
1367
01:10:58,256 --> 01:11:01,050
But those centrifuges are potentially spinning up wildly,
1368
01:11:01,050 --> 01:11:02,885
a huge noise would occur.
1369
01:11:02,885 --> 01:11:04,886
It'd be like, you know, a jet engine.
1370
01:11:08,390 --> 01:11:10,016
So the operators then would know, "whoa,
1371
01:11:10,016 --> 01:11:11,644
something is going wrong here."
1372
01:11:11,644 --> 01:11:13,563
They might look at their monitors and say, "hmm,
1373
01:11:13,563 --> 01:11:16,064
it says it's 1,000 hertz," but they would hear that in the room
1374
01:11:16,064 --> 01:11:17,859
something gravely bad was happening.
1375
01:11:17,859 --> 01:11:21,237
Not only are the operators fooled into thinking
1376
01:11:21,237 --> 01:11:23,029
everything's normal,
1377
01:11:23,029 --> 01:11:27,368
but also any kind of automated protective logic
1378
01:11:27,368 --> 01:11:29,119
is fooled.
1379
01:11:29,996 --> 01:11:31,913
Chien: You can't just turn these centrifuges off.
1380
01:11:32,206 --> 01:11:34,833
They have to be brought down in a very controlled manner.
1381
01:11:34,833 --> 01:11:37,002
And so they would hit, literally, the big red button
1382
01:11:37,002 --> 01:11:38,587
to initiate a graceful shutdown,
1383
01:11:38,921 --> 01:11:41,047
and Stuxnet intercepts that code.
1384
01:11:41,047 --> 01:11:42,591
So you would have these operators
1385
01:11:42,591 --> 01:11:44,760
slamming on that button over and over again
1386
01:11:44,760 --> 01:11:45,927
and nothing would happen.
1387
01:11:47,220 --> 01:11:50,807
Yadlin: If your cyber weapon is good enough,
1388
01:11:50,807 --> 01:11:53,519
if your enemy is not aware of it,
1389
01:11:53,769 --> 01:11:57,439
it is an ideal weapon, because the enemy
1390
01:11:57,439 --> 01:11:59,484
even don't understand what is happening to it.
1391
01:12:00,067 --> 01:12:02,028
Gibney: Maybe even better if the enemy begins to doubt
1392
01:12:02,028 --> 01:12:04,322
- their own capability. - Absolutely.
1393
01:12:05,030 --> 01:12:07,908
Certainly one must conclude
1394
01:12:07,908 --> 01:12:10,703
that what happened at Natanz
1395
01:12:10,703 --> 01:12:13,122
must have driven the engineers crazy,
1396
01:12:13,122 --> 01:12:15,582
because the worst thing that can happen
1397
01:12:15,582 --> 01:12:19,462
to a maintenance engineer is not being able to figure out
1398
01:12:19,462 --> 01:12:22,297
what the cause of specific trouble is.
1399
01:12:22,297 --> 01:12:25,635
So they must have been analyzing themselves to death.
1400
01:12:28,386 --> 01:12:31,181
Heinonen: You know, you see centrifuges blowing up.
1401
01:12:31,556 --> 01:12:35,353
You look the computer screens, they go with the proper speed.
1402
01:12:35,728 --> 01:12:39,398
There's a proper gas pressure. Everything looks beautiful.
1403
01:12:41,984 --> 01:12:45,154
Sanger: Through 2009 it was going pretty smoothly.
1404
01:12:45,154 --> 01:12:46,988
Centrifuges were blowing up.
1405
01:12:46,988 --> 01:12:49,658
The International Atomic Energy Agency inspectors
1406
01:12:49,658 --> 01:12:52,161
would go in to Natanz and they would see that
1407
01:12:52,161 --> 01:12:55,038
whole sections of the centrifuges had been removed.
1408
01:12:56,289 --> 01:12:59,377
The United States knew from its intelligence channels
1409
01:12:59,377 --> 01:13:02,837
that some Iranian scientists and engineers
1410
01:13:02,837 --> 01:13:06,634
were being fired because the centrifuges were blowing up
1411
01:13:06,634 --> 01:13:09,761
and the Iranians had assumed that this was because
1412
01:13:09,761 --> 01:13:13,265
they had been making errors or manufacturing mistakes.
1413
01:13:13,265 --> 01:13:14,891
Clearly this was somebody's fault.
1414
01:13:16,018 --> 01:13:18,020
So the program was doing
1415
01:13:18,020 --> 01:13:19,854
exactly what it was supposed to be doing,
1416
01:13:20,189 --> 01:13:22,942
which was it was blowing up centrifuges
1417
01:13:23,192 --> 01:13:25,027
and it was leaving no trace
1418
01:13:25,694 --> 01:13:27,779
and leaving the Iranians to wonder
1419
01:13:28,238 --> 01:13:29,573
what they got hit by.
1420
01:13:30,032 --> 01:13:32,702
This was the brilliance of Olympic Games.
1421
01:13:32,993 --> 01:13:34,703
You know, as a former director of a couple of big
1422
01:13:34,703 --> 01:13:35,954
3-letter agencies,
1423
01:13:36,329 --> 01:13:38,748
slowing down 1,000 centrifuges in Natanz...
1424
01:13:39,625 --> 01:13:40,960
Abnormally good.
1425
01:13:40,960 --> 01:13:43,587
There was a need for... for... For buying time.
1426
01:13:43,587 --> 01:13:46,215
There was a need for slowing them down.
1427
01:13:46,215 --> 01:13:48,134
There was the need to try to push them
1428
01:13:48,134 --> 01:13:49,510
to the negotiating table.
1429
01:13:49,510 --> 01:13:51,804
I mean, there are a lot of variables at play here.
1430
01:13:56,141 --> 01:13:59,770
Sanger: President Obama would
go down into the situation room,
1431
01:14:00,229 --> 01:14:03,481
and he would have laid out in front of him
1432
01:14:03,481 --> 01:14:05,150
what they called the horse blanket,
1433
01:14:05,150 --> 01:14:07,360
which was a giant schematic
1434
01:14:07,360 --> 01:14:10,823
of the Natanz nuclear enrichment plant.
1435
01:14:11,407 --> 01:14:14,493
And the designers of Olympic Games
1436
01:14:14,493 --> 01:14:17,662
would describe to him what kind of progress they made
1437
01:14:17,662 --> 01:14:19,957
and look for him for the authorization
1438
01:14:19,957 --> 01:14:22,167
to move on ahead to the next attack.
1439
01:14:24,002 --> 01:14:26,046
And at one point during those discussions,
1440
01:14:26,046 --> 01:14:27,797
he said to a number of his aides,
1441
01:14:27,797 --> 01:14:29,382
"you know, I have some concerns
1442
01:14:29,382 --> 01:14:31,844
because once word of this gets out,"
1443
01:14:31,844 --> 01:14:33,511
and eventually he knew it would get out,
1444
01:14:33,511 --> 01:14:35,514
"the Chinese may use it as an excuse
1445
01:14:35,514 --> 01:14:38,850
for their attacks on us. The Russians might or others."
1446
01:14:39,393 --> 01:14:42,438
So he clearly had some misgivings,
1447
01:14:43,064 --> 01:14:44,856
but they weren't big enough to stop him
1448
01:14:44,856 --> 01:14:46,274
from going ahead with the program.
1449
01:14:47,443 --> 01:14:50,613
And then in 2010,
1450
01:14:50,988 --> 01:14:54,199
a decision was made to change the code.
1451
01:15:00,038 --> 01:15:01,498
Our human assets
1452
01:15:02,123 --> 01:15:05,586
weren't always able to get code updates into Natanz
1453
01:15:05,586 --> 01:15:07,712
and we weren't told exactly why,
1454
01:15:08,296 --> 01:15:12,301
but we were told we had to have a cyber solution
1455
01:15:12,301 --> 01:15:13,802
for delivering the code.
1456
01:15:14,261 --> 01:15:16,805
But the delivery systems were tricky.
1457
01:15:17,139 --> 01:15:19,809
If they weren't aggressive enough, they wouldn't get in.
1458
01:15:20,100 --> 01:15:22,478
If they were too aggressive, they could spread
1459
01:15:22,895 --> 01:15:24,145
and be discovered.
1460
01:15:26,148 --> 01:15:27,899
Chien: When we got the first sample,
1461
01:15:27,899 --> 01:15:30,235
there was some configuration information inside of it.
1462
01:15:30,235 --> 01:15:33,447
And one of the pieces in there was a version number, 1.1
1463
01:15:34,489 --> 01:15:35,783
and that made us realize,
1464
01:15:35,783 --> 01:15:37,993
well, look, this likely isn't the only copy.
1465
01:15:37,993 --> 01:15:40,246
We went back through our databases looking for
1466
01:15:40,246 --> 01:15:42,707
anything that looks similar to Stuxnet.
1467
01:15:44,457 --> 01:15:46,167
Chien: As we began to collect more samples,
1468
01:15:46,167 --> 01:15:48,045
we found a few earlier versions of Stuxnet.
1469
01:15:49,130 --> 01:15:50,840
O'Murchu: And when we analyzed that code,
1470
01:15:50,840 --> 01:15:53,509
we saw that versions previous to 1.1
1471
01:15:53,509 --> 01:15:55,176
were a lot less aggressive.
1472
01:15:55,636 --> 01:15:57,470
The earlier version of Stuxnet,
1473
01:15:57,470 --> 01:15:59,640
it basically required humans to do a little bit
1474
01:15:59,640 --> 01:16:01,975
of double clicking in order for it to spread
1475
01:16:01,975 --> 01:16:03,519
from one computer to another.
1476
01:16:03,519 --> 01:16:05,770
And, so, what we believe after looking at that code
1477
01:16:05,770 --> 01:16:06,896
is two things,
1478
01:16:07,314 --> 01:16:09,608
one, either they didn't get in to Natanz
1479
01:16:09,608 --> 01:16:10,859
with that earlier version,
1480
01:16:10,859 --> 01:16:12,444
because it simply wasn't aggressive enough,
1481
01:16:12,444 --> 01:16:14,195
wasn't able to jump over that air gap,
1482
01:16:15,155 --> 01:16:17,992
and/or two, that payload as well
1483
01:16:17,992 --> 01:16:21,287
didn't work properly, didn't work to their satisfaction,
1484
01:16:21,578 --> 01:16:23,372
maybe was not explosive enough.
1485
01:16:23,956 --> 01:16:26,207
There were slightly different versions
1486
01:16:26,207 --> 01:16:28,543
which were aimed at different parts
1487
01:16:28,543 --> 01:16:30,171
of the centrifuge cascade.
1488
01:16:30,171 --> 01:16:33,173
Gibney: But the guys at Symantec figured you changed the code
1489
01:16:33,173 --> 01:16:34,966
because the first variations couldn't get in
1490
01:16:34,966 --> 01:16:36,135
and didn't work right.
1491
01:16:36,426 --> 01:16:37,427
Bullshit.
1492
01:16:38,220 --> 01:16:40,472
We always found a way to get across the air gap.
1493
01:16:40,472 --> 01:16:42,766
At TAO, we laughed when people thought they were
1494
01:16:42,766 --> 01:16:44,393
protected by an air gap.
1495
01:16:45,060 --> 01:16:48,104
And for OG, the early versions of the payload did work.
1496
01:16:48,564 --> 01:16:50,356
But what NSA did...
1497
01:16:51,984 --> 01:16:54,779
Was always low-key and subtle.
1498
01:16:55,904 --> 01:16:59,158
The problem was that Unit 8200, the Israelis,
1499
01:16:59,158 --> 01:17:01,284
kept pushing us to be more aggressive.
1500
01:17:02,912 --> 01:17:05,581
Chien: The later version of Stuxnet 1.1,
1501
01:17:05,581 --> 01:17:07,707
that version had multiple ways of spreading.
1502
01:17:07,707 --> 01:17:09,918
Had the four zero days inside of it, for example,
1503
01:17:09,918 --> 01:17:11,712
that allowed it to spread all by itself
1504
01:17:11,712 --> 01:17:12,837
without you doing anything.
1505
01:17:12,837 --> 01:17:14,422
It could spread via network shares.
1506
01:17:14,422 --> 01:17:16,341
It could spread via USB keys.
1507
01:17:16,341 --> 01:17:18,761
It was able to spread via network exploits.
1508
01:17:18,761 --> 01:17:20,261
That's the sample that introduced us
1509
01:17:20,261 --> 01:17:22,305
to stolen digital certificates.
1510
01:17:22,305 --> 01:17:24,725
That is the sample that, all of a sudden,
1511
01:17:24,725 --> 01:17:26,894
became so noisy
1512
01:17:26,894 --> 01:17:29,979
and caught the attention of the antivirus guys.
1513
01:17:30,898 --> 01:17:33,525
In the first sample we don't find that.
1514
01:17:34,859 --> 01:17:40,949
And this is very strange, because it tells us that
1515
01:17:40,949 --> 01:17:43,202
in the process of this development
1516
01:17:43,743 --> 01:17:46,287
the attackers were less concerned
1517
01:17:46,287 --> 01:17:48,122
with operational security.
1518
01:17:53,628 --> 01:17:56,172
Chien: Stuxnet actually kept a log inside of itself
1519
01:17:56,881 --> 01:17:59,301
of all the machines that it infected along the way
1520
01:17:59,301 --> 01:18:01,386
as it jumped from one machine to another
1521
01:18:01,386 --> 01:18:02,555
to another to another.
1522
01:18:02,971 --> 01:18:04,974
And we were able to gather up
1523
01:18:04,974 --> 01:18:06,975
all the samples that we could acquire,
1524
01:18:07,141 --> 01:18:10,436
tens of thousands of samples. We extracted all of those logs.
1525
01:18:10,436 --> 01:18:13,148
O'Murchu: We could see the exact path that Stuxnet took.
1526
01:18:15,275 --> 01:18:17,319
Chien: Eventually, we were able to trace back
1527
01:18:17,319 --> 01:18:19,488
this version of Stuxnet to ground zero,
1528
01:18:19,779 --> 01:18:22,323
to the first five infections in the world.
1529
01:18:23,158 --> 01:18:25,994
The first five infections are all outside a Natanz plant,
1530
01:18:26,161 --> 01:18:28,997
all inside of organizations inside of Iran,
1531
01:18:29,747 --> 01:18:32,001
all organizations that are involved in
1532
01:18:32,001 --> 01:18:34,461
industrial control systems and construction
1533
01:18:34,461 --> 01:18:36,087
of industrial control facilities,
1534
01:18:36,337 --> 01:18:39,925
clearly contractors who were working on the Natanz facility.
1535
01:18:39,925 --> 01:18:41,676
And the attackers knew that.
1536
01:18:42,261 --> 01:18:45,014
They were electrical companies. They were piping companies.
1537
01:18:45,014 --> 01:18:46,599
They were, you know, these sorts of companies.
1538
01:18:46,806 --> 01:18:48,434
And they knew... They knew the technicians
1539
01:18:48,434 --> 01:18:50,185
from those companies would visit Natanz.
1540
01:18:50,185 --> 01:18:51,729
So they would infect these companies
1541
01:18:51,936 --> 01:18:54,981
and then technicians would take their computer
1542
01:18:54,981 --> 01:18:56,274
or their laptop or their USB...
1543
01:18:56,274 --> 01:18:58,068
That operator then goes down to Natanz
1544
01:18:58,068 --> 01:19:00,237
and he plugs in his USB key, which has some code
1545
01:19:00,237 --> 01:19:02,113
that he needs to update into Natanz,
1546
01:19:02,113 --> 01:19:03,698
into the Natanz network,
1547
01:19:03,698 --> 01:19:05,367
and now Stuxnet is able to get inside Natanz
1548
01:19:05,367 --> 01:19:06,702
and conduct its attack.
1549
01:19:07,953 --> 01:19:10,331
These five companies were specifically targeted
1550
01:19:10,331 --> 01:19:12,207
to spread Stuxnet into Natanz
1551
01:19:12,373 --> 01:19:15,627
and that it wasn't that... that Stuxnet escaped out of Natanz
1552
01:19:15,627 --> 01:19:17,128
and then spread all over the world
1553
01:19:17,128 --> 01:19:19,547
and it was this big mistake and "oh, it wasn't meant
1554
01:19:19,547 --> 01:19:21,300
to spread that far but it really did."
1555
01:19:21,300 --> 01:19:23,051
No, that's not the way we see it.
1556
01:19:23,051 --> 01:19:25,970
The way we see it is that they wanted it to spread far
1557
01:19:25,970 --> 01:19:27,640
so that they could get it into Natanz.
1558
01:19:27,847 --> 01:19:31,726
Someone decided that we're gonna create something new,
1559
01:19:31,976 --> 01:19:33,061
something evolved,
1560
01:19:33,686 --> 01:19:35,814
that's gonna be far, far, far more aggressive.
1561
01:19:36,481 --> 01:19:39,902
And we're okay, frankly,
1562
01:19:39,902 --> 01:19:42,613
with it spreading all over the world to innocent machines
1563
01:19:42,863 --> 01:19:44,448
in order to go after our target.
1564
01:19:50,162 --> 01:19:55,333
The Mossad had the role, had the... the assignment
1565
01:19:56,042 --> 01:20:01,923
to deliver the virus to make sure that Stuxnet
1566
01:20:01,923 --> 01:20:06,804
would be put in place in Natanz to affect the centrifuges.
1567
01:20:08,680 --> 01:20:10,890
Meir Dagan, the head of Mossad,
1568
01:20:10,890 --> 01:20:14,185
was under growing pressure from the prime minister,
1569
01:20:14,185 --> 01:20:17,064
Benjamin Netanyahu, to produce results.
1570
01:20:18,940 --> 01:20:20,109
Inside the ROC,
1571
01:20:20,109 --> 01:20:22,194
we were furious.
1572
01:20:23,945 --> 01:20:26,782
The Israelis took our code for the delivery system
1573
01:20:27,365 --> 01:20:28,658
and changed it.
1574
01:20:30,077 --> 01:20:32,578
Then, on their own, without our agreement,
1575
01:20:32,578 --> 01:20:34,372
they just fucking launched it.
1576
01:20:35,039 --> 01:20:36,958
2010 around the same time
1577
01:20:36,958 --> 01:20:38,752
they started killing Iranian scientists...
1578
01:20:38,752 --> 01:20:40,462
And they fucked up the code!
1579
01:20:40,921 --> 01:20:42,463
Instead of hiding,
1580
01:20:42,463 --> 01:20:44,925
the code started shutting down computers,
1581
01:20:44,925 --> 01:20:46,676
so naturally, people noticed.
1582
01:20:48,636 --> 01:20:51,640
Because they were in a hurry, they opened Pandora's box.
1583
01:20:52,640 --> 01:20:53,766
They let it out
1584
01:20:53,766 --> 01:20:57,061
and it spread all over the world.
1585
01:21:02,234 --> 01:21:04,028
Gibney: The worm spread quickly
1586
01:21:04,319 --> 01:21:06,154
but somehow it remained unseen
1587
01:21:06,154 --> 01:21:08,198
until it was identified in Belarus.
1588
01:21:09,158 --> 01:21:11,743
Soon after, Israeli intelligence confirmed
1589
01:21:11,743 --> 01:21:13,746
that it had made its way into the hands
1590
01:21:13,746 --> 01:21:15,747
of the Russian Federal Security Service,
1591
01:21:15,747 --> 01:21:17,707
a successor to the KGB.
1592
01:21:19,292 --> 01:21:22,671
So it happened that the formula for a secret cyber weapon
1593
01:21:22,671 --> 01:21:24,338
designed by the U.S. and Israel
1594
01:21:24,338 --> 01:21:25,882
fell into the hands of Russia
1595
01:21:26,425 --> 01:21:28,426
and the very country it was meant to attack.
1596
01:21:50,990 --> 01:21:52,533
Kiyaei: In international law,
1597
01:21:52,533 --> 01:21:56,037
when some country or a coalition of countries
1598
01:21:56,287 --> 01:22:00,751
targets a nuclear facility, it's a act of war.
1599
01:22:01,667 --> 01:22:04,587
Please, let's be frank here.
1600
01:22:05,213 --> 01:22:07,925
If it wasn't Iran,
1601
01:22:08,550 --> 01:22:11,261
let's say a nuclear facility in United States...
1602
01:22:12,554 --> 01:22:14,264
Was targeted in the same way...
1603
01:22:16,475 --> 01:22:18,101
The American government
1604
01:22:18,519 --> 01:22:21,229
would not sit by and let this go.
1605
01:22:22,064 --> 01:22:24,649
Gibney: Stuxnet is an attack in peacetime
1606
01:22:24,649 --> 01:22:25,734
on critical infrastructures.
1607
01:22:25,900 --> 01:22:29,029
Yes, it is. I'm... Look, when I read about it,
1608
01:22:29,029 --> 01:22:31,739
I read it, I go, "whoa, this is a big deal."
1609
01:22:31,739 --> 01:22:33,449
Yeah.
1610
01:22:35,159 --> 01:22:37,703
Sanger: The people who were running this program,
1611
01:22:37,703 --> 01:22:39,163
including Leon Panetta,
1612
01:22:39,163 --> 01:22:41,166
the director of the CIA at the time,
1613
01:22:41,750 --> 01:22:44,418
had to go down into the situation room
1614
01:22:44,418 --> 01:22:46,587
and face President Obama,
1615
01:22:46,587 --> 01:22:50,134
Vice President Biden and explain that this program
1616
01:22:50,425 --> 01:22:52,970
was suddenly on the loose.
1617
01:22:54,262 --> 01:22:55,805
Vice President Biden,
1618
01:22:55,805 --> 01:22:58,350
at one point during this discussion,
1619
01:22:59,184 --> 01:23:01,895
sort of exploded in Biden-esque fashion
1620
01:23:01,895 --> 01:23:03,438
and blamed the Israelis.
1621
01:23:03,438 --> 01:23:05,858
He said, "it must have been the Israelis
1622
01:23:05,858 --> 01:23:07,943
who made a change in the code
1623
01:23:07,943 --> 01:23:10,028
that enabled it to get out."
1624
01:23:11,904 --> 01:23:14,115
Richard Clarke: President Obama said to the senior leadership,
1625
01:23:14,115 --> 01:23:17,118
"you told me it wouldn't get out of the network. It did.
1626
01:23:17,118 --> 01:23:19,287
You told me the Iranians would never figure out
1627
01:23:19,287 --> 01:23:21,289
it was the United States. They did.
1628
01:23:21,582 --> 01:23:23,292
You told me it would have a huge effect
1629
01:23:23,292 --> 01:23:26,962
on their nuclear program, and it didn't."
1630
01:23:28,630 --> 01:23:32,134
Sanger: The Natanz plant is inspected every couple of weeks
1631
01:23:32,466 --> 01:23:35,636
by the International Atomic Energy Agency inspectors.
1632
01:23:36,095 --> 01:23:38,806
And if you line up what you know about the attacks
1633
01:23:39,056 --> 01:23:41,976
with the inspection reports, you can see the effects.
1634
01:23:43,311 --> 01:23:45,479
Heinonen: If you go to the IAEA reports,
1635
01:23:45,479 --> 01:23:47,774
they really show that all of those centrifuges
1636
01:23:47,774 --> 01:23:50,652
were switched off and they were removed.
1637
01:23:51,278 --> 01:23:54,655
As much as almost couple of thousand got compromised.
1638
01:23:55,823 --> 01:23:57,283
When you put this altogether,
1639
01:23:57,283 --> 01:24:00,078
I wouldn't be surprised if their program got delayed
1640
01:24:00,078 --> 01:24:01,246
by the one year.
1641
01:24:01,622 --> 01:24:05,417
But go then to year 2012-13
1642
01:24:05,417 --> 01:24:08,712
and looking how the centrifuges started to come up again.
1643
01:24:09,003 --> 01:24:10,588
Kiyaei: Iran's number of centrifuges
1644
01:24:10,588 --> 01:24:12,466
went up exponentially,
1645
01:24:12,466 --> 01:24:16,511
to 20,000, with a stockpile of low enriched uranium.
1646
01:24:16,511 --> 01:24:18,846
This isn't... These are high numbers.
1647
01:24:19,680 --> 01:24:22,184
Iran's nuclear facilities expanded
1648
01:24:22,184 --> 01:24:24,770
with the construction of Fordow
1649
01:24:24,770 --> 01:24:27,355
and other highly protected facilities.
1650
01:24:29,440 --> 01:24:32,194
So ironically, cyber warfare...
1651
01:24:33,028 --> 01:24:35,613
Assassination of its nuclear scientists,
1652
01:24:36,030 --> 01:24:39,326
economic sanctions, political isolation...
1653
01:24:41,203 --> 01:24:43,704
Iran has gone through "a" to "x"
1654
01:24:43,704 --> 01:24:48,292
of every chorus of policy that the U.S., Israel,
1655
01:24:48,292 --> 01:24:52,421
and those who ally with them have placed on Iran,
1656
01:24:52,965 --> 01:24:55,926
and they have actually made Iran's nuclear program
1657
01:24:55,926 --> 01:24:58,636
more advanced today than it was ever before.
1658
01:25:02,807 --> 01:25:04,559
Mossad operative: This is a very
1659
01:25:04,559 --> 01:25:07,688
very dangerous minefield that we are walking,
1660
01:25:07,688 --> 01:25:10,606
and nations who decide
1661
01:25:10,606 --> 01:25:12,775
to take these covert actions
1662
01:25:13,902 --> 01:25:16,947
should be taking into consideration
1663
01:25:17,572 --> 01:25:22,411
all the effects, including the moral effects.
1664
01:25:23,036 --> 01:25:27,082
I would say that this is the price
1665
01:25:27,082 --> 01:25:31,420
that we have to pay in this... In this war,
1666
01:25:31,752 --> 01:25:34,297
and our blade of righteousness
1667
01:25:34,297 --> 01:25:35,673
shouldn't be so sharp.
1668
01:25:41,512 --> 01:25:43,931
Gibney: In Israel and in the United States,
1669
01:25:43,931 --> 01:25:46,268
the blade of righteousness cut both ways,
1670
01:25:46,768 --> 01:25:49,313
wounding the targets and the attackers.
1671
01:25:50,396 --> 01:25:52,815
When Stuxnet infected American computers,
1672
01:25:52,815 --> 01:25:54,859
the Department of Homeland Security,
1673
01:25:55,193 --> 01:25:58,113
unaware of the cyber weapons launch by the NSA,
1674
01:25:58,404 --> 01:26:01,574
devoted enormous resources trying to protect Americans
1675
01:26:01,574 --> 01:26:02,868
from their own government.
1676
01:26:03,368 --> 01:26:05,787
We had met the enemy and it was us.
1677
01:26:11,585 --> 01:26:13,252
Sean Paul McGurk: The purpose of the watch stations that
1678
01:26:13,252 --> 01:26:15,421
you see in front of you is to aggregate the data
1679
01:26:15,421 --> 01:26:16,881
coming in from multiple feeds
1680
01:26:16,881 --> 01:26:18,632
of what the cyber threats could be,
1681
01:26:18,632 --> 01:26:20,051
so if we see threats
1682
01:26:20,051 --> 01:26:22,636
we can provide real-time recommendations
1683
01:26:22,636 --> 01:26:25,849
for both private companies, as well as federal agencies.
1684
01:26:26,600 --> 01:26:30,061
Male journalist:
1685
01:26:30,479 --> 01:26:32,898
Yep, absolutely. We'd be more than happy to discuss that.
1686
01:26:32,898 --> 01:26:33,981
Female journalist: Sean, is it...
1687
01:26:33,981 --> 01:26:36,568
McGurk: Early July of 2010 we received a call
1688
01:26:36,568 --> 01:26:39,195
that said that this piece of malware was discovered
1689
01:26:39,195 --> 01:26:40,572
and could we take a look at it.
1690
01:26:42,157 --> 01:26:43,658
When we first started the analysis,
1691
01:26:43,658 --> 01:26:46,036
there was that "oh, crap" moment, you know,
1692
01:26:46,036 --> 01:26:47,828
where we sat there and said, this is something
1693
01:26:47,828 --> 01:26:48,997
that's significant.
1694
01:26:48,997 --> 01:26:50,707
It's impacting industrial control.
1695
01:26:50,957 --> 01:26:53,417
It can disrupt it to the point where it could cause harm
1696
01:26:53,417 --> 01:26:55,503
and not only damage to the equipment,
1697
01:26:55,503 --> 01:26:57,546
but potentially harm or loss of life.
1698
01:26:58,340 --> 01:27:00,509
We were very concerned because Stuxnet
1699
01:27:00,509 --> 01:27:02,301
was something that we had not seen before.
1700
01:27:02,301 --> 01:27:04,429
So there wasn't a lot of sleep that night.
1701
01:27:04,429 --> 01:27:07,349
Basically, light up the phones, call everybody we know,
1702
01:27:07,349 --> 01:27:10,560
inform the secretary, inform the White House,
1703
01:27:10,769 --> 01:27:12,854
inform the other departments and agencies,
1704
01:27:13,020 --> 01:27:15,689
wake up the world, and figure out what's going on
1705
01:27:15,689 --> 01:27:17,900
with this particular malware.
1706
01:27:19,694 --> 01:27:20,987
Good morning, Chairman Lieberman,
1707
01:27:20,987 --> 01:27:22,238
Ranking Member Collins.
1708
01:27:22,823 --> 01:27:24,615
Something as simple and innocuous as this
1709
01:27:24,615 --> 01:27:26,784
becomes a challenge for all of us to maintain
1710
01:27:26,784 --> 01:27:29,746
accountability control of our critical infrastructure systems.
1711
01:27:30,247 --> 01:27:32,373
This actually contains the Stuxnet virus.
1712
01:27:32,541 --> 01:27:34,042
I've been asked on a number of occasions,
1713
01:27:34,042 --> 01:27:35,877
"did you ever think this was us?"
1714
01:27:35,877 --> 01:27:39,547
And at... at no point did that ever really cross our mind,
1715
01:27:39,547 --> 01:27:42,384
because we were looking at it from the standpoint of,
1716
01:27:42,716 --> 01:27:44,677
is this something that's coming after the homeland?
1717
01:27:44,677 --> 01:27:47,221
You know, what... what's going to potentially impact,
1718
01:27:47,221 --> 01:27:50,015
you know, our industrial control based
here in the United States?
1719
01:27:50,475 --> 01:27:53,395
You know, I liken it to, you know, field of battle.
1720
01:27:53,561 --> 01:27:55,564
You don't think the sniper that's behind you
1721
01:27:55,564 --> 01:27:57,064
is gonna be shooting at you,
1722
01:27:57,231 --> 01:27:58,817
'cause you expect him to be on your side.
1723
01:27:59,359 --> 01:28:03,070
We really don't know who the attacker was
1724
01:28:03,070 --> 01:28:04,448
in the Stuxnet case.
1725
01:28:04,655 --> 01:28:06,867
So help us understand a little more
1726
01:28:07,158 --> 01:28:09,327
what this thing is
1727
01:28:10,036 --> 01:28:15,417
whose origin and destination we don't understand.
1728
01:28:16,667 --> 01:28:18,752
Gibney: Did anybody ever give you any indication
1729
01:28:18,752 --> 01:28:20,921
that it was something that they already knew about?
1730
01:28:20,921 --> 01:28:23,675
No, at no time did I get the impression from someone
1731
01:28:23,675 --> 01:28:26,552
that that's okay, you know, get the little pat on the head,
1732
01:28:26,552 --> 01:28:28,012
and... and scooted out the door.
1733
01:28:28,012 --> 01:28:29,890
I never received a stand-down order.
1734
01:28:29,890 --> 01:28:33,518
I never... no one ever asked, "stop looking at this."
1735
01:28:34,101 --> 01:28:37,939
Do we think that this was a nation-state actor
1736
01:28:37,939 --> 01:28:40,358
and that there are a limited number of nation-states
1737
01:28:40,358 --> 01:28:43,737
that have such advanced capacity?
1738
01:28:45,613 --> 01:28:47,865
Gibney: Sean McGurk, the director of cyber
1739
01:28:47,865 --> 01:28:49,618
for the department of homeland security,
1740
01:28:49,618 --> 01:28:52,453
testified before the senate about how he thought
1741
01:28:52,453 --> 01:28:55,539
stuxnet was a terrifying threat to the United States.
1742
01:28:55,789 --> 01:28:57,082
Is that not a problem?
1743
01:28:57,082 --> 01:28:58,960
I don't... and... and how... How do you mean?
1744
01:28:59,252 --> 01:29:01,630
That stuxnet was a bad idea?
1745
01:29:02,046 --> 01:29:04,716
Gibney: No, no, no, just that before he knew what it was
1746
01:29:04,716 --> 01:29:06,551
- and what it attacks... - Oh, I... I get it.
1747
01:29:06,551 --> 01:29:07,969
- Gibney: Yeah... - Yeah,
1748
01:29:07,969 --> 01:29:09,554
he was responding to something that we...
1749
01:29:09,554 --> 01:29:10,555
Gibney: He thought it was a threat
1750
01:29:10,889 --> 01:29:12,765
to critical infrastructure in the United States.
1751
01:29:12,765 --> 01:29:14,475
Yeah. The worm is loose!
1752
01:29:14,475 --> 01:29:16,310
Gibney: The worm is loose. I understand.
1753
01:29:16,310 --> 01:29:19,355
But there's... There's a further theory
1754
01:29:19,355 --> 01:29:20,940
having to do with whether or not,
1755
01:29:20,940 --> 01:29:23,150
following upon David sanger...
1756
01:29:23,150 --> 01:29:25,069
I got the subplot, and who did that?
1757
01:29:25,069 --> 01:29:26,947
Was it the Israelis? And, yeah, I...
1758
01:29:27,572 --> 01:29:30,492
I truly don't know, and even though I don't know,
1759
01:29:30,492 --> 01:29:32,159
I still can't talk about it, all right?
1760
01:29:32,493 --> 01:29:35,997
Stuxnet was somebody's covert action, all right?
1761
01:29:36,247 --> 01:29:37,916
And the definition of covert action
1762
01:29:37,916 --> 01:29:40,835
is an activity in which you want to have the hand
1763
01:29:40,835 --> 01:29:42,837
of the actor forever hidden.
1764
01:29:43,171 --> 01:29:46,341
So by definition, it's gonna end up in this
1765
01:29:46,341 --> 01:29:48,260
"we don't talk about these things" box.
1766
01:29:53,931 --> 01:29:56,810
Sanger: To this day, the United States government
1767
01:29:56,810 --> 01:29:58,936
has never acknowledged
1768
01:29:58,936 --> 01:30:03,399
conducting any offensive cyber attack anywhere in the world.
1769
01:30:05,443 --> 01:30:10,364
But thanks to Mr. snowden, we know that in 2012
1770
01:30:10,364 --> 01:30:12,742
president Obama issued an executive order
1771
01:30:12,951 --> 01:30:15,703
that laid out some of the conditions
1772
01:30:15,703 --> 01:30:18,163
under which cyber weapons can be used.
1773
01:30:18,163 --> 01:30:21,710
And interestingly, every use of a cyber weapon
1774
01:30:21,710 --> 01:30:24,753
requires presidential sign-off.
1775
01:30:26,006 --> 01:30:29,842
That is only true in the physical world
1776
01:30:29,842 --> 01:30:31,720
for nuclear weapons.
1777
01:30:43,023 --> 01:30:45,317
Clarke: Nuclear war and nuclear weapons are vastly different
1778
01:30:45,317 --> 01:30:47,193
from cyber war and cyber weapons.
1779
01:30:47,193 --> 01:30:50,154
Having said that, there are some similarities.
1780
01:30:50,154 --> 01:30:52,573
And in the early 1960s,
1781
01:30:52,990 --> 01:30:54,908
the United States government suddenly realized
1782
01:30:54,908 --> 01:30:56,953
it had thousands of nuclear weapons,
1783
01:30:57,162 --> 01:30:58,829
big ones and little ones,
1784
01:30:58,829 --> 01:31:01,166
weapons on jeeps, weapons on submarines,
1785
01:31:02,042 --> 01:31:04,168
and it really didn't have a doctrine.
1786
01:31:04,168 --> 01:31:06,003
It really didn't have a strategy.
1787
01:31:06,003 --> 01:31:07,756
It really didn't have an understanding
1788
01:31:08,047 --> 01:31:10,175
at the policy level about how he was going to use
1789
01:31:10,175 --> 01:31:11,342
all of these things.
1790
01:31:11,926 --> 01:31:13,927
And so academics
1791
01:31:13,927 --> 01:31:16,765
started publishing unclassified documents
1792
01:31:16,765 --> 01:31:20,601
about nuclear war and nuclear weapons.
1793
01:31:23,104 --> 01:31:24,355
Sanger: And the result was
1794
01:31:24,730 --> 01:31:27,067
more than 20 years, in the United States,
1795
01:31:27,067 --> 01:31:29,778
of very vigorous national debates
1796
01:31:30,278 --> 01:31:33,823
about how we want to go use nuclear weapons.
1797
01:31:37,202 --> 01:31:39,496
And not only did that cause the congress
1798
01:31:39,496 --> 01:31:41,872
and people in the executive branch in Washington
1799
01:31:41,872 --> 01:31:43,625
to think about these things,
1800
01:31:43,625 --> 01:31:46,877
it caused the Russians to think about these things.
1801
01:31:47,837 --> 01:31:51,048
And out of that grew nuclear doctrine,
1802
01:31:51,048 --> 01:31:52,716
mutual assured destruction,
1803
01:31:52,716 --> 01:31:57,846
all of that complicated set of nuclear dynamics.
1804
01:31:58,472 --> 01:32:01,434
Today, on this vital issue at least,
1805
01:32:01,434 --> 01:32:03,478
we have seen what can be accomplished
1806
01:32:03,478 --> 01:32:05,145
when we pull together.
1807
01:32:05,145 --> 01:32:09,317
We can't have that discussion in a sensible way right now
1808
01:32:09,609 --> 01:32:11,653
about cyber war and cyber weapons
1809
01:32:11,653 --> 01:32:13,029
because everything is secret.
1810
01:32:13,988 --> 01:32:17,158
And when you get into a discussion
1811
01:32:17,158 --> 01:32:20,286
with people in the government, people still in the government,
1812
01:32:20,286 --> 01:32:21,829
people who have security clearances,
1813
01:32:22,079 --> 01:32:23,331
you run into a brick wall.
1814
01:32:23,581 --> 01:32:24,916
Trying to stop Iran
1815
01:32:24,916 --> 01:32:28,252
is really the... my number one job, and I think...
1816
01:32:28,252 --> 01:32:29,671
Host: And let me ask you, in that context,
1817
01:32:29,671 --> 01:32:31,672
about the stuxnet computer virus potentially...
1818
01:32:31,672 --> 01:32:33,257
You can ask, but I won't comment.
1819
01:32:34,341 --> 01:32:35,426
Host: Can you tell us anything?
1820
01:32:35,426 --> 01:32:36,594
No.
1821
01:32:36,594 --> 01:32:39,012
What do you think has had the most impact
1822
01:32:39,012 --> 01:32:41,181
on their nuclear decision-making,
1823
01:32:41,181 --> 01:32:42,850
the stuxnet virus?
1824
01:32:42,850 --> 01:32:45,145
I can't talk about stuxnet.
1825
01:32:45,145 --> 01:32:49,524
I can't even talk about the operation of Iran centrifuges.
1826
01:32:49,690 --> 01:32:51,943
Was the U.S. involved in any way
1827
01:32:51,943 --> 01:32:53,528
in the development of stuxnet?
1828
01:32:54,028 --> 01:32:56,698
It's hard to get into any kind of comment on that
1829
01:32:56,698 --> 01:32:58,867
till we've finished any... Our examination.
1830
01:32:59,701 --> 01:33:01,034
But, sir, I'm not asking you
1831
01:33:01,034 --> 01:33:02,996
if you think another country was involved.
1832
01:33:02,996 --> 01:33:04,997
I'm asking you if the U.S. was involved.
1833
01:33:04,997 --> 01:33:07,375
And we're... This is not something
1834
01:33:07,375 --> 01:33:09,252
that we're gonna be able to answer at this point.
1835
01:33:09,668 --> 01:33:12,005
Look, for the longest time, I was in fear that
1836
01:33:12,005 --> 01:33:13,506
I couldn't actually say the phrase
1837
01:33:13,506 --> 01:33:15,175
"computer network attack."
1838
01:33:15,175 --> 01:33:18,051
This stuff is hideously overclassified,
1839
01:33:18,051 --> 01:33:20,180
and it gets into the way of a...
1840
01:33:20,180 --> 01:33:22,974
Of a mature public discussion
1841
01:33:22,974 --> 01:33:25,518
as to what it is we as a democracy
1842
01:33:25,518 --> 01:33:29,689
want our nation to be doing up here in the cyber domain.
1843
01:33:29,689 --> 01:33:32,524
Now, this is a former director of NSA and CIA
1844
01:33:32,524 --> 01:33:34,485
saying this stuff is overclassified.
1845
01:33:34,735 --> 01:33:38,238
One of the reasons this is highly classified as it is
1846
01:33:38,238 --> 01:33:39,823
this is a peculiar weapons system.
1847
01:33:39,823 --> 01:33:41,826
This is a weapons system that's come out of
1848
01:33:41,826 --> 01:33:43,161
the espionage community,
1849
01:33:43,161 --> 01:33:46,456
and... and so those people have a habit of secrecy.
1850
01:33:46,456 --> 01:33:48,750
Secrecy is still justifiable in certain cases
1851
01:33:48,750 --> 01:33:51,920
to protect sources or to protect national security
1852
01:33:51,920 --> 01:33:55,088
but when we deal with secrecy, don't hide behind it
1853
01:33:55,088 --> 01:33:59,051
to use as an excuse to not disclose something properly
1854
01:33:59,051 --> 01:34:01,095
that you know should be
1855
01:34:01,095 --> 01:34:02,346
or that the American people
1856
01:34:02,346 --> 01:34:03,597
need ultimately to see.
1857
01:34:06,266 --> 01:34:08,353
Gibney: While most government officials refused
1858
01:34:08,353 --> 01:34:09,813
to acknowledge the operation,
1859
01:34:10,395 --> 01:34:13,190
at least one key insider did leak parts of the story
1860
01:34:13,190 --> 01:34:14,317
to the press.
1861
01:34:14,317 --> 01:34:18,195
In 2012, David sanger wrote a detailed account
1862
01:34:18,195 --> 01:34:21,533
of olympic games that unmasked the extensive joint operation
1863
01:34:21,533 --> 01:34:23,451
between the U.S. and Israel
1864
01:34:23,451 --> 01:34:25,703
to launch cyber attacks on natanz.
1865
01:34:26,578 --> 01:34:28,456
Sanger: The publication of this story
1866
01:34:28,456 --> 01:34:30,457
coming at a time that turned out that there were
1867
01:34:30,457 --> 01:34:33,293
a number of other unrelated national security stories
1868
01:34:33,293 --> 01:34:35,963
being published, led to the announcement
1869
01:34:35,963 --> 01:34:39,300
of investigations by the Attorney General.
1870
01:34:39,801 --> 01:34:42,095
Gibney: In... into the press and into the leaks?
1871
01:34:42,095 --> 01:34:43,595
Into the press and into the leaks.
1872
01:34:46,099 --> 01:34:47,266
Gibney: Soon after the article,
1873
01:34:47,266 --> 01:34:49,435
the Obama administration targeted
1874
01:34:49,435 --> 01:34:52,479
general James Cartwright in a criminal investigation
1875
01:34:52,479 --> 01:34:53,730
for allegedly leaking
1876
01:34:53,730 --> 01:34:56,067
classified details about stuxnet.
1877
01:34:57,443 --> 01:34:58,944
Journalist: There are reports of cyber attacks
1878
01:34:58,944 --> 01:35:01,738
on the iranian nuclear program that you ordered.
1879
01:35:01,738 --> 01:35:03,240
What's your reaction to this information getting out?
1880
01:35:03,240 --> 01:35:04,868
Well, first of all, I'm not gonna comment on the...
1881
01:35:04,868 --> 01:35:08,203
The details of... what are...
1882
01:35:10,582 --> 01:35:14,877
Supposed to be classified items.
1883
01:35:15,670 --> 01:35:18,046
Since I've been in office, my attitude has been
1884
01:35:18,297 --> 01:35:21,551
zero tolerance for these kinds of leaks.
1885
01:35:22,176 --> 01:35:23,845
We have mechanisms in place
1886
01:35:24,136 --> 01:35:27,681
where, if we can root out folks who have leaked,
1887
01:35:28,474 --> 01:35:29,893
they will suffer consequences.
1888
01:35:30,268 --> 01:35:32,686
It became a significant issue
1889
01:35:32,686 --> 01:35:34,939
and a very wide-ranging investigation
1890
01:35:34,939 --> 01:35:37,358
in which I think most of the people who were cleared
1891
01:35:37,358 --> 01:35:38,943
for olympic games at some point
1892
01:35:38,943 --> 01:35:40,819
had been, you know, interviewed and so forth.
1893
01:35:40,819 --> 01:35:42,529
When stuxnet hit the media,
1894
01:35:42,529 --> 01:35:44,698
they polygraphed everyone in our office,
1895
01:35:44,698 --> 01:35:46,326
including people who didn't know shit.
1896
01:35:46,326 --> 01:35:48,453
You know, they polyed the interns, for god's sake.
1897
01:35:48,994 --> 01:35:50,371
These are criminal acts
1898
01:35:50,371 --> 01:35:52,039
when they release information like this,
1899
01:35:52,539 --> 01:35:56,377
and we will conduct thorough investigations
1900
01:35:57,002 --> 01:35:58,755
as we have in the past.
1901
01:36:00,797 --> 01:36:03,051
Gibney: The administration never filed charges,
1902
01:36:03,384 --> 01:36:05,177
possibly afraid that a prosecution
1903
01:36:05,177 --> 01:36:08,055
would reveal classified details about stuxnet.
1904
01:36:08,972 --> 01:36:12,393
To this day, no one in the U.S. or Israeli governments
1905
01:36:12,393 --> 01:36:14,479
has officially acknowledged the existence
1906
01:36:14,479 --> 01:36:15,939
of the joint operation.
1907
01:36:17,899 --> 01:36:19,399
I would never compromise
1908
01:36:19,399 --> 01:36:21,152
ongoing operations in the field,
1909
01:36:21,152 --> 01:36:25,238
but we should be able to talk about capability.
1910
01:36:26,573 --> 01:36:28,076
We can talk about our...
1911
01:36:29,243 --> 01:36:31,996
Bunker busters, why not our cyber weapons?
1912
01:36:32,372 --> 01:36:33,456
I mean, the secrecy
1913
01:36:33,456 --> 01:36:35,123
of the operation has been blown.
1914
01:36:36,667 --> 01:36:38,711
Our friends in Israel took a weapon
1915
01:36:38,711 --> 01:36:40,171
that we jointly developed,
1916
01:36:40,171 --> 01:36:42,297
in part to keep Israel from doing something crazy,
1917
01:36:42,756 --> 01:36:44,550
and then used it on their own in a way
1918
01:36:44,550 --> 01:36:45,926
that blew the cover of the operation
1919
01:36:45,926 --> 01:36:47,095
and could have led to war.
1920
01:36:47,095 --> 01:36:48,512
And we can't talk about that?
1921
01:36:53,059 --> 01:36:54,935
Mowatt-larssen: There's a way to talk about stuxnet.
1922
01:36:55,520 --> 01:36:56,895
It happened.
1923
01:36:56,895 --> 01:36:59,774
That... to deny that it happened is... is foolish.
1924
01:36:59,774 --> 01:37:01,693
So the fact it happened
1925
01:37:01,693 --> 01:37:03,194
is really what we're talking about here.
1926
01:37:03,194 --> 01:37:05,029
What does... What are the implications
1927
01:37:05,029 --> 01:37:07,864
of the fact that we now are in a post-stuxnet world?
1928
01:37:08,365 --> 01:37:10,827
What I said to David sanger was,
1929
01:37:10,827 --> 01:37:13,496
"I understand the difference in destruction is dramatic,
1930
01:37:13,746 --> 01:37:16,207
but this has the whiff of August 1945."
1931
01:37:17,041 --> 01:37:18,626
Somebody just used a new weapon,
1932
01:37:18,960 --> 01:37:21,712
and this weapon will not be put back into the box.
1933
01:37:22,130 --> 01:37:24,798
I... I know no operational details
1934
01:37:24,798 --> 01:37:27,760
and don't know what anyone did or didn't do
1935
01:37:27,760 --> 01:37:30,387
before someone decided to use the weapon, all right.
1936
01:37:30,721 --> 01:37:31,972
I do know this.
1937
01:37:31,972 --> 01:37:33,850
If we go out and do something,
1938
01:37:34,641 --> 01:37:36,728
most of the rest of the world now thinks
1939
01:37:36,935 --> 01:37:37,936
that's the new standard
1940
01:37:38,479 --> 01:37:41,356
and it's something that they now feel legitimated to do as well.
1941
01:37:42,774 --> 01:37:44,234
But the rules of engagement,
1942
01:37:44,234 --> 01:37:46,820
international norms, treaty standards,
1943
01:37:46,820 --> 01:37:48,655
they don't exist right now.
1944
01:37:52,493 --> 01:37:55,662
Brown: The law of war, because it began to develop so long ago
1945
01:37:55,662 --> 01:37:59,207
is really dependent on thinking of things kinetically
1946
01:37:59,583 --> 01:38:01,085
and the physical realm.
1947
01:38:01,377 --> 01:38:04,756
So for example, we think in terms of attacks.
1948
01:38:05,672 --> 01:38:07,925
You know an attack when it happens in the kinetic world.
1949
01:38:07,925 --> 01:38:09,676
It's not really much of a mystery.
1950
01:38:09,676 --> 01:38:12,596
But in cyberspace it is sort of confusing to think,
1951
01:38:13,180 --> 01:38:14,640
how far do we have to go
1952
01:38:14,640 --> 01:38:16,850
before something is considered an attack?
1953
01:38:16,975 --> 01:38:20,771
So we have to take all the vocabulary
1954
01:38:21,271 --> 01:38:24,108
and the terms that we use in strategy
1955
01:38:24,108 --> 01:38:25,734
and military operations
1956
01:38:25,984 --> 01:38:29,029
and adapt them into the cyber realm.
1957
01:38:30,363 --> 01:38:31,823
Sanger: For nuclear we have these
1958
01:38:31,823 --> 01:38:33,743
extensive inspection regimes.
1959
01:38:34,034 --> 01:38:36,119
The Russians come and look at our silos.
1960
01:38:36,453 --> 01:38:38,038
We go and look at their silos.
1961
01:38:38,538 --> 01:38:40,541
Bad as things get between the two countries,
1962
01:38:40,707 --> 01:38:42,627
those inspection regimes have held up.
1963
01:38:42,627 --> 01:38:45,546
But working that out for... For cyber
1964
01:38:45,546 --> 01:38:47,090
would be virtually impossible.
1965
01:38:47,381 --> 01:38:48,757
Where do you send your inspector?
1966
01:38:49,132 --> 01:38:51,176
Inside the laptop of, you know...
1967
01:38:51,551 --> 01:38:53,805
How many laptops are there in the United States and Russia?
1968
01:38:54,180 --> 01:38:56,390
It's much more difficult in the cyber area
1969
01:38:56,390 --> 01:38:58,725
to construct an international regime
1970
01:38:58,725 --> 01:39:01,729
based on treaty commitments and rules of the road
1971
01:39:01,729 --> 01:39:02,896
and so forth.
1972
01:39:02,896 --> 01:39:06,234
Although, we've tried to have discussions with the Chinese
1973
01:39:06,234 --> 01:39:08,277
and Russians and so forth about that,
1974
01:39:08,277 --> 01:39:09,612
but it's very difficult.
1975
01:39:10,695 --> 01:39:14,242
Brown: Right now, the norm in cyberspace is
1976
01:39:14,242 --> 01:39:15,576
do whatever you can get away with.
1977
01:39:16,577 --> 01:39:18,954
That's not a good norm, but it's the norm that we have.
1978
01:39:19,538 --> 01:39:21,582
That's the norm that's preferred by states
1979
01:39:21,582 --> 01:39:24,252
that are engaging in lots of different kinds of activities
1980
01:39:24,252 --> 01:39:26,295
that they feel are benefitting their national security.
1981
01:39:27,505 --> 01:39:30,091
Yadlin: Those who excel in cyber
1982
01:39:30,091 --> 01:39:32,926
are trying to slow down the process
1983
01:39:32,926 --> 01:39:34,595
of creating regulation.
1984
01:39:35,054 --> 01:39:38,890
Those who are victims we like the regulation
1985
01:39:38,890 --> 01:39:42,603
to be in the open as... As soon as possible.
1986
01:39:44,771 --> 01:39:47,608
Brown: International law in this area is written by custom,
1987
01:39:47,608 --> 01:39:50,735
and customary law requires a nation to say,
1988
01:39:50,735 --> 01:39:52,488
this is what we did and this is why we did it.
1989
01:39:53,280 --> 01:39:56,199
And the U.S. doesn't want to push the law in that direction
1990
01:39:56,199 --> 01:39:58,618
and so it chooses not to disclose its involvement.
1991
01:39:59,203 --> 01:40:01,413
And one of the reasons that I thought it was important
1992
01:40:01,413 --> 01:40:04,292
to tell the story of olympic games
1993
01:40:04,292 --> 01:40:07,086
was not simply because it's a cool spy story,
1994
01:40:07,086 --> 01:40:10,297
it is, but it's because as a nation...
1995
01:40:11,506 --> 01:40:15,051
We need to have a debate about how
we want to use cyber weapons
1996
01:40:15,302 --> 01:40:18,805
because we are the most vulnerable nation on earth
1997
01:40:18,972 --> 01:40:20,765
to cyber-attack ourselves.
1998
01:40:24,770 --> 01:40:27,273
Mcgurk: If you get up in the morning and turn off your alarm
1999
01:40:27,273 --> 01:40:31,652
and make coffee and pump gas and use the atm,
2000
01:40:32,153 --> 01:40:33,988
you've touched industrial control systems.
2001
01:40:33,988 --> 01:40:35,655
It's what powers our lives.
2002
01:40:35,989 --> 01:40:38,618
And unfortunately, these systems are connected
2003
01:40:38,618 --> 01:40:42,287
and interconnected in some ways that make them vulnerable.
2004
01:40:42,287 --> 01:40:44,998
Critical infrastructure systems generally were built
2005
01:40:44,998 --> 01:40:47,667
years and years and years ago without security in mind
2006
01:40:47,667 --> 01:40:49,753
and they didn't realize how things were gonna change,
2007
01:40:49,753 --> 01:40:52,006
maybe they weren't even meant to be connected to the Internet.
2008
01:40:52,006 --> 01:40:55,091
And we've seen, through a lot of experimentation
2009
01:40:55,091 --> 01:40:57,720
and through also, unfortunately, a lot of attacks
2010
01:40:58,011 --> 01:41:00,347
that most of these systems are relatively easy
2011
01:41:00,347 --> 01:41:03,016
for a sophisticated hacker to get into.
2012
01:41:05,019 --> 01:41:06,811
Let's say you took over the control system
2013
01:41:06,811 --> 01:41:09,523
of a railway. You could switch tracks.
2014
01:41:10,024 --> 01:41:12,318
You could cause derailments of trains
2015
01:41:12,318 --> 01:41:14,110
carrying explosive materials.
2016
01:41:15,320 --> 01:41:18,532
What if you were in the control system of gas pipelines
2017
01:41:18,865 --> 01:41:21,452
and when a valve was supposed to be open,
2018
01:41:21,452 --> 01:41:24,121
it was closed and the pressure built up
2019
01:41:24,329 --> 01:41:25,872
and the pipeline exploded?
2020
01:41:26,832 --> 01:41:30,752
There are companies that run electric power generation
2021
01:41:31,170 --> 01:41:33,046
or electric power distribution
2022
01:41:33,338 --> 01:41:35,382
that we know have been hacked
2023
01:41:35,716 --> 01:41:38,176
by foreign entities that have the ability
2024
01:41:38,176 --> 01:41:39,804
to shut down the power grid.
2025
01:41:40,345 --> 01:41:42,472
Sanger: Imagine for a moment
2026
01:41:42,472 --> 01:41:45,225
that not only all the power went off on the east coast,
2027
01:41:45,559 --> 01:41:47,560
but the entire Internet came down.
2028
01:41:48,229 --> 01:41:50,773
Imagine what the economic impact of that is
2029
01:41:51,231 --> 01:41:53,400
even if it only lasted for 24 hours.
2030
01:41:55,735 --> 01:41:57,445
Newsreader: According to the officials,
2031
01:41:57,445 --> 01:42:00,658
Iran is the first country ever in the middle east
2032
01:42:00,658 --> 01:42:03,159
to actually be engaged in a cyber war
2033
01:42:03,159 --> 01:42:05,371
with the United States and Israel.
2034
01:42:05,371 --> 01:42:08,748
If anything they said the recent cyber attacks
2035
01:42:08,748 --> 01:42:10,917
were what encouraged them to plan to set up
2036
01:42:10,917 --> 01:42:14,255
the cyber army, which will gather computer scientists,
2037
01:42:14,255 --> 01:42:17,091
programmers, software engineers...
2038
01:42:17,091 --> 01:42:20,011
Kiyaei: If you are a youth and you see assassination
2039
01:42:20,011 --> 01:42:21,636
of a nuclear scientist,
2040
01:42:22,054 --> 01:42:24,515
your nuclear facilities are getting attacked,
2041
01:42:25,224 --> 01:42:28,519
wouldn't you join your national cyber army?
2042
01:42:29,228 --> 01:42:30,520
Well, many did.
2043
01:42:30,770 --> 01:42:33,940
And that's why today, Iran has one of the largest...
2044
01:42:35,109 --> 01:42:37,528
Cyber armies in the world.
2045
01:42:38,029 --> 01:42:40,448
So whoever initiated this
2046
01:42:40,448 --> 01:42:42,949
and was very proud of themselves to see that little dip
2047
01:42:43,451 --> 01:42:47,662
in Iran's centrifuge numbers, should look back now
2048
01:42:48,122 --> 01:42:51,708
and acknowledge that it was a major mistake.
2049
01:42:52,292 --> 01:42:55,546
Very quickly, Iran sent a message
2050
01:42:55,546 --> 01:42:59,257
to the United States, very sophisticated message,
2051
01:42:59,257 --> 01:43:02,052
and they did that with two attacks.
2052
01:43:02,720 --> 01:43:05,514
First, they attacked Saudi aramco,
2053
01:43:05,805 --> 01:43:07,766
the biggest oil company in the world,
2054
01:43:08,141 --> 01:43:10,810
and wiped out every piece of software,
2055
01:43:10,810 --> 01:43:15,231
every line of code, on 30,000 computer devices.
2056
01:43:16,609 --> 01:43:22,155
Then Iran did a surge attack on the American banks.
2057
01:43:22,155 --> 01:43:25,117
The most extensive attack on American banks ever
2058
01:43:25,117 --> 01:43:27,953
launched from the middle east, happening right now.
2059
01:43:27,953 --> 01:43:28,953
Newsreader: Millions of customers
2060
01:43:29,497 --> 01:43:32,832
trying to bank online this week blocked, among the targets,
2061
01:43:33,083 --> 01:43:35,920
bank of America, pnc, and Wells Fargo.
2062
01:43:36,170 --> 01:43:39,590
The U.S. suspects hackers in Iran may be involved.
2063
01:43:41,509 --> 01:43:43,511
NSA source: When Iran hit our banks,
2064
01:43:43,511 --> 01:43:45,930
we could have shut down their botnet,
2065
01:43:45,930 --> 01:43:48,099
but the state department got nervous,
2066
01:43:48,306 --> 01:43:50,975
because the servers weren't actually in Iran.
2067
01:43:51,685 --> 01:43:54,020
So until there was a diplomatic solution,
2068
01:43:54,438 --> 01:43:57,065
Obama let the private sector deal with the problem.
2069
01:43:57,690 --> 01:44:00,610
I imagine that in the white house situation room
2070
01:44:00,944 --> 01:44:03,029
people sat around and said...
2071
01:44:03,655 --> 01:44:06,699
Let me be clear, I don't imagine, I know.
2072
01:44:07,033 --> 01:44:09,619
People sat around in the white house situation room
2073
01:44:09,619 --> 01:44:12,664
and said, "the iranians have sent us a message
2074
01:44:12,664 --> 01:44:16,877
which is essentially, 'stop attacking us in cyberspace
2075
01:44:16,877 --> 01:44:19,421
the way you did at natanz with stuxnet.
2076
01:44:19,880 --> 01:44:21,215
We can do it, too."'
2077
01:44:23,134 --> 01:44:25,719
Melman: There are unintended consequences
2078
01:44:25,719 --> 01:44:27,762
of the stuxnet attack.
2079
01:44:28,221 --> 01:44:31,975
You wanted to cause confusion and damage to the other side,
2080
01:44:31,975 --> 01:44:34,728
but then the other side can do the same to you.
2081
01:44:35,520 --> 01:44:38,399
The monster turned against its creators,
2082
01:44:38,399 --> 01:44:40,818
and now everyone is in this game.
2083
01:44:41,734 --> 01:44:44,195
They did a good job in showing the world,
2084
01:44:44,195 --> 01:44:47,615
including the bad guys, what you would need to do
2085
01:44:47,615 --> 01:44:49,743
in order to cause serious trouble
2086
01:44:49,993 --> 01:44:52,496
that could lead to injuries and death.
2087
01:44:52,746 --> 01:44:55,582
It's inevitable that more countries will acquire
2088
01:44:55,582 --> 01:44:57,877
the capacity to use cyber,
2089
01:44:57,877 --> 01:45:01,337
both for espionage and for destructive activities.
2090
01:45:02,088 --> 01:45:04,466
And we've seen this in some of the recent conflicts
2091
01:45:04,466 --> 01:45:05,926
that Russia's been involved in.
2092
01:45:06,092 --> 01:45:08,761
If there's a war, then somebody will try to knock out
2093
01:45:08,761 --> 01:45:11,181
our communication system or the radar.
2094
01:45:11,181 --> 01:45:13,725
Mcgurk: State-sponsored cyber sleeper cells,
2095
01:45:14,185 --> 01:45:16,020
they're out there everywhere today.
2096
01:45:16,270 --> 01:45:18,605
It could be for communications purposes.
2097
01:45:18,605 --> 01:45:20,774
It could be for data exfiltration.
2098
01:45:21,065 --> 01:45:24,653
It could be to, you know, shepherd in the next stuxnet.
2099
01:45:25,069 --> 01:45:26,947
I mean, you've been focusing on stuxnet,
2100
01:45:26,947 --> 01:45:28,448
but that was just a small part
2101
01:45:28,448 --> 01:45:30,618
of a much larger iranian mission.
2102
01:45:31,368 --> 01:45:32,994
Gibney: There was a larger iranian mission?
2103
01:45:36,122 --> 01:45:39,376
Nitro Zeus. Nz.
2104
01:45:40,752 --> 01:45:44,965
We spent hundreds of millions, maybe billions on it.
2105
01:45:47,551 --> 01:45:51,137
In the event the Israelis did attack Iran,
2106
01:45:51,137 --> 01:45:53,765
we assumed we would be drawn into the conflict.
2107
01:45:55,141 --> 01:45:58,645
We built in attacks on Iran's command-and-control system
2108
01:45:58,645 --> 01:46:00,980
so the iranians couldn't talk to each other in a fight.
2109
01:46:01,481 --> 01:46:05,027
We infiltrated their iads (Integrated Air Defense
System), military air defense systems,
2110
01:46:05,319 --> 01:46:07,363
so they couldn't shoot down our planes if we flew over.
2111
01:46:08,154 --> 01:46:11,242
We also went after their civilian support systems,
2112
01:46:11,242 --> 01:46:13,786
power grids, transportation,
2113
01:46:14,161 --> 01:46:16,956
communications, financial systems.
2114
01:46:17,581 --> 01:46:20,876
We were inside waiting, watching,
2115
01:46:21,126 --> 01:46:24,171
ready to disrupt, degrade, and destroy those systems
2116
01:46:24,171 --> 01:46:25,506
with cyber-attacks.
2117
01:46:29,134 --> 01:46:30,594
And in comparison,
2118
01:46:30,844 --> 01:46:33,055
stuxnet was a back alley operation.
2119
01:46:34,180 --> 01:46:37,725
Nz was the plan for a full-scale cyber war
2120
01:46:37,725 --> 01:46:39,561
with no attribution.
2121
01:46:40,354 --> 01:46:41,854
The question is, is that the kind of world
2122
01:46:41,854 --> 01:46:42,855
we want to live in?
2123
01:46:43,356 --> 01:46:47,152
And if we don't, as citizens, how do we go about a process
2124
01:46:47,152 --> 01:46:49,154
where we have a more sane discussion?
2125
01:46:49,154 --> 01:46:51,532
We need an entirely new way of thinking about
2126
01:46:51,532 --> 01:46:53,117
how we're gonna solve this problem.
2127
01:46:54,033 --> 01:46:56,203
You're not going to get an entirely new way
2128
01:46:56,203 --> 01:46:57,579
of solving this problem
2129
01:46:57,871 --> 01:47:00,666
until you begin to have an open acknowledgement
2130
01:47:01,166 --> 01:47:03,543
that we have cyber weapons as well,
2131
01:47:04,377 --> 01:47:07,422
and that we may have to agree to some limits on their use
2132
01:47:07,965 --> 01:47:10,301
if we're going to get other nations to limit their use.
2133
01:47:10,301 --> 01:47:11,885
It's not gonna be a one-way street.
2134
01:47:12,051 --> 01:47:14,721
I'm old enough to have worked on nuclear arms control
2135
01:47:15,055 --> 01:47:17,557
and biological weapons arms control
2136
01:47:17,557 --> 01:47:19,726
and chemical weapons arms control.
2137
01:47:20,894 --> 01:47:25,399
And I was told in each of those types of arms control,
2138
01:47:25,399 --> 01:47:26,734
when we were beginning,
2139
01:47:27,025 --> 01:47:29,987
"it's too hard. There are all these problems.
2140
01:47:30,237 --> 01:47:32,363
It's technical. There's engineering.
2141
01:47:32,363 --> 01:47:34,033
There's science involved.
2142
01:47:34,033 --> 01:47:36,368
There are real verification difficulties.
2143
01:47:36,368 --> 01:47:37,911
You'll never get there."
2144
01:47:38,328 --> 01:47:40,706
Well, it took 20, 30 years in some cases,
2145
01:47:41,164 --> 01:47:42,916
but we have a biological weapons treaty
2146
01:47:42,916 --> 01:47:44,335
that's pretty damn good.
2147
01:47:44,335 --> 01:47:45,836
We have a chemical weapons treaty
2148
01:47:45,836 --> 01:47:47,253
that's pretty damn good.
2149
01:47:47,421 --> 01:47:49,756
We've got three or four nuclear weapons treaties.
2150
01:47:50,048 --> 01:47:51,634
Yes, it may be hard,
2151
01:47:51,925 --> 01:47:54,011
and it may take 20 or 30 years,
2152
01:47:54,386 --> 01:47:56,971
but it'll never happen unless you get serious about it,
2153
01:47:57,430 --> 01:47:59,432
and it'll never happen unless you start it.
2154
01:48:05,229 --> 01:48:08,192
Today, after two years of negotiations,
2155
01:48:08,609 --> 01:48:11,944
the United States, together with our international partners,
2156
01:48:12,404 --> 01:48:15,783
has achieved something that decades of animosity has not,
2157
01:48:16,449 --> 01:48:18,327
a comprehensive, long-term deal
2158
01:48:18,786 --> 01:48:22,456
with Iran that will prevent it from obtaining a nuclear weapon.
2159
01:48:22,622 --> 01:48:25,125
It was reached in Lausanne, Switzerland,
2160
01:48:25,125 --> 01:48:27,627
by Iran, the U.S., Britain, France,
2161
01:48:27,627 --> 01:48:29,546
Germany, Russia, and China.
2162
01:48:29,546 --> 01:48:32,632
It is a deal in which Iran will cut
2163
01:48:32,632 --> 01:48:36,845
its installed centrifuges by more than two thirds.
2164
01:48:37,054 --> 01:48:40,265
Iran will not enrich uranium with its advanced centrifuges
2165
01:48:40,265 --> 01:48:42,309
for at least the next ten years.
2166
01:48:42,309 --> 01:48:44,936
It will make our country, our allies,
2167
01:48:44,936 --> 01:48:46,563
and our world safer.
2168
01:48:47,480 --> 01:48:51,484
Netanyahu: Seventy years after the murder of 6 million Jews
2169
01:48:51,484 --> 01:48:56,532
Iran's rulers promised to destroy my country,
2170
01:48:56,823 --> 01:49:00,577
and the response from nearly every one of the governments
2171
01:49:00,577 --> 01:49:04,664
represented here has been utter silence.
2172
01:49:05,289 --> 01:49:07,083
Deafening silence.
2173
01:49:14,800 --> 01:49:16,844
Perhaps you can now understand
2174
01:49:17,594 --> 01:49:21,097
why Israel is not joining you in celebrating this deal.
2175
01:49:22,265 --> 01:49:24,685
History shows that America must lead,
2176
01:49:24,685 --> 01:49:27,604
not just with our might, but with our principles.
2177
01:49:28,521 --> 01:49:31,692
It shows we are stronger, not when we are alone,
2178
01:49:31,692 --> 01:49:33,860
but when we bring the world together.
2179
01:49:35,028 --> 01:49:37,322
Today's announcement marks one more chapter
2180
01:49:37,322 --> 01:49:41,577
in this pursuit of a safer and more helpful,
2181
01:49:41,952 --> 01:49:45,288
more hopeful world. Thank you.
2182
01:49:45,831 --> 01:49:49,042
God bless you, and God bless the United States of America.
2183
01:49:53,463 --> 01:49:55,215
NSA source: Everyone I know is basically
2184
01:49:55,215 --> 01:49:56,759
thrilled with the Iran deal.
2185
01:49:57,341 --> 01:49:59,219
Sanctions and diplomacy worked.
2186
01:49:59,552 --> 01:50:01,846
But behind that deal was a lot of confidence
2187
01:50:01,846 --> 01:50:03,431
in our cyber capability.
2188
01:50:04,515 --> 01:50:07,394
We were everywhere inside Iran. Still are.
2189
01:50:08,228 --> 01:50:10,480
I'm not gonna tell you the operational details
2190
01:50:10,480 --> 01:50:13,108
of what we can do going forward or where...
2191
01:50:14,650 --> 01:50:18,738
But the science fiction cyber war scenario is here.
2192
01:50:18,738 --> 01:50:20,239
That's Nitro Zeus.
2193
01:50:21,658 --> 01:50:24,328
But my concern and the reason I'm talking...
2194
01:50:25,828 --> 01:50:28,748
Is because when you shut down a country's power grid...
2195
01:50:30,082 --> 01:50:33,045
It doesn't just pop back up, you know?
2196
01:50:33,045 --> 01:50:34,837
It's more like Humpty-Dumpty...
2197
01:50:36,215 --> 01:50:40,092
And if all the king's men can't turn the lights back on
2198
01:50:40,092 --> 01:50:41,970
or filter the water for weeks,
2199
01:50:42,179 --> 01:50:44,055
then lots of people die.
2200
01:50:46,350 --> 01:50:48,268
And something we can do to others,
2201
01:50:48,601 --> 01:50:50,103
they can do to us too.
2202
01:50:51,521 --> 01:50:54,190
Is that something that we should keep quiet?
2203
01:50:55,359 --> 01:50:57,027
Or should we talk about it?
2204
01:50:57,944 --> 01:50:59,863
Gibney: I've gone to many people in this film,
2205
01:50:59,863 --> 01:51:01,657
even friends of mine, who won't talk to me
2206
01:51:01,657 --> 01:51:03,783
about the NSA or Stuxnet even off the record
2207
01:51:03,783 --> 01:51:05,077
for fear of going to jail.
2208
01:51:05,452 --> 01:51:07,246
Is that fear protecting us?
2209
01:51:08,454 --> 01:51:11,041
No, but it protects me.
2210
01:51:11,792 --> 01:51:13,210
Or should I say we?
2211
01:51:14,545 --> 01:51:16,296
I'm an actor playing a role
2212
01:51:16,296 --> 01:51:18,422
written from the testimony of a small number of people
2213
01:51:18,422 --> 01:51:19,966
from NSA and CIA,
2214
01:51:20,300 --> 01:51:22,636
all of whom are angry about the secrecy
2215
01:51:22,636 --> 01:51:24,387
but too scared to come forward.
2216
01:51:24,720 --> 01:51:26,139
Now, we're forward.
2217
01:51:27,431 --> 01:51:30,226
Well, forward-leaning.