1
00:00:47,112 --> 00:00:49,213
Through the darkness
2
00:00:49,215 --> 00:00:53,450
of the pathways
that we marched,
3
00:00:54,519 --> 00:00:57,554
evil and good lived side by side.
4
00:00:57,556 --> 00:01:00,624
And this is the nature of life.
5
00:01:16,741 --> 00:01:19,042
We are in an unbalanced
6
00:01:19,044 --> 00:01:23,247
and inequivalent confrontation
between democracies
7
00:01:23,249 --> 00:01:25,616
who are obliged to
play by the rules
8
00:01:26,251 --> 00:01:29,686
and entities who think
democracy is a joke.
9
00:01:31,790 --> 00:01:34,158
You can't convince fanatics
10
00:01:34,160 --> 00:01:38,762
by saying, hey,
hatred paralyzes you,
11
00:01:38,764 --> 00:01:40,364
love releases you.
12
00:01:41,466 --> 00:01:45,736
There are different rules
that we have to play by.
13
00:02:01,319 --> 00:02:03,987
Today, two of Iran's
top nuclear scientists
14
00:02:03,989 --> 00:02:05,956
were targeted by hit squads.
15
00:02:05,958 --> 00:02:07,991
In the capital Tehran.
16
00:02:07,993 --> 00:02:09,626
The latest in a string of attacks.
17
00:02:09,628 --> 00:02:11,862
Today's attack has
all the hallmarks
18
00:02:11,864 --> 00:02:14,031
of major strategic sabotage.
19
00:02:14,033 --> 00:02:15,132
Iran immediately accused
20
00:02:15,134 --> 00:02:16,366
the U.S. and Israel
21
00:02:16,368 --> 00:02:18,235
of trying to damage
its nuclear program.
22
00:02:19,900 --> 00:02:21,089
Unfortunately,
and without any doubt,
23
00:02:21,340 --> 00:02:23,800
in the assassinations
which took place today
24
00:02:24,134 --> 00:02:27,974
Western countries and the
Zionist regime were involved.
25
00:02:28,280 --> 00:02:34,017
I want to categorically deny
any United States involvement
26
00:02:34,019 --> 00:02:38,956
in any kind of act of
violence inside Iran.
27
00:02:38,958 --> 00:02:42,125
Covert actions can help,
28
00:02:42,127 --> 00:02:44,127
can assist.
29
00:02:45,396 --> 00:02:48,298
They are needed, they are
not all the time essential,
30
00:02:48,533 --> 00:02:52,970
and they, in no way,
can replace political wisdom.
31
00:02:53,338 --> 00:02:55,572
Were the assassinations in Iran
32
00:02:55,574 --> 00:02:57,975
related to the STUXnet
computer attacks?
33
00:02:59,143 --> 00:03:00,978
Uh, next question, please.
34
00:03:02,580 --> 00:03:04,147
Iran's infrastructure
35
00:03:04,149 --> 00:03:05,249
is being targeted
36
00:03:05,251 --> 00:03:08,418
by a new and dangerously
powerful cyber worm.
37
00:03:08,420 --> 00:03:11,054
The so-called STUXnet
worm is specifically designed,
38
00:03:11,056 --> 00:03:13,390
it seems,
to infiltrate and sabotage
39
00:03:13,392 --> 00:03:16,526
real-world power plants
and factories and refineries.
40
00:03:16,528 --> 00:03:17,928
It's not trying to steal information
41
00:03:17,930 --> 00:03:19,096
or grab your credit card,
42
00:03:19,098 --> 00:03:21,899
they're trying to get into
some sort of industrial plant
43
00:03:21,901 --> 00:03:24,285
and wreak havoc trying
to blow up an engine or...
44
00:03:24,285 --> 00:03:25,576
The Stuxnet virus has
made attacks worldwide.
45
00:03:26,988 --> 00:03:31,785
In Iran alone it was
identified 30 thousand times.
46
00:03:32,536 --> 00:03:37,536
A super computer virus has put on
alert several countries' secret services.
47
00:03:37,791 --> 00:03:40,751
The information could be
in the reach of terrorists.
48
00:03:40,752 --> 00:03:41,852
No one knows
49
00:03:41,854 --> 00:03:43,020
who's behind the worm
50
00:03:43,022 --> 00:03:44,688
and the exact
nature of its mission,
51
00:03:44,690 --> 00:03:47,557
but there are fears
Iran will hold Israel
52
00:03:47,559 --> 00:03:50,928
or America responsible
and seek retaliation.
53
00:03:50,930 --> 00:03:52,029
It's not impossible that
54
00:03:52,031 --> 00:03:53,363
some group of hackers did it,
55
00:03:53,365 --> 00:03:55,432
but the security experts
that are studying this
56
00:03:55,434 --> 00:03:58,201
really think this required the
resource of a nation-state.
57
00:04:04,142 --> 00:04:06,076
Okay, and spinning.
58
00:04:06,078 --> 00:04:07,544
Okay, good. Here we go.
59
00:04:08,780 --> 00:04:12,082
What impact, ultimately,
did the STUXnet attack have?
60
00:04:12,084 --> 00:04:13,350
Can you say?
61
00:04:14,152 --> 00:04:16,320
I don't want to get
into the details.
62
00:04:16,554 --> 00:04:19,056
Since the event has
already happened,
63
00:04:19,058 --> 00:04:22,759
why can't we talk more openly
and publicly about STUXnet?
64
00:04:22,761 --> 00:04:25,662
Yeah, I mean, my answer
is because it's classified.
65
00:04:26,130 --> 00:04:29,232
I won't knowledge...
you know, knowingly
66
00:04:29,234 --> 00:04:31,335
offer up anything I
consider classified.
67
00:04:31,337 --> 00:04:33,570
I know that you can't
talk much about STUXnet,
68
00:04:33,572 --> 00:04:36,974
because STUXnet is
officially classified.
69
00:04:36,976 --> 00:04:38,342
You're right on both those counts.
70
00:04:38,810 --> 00:04:40,143
But there has been
71
00:04:40,145 --> 00:04:42,245
a lot reported
about it in the press.
72
00:04:42,247 --> 00:04:44,481
I don't want to comment on this.
73
00:04:44,483 --> 00:04:48,752
I read it in the newspaper,
the media, like you,
74
00:04:48,754 --> 00:04:51,755
but I'm unable to
elaborate upon it.
75
00:04:51,990 --> 00:04:54,157
People might find it frustrating
76
00:04:54,159 --> 00:04:56,693
not to be able to talk about it
when it's in the public domain,
77
00:04:56,695 --> 00:04:58,095
but...
78
00:04:58,097 --> 00:04:59,596
I find it frustrating.
79
00:04:59,598 --> 00:05:01,098
Yeah, I'm sure you do.
80
00:05:01,100 --> 00:05:02,666
I don't answer that question.
81
00:05:02,668 --> 00:05:04,034
Unfortunately, I can't comment.
82
00:05:04,036 --> 00:05:05,669
I do not know how
to answer that.
83
00:05:05,671 --> 00:05:07,838
Two answers before you
even get started, I don't know,
84
00:05:07,840 --> 00:05:10,640
and if I did, we wouldn't
talk about it anyway.
85
00:05:10,642 --> 00:05:12,476
How can you have a
debate if everything's secret?
86
00:05:12,478 --> 00:05:14,511
I think right now that's
just where we are.
87
00:05:14,812 --> 00:05:16,279
No one wants to...
88
00:05:16,281 --> 00:05:18,682
Countries aren't
happy about confessing
89
00:05:18,684 --> 00:05:21,485
or owning up to what they did
because they're not quite sure
90
00:05:21,487 --> 00:05:23,353
where they want
the system to go.
91
00:05:23,988 --> 00:05:25,956
And so whoever
was behind STUXnet
92
00:05:25,958 --> 00:05:27,457
hasn't admitted
they were behind it.
93
00:05:31,295 --> 00:05:33,163
Asking officials about STUXnet
94
00:05:33,165 --> 00:05:34,698
was frustrating and surreal,
95
00:05:34,999 --> 00:05:37,534
like asking the emperor
about his new clothes.
96
00:05:38,236 --> 00:05:41,338
Even after the cyber weapon
had penetrated computers
97
00:05:41,340 --> 00:05:42,739
all over the world,
98
00:05:43,007 --> 00:05:45,308
no one was willing
to admit it was loose
99
00:05:45,310 --> 00:05:47,711
or talk about the
dangers it posed.
100
00:05:48,579 --> 00:05:50,847
What was it about
the STUXnet operation
101
00:05:50,849 --> 00:05:52,649
that was hiding in plain sight?
102
00:05:54,085 --> 00:05:55,852
Maybe there was a
way the computer code
103
00:05:55,854 --> 00:05:57,487
could speak for itself.
104
00:05:58,256 --> 00:06:00,624
STUXnet first surfaced in Belarus.
105
00:06:01,192 --> 00:06:03,560
I started with a call to
the man who discovered it
106
00:06:03,562 --> 00:06:06,563
when his clients in
Iran began to panic
107
00:06:06,565 --> 00:06:09,232
over an epidemic of
computer shutdowns.
108
00:06:10,034 --> 00:06:13,270
Had you ever seen anything
quite so sophisticated before?
109
00:06:13,864 --> 00:06:17,624
I have seen very
sophisticated viruses before,
110
00:06:17,868 --> 00:06:21,748
but they didn't have...
111
00:06:24,208 --> 00:06:25,578
this kind of...
112
00:06:27,169 --> 00:06:27,919
zero day.
113
00:06:29,254 --> 00:06:32,724
It was the first
time in my practice.
114
00:06:33,550 --> 00:06:36,640
That led me to understand
115
00:06:38,013 --> 00:06:44,983
that I should notify web
security companies ASAP
116
00:06:46,730 --> 00:06:51,230
about the fact that
such a danger exists.
117
00:07:36,687 --> 00:07:38,522
On a daily basis, basically
118
00:07:38,524 --> 00:07:40,590
we are sifting through
119
00:07:40,592 --> 00:07:44,094
a massive haystack looking
for that proverbial needle.
120
00:07:44,962 --> 00:07:47,931
We get millions of pieces
of new malicious threats
121
00:07:47,933 --> 00:07:49,799
and there are millions
of attacks going on
122
00:07:49,801 --> 00:07:51,001
every single day.
123
00:07:51,169 --> 00:07:53,603
And not only are we
trying to protect people
124
00:07:53,605 --> 00:07:55,205
and their computers
and their systems
125
00:07:55,207 --> 00:07:57,874
and countries' infrastructure
126
00:07:57,876 --> 00:07:59,976
from being taken
down by those attacks.
127
00:07:59,978 --> 00:08:03,313
But more importantly, we have
to find the attacks that matter.
128
00:08:03,315 --> 00:08:05,048
When you're talking
about that many,
129
00:08:05,349 --> 00:08:07,617
impact is extremely important.
130
00:08:19,997 --> 00:08:21,698
Twenty years ago,
the antivirus companies,
131
00:08:21,700 --> 00:08:23,400
they were hunting
for computer viruses
132
00:08:23,402 --> 00:08:24,668
because there were not so many.
133
00:08:24,670 --> 00:08:27,971
So we had, like,
tens of dozens a month,
134
00:08:28,172 --> 00:08:30,740
and there was just little numbers.
135
00:08:30,742 --> 00:08:34,945
Now, we collect millions of
unique attacks every month.
136
00:08:36,314 --> 00:08:38,748
This room we call a
woodpecker's room
137
00:08:38,750 --> 00:08:40,083
or a virus lab,
138
00:08:40,318 --> 00:08:42,252
and this is where
virus analysts sit.
139
00:08:42,254 --> 00:08:44,221
We call them woodpeckers
because they are
140
00:08:44,223 --> 00:08:46,723
pecking the worms,
network worms, and viruses.
141
00:08:47,592 --> 00:08:50,827
And we see, like, three
different groups of hackers
142
00:08:50,829 --> 00:08:52,395
behind cyber-attacks.
143
00:08:53,164 --> 00:08:54,931
They are traditional
cyber criminals.
144
00:08:55,099 --> 00:08:58,935
Those guys are interested
only in illegal profit.
145
00:08:58,937 --> 00:09:00,337
And quick and dirty money.
146
00:09:00,339 --> 00:09:02,505
Activists, or hacktivists,
147
00:09:02,507 --> 00:09:04,874
they are hacking for
fun or hacking to push
148
00:09:04,876 --> 00:09:06,142
some political message.
149
00:09:06,377 --> 00:09:08,745
And the third group
is nation-states.
150
00:09:08,946 --> 00:09:11,848
They're interested in
high-quality intelligence
151
00:09:11,850 --> 00:09:13,283
or sabotage activity.
152
00:09:14,552 --> 00:09:17,053
Security companies not
only share information
153
00:09:17,055 --> 00:09:18,788
but we also share
binary samples.
154
00:09:18,790 --> 00:09:20,390
So when this threat was found
155
00:09:20,392 --> 00:09:22,225
by a Belarusian
security company
156
00:09:22,227 --> 00:09:24,561
on one of their
customer's machines in Iran,
157
00:09:24,563 --> 00:09:27,163
the sample was shared
amongst the security community.
158
00:09:28,065 --> 00:09:29,633
When we try to name
threats, we just try to pick
159
00:09:29,635 --> 00:09:31,701
some sort of string,
some sort of words,
160
00:09:31,703 --> 00:09:34,271
that are inside of the binary.
161
00:09:35,439 --> 00:09:37,807
In this case, there was a
couple of words in there
162
00:09:37,809 --> 00:09:40,777
and we took pieces of each,
and that formed STUXnet.
163
00:09:43,247 --> 00:09:46,449
I got the news about STUXnet
from one of my engineers.
164
00:09:46,451 --> 00:09:49,152
He came to my office,
opened the door,
165
00:09:49,720 --> 00:09:52,722
and he said, so, Eugene,
of course you know that
166
00:09:52,724 --> 00:09:55,325
we are waiting for
something really bad.
167
00:09:55,626 --> 00:09:56,793
It happened.
168
00:10:03,501 --> 00:10:05,669
Give me some sense
of what it was like
169
00:10:05,671 --> 00:10:07,070
in the lab at that time.
170
00:10:07,072 --> 00:10:08,672
Was there a palpable
sense of amazement
171
00:10:08,674 --> 00:10:10,674
that you had something
really different there?
172
00:10:10,975 --> 00:10:12,976
Well, I wouldn't
call it amazement.
173
00:10:12,978 --> 00:10:15,045
It was a kind of a shock.
174
00:10:15,446 --> 00:10:18,581
It went beyond our worst
fears, our worst nightmares,
175
00:10:18,949 --> 00:10:21,951
and this continued
the more we analyzed.
176
00:10:21,953 --> 00:10:23,920
The more we researched,
177
00:10:23,922 --> 00:10:26,923
the more bizarre
the whole story got.
178
00:10:27,258 --> 00:10:28,925
We look at so much
malware every day that
179
00:10:28,927 --> 00:10:30,860
we can just look at the code
and straightaway we can say,
180
00:10:30,862 --> 00:10:32,462
okay, there's something
bad going on here,
181
00:10:32,464 --> 00:10:33,930
and I need to investigate that.
182
00:10:33,932 --> 00:10:34,998
And that's the way it was
183
00:10:35,199 --> 00:10:37,133
when we looked at
STUXnet for the first time.
184
00:10:37,135 --> 00:10:39,636
We opened it up and there was
just bad things everywhere.
185
00:10:39,638 --> 00:10:42,105
Just like, okay,
this is bad and that's bad,
186
00:10:42,107 --> 00:10:43,640
and, you know,
we need to investigate this.
187
00:10:43,642 --> 00:10:45,108
And just suddenly we had, like,
188
00:10:45,110 --> 00:10:46,576
a hundred questions
straightaway.
189
00:10:48,612 --> 00:10:51,047
The most interesting thing
that we do is detective work
190
00:10:51,049 --> 00:10:53,717
where we try to track
down who's behind a threat,
191
00:10:53,719 --> 00:10:55,285
what are they doing,
what's their motivation,
192
00:10:55,287 --> 00:10:57,020
and try to really
stop it at the root.
193
00:10:57,022 --> 00:10:59,389
And it is kind of all-consuming.
194
00:10:59,391 --> 00:11:01,024
You get this new puzzle
195
00:11:01,026 --> 00:11:02,726
and it's very
difficult to put it down,
196
00:11:02,728 --> 00:11:05,161
you know, work until, like,
4:00 a.m. in the morning
197
00:11:05,163 --> 00:11:06,363
and figure these things out.
198
00:11:06,365 --> 00:11:09,165
And I was in that zone where
I was very consumed by this,
199
00:11:09,167 --> 00:11:11,301
very excited about it,
very interested to know
200
00:11:11,303 --> 00:11:12,569
what was happening.
201
00:11:12,571 --> 00:11:15,705
And Eric was also in
that same sort of zone.
202
00:11:15,707 --> 00:11:18,408
So the two of us were, like,
back and forth all the time.
203
00:11:18,410 --> 00:11:21,144
Liam and I continued
to grind at the code,
204
00:11:21,146 --> 00:11:23,246
sharing pieces, comparing notes,
205
00:11:23,248 --> 00:11:25,081
bouncing ideas off of each other.
206
00:11:25,516 --> 00:11:26,983
We realized that we needed to do
207
00:11:26,985 --> 00:11:30,053
what we called deep analysis,
pick apart the threat,
208
00:11:30,055 --> 00:11:32,889
every single byte,
every single zero, one,
209
00:11:32,891 --> 00:11:34,991
and understand everything
that was inside of it.
210
00:11:35,526 --> 00:11:37,327
And just to give
you some context,
211
00:11:37,329 --> 00:11:39,362
we can go through and
understand every line of code
212
00:11:39,364 --> 00:11:41,164
for the average threat in minutes.
213
00:11:41,766 --> 00:11:43,566
And here we are one
month into this threat
214
00:11:43,568 --> 00:11:45,502
and we were just starting
to discover what we call
215
00:11:45,504 --> 00:11:47,404
the payload or its whole purpose.
216
00:11:49,740 --> 00:11:51,274
When looking at
the STUXnet code,
217
00:11:51,276 --> 00:11:53,843
it's 20 times the size of
the average piece of code
218
00:11:54,345 --> 00:11:56,579
but contains almost
no bugs inside of it.
219
00:11:56,581 --> 00:11:58,448
And that's extremely rare.
220
00:11:58,450 --> 00:12:00,350
Malicious code always
has bugs inside of it.
221
00:12:00,352 --> 00:12:02,118
This wasn't the
case with STUXnet.
222
00:12:02,120 --> 00:12:04,954
It's dense and every piece
of code does something
223
00:12:04,956 --> 00:12:07,791
and does something right in
order to conduct its attack.
224
00:12:09,026 --> 00:12:11,094
One of the things
that surprised us
225
00:12:11,096 --> 00:12:13,463
was that STUXnet
utilized what's called
226
00:12:13,465 --> 00:12:16,032
a zero-day exploit, or basically,
227
00:12:16,034 --> 00:12:18,368
a piece of code that
allows it to spread
228
00:12:18,370 --> 00:12:20,203
without you having
to do anything.
229
00:12:20,205 --> 00:12:22,939
You don't have to, for example,
download a file and run it.
230
00:12:22,941 --> 00:12:25,141
A zero-day exploit
is an exploit that
231
00:12:25,143 --> 00:12:26,810
nobody knows about
except the attacker.
232
00:12:26,812 --> 00:12:28,378
So there's no
protection against it.
233
00:12:28,380 --> 00:12:29,813
There's been no patch released.
234
00:12:29,815 --> 00:12:32,115
There's been zero
days protection,
235
00:12:32,117 --> 00:12:33,716
you know, against it.
236
00:12:34,585 --> 00:12:35,985
That's what attackers value,
237
00:12:35,987 --> 00:12:37,787
because they know 100 percent
238
00:12:37,789 --> 00:12:40,123
if they have this zero-day exploit,
239
00:12:40,125 --> 00:12:41,825
they can get in
wherever they want.
240
00:12:41,827 --> 00:12:43,326
They're actually very valuable.
241
00:12:43,328 --> 00:12:44,727
You can sell these
on the underground
242
00:12:44,729 --> 00:12:46,249
for hundreds of
thousands of dollars.
243
00:12:47,598 --> 00:12:48,665
Then we became more worried
244
00:12:48,667 --> 00:12:50,733
because immediately we
discovered more zero days.
245
00:12:50,735 --> 00:12:53,470
And again, these zero
days are extremely rare.
246
00:12:53,472 --> 00:12:55,772
Inside STUXnet we had,
you know, four zero days,
247
00:12:55,774 --> 00:12:57,507
and for the entire
rest of the year,
248
00:12:57,509 --> 00:13:00,076
we only saw 12 zero days used.
249
00:13:00,078 --> 00:13:01,744
It blows all... everything
else out of the water.
250
00:13:01,746 --> 00:13:02,979
We've never seen this before.
251
00:13:02,981 --> 00:13:04,741
Actually, we've never
seen it since, either.
252
00:13:04,815 --> 00:13:07,417
Seeing one in a malware
you could understand
253
00:13:07,419 --> 00:13:10,320
because, you know, the malware
authors are making money,
254
00:13:10,322 --> 00:13:11,921
they're stealing people's
credit cards and making money,
255
00:13:11,923 --> 00:13:13,089
so it's worth their while to use it,
256
00:13:13,091 --> 00:13:15,458
but seeing four zero
days, could be worth
257
00:13:15,460 --> 00:13:16,659
half a million dollars right there,
258
00:13:16,661 --> 00:13:18,428
used in one piece of malware,
259
00:13:18,696 --> 00:13:21,097
this is not your ordinary
criminal gangs doing this.
260
00:13:21,099 --> 00:13:22,699
This is someone bigger.
261
00:13:22,701 --> 00:13:24,601
It's definitely not
traditional crime,
262
00:13:24,603 --> 00:13:28,104
not hacktivists. Who else?
263
00:13:28,973 --> 00:13:31,207
It was evident on
a very early stage
264
00:13:31,709 --> 00:13:33,943
that just given the sophistication
265
00:13:33,945 --> 00:13:35,445
of this malware...
266
00:13:36,680 --> 00:13:39,482
Suggested that
there must have been
267
00:13:39,484 --> 00:13:40,950
a nation-state involved,
268
00:13:40,952 --> 00:13:44,187
at least one nation-state
involved in the development.
269
00:13:44,189 --> 00:13:46,222
When we look at code
that's coming from
270
00:13:46,224 --> 00:13:47,790
what appears to
be a state attacker
271
00:13:47,792 --> 00:13:50,393
or state-sponsored attacker,
usually they're scrubbed clean.
272
00:13:50,395 --> 00:13:52,829
They don't leave
little bits behind.
273
00:13:52,831 --> 00:13:54,564
They don't leave
little hints behind.
274
00:13:54,832 --> 00:13:56,499
But in STUXnet
there were actually
275
00:13:56,501 --> 00:13:57,867
a few hints left behind.
276
00:13:59,136 --> 00:14:02,405
One was that, in order
to get low-level access
277
00:14:02,407 --> 00:14:03,873
to Microsoft Windows,
278
00:14:04,074 --> 00:14:05,874
STUXnet needed to
use a digital certificate,
279
00:14:06,176 --> 00:14:08,578
which certifies that
this piece of code
280
00:14:08,580 --> 00:14:11,447
came from a particular company.
281
00:14:12,349 --> 00:14:14,417
Now, those attackers
obviously couldn't go to Microsoft
282
00:14:14,419 --> 00:14:15,885
and say, hey,
test our code out for us.
283
00:14:15,887 --> 00:14:17,487
And give us a digital certificate.
284
00:14:18,188 --> 00:14:19,789
So they essentially stole them...
285
00:14:21,025 --> 00:14:23,092
From two companies in Taiwan.
286
00:14:23,094 --> 00:14:24,994
And these two companies have
nothing to do with each other
287
00:14:24,996 --> 00:14:26,663
except for their close proximity
288
00:14:26,665 --> 00:14:28,464
in the exact same business park.
289
00:14:31,035 --> 00:14:34,871
Digital certificates are
guarded very, very closely
290
00:14:34,873 --> 00:14:36,406
behind multiple doors
291
00:14:36,408 --> 00:14:38,841
and they require
multiple people to unlock.
292
00:14:38,843 --> 00:14:40,510
To the camera.
293
00:14:40,512 --> 00:14:42,211
And they need to
provide both biometrics
294
00:14:42,213 --> 00:14:44,614
and, as well, pass phrases.
295
00:14:44,616 --> 00:14:46,082
It wasn't like those
certificates were
296
00:14:46,084 --> 00:14:47,784
just sitting on some machine
connected to the Internet.
297
00:14:48,018 --> 00:14:50,820
Some human assets
had to be involved, spies.
298
00:14:51,055 --> 00:14:52,889
Like a cleaner who
comes in at night
299
00:14:52,891 --> 00:14:54,624
and has stolen these certificates
300
00:14:54,626 --> 00:14:55,858
from these companies.
301
00:14:59,263 --> 00:15:01,364
It did feel like
walking onto the set
302
00:15:01,366 --> 00:15:03,866
of this James Bond
movie and you...
303
00:15:03,868 --> 00:15:05,435
You've been embroiled
in this thing that,
304
00:15:05,437 --> 00:15:08,037
you know, you...
you never expected.
305
00:15:10,708 --> 00:15:11,808
We continued to search,
306
00:15:11,810 --> 00:15:13,309
and we continued
to search in code,
307
00:15:13,311 --> 00:15:16,145
and eventually we found
some other bread crumbs left
308
00:15:16,147 --> 00:15:17,547
we were able to follow.
309
00:15:18,248 --> 00:15:19,882
It was doing
something with Siemens,
310
00:15:20,150 --> 00:15:22,952
Siemens software,
possibly Siemens hardware.
311
00:15:23,253 --> 00:15:24,954
We'd never ever seen that
in any malware before,
312
00:15:24,956 --> 00:15:26,289
something targeting Siemens.
313
00:15:26,291 --> 00:15:28,251
We didn't even know why
they would be doing that.
314
00:15:29,827 --> 00:15:32,562
But after googling,
very quickly we understood
315
00:15:32,564 --> 00:15:34,998
it was targeting Siemens PLCs.
316
00:15:35,466 --> 00:15:38,401
STUXnet was targeting a
very specific hardware device,
317
00:15:38,403 --> 00:15:41,804
something called a PLC or a
programmable logic controller.
318
00:15:42,239 --> 00:15:45,141
The PLC is kind of a
very small computer
319
00:15:45,442 --> 00:15:48,177
attached to physical equipment,
320
00:15:48,179 --> 00:15:50,813
like pumps,
like valves, like motors.
321
00:15:51,615 --> 00:15:56,185
So this little box is
running a digital program
322
00:15:56,187 --> 00:15:58,488
and the actions of this program
323
00:15:58,490 --> 00:16:02,592
turns that motor on, off,
or sets a specific speed.
324
00:16:02,594 --> 00:16:04,327
Those program
module controllers
325
00:16:04,329 --> 00:16:06,863
control things like
power plants, power grids.
326
00:16:06,865 --> 00:16:08,598
This is used in factories,
327
00:16:08,600 --> 00:16:11,067
it's used in critical infrastructure.
328
00:16:11,769 --> 00:16:14,804
Critical infrastructure,
it's everywhere around us,
329
00:16:14,806 --> 00:16:17,373
transportation,
telecommunications,
330
00:16:17,375 --> 00:16:19,676
financial services, health care.
331
00:16:20,210 --> 00:16:23,112
So the payload of
STUXnet was designed
332
00:16:23,114 --> 00:16:26,282
to attack some
very important part
333
00:16:26,284 --> 00:16:27,717
of our world.
334
00:16:27,985 --> 00:16:29,519
The payload is
gonna be important.
335
00:16:29,521 --> 00:16:32,288
What happens there
could be very dangerous.
336
00:16:34,492 --> 00:16:37,460
The next very big surprise came
337
00:16:37,462 --> 00:16:39,762
when it infected our lab system.
338
00:16:40,497 --> 00:16:43,499
We figured out that the
malware was probing
339
00:16:43,501 --> 00:16:44,867
for controllers.
340
00:16:45,235 --> 00:16:47,303
It was quite picky on its targets.
341
00:16:47,305 --> 00:16:51,641
It didn't try to manipulate any
given controller in a network
342
00:16:51,643 --> 00:16:52,975
that it would see.
343
00:16:53,210 --> 00:16:57,413
It went through several checks,
and when those checks failed,
344
00:16:57,415 --> 00:16:59,649
it would not
implement the attack.
345
00:17:02,386 --> 00:17:06,255
It was obviously probing
for a specific target.
346
00:17:07,591 --> 00:17:09,759
You've got to put
this in context that,
347
00:17:09,761 --> 00:17:11,561
at the time, we already knew,
348
00:17:11,563 --> 00:17:13,930
well, this is the most
sophisticated piece of malware
349
00:17:13,932 --> 00:17:15,498
that we have ever seen.
350
00:17:16,266 --> 00:17:18,234
So it's kind of strange.
351
00:17:18,236 --> 00:17:23,239
Somebody takes that huge
effort to hit one specific target?
352
00:17:23,507 --> 00:17:25,441
Well, that must be
quite a significant target.
353
00:17:29,046 --> 00:17:31,447
So at Symantec we
have probes on networks
354
00:17:31,449 --> 00:17:32,615
all over the world
355
00:17:32,617 --> 00:17:35,017
watching for malicious activity.
356
00:17:35,419 --> 00:17:37,420
We'd actually seen
infections of STUXnet
357
00:17:37,422 --> 00:17:39,956
all over the world,
in the U.S., Australia,
358
00:17:39,958 --> 00:17:42,592
in the U.K., in France,
Germany, all over Europe.
359
00:17:43,093 --> 00:17:45,493
It spread to any Windows
machine in the entire world.
360
00:17:45,863 --> 00:17:48,097
You know, we had
these organizations
361
00:17:48,099 --> 00:17:50,399
inside the United States
who were in charge of
362
00:17:50,401 --> 00:17:52,101
industrial control
facilities saying,
363
00:17:52,103 --> 00:17:54,103
we're infected.
What's gonna happen?
364
00:17:54,471 --> 00:17:57,140
We didn't know if there
was a deadline coming up
365
00:17:57,142 --> 00:17:58,708
where this threat would trigger
366
00:17:58,710 --> 00:18:01,043
and suddenly would,
like, turn off all, you know,
367
00:18:01,045 --> 00:18:02,612
electricity plants
around the world
368
00:18:02,614 --> 00:18:04,380
or it would start
shutting things down
369
00:18:04,382 --> 00:18:05,715
or launching some attack.
370
00:18:06,550 --> 00:18:09,585
We knew that STUXnet could
have very dire consequences,
371
00:18:09,587 --> 00:18:12,255
and we were very worried about
372
00:18:12,257 --> 00:18:13,723
what the payload contained
373
00:18:13,725 --> 00:18:15,958
and there was an
imperative speed
374
00:18:15,960 --> 00:18:18,060
that we had to race
and try and, you know,
375
00:18:18,062 --> 00:18:19,462
beat this ticking bomb.
376
00:18:20,597 --> 00:18:23,132
Eventually, we were able to
refine the statistics a little
377
00:18:23,134 --> 00:18:24,634
and we saw that Iran
was the number one
378
00:18:24,636 --> 00:18:26,235
infected country in the world.
379
00:18:26,237 --> 00:18:28,805
That immediately
raised our eyebrows.
380
00:18:28,807 --> 00:18:31,073
We had never
seen a threat before
381
00:18:31,075 --> 00:18:33,209
where it was
predominantly in Iran.
382
00:18:34,144 --> 00:18:35,745
And so we began to
follow what was going on
383
00:18:35,747 --> 00:18:36,979
in the geopolitical world,
384
00:18:37,147 --> 00:18:38,747
what was happening
in the general news.
385
00:18:38,916 --> 00:18:42,151
And at that time, there were
actually multiple explosions
386
00:18:42,153 --> 00:18:45,054
of gas pipelines going
in and out of Iran.
387
00:18:46,023 --> 00:18:47,423
Unexplained explosions.
388
00:18:48,959 --> 00:18:51,093
And of course, we did
notice that at the time
389
00:18:51,095 --> 00:18:53,729
there had been assassinations
of nuclear scientists.
390
00:18:54,932 --> 00:18:56,365
So that was worrying.
391
00:18:57,167 --> 00:18:59,368
We knew there was
something bad happening.
392
00:18:59,837 --> 00:19:01,671
Did you get
concerned for yourself?
393
00:19:01,673 --> 00:19:03,606
I mean, did you begin to start
looking over your shoulder
394
00:19:03,608 --> 00:19:04,841
from time to time?
395
00:19:04,843 --> 00:19:06,442
Yeah, definitely looking
over my shoulder
396
00:19:06,444 --> 00:19:09,011
and being careful about
what I spoke about on the phone.
397
00:19:10,013 --> 00:19:13,216
I was... pretty confident
my conversations on my...
398
00:19:13,218 --> 00:19:14,684
On the phone were
being listened to.
399
00:19:15,018 --> 00:19:16,986
We were only half joking
400
00:19:16,988 --> 00:19:19,021
when we would
look at each other
401
00:19:19,023 --> 00:19:20,790
and tell each other things like,
402
00:19:20,792 --> 00:19:23,025
look, I'm not suicidal.
403
00:19:23,360 --> 00:19:26,863
If I show up dead on Monday,
you know, it wasn't me.
404
00:19:35,639 --> 00:19:38,074
We'd been publishing
information about STUXnet
405
00:19:38,076 --> 00:19:39,475
all through that summer.
406
00:19:40,844 --> 00:19:43,479
And then in November,
the industrial control system
407
00:19:43,481 --> 00:19:46,616
sort of expert in
Holland contacted us...
408
00:19:47,885 --> 00:19:50,486
And he said all of these
devices that would be inside of
409
00:19:50,488 --> 00:19:53,556
an industrial control system
hold a unique identifier number
410
00:19:53,558 --> 00:19:56,759
that identified the make
and model of that device.
411
00:19:58,528 --> 00:20:02,198
And we actually had a couple
of these numbers in the code
412
00:20:02,200 --> 00:20:03,640
that we didn't know
what they were.
413
00:20:04,601 --> 00:20:06,502
And so we realized maybe
what he was referring to
414
00:20:06,504 --> 00:20:07,970
was the magic numbers we had.
415
00:20:08,505 --> 00:20:10,039
And then when we searched
for those magic numbers
416
00:20:10,041 --> 00:20:11,207
in that context,
417
00:20:11,209 --> 00:20:13,609
we saw that what
had to be connected
418
00:20:13,611 --> 00:20:15,778
to this industrial control
system that was being targeted
419
00:20:15,780 --> 00:20:17,747
were something called
frequency converters
420
00:20:18,081 --> 00:20:20,249
from two specific manufacturers,
421
00:20:20,251 --> 00:20:22,018
one of which was in Iran.
422
00:20:22,619 --> 00:20:24,387
And so at this time,
we absolutely knew
423
00:20:24,389 --> 00:20:26,722
that the facility that
was being targeted
424
00:20:26,724 --> 00:20:28,190
had to be in Iran
425
00:20:28,525 --> 00:20:31,360
and had equipment made
from Iranian manufacturers.
426
00:20:32,296 --> 00:20:34,063
When we looked up those
frequency converters,
427
00:20:34,065 --> 00:20:35,865
we immediately found
out that they were actually
428
00:20:35,867 --> 00:20:38,267
export controlled by the
Nuclear Regulatory Commission.
429
00:20:38,869 --> 00:20:40,202
And that immediately
led us then
430
00:20:40,204 --> 00:20:42,471
to some nuclear facility.
431
00:21:00,090 --> 00:21:02,224
This was more than
a computer story,
432
00:21:02,592 --> 00:21:05,027
so I left the world of
the antivirus detectives
433
00:21:05,329 --> 00:21:07,263
and sought out
journalist, David Sanger,
434
00:21:07,265 --> 00:21:09,498
who specialized in the
strange intersection
435
00:21:09,500 --> 00:21:12,501
of cyber, nuclear
weapons, and espionage.
436
00:21:13,470 --> 00:21:15,571
The emergence of the code
437
00:21:15,573 --> 00:21:18,874
is what put me on alert that
an attack was under way.
438
00:21:20,310 --> 00:21:23,479
And because of the covert
nature of the operation,
439
00:21:23,481 --> 00:21:26,482
not only were official
government spokesmen
440
00:21:26,484 --> 00:21:29,385
unable to talk about it,
they didn't even know about it.
441
00:21:30,587 --> 00:21:32,655
Eventually, the more I dug into it,
442
00:21:32,657 --> 00:21:37,259
the more I began
to find individuals
443
00:21:37,494 --> 00:21:39,695
who had been involved
in some piece of it
444
00:21:39,863 --> 00:21:41,931
or who had witnessed
some piece of it.
445
00:21:42,532 --> 00:21:44,934
And that meant
talking to Americans,
446
00:21:44,936 --> 00:21:47,837
talking to Israelis,
talking to Europeans,
447
00:21:47,839 --> 00:21:50,940
because this was
obviously the first, biggest,
448
00:21:50,942 --> 00:21:55,511
and most sophisticated
example of a state
449
00:21:55,513 --> 00:21:58,147
or two states using
a cyber weapon
450
00:21:58,149 --> 00:21:59,682
for offensive purposes.
451
00:22:03,120 --> 00:22:06,022
I came to this with
a fair bit of history,
452
00:22:06,024 --> 00:22:08,791
understanding the
Iranian nuclear program.
453
00:22:09,826 --> 00:22:13,229
How did Iran get its
first nuclear reactor?
454
00:22:13,797 --> 00:22:16,932
We gave it to them...
under the Shah,
455
00:22:17,234 --> 00:22:20,669
because the Shah was
considered an American ally.
456
00:22:22,173 --> 00:22:25,808
Thank you again for your
warm welcome, Mr. President.
457
00:22:26,143 --> 00:22:27,743
During the Nixon administration,
458
00:22:27,745 --> 00:22:31,013
the U.S. was very
enthusiastic about supporting
459
00:22:31,015 --> 00:22:33,115
the Shah's nuclear
power program.
460
00:22:34,017 --> 00:22:36,352
And at one point,
the Nixon administration
461
00:22:36,354 --> 00:22:39,188
was pushing the idea
that Pakistan and Iran
462
00:22:39,190 --> 00:22:43,793
should build a joint
plant together in Iran.
463
00:22:45,162 --> 00:22:46,862
There's at least
some evidence that
464
00:22:46,864 --> 00:22:50,366
the Shah was thinking about
acquisition of nuclear weapons,
465
00:22:50,368 --> 00:22:53,903
because he saw, and we were
encouraging him to see Iran
466
00:22:53,905 --> 00:22:56,205
as the so-called policeman
of the Persian Gulf.
467
00:22:56,207 --> 00:22:58,374
And the Iranians have
always viewed themselves
468
00:22:58,376 --> 00:23:01,610
as naturally the dominant
power in the Middle East.
469
00:23:02,414 --> 00:23:07,794
Why is it normal for you,
the Germans and the British,
470
00:23:08,045 --> 00:23:09,635
to have...
471
00:23:10,964 --> 00:23:14,684
atomic and hydrogen
weapons, and for Iran,
472
00:23:15,302 --> 00:23:17,302
the simple principle
of self-defense
473
00:23:17,596 --> 00:23:20,306
the defense of its
interests, a problem,
474
00:23:20,557 --> 00:23:22,557
while for others it
is totally normal?
475
00:23:24,201 --> 00:23:25,768
But the revolution,
476
00:23:25,770 --> 00:23:27,470
which overthrew the Shah in '79,
477
00:23:27,472 --> 00:23:29,271
really curtailed the program
478
00:23:29,273 --> 00:23:31,640
before it ever got any
head of steam going.
479
00:23:32,742 --> 00:23:37,313
Part of our policy against
Iran after the revolution
480
00:23:37,315 --> 00:23:39,615
was to deny them
nuclear technology.
481
00:23:39,617 --> 00:23:42,918
So most of the period
when I was involved
482
00:23:42,920 --> 00:23:44,920
in the '80s and the '90s
483
00:23:44,922 --> 00:23:47,323
was the U.S. running
around the world
484
00:23:47,325 --> 00:23:50,593
and persuading
potential nuclear suppliers
485
00:23:50,595 --> 00:23:53,996
not to provide even peaceful
nuclear technology to Iran.
486
00:23:54,231 --> 00:23:57,666
And what we missed was
the clandestine transfer
487
00:23:57,668 --> 00:24:00,569
in the mid-1980s
from Pakistan to Iran.
488
00:24:04,575 --> 00:24:05,808
Abdul Qadeer Khan
489
00:24:05,810 --> 00:24:07,143
is what we would call
490
00:24:07,145 --> 00:24:09,145
the father of the
Pakistan nuclear program.
491
00:24:10,580 --> 00:24:13,149
He had the full
authority and confidence
492
00:24:13,151 --> 00:24:15,451
of the Pakistan
government from its inception
493
00:24:15,453 --> 00:24:17,520
to the production
of nuclear weapons.
494
00:24:19,256 --> 00:24:21,590
I was a CIA officer for...
495
00:24:21,592 --> 00:24:24,260
For over two decades,
operations officer,
496
00:24:24,262 --> 00:24:26,061
worked overseas
most of my career.
497
00:24:26,630 --> 00:24:28,697
The A.Q. Khan
network is so notable
498
00:24:28,699 --> 00:24:31,700
because aside from building
499
00:24:31,702 --> 00:24:34,737
the Pakistani
program for decades...
500
00:24:35,972 --> 00:24:39,141
It also was the means
by which other countries
501
00:24:39,143 --> 00:24:41,777
were able to develop
nuclear weapons,
502
00:24:41,779 --> 00:24:43,078
including Iran.
503
00:24:43,680 --> 00:24:45,314
A.Q. Khan acting on behalf
504
00:24:45,316 --> 00:24:46,382
of the Pakistani government
505
00:24:46,384 --> 00:24:49,485
negotiated with officials in Iran
506
00:24:49,487 --> 00:24:52,521
and then there was a
transfer which took place
507
00:24:52,523 --> 00:24:53,589
through Dubai
508
00:24:53,591 --> 00:24:56,825
of blueprints for
nuclear weapons design
509
00:24:56,827 --> 00:24:58,427
as well as some hardware.
510
00:24:59,563 --> 00:25:01,564
Throughout the mid-1980s,
511
00:25:01,566 --> 00:25:04,633
the Iranian program was
not very well-resourced.
512
00:25:04,635 --> 00:25:06,468
It was more of an R&D program.
513
00:25:07,504 --> 00:25:10,706
It wasn't really until the mid-'90s
514
00:25:10,708 --> 00:25:12,975
that it started to take off
when they made the decision
515
00:25:12,977 --> 00:25:15,044
to build the nuclear
weapons program.
516
00:25:21,718 --> 00:25:23,219
You know,
we can speculate what,
517
00:25:23,221 --> 00:25:24,653
in their mind, motivated them.
518
00:25:24,655 --> 00:25:27,823
I think it was the
U.S. invasion of Iraq
519
00:25:27,825 --> 00:25:29,425
after Kuwait.
520
00:25:30,727 --> 00:25:32,194
You know, there was
an eight-year war
521
00:25:32,196 --> 00:25:33,762
between Iraq and Iran,
522
00:25:34,030 --> 00:25:37,433
we had wiped out Saddam's
forces in a matter of weeks.
523
00:25:40,338 --> 00:25:43,072
And I think that was
enough to convince the rulers
524
00:25:43,074 --> 00:25:45,241
in Tehran that they
needed to pursue
525
00:25:45,243 --> 00:25:46,809
nuclear weapons more seriously.
526
00:25:48,845 --> 00:25:51,747
States like these and
their terrorist allies
527
00:25:51,749 --> 00:25:54,583
constitute an axis of evil,
528
00:25:54,585 --> 00:25:57,353
arming to threaten
the peace of the world.
529
00:25:58,755 --> 00:26:01,390
From 2003 to 2005
530
00:26:01,392 --> 00:26:04,693
when they feared that the
U.S. would invade them,
531
00:26:04,695 --> 00:26:07,029
they accepted limits on
their nuclear program.
532
00:26:07,464 --> 00:26:11,100
But by 2006, the Iranians
had come to the conclusion
533
00:26:11,102 --> 00:26:13,969
that the U.S. was bogged
down in Afghanistan and Iraq
534
00:26:13,971 --> 00:26:17,172
and no longer had the
capacity to threaten them,
535
00:26:17,540 --> 00:26:21,277
and so they felt it was safe to
resume their enrichment program.
536
00:26:22,045 --> 00:26:24,713
They started producing
low enriched uranium,
537
00:26:24,981 --> 00:26:26,982
producing more
centrifuges, installing them
538
00:26:26,984 --> 00:26:30,819
at the large-scale underground
enrichment facility at Natanz.
539
00:26:42,165 --> 00:26:47,009
For a journalist, passing through
these underground tunnels
540
00:26:47,222 --> 00:26:51,182
and visiting the beating heart of
Iran's nuclear plant is quite an event.
541
00:26:51,393 --> 00:26:57,073
The president's visit to the plant today
had made this event possible for us.
542
00:26:58,025 --> 00:27:01,217
The West tells us that we have to
negotiate with them for like ten years
543
00:27:01,250 --> 00:27:06,661
and then they will decide whether
Iran may have 20 centrifuges or not.
544
00:27:06,909 --> 00:27:08,869
Of course the Iranian
nation says no to them.
545
00:27:09,453 --> 00:27:11,203
Today, about 7,000 of
these machines
546
00:27:11,496 --> 00:27:14,956
are working under the
ground right over there.
547
00:27:35,285 --> 00:27:37,219
How many times have
you been to Natanz?
548
00:27:37,554 --> 00:27:40,956
Not that many, because I
left few years ago, the CIA,
549
00:27:40,958 --> 00:27:43,292
but I was there quite a few times.
550
00:27:46,830 --> 00:27:49,398
Natanz is just in the
middle of the desert.
551
00:27:51,334 --> 00:27:53,302
When they were
building it in secret,
552
00:27:53,536 --> 00:27:57,573
they were calling it
desert irrigation facility.
553
00:27:58,074 --> 00:27:59,641
For the local people,
554
00:27:59,643 --> 00:28:02,211
you want to sell why you
are building a big complex.
555
00:28:05,014 --> 00:28:07,716
There is a lot of
artillery and air force.
556
00:28:07,718 --> 00:28:12,121
It's better protected
against attack from air
557
00:28:12,655 --> 00:28:15,157
than any other nuclear
installation I have seen.
558
00:28:17,927 --> 00:28:20,396
So this is deeply underground.
559
00:28:25,001 --> 00:28:28,904
But then inside, Natanz is like
any other centrifuge facility.
560
00:28:28,906 --> 00:28:33,242
I have been all over the world,
from Brazil to Russia, Japan,
561
00:28:33,244 --> 00:28:37,780
so they are all alike
with their own features,
562
00:28:37,782 --> 00:28:40,182
their own centrifuges,
their own culture,
563
00:28:40,184 --> 00:28:42,785
but basically,
the process is the same.
564
00:28:43,853 --> 00:28:46,922
And so are the monitoring
activities of the IAEA.
565
00:28:46,924 --> 00:28:48,590
There are basic principles.
566
00:28:48,592 --> 00:28:51,326
You want to see what
goes in, what goes out,
567
00:28:51,594 --> 00:28:53,762
and then on top of
that you make sure that
568
00:28:53,764 --> 00:28:56,231
it produces low enriched uranium
569
00:28:56,233 --> 00:28:58,634
instead of anything to do
with the higher enrichments
570
00:28:58,636 --> 00:29:00,803
and nuclear weapon
grade uranium.
571
00:29:06,776 --> 00:29:08,143
Iran's nuclear facilities
572
00:29:08,145 --> 00:29:10,379
are under 24-hour watch
573
00:29:11,080 --> 00:29:13,415
of the United Nations
nuclear watchdog,
574
00:29:13,417 --> 00:29:16,718
the IAEA, the International
Atomic Energy Agency.
575
00:29:18,087 --> 00:29:22,291
Every single gram of
Iranian fissile material...
576
00:29:23,493 --> 00:29:24,860
Is accounted for.
577
00:29:27,664 --> 00:29:30,132
They have, like,
basically seals they put
578
00:29:30,134 --> 00:29:33,702
on fissile materials.
There are IAEA seals.
579
00:29:33,937 --> 00:29:36,238
You can't break it
580
00:29:36,240 --> 00:29:38,073
without getting noticed.
581
00:29:40,076 --> 00:29:42,311
When you look at the uranium
582
00:29:42,313 --> 00:29:46,181
which was there in Natanz,
it was a very special uranium.
583
00:29:46,349 --> 00:29:51,753
This is called Isotope 236,
and that was a puzzle to us,
584
00:29:51,755 --> 00:29:54,189
because you only see
this sort of uranium
585
00:29:54,191 --> 00:29:57,326
in states which have
had nuclear weapons.
586
00:29:59,195 --> 00:30:01,897
We realized that
they had cheated us.
587
00:30:02,599 --> 00:30:05,868
This sort of equipment
has been bought
588
00:30:05,870 --> 00:30:07,669
from what they
call a black market.
589
00:30:07,671 --> 00:30:10,906
They never pointed
out it to A.Q. Khan
590
00:30:11,341 --> 00:30:13,141
at that point of time.
591
00:30:18,014 --> 00:30:21,350
What I was surprised
was the sophistication
592
00:30:21,352 --> 00:30:23,185
and the quality control
593
00:30:23,486 --> 00:30:25,487
and the way they
have the manufacturing
594
00:30:25,489 --> 00:30:26,889
was really professional.
595
00:30:28,024 --> 00:30:30,626
It was not something,
you know, you just create
596
00:30:30,628 --> 00:30:32,160
in a few months' time.
597
00:30:32,162 --> 00:30:34,897
This was a result
of a long process.
598
00:30:42,005 --> 00:30:44,806
A centrifuge,
you feed uranium gas
599
00:30:44,808 --> 00:30:47,910
in and you have a cascade,
thousands of centrifuges,
600
00:30:47,912 --> 00:30:50,913
and from the other end you
get enriched uranium out.
601
00:30:51,648 --> 00:30:55,651
It separates uranium
based on spinning the rotors.
602
00:30:55,653 --> 00:30:59,421
It spins so fast,
300 meters per second,
603
00:30:59,423 --> 00:31:02,457
the same as the
velocity of sound.
604
00:31:03,826 --> 00:31:05,494
These are tremendous forces
605
00:31:05,496 --> 00:31:08,430
and as a result,
the rotor, it twists,
606
00:31:08,432 --> 00:31:10,599
looks like a banana
at one point of time.
607
00:31:12,001 --> 00:31:13,569
So it has to be balanced
608
00:31:13,571 --> 00:31:16,939
because any small
vibration it will blow up.
609
00:31:18,341 --> 00:31:20,275
And here comes another trouble.
610
00:31:20,577 --> 00:31:22,744
You have to raise
the temperature
611
00:31:22,746 --> 00:31:25,847
but this very thin rotor was...
612
00:31:25,849 --> 00:31:27,883
They are made from carbon fiber,
613
00:31:27,885 --> 00:31:30,519
and the other pieces,
they are made from metal.
614
00:31:31,421 --> 00:31:34,923
When you heat
carbon fiber, it shrinks.
615
00:31:36,025 --> 00:31:38,327
When you heat metal, it expands.
616
00:31:38,695 --> 00:31:41,730
So you need to balance
not only that they spin,
617
00:31:41,732 --> 00:31:44,866
they twist, but this
temperature behavior
618
00:31:44,868 --> 00:31:47,102
in such a way that
it doesn't break.
619
00:31:47,104 --> 00:31:49,304
So this has to be very precise.
620
00:31:49,806 --> 00:31:52,274
This is what makes them
very difficult to manufacture.
621
00:31:52,276 --> 00:31:54,943
You can model it,
you can calculate it,
622
00:31:54,945 --> 00:31:57,412
but at the very end,
it's actually based
623
00:31:57,414 --> 00:32:00,048
on practice and experience.
624
00:32:00,050 --> 00:32:03,352
So it's a piece of art, so to say.
625
00:32:13,831 --> 00:32:19,890
Because of the strength of our nation,
our army and our revolutionary guard
626
00:32:21,139 --> 00:32:26,769
Our dawn became eternal
by the glow of success
627
00:32:28,313 --> 00:32:32,193
Morning of dreams
rises from the shores
628
00:32:32,442 --> 00:32:36,362
The branches of
life have sprouted
629
00:32:36,697 --> 00:32:42,327
May this victory be blessed
630
00:32:44,293 --> 00:32:46,628
Iranians are very proud
of their centrifuges.
631
00:32:46,630 --> 00:32:49,598
They have a lot of
public relations videos
632
00:32:49,600 --> 00:32:53,335
given up always in April
when they have what they call
633
00:32:53,337 --> 00:32:54,836
a national nuclear day.
634
00:32:55,257 --> 00:32:58,547
Blessed be this holy spring
635
00:32:58,570 --> 00:33:02,351
Blessed be the gardener
636
00:33:02,639 --> 00:33:05,269
I proudly announce
that from today on,
637
00:33:05,642 --> 00:33:09,152
Iran is among the countries
that can produce nuclear fuel.
638
00:33:09,153 --> 00:33:12,521
Ahmadinejad came into
his presidency saying
639
00:33:12,523 --> 00:33:15,123
if the international
community wants to derail us
640
00:33:15,125 --> 00:33:16,792
we will stand up to it.
641
00:33:17,860 --> 00:33:20,562
If they want us to
sign more inspections
642
00:33:20,564 --> 00:33:23,832
and more additional
protocols and other measures,
643
00:33:23,834 --> 00:33:26,568
no, we will not.
We will fight for our rights.
644
00:33:27,805 --> 00:33:30,872
Iran is a signature to nuclear
non-proliferation treaty,
645
00:33:30,874 --> 00:33:34,476
and under that treaty, Iran has
a right to a nuclear program.
646
00:33:35,044 --> 00:33:38,513
We can have enrichment.
Who are you, world powers,
647
00:33:38,515 --> 00:33:40,982
to come and tell us that we
cannot have enrichment?
648
00:33:41,350 --> 00:33:43,085
This was his mantra,
649
00:33:43,820 --> 00:33:47,189
and it galvanized the public.
650
00:33:50,760 --> 00:33:53,161
By 2007, 2008,
651
00:33:53,163 --> 00:33:55,664
the U.S. government was
in a very bad place with
652
00:33:55,666 --> 00:33:56,965
the Iranian program.
653
00:33:57,934 --> 00:34:00,035
President Bush recognized
654
00:34:00,037 --> 00:34:02,671
that he could not even
come out in public
655
00:34:02,673 --> 00:34:05,173
and declare that the Iranians
were building a nuclear weapon,
656
00:34:05,175 --> 00:34:07,008
because by this time,
he had gone through
657
00:34:07,010 --> 00:34:10,312
the entire WMD fiasco in Iraq.
658
00:34:11,013 --> 00:34:13,281
He could not really
take military action.
659
00:34:13,283 --> 00:34:15,684
Condoleezza Rice said
to him at one point,
660
00:34:15,686 --> 00:34:19,087
you know, Mr. President,
I think you've invaded
661
00:34:19,089 --> 00:34:22,758
your last Muslim country,
even for the best of reasons.
662
00:34:24,594 --> 00:34:26,795
He didn't want to let the Israelis
663
00:34:26,797 --> 00:34:28,630
conduct a military operation.
664
00:34:28,965 --> 00:34:34,703
It's 1938, and Iran is
Germany and it's racing...
665
00:34:35,538 --> 00:34:38,140
to arm itself with atomic bombs.
666
00:34:38,741 --> 00:34:42,310
Iran's nuclear ambitions
must be stopped.
667
00:34:42,979 --> 00:34:47,716
They have to be stopped.
We all have to stop it, now.
668
00:34:47,718 --> 00:34:50,318
That's the one message
I have for you today.
669
00:34:50,320 --> 00:34:52,220
Thank you.
670
00:34:52,222 --> 00:34:55,090
Israel was saying they
were gonna bomb Iran.
671
00:34:55,092 --> 00:34:58,293
And the government
here in Washington
672
00:34:58,295 --> 00:35:00,662
did all sorts of scenarios
about what would happen
673
00:35:00,664 --> 00:35:03,231
if that Israeli attack occurred.
674
00:35:03,633 --> 00:35:05,801
They were all very
ugly scenarios.
675
00:35:05,803 --> 00:35:08,804
Our belief was that if
they went on their own
676
00:35:08,806 --> 00:35:10,605
knowing the limitations...
677
00:35:10,607 --> 00:35:12,507
No, they're a very
good air force, all right?
678
00:35:12,842 --> 00:35:14,910
But it's small and the
distances are great
679
00:35:14,912 --> 00:35:17,312
and the target's dispersed
and hardened, all right?
680
00:35:18,314 --> 00:35:20,882
If they would have
attempted a raid
681
00:35:21,584 --> 00:35:23,318
on a military plane,
682
00:35:23,619 --> 00:35:26,421
we would have been assuming
that they were assuming
683
00:35:26,423 --> 00:35:28,990
we would finish that
which they started.
684
00:35:28,992 --> 00:35:31,626
In other words,
there would be many of us
685
00:35:31,628 --> 00:35:33,662
in government thinking
that the purpose of the raid
686
00:35:33,664 --> 00:35:36,198
wasn't to destroy the
Iranian nuclear system,
687
00:35:36,200 --> 00:35:39,868
but the purpose of the raid
was to put us at war with Iran.
688
00:35:40,803 --> 00:35:42,838
Israel is very much
concerned about
689
00:35:42,840 --> 00:35:45,507
Iran's nuclear program,
more than the United States.
690
00:35:45,509 --> 00:35:48,276
It's only natural because
of the size of the country,
691
00:35:48,278 --> 00:35:50,679
because we live in
this neighborhood,
692
00:35:50,681 --> 00:35:54,316
America lives thousands and
thousands miles away from Iran.
693
00:35:54,318 --> 00:35:57,953
The two countries
agreed on the goal.
694
00:35:58,221 --> 00:36:00,989
There is no page between us
695
00:36:00,991 --> 00:36:06,328
that Iran should not have a
nuclear military capability.
696
00:36:06,330 --> 00:36:08,330
There are some differences
697
00:36:08,332 --> 00:36:10,699
on how to achieve it
698
00:36:10,701 --> 00:36:13,001
and when action is needed.
699
00:36:15,624 --> 00:36:21,254
The origin of corruption will be
wiped off the face of the Earth.
700
00:36:22,511 --> 00:36:24,913
We are taking very seriously
701
00:36:24,915 --> 00:36:27,649
leaders of countries who
call to the destruction
702
00:36:27,651 --> 00:36:30,285
and annihilation of our people.
703
00:36:30,486 --> 00:36:32,988
If Iran will get nuclear weapons,
704
00:36:32,990 --> 00:36:34,456
now or in the future...
705
00:36:35,424 --> 00:36:38,260
It means that for the first
time in human history
706
00:36:39,061 --> 00:36:41,763
Islamic zealots, religious zealots,
707
00:36:42,431 --> 00:36:44,766
will get their hand on
708
00:36:44,768 --> 00:36:47,736
the most dangerous,
devastating weapons,
709
00:36:47,738 --> 00:36:50,505
and the world
should prevent this.
710
00:36:52,675 --> 00:36:56,444
The Israelis believe that
the Iranian leadership
711
00:36:56,446 --> 00:36:59,381
has already made the decision
to build nuclear weapons
712
00:36:59,383 --> 00:37:01,283
when they think they
can get away with it.
713
00:37:01,684 --> 00:37:04,452
The view in the U.S.
is that the Iranians
714
00:37:04,454 --> 00:37:06,621
haven't made that
final decision yet.
715
00:37:07,590 --> 00:37:09,524
To me, that doesn't
make any difference.
716
00:37:09,526 --> 00:37:11,259
I mean, it really doesn't
make any difference,
717
00:37:11,261 --> 00:37:14,429
and it's probably unknowable,
unless you can put, you know,
718
00:37:14,431 --> 00:37:17,799
Supreme Leader Khamenei on
the couch and interview him.
719
00:37:17,801 --> 00:37:20,735
I think, you know,
from our standpoint,
720
00:37:20,737 --> 00:37:23,371
stopping Iran from getting
the threshold capacity
721
00:37:23,373 --> 00:37:26,508
is, you know,
the primary policy objective.
722
00:37:27,810 --> 00:37:29,911
Once they have
the fissile material,
723
00:37:29,913 --> 00:37:32,314
once they have the capacity
to produce nuclear weapons,
724
00:37:32,316 --> 00:37:33,682
then the game is lost.
725
00:37:39,488 --> 00:37:41,289
President Bush once
said to me, he said,
726
00:37:41,291 --> 00:37:44,392
Mike, I don't want any
president ever to be faced
727
00:37:44,394 --> 00:37:48,430
with only two options,
bombing or the bomb.
728
00:37:48,432 --> 00:37:49,664
Right?
729
00:37:49,666 --> 00:37:53,234
He wanted options
that made it...
730
00:37:53,436 --> 00:37:56,404
Made it far less likely
he or his successor
731
00:37:56,406 --> 00:37:58,940
or successors would
ever get to that point
732
00:37:58,942 --> 00:38:00,575
where that's all you've got.
733
00:38:00,910 --> 00:38:04,546
We wanted to be energetic
enough in pursuing this problem
734
00:38:04,914 --> 00:38:07,916
that the Israelis
would certainly believe,
735
00:38:07,918 --> 00:38:09,117
yeah, we get it.
736
00:38:09,119 --> 00:38:11,252
The intelligence
cooperation between Israel
737
00:38:11,254 --> 00:38:14,689
and the United States
is very, very good.
738
00:38:15,458 --> 00:38:17,759
And therefore, the Israelis
went to the Americans
739
00:38:17,761 --> 00:38:21,363
and said, okay, guys,
you don't want us to bomb Iran.
740
00:38:21,365 --> 00:38:24,532
Okay, let's do it differently.
741
00:38:25,034 --> 00:38:28,603
And then the American
intelligence community started
742
00:38:28,605 --> 00:38:30,305
rolling in joint forces
743
00:38:30,307 --> 00:38:32,273
with the Israeli
intelligence community.
744
00:38:32,942 --> 00:38:36,945
One day a group of intelligence
and military officials showed up
745
00:38:37,646 --> 00:38:39,581
in President Bush's office
746
00:38:40,182 --> 00:38:41,716
and said, sir, we have an idea.
747
00:38:42,852 --> 00:38:44,185
It's a big risk.
748
00:38:44,720 --> 00:38:46,521
It might not work, but here it is.
749
00:38:54,063 --> 00:38:57,699
Moving forward in my
analysis of the codes,
750
00:38:57,701 --> 00:39:01,736
I took a closer look
at the photographs
751
00:39:01,738 --> 00:39:03,571
that had been published
752
00:39:03,573 --> 00:39:08,343
by the Iranians themselves
in a press tour from 2008
753
00:39:08,345 --> 00:39:11,479
of Ahmadinejad and
the shiny centrifuges.
754
00:39:13,883 --> 00:39:15,750
Well, photographs
of Ahmadinejad
755
00:39:15,752 --> 00:39:18,553
going through the
centrifuges at Natanz
756
00:39:18,555 --> 00:39:21,990
had provided some
very important clues.
757
00:39:22,691 --> 00:39:24,893
There was a huge
amount to be learned.
758
00:39:33,202 --> 00:39:36,004
First of all, those
photographs showed
759
00:39:36,006 --> 00:39:39,340
many of the individuals who
were guiding Ahmadinejad
760
00:39:39,342 --> 00:39:40,508
through the program.
761
00:39:40,510 --> 00:39:43,111
And there's one very
famous photograph that shows
762
00:39:43,113 --> 00:39:45,113
Ahmadinejad being
shown something.
763
00:39:45,115 --> 00:39:47,682
You see his face, you can't
see what's on the computer.
764
00:39:47,684 --> 00:39:51,119
And one of the scientists
who was behind him
765
00:39:51,121 --> 00:39:53,521
was assassinated
a few months later.
766
00:39:57,893 --> 00:39:59,627
In one of those photographs,
767
00:39:59,895 --> 00:40:03,231
you could see parts
of a computer screen.
768
00:40:03,233 --> 00:40:05,800
We refer to that
as a SCADA screen.
769
00:40:05,802 --> 00:40:08,770
The SCADA system is
basically a piece of software
770
00:40:08,772 --> 00:40:10,371
running on a computer.
771
00:40:10,373 --> 00:40:13,975
It enables the operators
to monitor the processes.
772
00:40:14,977 --> 00:40:19,114
What you could see when
you look close enough
773
00:40:19,648 --> 00:40:23,985
was a more detailed
view of the configuration.
774
00:40:24,787 --> 00:40:28,089
There were these six
groups of centrifuges
775
00:40:28,091 --> 00:40:31,526
and each group had 164 entries.
776
00:40:32,094 --> 00:40:33,661
And guess what?
777
00:40:33,963 --> 00:40:36,297
That was a perfect
match to what we saw
778
00:40:36,299 --> 00:40:37,665
in the attack code.
779
00:40:39,001 --> 00:40:42,403
It was absolutely clear
that this piece of code
780
00:40:42,405 --> 00:40:45,974
was attacking an array
of six different groups
781
00:40:45,976 --> 00:40:49,811
of, let's just say,
thingies, physical objects,
782
00:40:49,813 --> 00:40:55,717
and in those six groups,
there were 164 elements.
783
00:40:59,421 --> 00:41:01,756
Were you able to do any
actual physical tests?
784
00:41:01,758 --> 00:41:03,992
Or it was all just code analysis?
785
00:41:03,994 --> 00:41:05,927
Yeah, so, you know, we obviously
786
00:41:05,929 --> 00:41:08,997
couldn't set up our own sort
of nuclear enrichment facility.
787
00:41:09,165 --> 00:41:11,466
So... but what we did was
we did obtain some PLCs,
788
00:41:11,468 --> 00:41:12,700
the exact models.
789
00:41:19,875 --> 00:41:22,277
We then ordered an air pump,
and that's what we used
790
00:41:22,279 --> 00:41:23,945
sort of as our sort
of proof of concept.
791
00:41:24,780 --> 00:41:26,514
We needed a
visual demonstration
792
00:41:26,516 --> 00:41:28,716
to show people
what we discovered.
793
00:41:29,018 --> 00:41:31,052
So we thought of different
things that we could do,
794
00:41:31,054 --> 00:41:33,188
and we settled on
blowing up a balloon.
795
00:41:37,526 --> 00:41:39,494
We were able to write a program
that would inflate a balloon,
796
00:41:39,496 --> 00:41:42,397
and it was set to stop
after five seconds.
797
00:41:52,374 --> 00:41:54,142
So it would inflate the
balloon to a certain size
798
00:41:54,144 --> 00:41:55,643
but it wouldn't burst the balloon
799
00:41:55,645 --> 00:41:57,078
and it was all safe.
800
00:41:57,080 --> 00:41:59,180
And we showed
everybody, this is the code
801
00:41:59,182 --> 00:42:00,415
that's on the PLC.
802
00:42:00,849 --> 00:42:02,817
And the timer says,
stop after five seconds.
803
00:42:03,052 --> 00:42:04,612
We know that's
what's going to happen.
804
00:42:05,187 --> 00:42:07,455
And then we would infect
the computer with STUXnet,
805
00:42:07,990 --> 00:42:10,258
and we would run the test again.
806
00:42:41,457 --> 00:42:43,057
Here is a piece of software
807
00:42:43,059 --> 00:42:46,027
that should only
exist in a cyber realm
808
00:42:46,029 --> 00:42:49,130
and it is able to affect
physical equipment
809
00:42:49,132 --> 00:42:52,867
in a plant or factory and
cause physical damage.
810
00:42:52,869 --> 00:42:54,936
Real-world physical destruction.
811
00:42:59,441 --> 00:43:02,110
At that time, things
became very scary to us.
812
00:43:02,112 --> 00:43:04,612
Here you had malware
potentially killing people
813
00:43:04,614 --> 00:43:06,914
and that was something that was
always Hollywood-esque to us
814
00:43:06,916 --> 00:43:08,082
that we'd always laugh at
815
00:43:08,084 --> 00:43:10,118
when people made
that kind of assertion.
816
00:43:15,724 --> 00:43:18,226
At this point, you had to
have started developing
817
00:43:18,228 --> 00:43:20,995
theories as to who
had built STUXnet.
818
00:43:21,930 --> 00:43:23,498
It wasn't lost on us that
819
00:43:23,500 --> 00:43:26,734
there were probably
only a few countries
820
00:43:26,736 --> 00:43:29,070
in the world that would want
821
00:43:29,072 --> 00:43:31,939
and have the
motivation to sabotage
822
00:43:31,941 --> 00:43:34,075
Iran's nuclear enrichment facility.
823
00:43:34,077 --> 00:43:35,977
The U.S. government
would be up there.
824
00:43:35,979 --> 00:43:38,146
Israeli government certainly
would be up there.
825
00:43:38,148 --> 00:43:40,248
You know, maybe U.K.,
France, Germany,
826
00:43:40,250 --> 00:43:41,683
those sorts of countries,
827
00:43:41,685 --> 00:43:43,985
but we never found
any information that
828
00:43:43,987 --> 00:43:47,021
would tie it back 100
percent to those countries.
829
00:43:47,023 --> 00:43:48,956
There are no telltale signs.
830
00:43:48,958 --> 00:43:51,526
You know, the attackers
don't leave a message inside
831
00:43:51,528 --> 00:43:53,695
saying, you know, it was me.
832
00:43:54,596 --> 00:43:57,865
And even if they did,
all of that stuff can be faked.
833
00:43:58,200 --> 00:44:00,868
So it's very, very
difficult to do attribution
834
00:44:00,870 --> 00:44:02,603
when looking at computer code.
835
00:44:03,472 --> 00:44:05,006
Subsequent work
that's been done
836
00:44:05,008 --> 00:44:07,442
leads us to believe that
this was the work of
837
00:44:07,444 --> 00:44:08,976
a collaboration between
Israel and the United States.
838
00:44:08,978 --> 00:44:10,044
Yeah, yeah.
839
00:44:10,046 --> 00:44:11,179
Did you have any evidence
840
00:44:11,181 --> 00:44:12,447
in terms of your analysis
841
00:44:12,449 --> 00:44:14,449
that would lead
you to believe that
842
00:44:14,451 --> 00:44:15,783
that's correct also?
843
00:44:15,785 --> 00:44:17,885
Nothing that I could
talk about on camera.
844
00:44:19,388 --> 00:44:22,190
Well, can I ask why?
845
00:44:22,192 --> 00:44:24,025
No.
846
00:44:24,027 --> 00:44:25,727
Well, you can, but I won't answer.
847
00:44:28,164 --> 00:44:30,465
But even in the
case of nation-states,
848
00:44:30,467 --> 00:44:31,966
I mean, one of the concerns is...
849
00:44:31,968 --> 00:44:34,102
This was beginning
to really piss me off.
850
00:44:34,536 --> 00:44:37,872
Even civilians with an interest
in telling the STUXnet story
851
00:44:37,874 --> 00:44:40,808
were refusing to address
the role of Tel Aviv
852
00:44:40,810 --> 00:44:44,045
and Washington.
But luckily for me,
853
00:44:44,313 --> 00:44:46,147
while D.C. is a city of secrets,
854
00:44:46,482 --> 00:44:48,249
it is also a city of leaks.
855
00:44:48,717 --> 00:44:50,418
They're as regular as a heartbeat
856
00:44:50,420 --> 00:44:52,153
and just as hard to stop.
857
00:44:53,155 --> 00:44:54,722
That's what I was counting on.
858
00:44:59,896 --> 00:45:03,431
Finally, after speaking to a
number of people on background,
859
00:45:03,433 --> 00:45:06,033
I did find a way of
confirming, on the record,
860
00:45:06,035 --> 00:45:07,902
the American role in STUXnet.
861
00:45:08,871 --> 00:45:11,005
In exchange for
details of the operation,
862
00:45:11,007 --> 00:45:13,074
I had to agree to find a way
863
00:45:13,076 --> 00:45:15,376
to disguise the source
of the information.
864
00:45:15,378 --> 00:45:17,145
- We're good?
- We're on.
865
00:45:18,714 --> 00:45:20,381
So the first question
I have to ask you
866
00:45:20,383 --> 00:45:21,783
is about secrecy.
867
00:45:22,284 --> 00:45:25,353
I mean, at this point,
everyone knows about STUXnet.
868
00:45:25,355 --> 00:45:27,021
Why can't we talk about it?
869
00:45:27,523 --> 00:45:28,890
It's a covert operation.
870
00:45:28,892 --> 00:45:30,691
Not anymore.
871
00:45:30,693 --> 00:45:32,994
I mean, we know what
happened, we know who did it.
872
00:45:33,228 --> 00:45:35,930
Well, maybe you don't know
as much as you think you know.
873
00:45:36,732 --> 00:45:39,300
Well, I'm talking to
you because I want to
874
00:45:39,302 --> 00:45:40,701
get the story right.
875
00:45:40,703 --> 00:45:42,663
Well, that's the same
reason I'm talking to you.
876
00:45:44,907 --> 00:45:46,707
Even though it's a
covert operation?
877
00:45:47,743 --> 00:45:51,579
Look, this is not a
Snowden kind of thing, okay?
878
00:45:51,581 --> 00:45:52,914
I think what he did was wrong.
879
00:45:52,916 --> 00:45:56,050
He went too far.
He gave away too much.
880
00:45:56,552 --> 00:45:58,553
Unlike Snowden,
who was a contractor,
881
00:45:58,555 --> 00:46:00,321
I was in NSA.
882
00:46:00,956 --> 00:46:03,157
I believe in the agency,
so what I'm willing to give you
883
00:46:03,159 --> 00:46:04,792
will be limited, but we're talking
884
00:46:04,794 --> 00:46:06,627
because everyone's
getting the story wrong
885
00:46:06,629 --> 00:46:08,229
and we have to get it right.
886
00:46:08,231 --> 00:46:09,997
We have to understand
these new weapons.
887
00:46:09,999 --> 00:46:11,265
The stakes are too high.
888
00:46:11,267 --> 00:46:12,567
What do you mean?
889
00:46:14,670 --> 00:46:16,637
We did STUXnet.
890
00:46:17,840 --> 00:46:19,006
It's a fact.
891
00:46:19,008 --> 00:46:22,743
You know, we came so
fucking close to disaster,
892
00:46:22,745 --> 00:46:24,412
and we're still on the edge.
893
00:46:25,948 --> 00:46:31,018
It was a huge multinational,
interagency operation.
894
00:46:32,287 --> 00:46:34,989
In the U.S. it was CIA,
895
00:46:35,457 --> 00:46:38,926
NSA, and the military
Cyber Command.
896
00:46:39,428 --> 00:46:43,097
From Britain, we used
Iran intel out of GCHQ,
897
00:46:43,699 --> 00:46:45,533
but the main partner was Israel.
898
00:46:45,535 --> 00:46:47,034
Over there, Mossad ran the show,
899
00:46:47,036 --> 00:46:49,770
and the technical work
was done by Unit 8200.
900
00:46:50,706 --> 00:46:53,708
Israel is really the
key to the story.
901
00:46:58,146 --> 00:47:01,215
Oh, traffic in Israel
is so unpredictable.
902
00:47:03,318 --> 00:47:06,387
Yossi, how did you get into
this whole STUXnet story?
903
00:47:07,556 --> 00:47:10,558
I have been covering
the Israeli intelligence
904
00:47:10,560 --> 00:47:12,860
in general, in the
Mossad in particular
905
00:47:12,862 --> 00:47:16,264
for nearly 30 years.
906
00:47:16,665 --> 00:47:19,734
In '82, I was a
London-based correspondent
907
00:47:19,736 --> 00:47:23,170
and I covered a trial of terrorists,
908
00:47:23,172 --> 00:47:27,475
and I became more familiar
with this topic of terrorism,
909
00:47:27,477 --> 00:47:31,646
and slowly but surely,
I started covering it as a beat.
910
00:47:34,516 --> 00:47:37,552
Israel, we live in a very
rough neighborhood
911
00:47:37,554 --> 00:47:39,921
where the democratic values,
912
00:47:39,923 --> 00:47:43,224
western values, are very rare.
913
00:47:43,659 --> 00:47:47,562
But Israel pretends to
be a free, democratic,
914
00:47:47,564 --> 00:47:49,630
westernized society,
915
00:47:50,098 --> 00:47:53,401
posh neighborhoods, rich people,
916
00:47:53,569 --> 00:47:56,571
youngsters who are having
917
00:47:56,573 --> 00:47:59,607
almost similar mind-set
to their American
918
00:47:59,609 --> 00:48:01,842
or western
European counterparts.
919
00:48:01,844 --> 00:48:04,579
On the other hand,
you see a lot of scenes
920
00:48:04,581 --> 00:48:08,783
and events which resemble
the real Middle East,
921
00:48:08,785 --> 00:48:14,555
terror attacks, radicals,
fanatics, religious zealots.
922
00:48:18,928 --> 00:48:22,029
I knew that Israel is
trying to slow down
923
00:48:22,031 --> 00:48:23,698
Iran's nuclear program,
924
00:48:23,700 --> 00:48:26,467
and therefore,
I came to the conclusion that
925
00:48:26,469 --> 00:48:29,637
if there was a virus
infecting Iran's computers,
926
00:48:29,639 --> 00:48:35,443
it's one more element
in this larger picture
927
00:48:36,144 --> 00:48:38,579
based on past precedents.
928
00:48:43,152 --> 00:48:46,821
1981 I was an F-16 pilot,
929
00:48:47,255 --> 00:48:50,758
and we were told that,
unlike our dream
930
00:48:50,760 --> 00:48:54,195
to do dogfights and to kill MiGs,
931
00:48:54,763 --> 00:48:58,399
we have to be prepared
for a long-range mission
932
00:48:59,067 --> 00:49:01,702
to destroy a valuable target.
933
00:49:02,471 --> 00:49:04,171
Nobody told us what is
934
00:49:04,173 --> 00:49:06,574
this very valuable
strategic target.
935
00:49:07,576 --> 00:49:10,745
It was 600 miles from Israel.
936
00:49:12,114 --> 00:49:15,583
So we train our self to do the job,
937
00:49:15,585 --> 00:49:19,420
which was very difficult.
No air refueling at that time.
938
00:49:19,821 --> 00:49:21,889
No satellites for reconnaissance.
939
00:49:23,825 --> 00:49:26,227
Fuel was on the limit.
940
00:49:26,795 --> 00:49:29,096
What? Whoa! Whoa!
941
00:49:32,034 --> 00:49:33,434
At the end of the day,
942
00:49:34,169 --> 00:49:35,903
we accomplished the mission.
943
00:49:36,371 --> 00:49:37,672
Which was?
944
00:49:38,140 --> 00:49:41,042
To destroy the
Iraqi nuclear reactor
945
00:49:41,044 --> 00:49:44,879
near Baghdad,
which was called Osirak.
946
00:49:45,113 --> 00:49:51,152
And Iraq never was
able to accomplish
947
00:49:51,154 --> 00:49:53,721
its ambition to have
a nuclear bomb.
948
00:49:55,724 --> 00:49:58,325
Amos Yadlin, General Yadlin,
949
00:49:58,327 --> 00:50:01,128
he was the head of the
military intelligence.
950
00:50:01,530 --> 00:50:04,999
The biggest unit
within that organization
951
00:50:05,001 --> 00:50:06,801
was Unit 8200.
952
00:50:07,502 --> 00:50:09,904
They'd block telephones,
they'd block faxes,
953
00:50:09,906 --> 00:50:12,073
they're breaking into computers.
954
00:50:14,409 --> 00:50:16,711
A decade ago,
when Yadlin became
955
00:50:16,713 --> 00:50:18,646
the chief of military intelligence,
956
00:50:19,147 --> 00:50:23,651
there was no cyber
warfare unit in 8200.
957
00:50:26,588 --> 00:50:30,357
So they started recruiting
very talented people,
958
00:50:30,359 --> 00:50:32,927
hackers either from the military
959
00:50:32,929 --> 00:50:35,496
or outside the military
that can contribute
960
00:50:35,498 --> 00:50:38,666
to the project of building
a cyber warfare unit.
961
00:50:41,403 --> 00:50:45,906
In the 19th century,
there were only Army and Navy.
962
00:50:45,908 --> 00:50:49,710
In the 20th century,
we got air power
963
00:50:49,712 --> 00:50:51,445
as a third dimension of war.
964
00:50:52,080 --> 00:50:54,048
In the 21st century,
965
00:50:54,050 --> 00:50:57,585
cyber will be the
fourth dimension of war.
966
00:50:58,553 --> 00:51:00,087
It's another kind of weapon
967
00:51:00,089 --> 00:51:04,692
and it is for unlimited
range in a very high speed
968
00:51:05,093 --> 00:51:07,228
and in a very low signature.
969
00:51:07,230 --> 00:51:09,764
So this give you a
huge opportunity...
970
00:51:10,866 --> 00:51:14,135
And the superpowers
have to change
971
00:51:14,137 --> 00:51:16,203
the way we think about warfare.
972
00:51:18,441 --> 00:51:20,474
Finally we are
transforming our military
973
00:51:20,476 --> 00:51:23,144
for a new kind of war
that we're fighting now...
974
00:51:24,613 --> 00:51:26,046
And for wars of tomorrow.
975
00:51:27,382 --> 00:51:29,483
We have made our
military better trained,
976
00:51:29,485 --> 00:51:32,386
better equipped,
and better prepared
977
00:51:32,388 --> 00:51:35,156
to meet the threats
facing America today
978
00:51:35,158 --> 00:51:37,391
and tomorrow and
long in the future.
979
00:51:41,163 --> 00:51:43,798
Back in the end of the
Bush Administration,
980
00:51:43,800 --> 00:51:45,733
people within the
U.S. government
981
00:51:45,735 --> 00:51:48,936
were just beginning to
convince President Bush
982
00:51:48,938 --> 00:51:51,839
to pour money into
offensive cyber weapons.
983
00:51:52,808 --> 00:51:55,843
STUXnet started off in
the defense department.
984
00:51:56,511 --> 00:51:58,813
Then Robert Gates,
Secretary of Defense,
985
00:51:59,281 --> 00:52:01,448
reviewed this
program and he said,
986
00:52:01,450 --> 00:52:03,651
this program shouldn't be
in the defense department.
987
00:52:03,653 --> 00:52:06,153
This should really be
under the covert authorities
988
00:52:06,155 --> 00:52:07,988
over in the intelligence world.
989
00:52:08,957 --> 00:52:12,092
So the CIA was
very deeply involved
990
00:52:12,094 --> 00:52:13,561
in this operation,
991
00:52:13,862 --> 00:52:16,497
while much of the
coding work was done
992
00:52:16,499 --> 00:52:18,899
by the National Security Agency
993
00:52:19,100 --> 00:52:22,169
and Unit 8200,
its Israeli equivalent,
994
00:52:22,171 --> 00:52:26,006
working together with a
newly created military position
995
00:52:26,008 --> 00:52:28,342
called U.S. Cyber Command.
996
00:52:29,144 --> 00:52:33,347
And interestingly, the director
of the National Security Agency
997
00:52:33,349 --> 00:52:35,950
would also have a second role
998
00:52:35,952 --> 00:52:39,687
as the commander of
U.S. Cyber Command.
999
00:52:40,155 --> 00:52:43,824
And U.S. Cyber
Command is located
1000
00:52:43,826 --> 00:52:47,695
at Fort Meade in the
same building as the NSA.
1001
00:52:51,900 --> 00:52:53,934
I was deployed for a year
1002
00:52:54,202 --> 00:52:57,371
giving advice on air operations
in Iraq and Afghanistan,
1003
00:52:57,373 --> 00:53:00,207
and when I was
returning home after that,
1004
00:53:00,209 --> 00:53:02,209
the assignment I
was given was to go
1005
00:53:02,211 --> 00:53:03,644
to U.S. Cyber Command.
1006
00:53:04,813 --> 00:53:06,380
Cyber Command is a...
1007
00:53:06,681 --> 00:53:10,050
Is the military command
that's responsible for
1008
00:53:10,052 --> 00:53:13,087
essentially the conducting of
the nation's military affairs
1009
00:53:13,089 --> 00:53:14,488
in cyberspace.
1010
00:53:14,990 --> 00:53:17,391
The stated reason
the United States
1011
00:53:17,393 --> 00:53:19,560
decided it needed
a Cyber Command
1012
00:53:19,562 --> 00:53:22,763
was because of an event called
Operation Buckshot Yankee.
1013
00:53:23,231 --> 00:53:24,832
In the fall of 2008,
1014
00:53:24,834 --> 00:53:27,668
we found some
adversaries inside
1015
00:53:27,670 --> 00:53:29,270
of our classified networks.
1016
00:53:30,205 --> 00:53:31,772
While it wasn't completely true
1017
00:53:31,774 --> 00:53:34,375
that we always assumed
that we were successful
1018
00:53:34,377 --> 00:53:36,110
at defending things at the barrier,
1019
00:53:36,112 --> 00:53:38,279
at the... at the kind of
perimeter that we might have
1020
00:53:38,281 --> 00:53:40,281
between our networks
and the outside world,
1021
00:53:40,283 --> 00:53:42,349
there was a large confidence
1022
00:53:42,351 --> 00:53:44,518
that we'd been
mostly successful.
1023
00:53:44,853 --> 00:53:46,420
But that was a moment
in time when we came to
1024
00:53:46,422 --> 00:53:49,990
the quick conclusion that it...
it's not really ever secure.
1025
00:53:50,859 --> 00:53:53,560
That then accelerated the
Department of Defense's
1026
00:53:53,562 --> 00:53:55,129
progress towards what ultimately
1027
00:53:55,131 --> 00:53:56,263
became Cyber Command.
1028
00:53:59,567 --> 00:54:00,768
Good morning.
1029
00:54:02,070 --> 00:54:03,270
Good morning.
1030
00:54:03,438 --> 00:54:05,518
Good morning, sir.
Cyber has one item for you today.
1031
00:54:05,974 --> 00:54:07,641
Earlier this week, Antok analysts
1032
00:54:07,643 --> 00:54:09,977
detected a foreign adversary
using known methods
1033
00:54:09,979 --> 00:54:11,812
to access the U.S.
military network.
1034
00:54:12,280 --> 00:54:13,881
We identified the
malicious activity
1035
00:54:13,883 --> 00:54:15,816
via data collected through
our information assurance
1036
00:54:15,818 --> 00:54:17,318
and signals from
intelligence authorities
1037
00:54:17,320 --> 00:54:19,486
and confirmed it was
a cyber adversary.
1038
00:54:19,488 --> 00:54:22,156
We provided data to our cyber
partners within the DOD...
1039
00:54:22,158 --> 00:54:24,425
You think of NSA as an institution
1040
00:54:24,427 --> 00:54:27,294
that essentially uses its
abilities in cyberspace
1041
00:54:27,662 --> 00:54:30,064
to help defend
communications in that space.
1042
00:54:30,398 --> 00:54:32,333
Cyber Command
extends that capability
1043
00:54:32,335 --> 00:54:35,703
by saying that they will then
take responsibility to attack.
1044
00:54:37,172 --> 00:54:40,174
NSA has no legal
authority to attack.
1045
00:54:40,176 --> 00:54:42,409
It's never had it,
I doubt that it ever will.
1046
00:54:42,911 --> 00:54:44,979
It might explain why
U.S. Cyber Command
1047
00:54:44,981 --> 00:54:46,680
is sitting out at
Fort Meade on top of
1048
00:54:46,682 --> 00:54:48,415
the National Security Agency,
1049
00:54:48,417 --> 00:54:51,185
because NSA has the
abilities to do these things.
1050
00:54:51,486 --> 00:54:54,288
Cyber Command has the
authority to do these things.
1051
00:54:54,290 --> 00:54:57,524
And "these things" here
refer to the cyber-attack.
1052
00:54:57,526 --> 00:54:59,560
This is a huge change
1053
00:55:00,195 --> 00:55:03,864
for the nature of the
intelligence agencies.
1054
00:55:04,299 --> 00:55:07,101
The NSA was supposed
to be a code-making
1055
00:55:07,103 --> 00:55:09,470
and code-breaking operation
1056
00:55:09,472 --> 00:55:13,640
to monitor the communications
of foreign powers
1057
00:55:13,642 --> 00:55:15,042
and American adversaries
1058
00:55:15,044 --> 00:55:17,378
in the defense of
the United States.
1059
00:55:17,879 --> 00:55:21,382
But creating a Cyber
Command meant using
1060
00:55:21,384 --> 00:55:24,418
the same technology
to do offense.
1061
00:55:26,554 --> 00:55:30,557
Once you get inside an
adversary's computer networks,
1062
00:55:30,559 --> 00:55:33,394
you put an implant
in that network.
1063
00:55:33,628 --> 00:55:36,230
And we have tens of
thousands of foreign computers
1064
00:55:36,232 --> 00:55:38,966
and networks that the
United States put implants in.
1065
00:55:39,734 --> 00:55:42,736
You can use it to monitor
what's going across
1066
00:55:42,738 --> 00:55:44,738
that network and you can use it
1067
00:55:44,740 --> 00:55:47,975
to insert cyber
weapons, malware.
1068
00:55:49,077 --> 00:55:52,279
If you can spy on a network,
you can manipulate it.
1069
00:55:52,981 --> 00:55:54,715
It's already included.
1070
00:55:54,916 --> 00:55:57,251
The only thing you
need is an act of will.
1071
00:56:01,257 --> 00:56:03,057
I played a role in Iraq.
1072
00:56:03,059 --> 00:56:05,426
I can't tell you whether
it was military or not,
1073
00:56:05,428 --> 00:56:07,027
but I can tell you
1074
00:56:07,029 --> 00:56:09,363
NSA had combat
support teams in country.
1075
00:56:10,900 --> 00:56:13,567
And for the first time,
units in the field
1076
00:56:13,569 --> 00:56:15,969
had direct access to NSA intel.
1077
00:56:18,541 --> 00:56:20,407
Over time, we thought
more about offense
1078
00:56:20,409 --> 00:56:21,875
than defense, you know,
1079
00:56:21,877 --> 00:56:23,610
more about attacking
than intelligence.
1080
00:56:24,913 --> 00:56:27,948
In the old days, SIGINT units
would try to track radios,
1081
00:56:27,950 --> 00:56:30,217
but through NSA in Iraq,
1082
00:56:30,219 --> 00:56:32,252
we had access to
all the networks
1083
00:56:32,254 --> 00:56:33,787
going in and out of the country.
1084
00:56:33,789 --> 00:56:35,856
And we hoovered up
every text message,
1085
00:56:35,858 --> 00:56:37,357
email, and phone call.
1086
00:56:37,892 --> 00:56:40,294
A complete surveillance state.
1087
00:56:41,196 --> 00:56:45,265
We could find the bad guys,
say, a gang making IEDs,
1088
00:56:45,267 --> 00:56:48,802
map their networks,
and follow them in real time.
1089
00:56:48,804 --> 00:56:50,104
Roger.
1090
00:56:50,106 --> 00:56:51,905
And we could lock
into cell phones
1091
00:56:51,907 --> 00:56:53,974
even when they were
off and send a fake text
1092
00:56:53,976 --> 00:56:56,410
from a friend,
suggest a meeting place,
1093
00:56:56,412 --> 00:56:58,278
and then capture...
1094
00:56:58,280 --> 00:56:59,646
1A, clear to fire.
1095
00:57:00,115 --> 00:57:01,415
...or kill.
1096
00:57:01,417 --> 00:57:02,516
Good shot.
1097
00:57:05,553 --> 00:57:07,821
A lot of the people that
came to Cyber Command,
1098
00:57:07,823 --> 00:57:09,656
the military guys,
came directly from
1099
00:57:09,658 --> 00:57:11,658
an assignment in
Afghanistan or Iraq,
1100
00:57:11,660 --> 00:57:14,228
'cause those are the
people with experience
1101
00:57:14,230 --> 00:57:16,163
and expertise in operations,
1102
00:57:16,165 --> 00:57:18,098
and those are the ones
you want looking at this
1103
00:57:18,100 --> 00:57:20,134
to see how cyber could facilitate
1104
00:57:20,136 --> 00:57:22,369
traditional military operations.
1105
00:57:34,082 --> 00:57:35,916
Fresh from the surge,
1106
00:57:35,918 --> 00:57:40,420
I went to work at NSA in
'07 in a supervisory capacity.
1107
00:57:40,422 --> 00:57:42,589
Exactly where did you work?
1108
00:57:42,591 --> 00:57:43,924
Fort Meade.
1109
00:57:43,926 --> 00:57:45,659
You know, I commuted
to that massive complex
1110
00:57:45,661 --> 00:57:47,094
every single day.
1111
00:57:48,429 --> 00:57:52,733
I was in TAO-S321, "The Roc".
1112
00:57:53,301 --> 00:57:55,369
Okay, the TAO, The Roc?
1113
00:57:55,537 --> 00:57:58,772
Right, sorry.
TAO is Tailored Access Operations.
1114
00:57:58,774 --> 00:58:00,807
It's where NSA's hackers work.
1115
00:58:00,809 --> 00:58:02,576
Of course,
we didn't call them that.
1116
00:58:02,844 --> 00:58:04,178
What did you call them?
1117
00:58:04,345 --> 00:58:05,712
On-net operators.
1118
00:58:06,014 --> 00:58:08,549
They're the only people
at NSA allowed to break in
1119
00:58:08,551 --> 00:58:10,050
or attack on the Internet.
1120
00:58:11,052 --> 00:58:13,153
Inside TAO
headquarters is The Roc,
1121
00:58:13,155 --> 00:58:14,755
remote operations center.
1122
00:58:15,557 --> 00:58:18,759
If the U.S. government
wants to get in somewhere,
1123
00:58:19,827 --> 00:58:21,228
it goes to The Roc.
1124
00:58:21,396 --> 00:58:24,264
I mean, we were
flooded with requests.
1125
00:58:24,999 --> 00:58:27,534
So many that we could
only do about,
1126
00:58:27,536 --> 00:58:30,704
30% of the missions that were
requested of us at one time,
1127
00:58:30,706 --> 00:58:32,339
through the web
1128
00:58:32,341 --> 00:58:35,209
but also by hijacking
shipments of parts.
1129
00:58:36,077 --> 00:58:38,078
You know, sometimes
the CIA would assist
1130
00:58:38,080 --> 00:58:40,714
in putting implants in machines,
1131
00:58:41,916 --> 00:58:44,651
so once inside a target network,
1132
00:58:45,520 --> 00:58:46,787
we could just...
1133
00:58:47,755 --> 00:58:48,956
Watch...
1134
00:58:50,692 --> 00:58:52,259
Or we could attack.
1135
00:58:56,064 --> 00:58:59,600
Inside NSA was a
strange kind of culture,
1136
00:58:59,602 --> 00:59:02,002
like, two parts macho military
1137
00:59:02,004 --> 00:59:06,106
and two parts cyber geek.
I mean, I came from Iraq,
1138
00:59:06,108 --> 00:59:08,008
so I was used to,
"Yes, sir. No, sir."
1139
00:59:08,010 --> 00:59:10,110
But for the weapons
programmers
1140
00:59:10,112 --> 00:59:12,679
we needed more "think
outside the box" types.
1141
00:59:13,514 --> 00:59:15,249
From cubicle to cubicle,
1142
00:59:15,251 --> 00:59:18,518
you'd see lightsabers, Tribbles,
1143
00:59:18,520 --> 00:59:20,687
those Naruto action figures,
1144
00:59:20,689 --> 00:59:22,990
lots of Aqua Teen Hunger Force.
1145
00:59:25,727 --> 00:59:29,329
This one guy,
they were mostly guys,
1146
00:59:30,298 --> 00:59:32,432
who liked to wear a
yellow hooded cape,
1147
00:59:32,900 --> 00:59:36,503
he used a ton of gray Legos
to build a massive Death Star.
1148
00:59:39,540 --> 00:59:41,708
Were they all
working on STUXnet?
1149
00:59:42,277 --> 00:59:44,311
We never called it STUXnet.
1150
00:59:44,313 --> 00:59:47,080
That was the name
invented by the antivirus guys.
1151
00:59:47,082 --> 00:59:49,082
When it hit the papers,
1152
00:59:49,084 --> 00:59:51,084
we're not allowed to read
about classified operations,
1153
00:59:51,086 --> 00:59:52,586
even if it's in The
New York Times.
1154
00:59:52,588 --> 00:59:54,288
We went out of our
way to avoid the term.
1155
00:59:54,290 --> 00:59:56,223
I mean, saying
"STUXnet" out loud
1156
00:59:56,225 --> 00:59:58,392
was like saying
"Voldemort" in Harry Potter.
1157
00:59:58,394 --> 01:00:00,027
The name that
shall not be spoken.
1158
01:00:00,328 --> 01:00:01,828
What did you call it then?
1159
01:00:10,305 --> 01:00:13,840
The Natanz attack,
and this is out there already,
1160
01:00:14,742 --> 01:00:18,712
was called Olympic
Games or OG.
1161
01:00:22,250 --> 01:00:24,685
There was a huge
operation to test the code
1162
01:00:24,687 --> 01:00:27,054
on PLCs here at Fort Meade
1163
01:00:27,622 --> 01:00:30,057
and in Sandia, New Mexico.
1164
01:00:31,826 --> 01:00:33,260
Remember during the Bush era
1165
01:00:33,262 --> 01:00:35,696
when Libya turned
over all the centrifuges?
1166
01:00:36,130 --> 01:00:38,298
Those were the same
models the Iranians got
1167
01:00:38,300 --> 01:00:40,600
from A.Q. Khan. P1s.
1168
01:00:42,003 --> 01:00:44,471
We took them to Oak
Ridge and used them
1169
01:00:44,473 --> 01:00:48,008
to test the code which
demolished the insides.
1170
01:00:49,043 --> 01:00:52,913
At Dimona, the Israelis
also tested on the P1s.
1171
01:00:54,349 --> 01:00:56,950
Then, partly by
using our intel on Iran,
1172
01:00:56,952 --> 01:01:00,187
we got the plans for the
newer models, the IR-2s.
1173
01:01:01,055 --> 01:01:03,290
We tried out different
attack vectors.
1174
01:01:03,292 --> 01:01:07,594
We ended up focusing on
ways to destroy the rotor tubes.
1175
01:01:08,496 --> 01:01:11,932
In the tests we ran,
we blew them apart.
1176
01:01:13,401 --> 01:01:15,335
They swept up the pieces,
1177
01:01:15,337 --> 01:01:18,038
they put it on an airplane,
they flew it to Washington,
1178
01:01:18,040 --> 01:01:19,740
they stuck it in the truck,
1179
01:01:19,742 --> 01:01:21,708
they drove it through the
gates of the White House,
1180
01:01:21,710 --> 01:01:25,846
and dumped the shards out
on the conference room table
1181
01:01:25,848 --> 01:01:27,547
in the Situation Room.
1182
01:01:27,549 --> 01:01:29,082
And then they
invited President Bush
1183
01:01:29,084 --> 01:01:30,650
to come down and take a look.
1184
01:01:30,652 --> 01:01:32,486
And when he could
pick up the shard
1185
01:01:32,488 --> 01:01:34,254
of a piece of centrifuge...
1186
01:01:35,223 --> 01:01:37,457
He was convinced
this might be worth it,
1187
01:01:37,759 --> 01:01:39,559
and he said, "go ahead and try".
1188
01:01:40,395 --> 01:01:43,330
Was there legal concern
inside the Bush Administration
1189
01:01:43,332 --> 01:01:45,732
that this might be an
act of undeclared war?
1190
01:01:46,667 --> 01:01:50,437
If there were concerns,
I haven't found them.
1191
01:01:51,706 --> 01:01:54,374
That doesn't mean
that they didn't exist
1192
01:01:54,376 --> 01:01:56,376
and that some
lawyers somewhere
1193
01:01:56,378 --> 01:01:57,944
weren't concerned about it,
1194
01:01:57,946 --> 01:02:01,281
but this was an
entirely new territory.
1195
01:02:01,883 --> 01:02:04,384
At the time, there were
really very few people
1196
01:02:04,386 --> 01:02:08,522
who had expertise specifically
on the law of war and cyber.
1197
01:02:08,923 --> 01:02:11,191
And basically what we
did was looking at, okay,
1198
01:02:11,193 --> 01:02:12,659
here's our broad direction.
1199
01:02:13,227 --> 01:02:15,829
Now, let's look...
technically what can we do
1200
01:02:16,230 --> 01:02:18,098
to facilitate this broad direction?
1201
01:02:18,366 --> 01:02:21,234
After that, maybe
the... I would come in
1202
01:02:21,236 --> 01:02:23,804
or one of my lawyers
would come in and say,
1203
01:02:23,806 --> 01:02:27,774
okay, this is what
we may do. Okay.
1204
01:02:28,877 --> 01:02:29,976
There are many
things we can do,
1205
01:02:29,978 --> 01:02:31,978
but we are not
allowed to do them.
1206
01:02:31,980 --> 01:02:34,114
And then after that,
there's still a final level
1207
01:02:34,116 --> 01:02:36,016
that we look at and that's,
what should we do?
1208
01:02:36,417 --> 01:02:38,385
Because there are many
things that would be
1209
01:02:38,387 --> 01:02:41,655
technically possible
and technically legal
1210
01:02:41,657 --> 01:02:43,190
but a bad idea.
1211
01:02:43,724 --> 01:02:47,427
For Natanz,
it was a CIA-led operation,
1212
01:02:47,429 --> 01:02:49,863
so we had to have
agency sign-off.
1213
01:02:50,164 --> 01:02:51,331
Really?
1214
01:02:51,499 --> 01:02:54,334
Someone from the agency
1215
01:02:55,169 --> 01:02:57,304
stood behind the
operator and the analyst
1216
01:02:57,306 --> 01:03:00,240
and gave the order to
launch every attack.
1217
01:03:07,849 --> 01:03:09,683
Before they had even
started this attack,
1218
01:03:09,685 --> 01:03:11,918
they put inside of
the code the kill date,
1219
01:03:12,253 --> 01:03:14,020
a date at which it
would stop operating.
1220
01:03:14,589 --> 01:03:16,690
Cutoff dates,
we don't normally see that
1221
01:03:16,692 --> 01:03:18,358
in other threats,
and you have to think,
1222
01:03:18,360 --> 01:03:20,260
well, why is there a
cutoff date in there?
1223
01:03:20,695 --> 01:03:23,129
And when you realize that,
well, STUXnet was probably
1224
01:03:23,131 --> 01:03:26,333
written by government
and that there are laws
1225
01:03:26,335 --> 01:03:29,202
regarding how you can
use this sort of software,
1226
01:03:29,204 --> 01:03:31,838
that there may have been a
legal team who said, no, you...
1227
01:03:31,840 --> 01:03:34,040
You need to have a
cutoff date in there,
1228
01:03:34,042 --> 01:03:36,142
and you can only do this
and you can only go that far
1229
01:03:36,144 --> 01:03:37,944
and we need to check
if this is legal or not.
1230
01:03:39,814 --> 01:03:43,083
That date is a few days
before Obama's inauguration.
1231
01:03:44,118 --> 01:03:46,987
So the theory was that
this was an operation
1232
01:03:46,989 --> 01:03:49,389
that needed to be
stopped at a certain time
1233
01:03:49,391 --> 01:03:51,791
because there was
gonna be a handover
1234
01:03:51,793 --> 01:03:54,127
and that more
approval was needed.
1235
01:03:57,366 --> 01:03:59,232
Are you prepared to
take the oath, senator?
1236
01:03:59,234 --> 01:04:00,467
I am.
1237
01:04:00,835 --> 01:04:02,802
I, Barack Hussein Obama...
1238
01:04:02,804 --> 01:04:04,337
- I, Barack...
- do solemnly swear...
1239
01:04:04,339 --> 01:04:06,940
I, Barack Hussein Obama,
do solemnly swear...
1240
01:04:07,141 --> 01:04:10,677
Olympic Games was
reauthorized by President Obama
1241
01:04:10,679 --> 01:04:12,479
in his first year in office, 2009.
1242
01:04:16,984 --> 01:04:19,085
It was fascinating because
it was the first year of
1243
01:04:19,087 --> 01:04:21,087
the Obama administration
and they would talk to you
1244
01:04:21,089 --> 01:04:23,890
endlessly about cyber defense.
1245
01:04:24,659 --> 01:04:25,825
We count on computer networks
1246
01:04:25,827 --> 01:04:28,962
to deliver our oil and gas,
our power, and our water.
1247
01:04:29,263 --> 01:04:32,499
We rely on them for
public transportation
1248
01:04:32,501 --> 01:04:34,067
and air traffic control.
1249
01:04:34,435 --> 01:04:36,536
But just as we failed in the past
1250
01:04:36,538 --> 01:04:38,572
to invest in our
physical infrastructure,
1251
01:04:38,873 --> 01:04:41,241
our roads, our bridges, and rails,
1252
01:04:41,576 --> 01:04:43,276
we failed to invest in the security
1253
01:04:43,278 --> 01:04:45,145
of our digital infrastructure.
1254
01:04:45,346 --> 01:04:47,747
He was running
East Room events
1255
01:04:47,949 --> 01:04:50,684
trying to get people to
focus on the need to
1256
01:04:50,686 --> 01:04:52,619
defend cyber networks
1257
01:04:52,621 --> 01:04:54,354
and defend American
infrastructure.
1258
01:04:54,722 --> 01:04:58,258
But when you asked
questions about the use of
1259
01:04:58,260 --> 01:05:01,861
offensive cyber weapons,
everything went dead.
1260
01:05:01,863 --> 01:05:03,597
No cooperation.
1261
01:05:03,599 --> 01:05:05,699
White House wouldn't help,
Pentagon wouldn't help,
1262
01:05:05,701 --> 01:05:06,866
NSA wouldn't help.
1263
01:05:07,101 --> 01:05:08,535
Nobody would
talk to you about it.
1264
01:05:09,437 --> 01:05:11,071
But when you dug into the budget
1265
01:05:11,073 --> 01:05:14,307
for cyber spending during
the Obama administration,
1266
01:05:14,309 --> 01:05:16,242
what you discovered was
1267
01:05:16,244 --> 01:05:19,646
much of it was being spent
on offensive cyber weapons.
1268
01:05:21,449 --> 01:05:25,952
You see phrases
like "Title 10 CNO".
1269
01:05:26,387 --> 01:05:29,656
Title 10 means operations
for the U.S. military,
1270
01:05:29,924 --> 01:05:34,194
and CNO means Computer
Network Operations.
1271
01:05:34,895 --> 01:05:36,463
This is considerable evidence
1272
01:05:36,465 --> 01:05:39,065
that STUXnet was just
the opening wedge
1273
01:05:39,734 --> 01:05:43,536
of what is a much broader
U.S. government effort now
1274
01:05:43,971 --> 01:05:47,007
to develop an entire
new class of weapons.
1275
01:05:52,580 --> 01:05:55,315
STUXnet wasn't just an evolution.
1276
01:05:55,317 --> 01:05:57,984
It was really a revolution
in the threat landscape.
1277
01:05:59,787 --> 01:06:02,756
In the past, the vast majority
of threats that we saw
1278
01:06:02,758 --> 01:06:04,758
were always controlled by
an operator somewhere.
1279
01:06:04,760 --> 01:06:06,459
They would infect your machines,
1280
01:06:06,461 --> 01:06:08,294
but they would have
what's called a callback
1281
01:06:08,296 --> 01:06:09,829
or a
command-and-control channel.
1282
01:06:09,997 --> 01:06:12,132
The threats would
actually contact the operator
1283
01:06:12,134 --> 01:06:13,533
and say, what do you
want me to do next?
1284
01:06:13,535 --> 01:06:15,101
And the operator would
send down commands
1285
01:06:15,103 --> 01:06:17,037
and say, maybe,
search through this directory,
1286
01:06:17,039 --> 01:06:18,972
find these folders, find these files,
1287
01:06:18,974 --> 01:06:20,807
upload these files to me,
spread to this other machine,
1288
01:06:20,809 --> 01:06:22,275
things of that nature.
1289
01:06:22,810 --> 01:06:25,879
But STUXnet couldn't have a
command-and-control channel
1290
01:06:26,347 --> 01:06:29,115
because once it
got inside in Natanz
1291
01:06:29,117 --> 01:06:31,851
it would not have been able to
reach back out to the attackers.
1292
01:06:31,853 --> 01:06:34,154
The Natanz network is
completely air gapped
1293
01:06:34,156 --> 01:06:35,355
from the rest of the Internet.
1294
01:06:35,357 --> 01:06:36,723
It's not connected to the Internet.
1295
01:06:36,725 --> 01:06:38,191
It's its own isolated network.
1296
01:06:38,193 --> 01:06:39,959
Generally, getting
across an air gap is...
1297
01:06:39,961 --> 01:06:41,561
Is one of the more
difficult challenges
1298
01:06:41,563 --> 01:06:43,830
that attackers will face
just because of the fact that
1299
01:06:43,832 --> 01:06:46,733
there... everything is in
place to prevent that.
1300
01:06:46,735 --> 01:06:49,302
You know, everything, you know,
the policies and procedures
1301
01:06:49,304 --> 01:06:51,204
and the physical
network that's in place is
1302
01:06:51,206 --> 01:06:54,674
specifically designed to
prevent you crossing the air gap.
1303
01:06:54,676 --> 01:06:57,143
But there's no truly
air-gapped network
1304
01:06:57,145 --> 01:06:59,412
in these real-world
production environments.
1305
01:06:59,414 --> 01:07:01,481
People gotta get
new code into Natanz.
1306
01:07:01,483 --> 01:07:04,384
People have to get log files
off of this network in Natanz.
1307
01:07:04,386 --> 01:07:05,852
People have to
upgrade equipment.
1308
01:07:05,854 --> 01:07:07,554
People have to
upgrade computers.
1309
01:07:07,755 --> 01:07:10,890
This highlights one of the major
1310
01:07:11,392 --> 01:07:14,327
security issues that
we have in the field.
1311
01:07:14,329 --> 01:07:17,230
If you think, well,
nobody can attack
1312
01:07:17,232 --> 01:07:19,499
this power plant or
this chemical plant
1313
01:07:19,501 --> 01:07:21,234
because it's not
connected to the Internet,
1314
01:07:21,236 --> 01:07:23,103
that's a bizarre illusion.
1315
01:07:26,741 --> 01:07:30,076
The first time we introduced
the code into Natanz
1316
01:07:30,611 --> 01:07:32,412
we used human assets,
1317
01:07:33,280 --> 01:07:36,850
maybe CIA, more likely Mossad,
1318
01:07:36,852 --> 01:07:40,253
but our team was kept in the
dark about the trade craft.
1319
01:07:41,188 --> 01:07:43,690
We heard rumors in Moscow,
1320
01:07:43,692 --> 01:07:47,527
an Iranian laptop infected by
a phony Siemens technician
1321
01:07:47,529 --> 01:07:48,828
with a flash drive...
1322
01:07:50,364 --> 01:07:53,500
A double agent in Iran
with access to Natanz,
1323
01:07:54,068 --> 01:07:55,802
but I don't really know.
1324
01:07:55,804 --> 01:07:58,505
What we had to focus
on was to write the code
1325
01:07:59,106 --> 01:08:02,542
so that, once inside,
the worm acted on its own.
1326
01:08:02,743 --> 01:08:05,111
They built in all the
code and all the logic
1327
01:08:05,113 --> 01:08:07,914
into the threat to be able
to operate all by itself.
1328
01:08:07,916 --> 01:08:10,150
It had the ability
to spread by itself.
1329
01:08:10,152 --> 01:08:13,219
It had the ability to figure out,
do I have the right PLCs?
1330
01:08:13,221 --> 01:08:16,156
Have I arrived in Natanz?
Am I at the target?
1331
01:08:16,158 --> 01:08:17,724
And when it's on target,
1332
01:08:17,726 --> 01:08:19,893
it executes autonomously.
1333
01:08:20,261 --> 01:08:23,563
That also means you...
cannot call off the attack.
1334
01:08:24,231 --> 01:08:25,965
It was definitely
the type of attack
1335
01:08:26,567 --> 01:08:28,067
where someone had decided
1336
01:08:28,769 --> 01:08:30,570
that this is what
they wanted to do.
1337
01:08:31,105 --> 01:08:33,907
There was no turning back
once STUXnet was released.
1338
01:08:39,113 --> 01:08:41,247
When it began to actually
execute its payload,
1339
01:08:41,249 --> 01:08:43,516
you would have a whole
bunch of centrifuges
1340
01:08:43,518 --> 01:08:46,619
in a huge array of
cascades sitting in a big hall.
1341
01:08:46,621 --> 01:08:48,822
And then just off that hall
1342
01:08:48,824 --> 01:08:50,623
you would have
an operators room,
1343
01:08:50,625 --> 01:08:52,492
the control panels in front
of them, a big window
1344
01:08:52,494 --> 01:08:53,934
where they could
see into the hall.
1345
01:08:54,495 --> 01:08:56,696
Computers monitor the activities
1346
01:08:56,698 --> 01:08:58,064
of all these centrifuges.
1347
01:08:58,933 --> 01:09:03,002
So a centrifuge, it's driven
by an electrical motor.
1348
01:09:03,604 --> 01:09:06,506
And the speed of
this electrical motor
1349
01:09:06,508 --> 01:09:09,709
is controlled by another PLC,
1350
01:09:09,711 --> 01:09:11,411
by another programmable
logic controller.
1351
01:09:13,614 --> 01:09:17,317
STUXnet would wait for 13 days
1352
01:09:17,319 --> 01:09:18,618
before doing anything,
1353
01:09:18,620 --> 01:09:20,720
because 13 days is
about the time it takes
1354
01:09:20,722 --> 01:09:23,690
to actually fill an entire
cascade of centrifuges
1355
01:09:23,692 --> 01:09:25,225
with uranium.
1356
01:09:25,526 --> 01:09:28,361
They didn't want to attack
when the centrifuges essentially
1357
01:09:28,363 --> 01:09:30,730
were empty or at the beginning
of the enrichment process.
1358
01:09:31,999 --> 01:09:34,367
What STUXnet did was it
actually would sit there
1359
01:09:34,369 --> 01:09:37,070
during the 13 days
and basically record
1360
01:09:37,072 --> 01:09:39,072
all of the normal activities
1361
01:09:39,074 --> 01:09:40,607
that were happening and save it.
1362
01:09:41,408 --> 01:09:43,743
And once they saw them
spinning for 13 days,
1363
01:09:43,745 --> 01:09:45,378
then the attack occurred.
1364
01:09:46,146 --> 01:09:48,414
Centrifuges spin at
incredible speeds,
1365
01:09:48,416 --> 01:09:50,350
about 1,000 hertz.
1366
01:09:50,352 --> 01:09:52,719
They have a safe
operating speed,
1367
01:09:52,721 --> 01:09:55,555
63,000 revolutions per minute.
1368
01:09:55,856 --> 01:09:58,424
STUXnet caused the uranium
enrichment centrifuges
1369
01:09:58,426 --> 01:10:00,727
to spin up to 1,400 hertz.
1370
01:10:00,729 --> 01:10:03,463
Up to 80,000
revolutions per minute.
1371
01:10:06,934 --> 01:10:09,369
What would happen
was those centrifuges
1372
01:10:09,371 --> 01:10:11,638
would go through what's
called a resonance frequency.
1373
01:10:12,172 --> 01:10:14,407
It would go through a frequency
at which the metal would
1374
01:10:14,409 --> 01:10:16,276
basically vibrate uncontrollably
1375
01:10:16,278 --> 01:10:17,577
and essentially shatter.
1376
01:10:17,745 --> 01:10:19,946
There'd be uranium
gas everywhere.
1377
01:10:21,081 --> 01:10:22,949
And then the second
attack they attempted
1378
01:10:22,951 --> 01:10:25,251
was they actually tried
to lower it to two hertz.
1379
01:10:25,253 --> 01:10:28,955
They were slowed down
to almost standstill.
1380
01:10:29,723 --> 01:10:32,258
And at two hertz, sort of
an opposite effect occurs.
1381
01:10:32,260 --> 01:10:34,527
You can imagine a
toy top that you spin
1382
01:10:34,529 --> 01:10:37,430
and as the top begins to slow
down, it begins to wobble.
1383
01:10:37,432 --> 01:10:39,432
That's what would happen
to these centrifuges.
1384
01:10:39,434 --> 01:10:41,467
They'd begin to wobble
and essentially shatter
1385
01:10:41,469 --> 01:10:42,702
and fall apart.
1386
01:10:46,474 --> 01:10:49,309
And instead of sending
back to the computer
1387
01:10:49,311 --> 01:10:50,944
what was really happening,
it would send back
1388
01:10:50,946 --> 01:10:52,912
that old data that it had recorded.
1389
01:10:52,914 --> 01:10:54,714
So the computer's
sitting there thinking,
1390
01:10:54,716 --> 01:10:56,416
yep, running at 1,000
hertz, everything is fine.
1391
01:10:56,418 --> 01:10:58,318
Running at 1,000 hertz,
everything is fine.
1392
01:10:58,320 --> 01:11:01,154
But those centrifuges are
potentially spinning up wildly,
1393
01:11:01,156 --> 01:11:02,956
a huge noise would occur.
1394
01:11:02,958 --> 01:11:04,958
It'd be like,
you know, a jet engine.
1395
01:11:08,496 --> 01:11:10,096
So the operators then
would know, whoa,
1396
01:11:10,098 --> 01:11:11,731
something is going wrong here.
1397
01:11:11,733 --> 01:11:13,666
They might look at their
monitors and say, hmm,
1398
01:11:13,668 --> 01:11:16,135
it says it's 1,000 hertz, but
they would hear that in the room
1399
01:11:16,137 --> 01:11:17,937
something gravely
bad was happening.
1400
01:11:17,939 --> 01:11:21,307
Not only are the operators
fooled into thinking
1401
01:11:21,309 --> 01:11:23,109
everything's normal,
1402
01:11:23,111 --> 01:11:27,447
but also any kind of
automated protective logic
1403
01:11:27,449 --> 01:11:29,215
is fooled.
1404
01:11:30,084 --> 01:11:32,044
You can't just turn
these centrifuges off.
1405
01:11:32,286 --> 01:11:34,921
They have to be brought down
in a very controlled manner.
1406
01:11:34,923 --> 01:11:37,090
And so they would hit,
literally, the big red button
1407
01:11:37,092 --> 01:11:38,691
to initiate a graceful shutdown,
1408
01:11:39,026 --> 01:11:41,127
and STUXnet
intercepts that code.
1409
01:11:41,129 --> 01:11:42,695
So you would have
these operators
1410
01:11:42,697 --> 01:11:44,831
slamming on that button
over and over again
1411
01:11:44,833 --> 01:11:45,999
and nothing would happen.
1412
01:11:47,301 --> 01:11:50,870
If your cyber weapon
is good enough,
1413
01:11:50,872 --> 01:11:53,606
if your enemy is not aware of it,
1414
01:11:53,874 --> 01:11:57,510
it is an ideal weapon,
because the enemy
1415
01:11:57,512 --> 01:11:59,579
even don't understand
what is happening to it.
1416
01:12:00,147 --> 01:12:02,115
Maybe even better if the
enemy begins to doubt
1417
01:12:02,117 --> 01:12:04,417
- their own capability.
- Absolutely.
1418
01:12:05,119 --> 01:12:07,987
Certainly one must conclude
1419
01:12:07,989 --> 01:12:10,790
that what happened at Natanz
1420
01:12:10,792 --> 01:12:13,192
must have driven
the engineers crazy,
1421
01:12:13,194 --> 01:12:15,661
because the worst
thing that can happen
1422
01:12:15,663 --> 01:12:19,565
to a maintenance engineer
is not being able to figure out
1423
01:12:19,567 --> 01:12:22,368
what the cause of
specific trouble is.
1424
01:12:22,370 --> 01:12:25,738
So they must have been
analyzing themselves to death.
1425
01:12:28,475 --> 01:12:31,277
You know, you see
centrifuges blowing up.
1426
01:12:31,645 --> 01:12:35,448
You look the computer screens,
they go with the proper speed.
1427
01:12:35,816 --> 01:12:39,485
There's a proper gas pressure.
Everything looks beautiful.
1428
01:12:42,089 --> 01:12:45,224
Through 2009 it was
going pretty smoothly.
1429
01:12:45,226 --> 01:12:47,060
Centrifuges were blowing up.
1430
01:12:47,062 --> 01:12:49,729
The International Atomic
Energy Agency inspectors
1431
01:12:49,731 --> 01:12:52,231
would go in to Natanz
and they would see that
1432
01:12:52,233 --> 01:12:55,134
whole sections of the
centrifuges had been removed.
1433
01:12:56,370 --> 01:12:59,439
The United States knew
from its intelligence channels
1434
01:12:59,441 --> 01:13:02,942
that some Iranian
scientists and engineers
1435
01:13:02,944 --> 01:13:06,712
were being fired because the
centrifuges were blowing up
1436
01:13:06,714 --> 01:13:09,849
and the Iranians had
assumed that this was because
1437
01:13:09,851 --> 01:13:13,352
they had been making errors
or manufacturing mistakes.
1438
01:13:13,354 --> 01:13:14,987
Clearly this was
somebody's fault.
1439
01:13:16,090 --> 01:13:18,124
So the program was doing
1440
01:13:18,126 --> 01:13:19,959
exactly what it was
supposed to be doing,
1441
01:13:20,260 --> 01:13:23,029
which was it was
blowing up centrifuges
1442
01:13:23,263 --> 01:13:25,098
and it was leaving no trace
1443
01:13:25,766 --> 01:13:27,867
and leaving the
Iranians to wonder
1444
01:13:28,302 --> 01:13:29,669
what they got hit by.
1445
01:13:30,137 --> 01:13:32,772
This was the brilliance
of Olympic Games.
1446
01:13:33,073 --> 01:13:34,774
You know, as a former
director of a couple of big
1447
01:13:34,776 --> 01:13:36,042
3-letter agencies,
1448
01:13:36,410 --> 01:13:38,845
slowing down 1,000
centrifuges in Natanz...
1449
01:13:39,713 --> 01:13:41,047
Abnormally good.
1450
01:13:41,049 --> 01:13:43,649
There was a need for...
buying time.
1451
01:13:43,651 --> 01:13:46,285
There was a need for
slowing them down.
1452
01:13:46,287 --> 01:13:48,221
There was the need
to try to push them
1453
01:13:48,223 --> 01:13:49,589
to the negotiating table.
1454
01:13:49,591 --> 01:13:51,891
I mean, there are a lot
of variables at play here.
1455
01:13:56,230 --> 01:13:59,866
President Obama would go
down into the Situation Room,
1456
01:14:00,300 --> 01:14:03,569
and he would have
laid out in front of him
1457
01:14:03,571 --> 01:14:05,238
what they called
the horse blanket,
1458
01:14:05,240 --> 01:14:07,440
which was a giant schematic
1459
01:14:07,442 --> 01:14:10,910
of the Natanz nuclear
enrichment plant.
1460
01:14:11,478 --> 01:14:14,580
And the designers
of Olympic Games
1461
01:14:14,582 --> 01:14:17,750
would describe to him what
kind of progress they made
1462
01:14:17,752 --> 01:14:20,019
and look for him
for the authorization
1463
01:14:20,021 --> 01:14:22,255
to move on ahead
to the next attack.
1464
01:14:24,091 --> 01:14:26,125
And at one point
during those discussions,
1465
01:14:26,127 --> 01:14:27,860
he said to a number of his aides,
1466
01:14:27,862 --> 01:14:29,462
you know, I have some concerns
1467
01:14:29,464 --> 01:14:31,931
because once word
of this gets out,
1468
01:14:31,933 --> 01:14:33,599
and eventually he
knew it would get out,
1469
01:14:33,601 --> 01:14:35,601
the Chinese may
use it as an excuse
1470
01:14:35,603 --> 01:14:38,938
for their attacks on us.
The Russians might or others.
1471
01:14:39,473 --> 01:14:42,508
So he clearly had
some misgivings,
1472
01:14:43,143 --> 01:14:44,944
but they weren't big
enough to stop him
1473
01:14:44,946 --> 01:14:46,345
from going ahead
with the program.
1474
01:14:47,548 --> 01:14:50,716
And then in 2010,
1475
01:14:51,051 --> 01:14:54,287
a decision was made
to change the code.
1476
01:15:00,127 --> 01:15:01,561
Our human assets
1477
01:15:02,196 --> 01:15:05,665
weren't always able to get
code updates into Natanz
1478
01:15:05,667 --> 01:15:07,800
and we weren't told exactly why,
1479
01:15:08,368 --> 01:15:12,405
but we were told we had
to have a cyber solution
1480
01:15:12,407 --> 01:15:13,906
for delivering the code.
1481
01:15:14,341 --> 01:15:16,909
But the delivery
systems were tricky.
1482
01:15:17,211 --> 01:15:19,879
If they weren't aggressive
enough, they wouldn't get in.
1483
01:15:20,180 --> 01:15:22,548
If they were too aggressive,
they could spread
1484
01:15:22,983 --> 01:15:24,217
and be discovered.
1485
01:15:26,220 --> 01:15:27,987
When we got the first sample,
1486
01:15:27,989 --> 01:15:30,323
there was some configuration
information inside of it.
1487
01:15:30,325 --> 01:15:33,559
And one of the pieces in there
was a version number, 1.1
1488
01:15:34,561 --> 01:15:35,861
and that made us realize,
1489
01:15:35,863 --> 01:15:38,097
well, look, this likely
isn't the only copy.
1490
01:15:38,099 --> 01:15:40,333
We went back through
our databases looking for
1491
01:15:40,335 --> 01:15:42,802
anything that looks
similar to STUXnet.
1492
01:15:44,538 --> 01:15:46,239
As we began to
collect more samples,
1493
01:15:46,241 --> 01:15:48,140
we found a few earlier
versions of STUXnet.
1494
01:15:49,209 --> 01:15:50,910
And when we analyzed that code,
1495
01:15:50,912 --> 01:15:53,579
we saw that versions
previous to 1.1
1496
01:15:53,581 --> 01:15:55,248
were a lot less aggressive.
1497
01:15:55,716 --> 01:15:57,550
The earlier version of STUXnet,
1498
01:15:57,552 --> 01:15:59,719
it basically required
humans to do a little bit
1499
01:15:59,721 --> 01:16:02,054
of double clicking in
order for it to spread
1500
01:16:02,056 --> 01:16:03,589
from one computer to another.
1501
01:16:03,591 --> 01:16:05,858
And, so, what we believe
after looking at that code
1502
01:16:05,860 --> 01:16:06,993
is two things,
1503
01:16:07,394 --> 01:16:09,695
one, either they
didn't get in to Natanz
1504
01:16:09,697 --> 01:16:10,930
with that earlier version,
1505
01:16:10,932 --> 01:16:12,531
because it simply
wasn't aggressive enough,
1506
01:16:12,533 --> 01:16:14,267
wasn't able to jump
over that air gap,
1507
01:16:15,235 --> 01:16:18,070
and... or two, that payload as well
1508
01:16:18,072 --> 01:16:21,374
didn't work properly,
didn't work to their satisfaction,
1509
01:16:21,642 --> 01:16:23,476
maybe was not
explosive enough.
1510
01:16:24,044 --> 01:16:26,279
There were slightly
different versions
1511
01:16:26,281 --> 01:16:28,614
which were aimed
at different parts
1512
01:16:28,616 --> 01:16:30,249
of the centrifuge cascade.
1513
01:16:30,251 --> 01:16:33,252
But the guys at Symantec
figured you changed the code
1514
01:16:33,254 --> 01:16:35,054
because the first
variations couldn't get in
1515
01:16:35,056 --> 01:16:36,222
and didn't work right.
1516
01:16:36,490 --> 01:16:37,490
Bullshit.
1517
01:16:38,292 --> 01:16:40,559
We always found a way
to get across the air gap.
1518
01:16:40,561 --> 01:16:42,828
At TAO, we laughed when
people thought they were
1519
01:16:42,830 --> 01:16:44,497
protected by an air gap.
1520
01:16:45,165 --> 01:16:48,200
And for OG, the early versions
of the payload did work.
1521
01:16:48,669 --> 01:16:50,469
But what NSA did...
1522
01:16:52,072 --> 01:16:54,874
Was always low-key and subtle.
1523
01:16:55,976 --> 01:16:59,245
The problem was that
Unit 8200, the Israelis,
1524
01:16:59,247 --> 01:17:01,380
kept pushing us to
be more aggressive.
1525
01:17:03,016 --> 01:17:05,651
The later version of STUXnet 1.1,
1526
01:17:05,653 --> 01:17:07,787
that version had multiple
ways of spreading.
1527
01:17:07,789 --> 01:17:09,989
Had the four zero days
inside of it, for example,
1528
01:17:09,991 --> 01:17:11,791
that allowed it to
spread all by itself
1529
01:17:11,793 --> 01:17:12,925
without you doing anything.
1530
01:17:12,927 --> 01:17:14,527
It could spread via
network shares.
1531
01:17:14,529 --> 01:17:16,429
It could spread via USB keys.
1532
01:17:16,431 --> 01:17:18,831
It was able to spread
via network exploits.
1533
01:17:18,833 --> 01:17:20,366
That's the sample
that introduced us
1534
01:17:20,368 --> 01:17:22,368
to stolen digital certificates.
1535
01:17:22,370 --> 01:17:24,804
That is the sample that,
all of a sudden,
1536
01:17:24,806 --> 01:17:26,972
became so noisy
1537
01:17:26,974 --> 01:17:30,076
and caught the attention
of the antivirus guys.
1538
01:17:30,977 --> 01:17:33,612
In the first sample
we don't find that.
1539
01:17:34,948 --> 01:17:41,020
And this is very strange,
because it tells us that
1540
01:17:41,022 --> 01:17:43,289
in the process of
this development
1541
01:17:43,824 --> 01:17:46,392
the attackers were
less concerned
1542
01:17:46,394 --> 01:17:48,227
with operational security.
1543
01:17:53,700 --> 01:17:56,268
STUXnet actually kept
a log inside of itself
1544
01:17:56,970 --> 01:17:59,405
of all the machines that
it infected along the way
1545
01:17:59,407 --> 01:18:01,474
as it jumped from one
machine to another
1546
01:18:01,476 --> 01:18:02,641
to another to another.
1547
01:18:03,076 --> 01:18:05,044
And we were able to gather up
1548
01:18:05,046 --> 01:18:07,079
all the samples that
we could acquire,
1549
01:18:07,247 --> 01:18:10,516
tens of thousands of samples.
We extracted all of those logs.
1550
01:18:10,518 --> 01:18:13,219
We could see the exact
path that STUXnet took.
1551
01:18:15,355 --> 01:18:17,390
Eventually, we were
able to trace back
1552
01:18:17,392 --> 01:18:19,558
this version of
STUXnet to ground zero,
1553
01:18:19,860 --> 01:18:22,395
to the first five
infections in the world.
1554
01:18:23,230 --> 01:18:26,065
The first five infections are
all outside a Natanz plant,
1555
01:18:26,233 --> 01:18:29,068
all inside of
organizations inside of Iran,
1556
01:18:29,836 --> 01:18:32,104
all organizations
that are involved in
1557
01:18:32,106 --> 01:18:34,540
industrial control
systems and construction
1558
01:18:34,542 --> 01:18:36,175
of industrial control facilities,
1559
01:18:36,443 --> 01:18:40,012
clearly contractors who were
working on the Natanz facility.
1560
01:18:40,014 --> 01:18:41,747
And the attackers knew that.
1561
01:18:42,349 --> 01:18:45,084
They were electrical companies.
They were piping companies.
1562
01:18:45,086 --> 01:18:46,685
They were, you know,
these sorts of companies.
1563
01:18:46,887 --> 01:18:48,521
And they knew... the technicians
1564
01:18:48,523 --> 01:18:50,256
from those companies
would visit Natanz.
1565
01:18:50,258 --> 01:18:51,824
So they would infect
these companies
1566
01:18:52,025 --> 01:18:55,060
and then technicians
would take their computer
1567
01:18:55,062 --> 01:18:56,362
or their laptop or their USB...
1568
01:18:56,364 --> 01:18:58,130
That operator then
goes down to Natanz
1569
01:18:58,132 --> 01:19:00,299
and he plugs in his USB key,
which has some code
1570
01:19:00,301 --> 01:19:02,201
that he needs to
update into Natanz,
1571
01:19:02,203 --> 01:19:03,769
into the Natanz network,
1572
01:19:03,771 --> 01:19:05,438
and now STUXnet is
able to get inside Natanz
1573
01:19:05,440 --> 01:19:06,806
and conduct its attack.
1574
01:19:08,041 --> 01:19:10,409
These five companies
were specifically targeted
1575
01:19:10,411 --> 01:19:12,278
to spread STUXnet into Natanz
1576
01:19:12,479 --> 01:19:15,714
and that it wasn't that...
STUXnet escaped out of Natanz
1577
01:19:15,716 --> 01:19:17,216
and then spread
all over the world
1578
01:19:17,218 --> 01:19:19,652
and it was this big mistake
and, oh, it wasn't meant
1579
01:19:19,654 --> 01:19:21,387
to spread that far
but it really did.
1580
01:19:21,389 --> 01:19:23,122
No, that's not the way we see it.
1581
01:19:23,124 --> 01:19:26,058
The way we see it is that
they wanted it to spread far
1582
01:19:26,060 --> 01:19:27,726
so that they could
get it into Natanz.
1583
01:19:27,928 --> 01:19:31,831
Someone decided that we're
gonna create something new,
1584
01:19:32,065 --> 01:19:33,132
something evolved,
1585
01:19:33,767 --> 01:19:35,901
that's gonna be far, far,
far more aggressive.
1586
01:19:36,570 --> 01:19:40,005
And we're okay, frankly,
1587
01:19:40,007 --> 01:19:42,708
with it spreading all over the
world to innocent machines
1588
01:19:42,943 --> 01:19:44,510
in order to go after our target.
1589
01:19:50,251 --> 01:19:55,421
The Mossad had the role,
had the... assignment
1590
01:19:56,122 --> 01:20:02,027
to deliver the virus to
make sure that STUXnet
1591
01:20:02,029 --> 01:20:06,899
would be put in place in
Natanz to affect the centrifuges.
1592
01:20:08,768 --> 01:20:10,970
Meir Dagan, the head of Mossad,
1593
01:20:10,972 --> 01:20:14,273
was under growing pressure
from the prime minister,
1594
01:20:14,275 --> 01:20:17,142
Benjamin Netanyahu,
to produce results.
1595
01:20:19,046 --> 01:20:20,212
Inside The Roc,
1596
01:20:20,214 --> 01:20:22,281
we were furious.
1597
01:20:24,017 --> 01:20:26,852
The Israelis took our code
for the delivery system
1598
01:20:27,454 --> 01:20:28,754
and changed it.
1599
01:20:30,156 --> 01:20:32,658
Then, on their own,
without our agreement,
1600
01:20:32,660 --> 01:20:34,460
they just fucking launched it.
1601
01:20:35,128 --> 01:20:37,029
2010 around the same time
1602
01:20:37,031 --> 01:20:38,831
they started killing
Iranian scientists...
1603
01:20:38,833 --> 01:20:40,566
And they fucked up the code!
1604
01:20:41,001 --> 01:20:42,535
Instead of hiding,
1605
01:20:42,537 --> 01:20:45,004
the code started
shutting down computers,
1606
01:20:45,006 --> 01:20:46,772
so naturally, people noticed.
1607
01:20:48,708 --> 01:20:51,710
Because they were in a hurry,
they opened Pandora's Box.
1608
01:20:52,746 --> 01:20:53,846
They let it out
1609
01:20:53,848 --> 01:20:57,149
and it spread all over the world.
1610
01:21:02,322 --> 01:21:04,123
The worm spread quickly
1611
01:21:04,391 --> 01:21:06,225
but somehow it remained unseen
1612
01:21:06,227 --> 01:21:08,260
until it was identified in Belarus.
1613
01:21:09,262 --> 01:21:11,830
Soon after, Israeli
intelligence confirmed
1614
01:21:11,832 --> 01:21:13,832
that it had made its
way into the hands
1615
01:21:13,834 --> 01:21:15,834
of the Russian federal
security service,
1616
01:21:15,836 --> 01:21:17,803
a successor to the KGB.
1617
01:21:19,372 --> 01:21:22,775
So it happened that the formula
for a secret cyber weapon
1618
01:21:22,777 --> 01:21:24,443
designed by the U.S. and Israel
1619
01:21:24,445 --> 01:21:25,978
fell into the hands of Russia
1620
01:21:26,513 --> 01:21:28,514
and the very country
it was meant to attack.
1621
01:21:31,256 --> 01:21:35,466
They managed to create minor
problems for a few of our centrifuges
1622
01:21:35,844 --> 01:21:39,974
through the software that they
had installed on electronic parts.
1623
01:21:40,933 --> 01:21:43,313
It was a naughty and
immoral move by them
1624
01:21:43,518 --> 01:21:46,188
but fortunately our
experts discovered it
1625
01:21:46,480 --> 01:21:49,110
and today they are not
capable of ever doing it again.
1626
01:21:51,072 --> 01:21:52,605
In international law,
1627
01:21:52,607 --> 01:21:56,141
when some country or
a coalition of countries
1628
01:21:56,376 --> 01:22:00,846
targets a nuclear facility,
it's an act of war.
1629
01:22:01,748 --> 01:22:04,650
Please, let's be frank here.
1630
01:22:05,318 --> 01:22:08,020
If it wasn't Iran,
1631
01:22:08,655 --> 01:22:11,357
let's say a nuclear
facility in United States...
1632
01:22:12,626 --> 01:22:14,360
Was targeted in the same way...
1633
01:22:16,563 --> 01:22:18,197
The American government
1634
01:22:18,598 --> 01:22:21,333
would not sit by and let this go.
1635
01:22:22,168 --> 01:22:24,737
STUXnet is an
attack in peacetime
1636
01:22:24,739 --> 01:22:25,859
on critical infrastructures.
1637
01:22:26,006 --> 01:22:29,108
Yes, it is. I'm... look,
when I read about it,
1638
01:22:29,110 --> 01:22:31,810
I read it, I go,
whoa, this is a big deal.
1639
01:22:31,812 --> 01:22:33,545
Yeah.
1640
01:22:35,248 --> 01:22:37,783
The people who were
running this program,
1641
01:22:37,785 --> 01:22:39,251
including Leon Panetta,
1642
01:22:39,253 --> 01:22:41,253
the Director of the
CIA at the time,
1643
01:22:41,855 --> 01:22:44,490
had to go down into
the Situation Room
1644
01:22:44,492 --> 01:22:46,692
and face President Obama,
1645
01:22:46,694 --> 01:22:50,229
Vice President Biden and
explain that this program
1646
01:22:50,497 --> 01:22:53,065
was suddenly on the loose.
1647
01:22:54,367 --> 01:22:55,868
Vice President Biden,
1648
01:22:55,870 --> 01:22:58,437
at one point during
this discussion,
1649
01:22:59,272 --> 01:23:01,974
sort of exploded in
Biden-esque fashion
1650
01:23:01,976 --> 01:23:03,542
and blamed the Israelis.
1651
01:23:03,544 --> 01:23:05,944
He said, it must
have been the Israelis
1652
01:23:05,946 --> 01:23:08,013
who made a change in the code
1653
01:23:08,015 --> 01:23:10,115
that enabled it to get out.
1654
01:23:11,985 --> 01:23:14,186
President Obama said
to the senior leadership,
1655
01:23:14,188 --> 01:23:17,222
you told me it wouldn't get
out of the network. It did.
1656
01:23:17,224 --> 01:23:19,391
You told me the Iranians
would never figure out
1657
01:23:19,393 --> 01:23:21,360
it was the United
States. They did.
1658
01:23:21,661 --> 01:23:23,362
You told me it would
have a huge effect
1659
01:23:23,364 --> 01:23:27,032
on their nuclear
program, and it didn't.
1660
01:23:28,735 --> 01:23:32,237
The Natanz plant is inspected
every couple of weeks
1661
01:23:32,539 --> 01:23:35,741
by the International Atomic
Energy Agency inspectors.
1662
01:23:36,176 --> 01:23:38,877
And if you line up what
you know about the attacks
1663
01:23:39,145 --> 01:23:42,047
with the inspection reports,
you can see the effects.
1664
01:23:43,383 --> 01:23:45,584
If you go to the IAEA reports,
1665
01:23:45,586 --> 01:23:47,853
they really show that
all of those centrifuges
1666
01:23:47,855 --> 01:23:50,756
were switched off and
they were removed.
1667
01:23:51,357 --> 01:23:54,727
As much as almost couple of
thousand got compromised.
1668
01:23:55,895 --> 01:23:57,362
When you put this all together,
1669
01:23:57,364 --> 01:24:00,165
I wouldn't be surprised if
their program got delayed
1670
01:24:00,167 --> 01:24:01,333
by the one year.
1671
01:24:01,701 --> 01:24:05,504
But go then to year 2012-13
1672
01:24:05,506 --> 01:24:08,807
and looking how the centrifuges
started to come up again.
1673
01:24:09,075 --> 01:24:10,676
Iran's number of centrifuges
1674
01:24:10,678 --> 01:24:12,544
went up exponentially,
1675
01:24:12,546 --> 01:24:16,615
to 20,000, with a stockpile
of low enriched uranium.
1676
01:24:16,617 --> 01:24:18,917
This isn't... these
are high numbers.
1677
01:24:19,786 --> 01:24:22,254
Iran's nuclear facilities expanded
1678
01:24:22,256 --> 01:24:24,857
with the construction of Fordow
1679
01:24:24,859 --> 01:24:27,459
and other highly
protected facilities.
1680
01:24:29,529 --> 01:24:32,297
So ironically, cyber warfare...
1681
01:24:33,099 --> 01:24:35,701
Assassination of its
nuclear scientists,
1682
01:24:36,136 --> 01:24:39,404
economic sanctions,
political isolation...
1683
01:24:41,275 --> 01:24:43,776
Iran has gone through "a" to "x"
1684
01:24:43,778 --> 01:24:48,380
of every chorus of
policy that the U.S., Israel,
1685
01:24:48,382 --> 01:24:52,518
and those who ally with
them have placed on Iran,
1686
01:24:53,052 --> 01:24:55,988
and they have actually
made Iran's nuclear program
1687
01:24:55,990 --> 01:24:58,724
more advanced today
than it was ever before.
1688
01:25:02,897 --> 01:25:04,630
This is a very
1689
01:25:04,632 --> 01:25:07,766
very dangerous minefield
that we are walking,
1690
01:25:07,768 --> 01:25:10,669
and nations who decide
1691
01:25:10,671 --> 01:25:12,871
to take these covert actions
1692
01:25:14,007 --> 01:25:17,042
should be taking
into consideration
1693
01:25:17,677 --> 01:25:22,481
all the effects,
including the moral effects.
1694
01:25:23,116 --> 01:25:27,152
I would say that this is the price
1695
01:25:27,154 --> 01:25:31,490
that we have to pay
in this... war,
1696
01:25:31,825 --> 01:25:34,359
and our blade of righteousness
1697
01:25:34,361 --> 01:25:35,761
shouldn't be so sharp.
1698
01:25:41,601 --> 01:25:44,002
In Israel and in the United States,
1699
01:25:44,004 --> 01:25:46,338
the blade of
righteousness cut both ways,
1700
01:25:46,873 --> 01:25:49,408
wounding the targets
and the attackers.
1701
01:25:50,476 --> 01:25:52,878
When STUXnet infected
American computers,
1702
01:25:52,880 --> 01:25:54,947
the Department of
Homeland Security,
1703
01:25:55,281 --> 01:25:58,217
unaware of the cyber
weapons launch by the NSA,
1704
01:25:58,484 --> 01:26:01,653
devoted enormous resources
trying to protect Americans
1705
01:26:01,655 --> 01:26:02,955
from their own government.
1706
01:26:03,456 --> 01:26:05,891
We had met the
enemy and it was us.
1707
01:26:11,664 --> 01:26:13,332
The purpose of the
watch stations that
1708
01:26:13,334 --> 01:26:15,500
you see in front of you
is to aggregate the data
1709
01:26:15,502 --> 01:26:16,969
coming in from multiple feeds
1710
01:26:16,971 --> 01:26:18,704
of what the cyber
threats could be,
1711
01:26:18,706 --> 01:26:20,138
so if we see threats
1712
01:26:20,140 --> 01:26:22,708
we can provide real-time
recommendations
1713
01:26:22,710 --> 01:26:25,944
for both private companies,
as well as federal agencies.
1714
01:26:26,833 --> 01:26:30,308
Can you give us a readout
on this Stuxnet virus?
1715
01:26:30,550 --> 01:26:32,985
Yep, absolutely. We'd be more
than happy to discuss that.
1716
01:26:32,987 --> 01:26:34,052
Seán, is it...
1717
01:26:34,054 --> 01:26:36,655
Early July of 2010 we
received a call
1718
01:26:36,657 --> 01:26:39,258
that said that this piece of
malware was discovered
1719
01:26:39,260 --> 01:26:40,659
and could we take a look at it.
1720
01:26:42,263 --> 01:26:43,762
When we first
started the analysis,
1721
01:26:43,764 --> 01:26:46,098
there was that 'oh crap'
moment, you know,
1722
01:26:46,100 --> 01:26:47,933
where we sat there and
said, this is something
1723
01:26:47,935 --> 01:26:49,067
that's significant.
1724
01:26:49,069 --> 01:26:50,802
It's impacting industrial control.
1725
01:26:51,037 --> 01:26:53,505
It can disrupt it to the point
where it could cause harm
1726
01:26:53,507 --> 01:26:55,574
and not only damage
to the equipment,
1727
01:26:55,576 --> 01:26:57,643
but potentially
harm or loss of life.
1728
01:26:58,411 --> 01:27:00,612
We were very concerned
because STUXnet
1729
01:27:00,614 --> 01:27:02,381
was something that
we had not seen before.
1730
01:27:02,383 --> 01:27:04,516
So there wasn't a lot
of sleep that night.
1731
01:27:04,518 --> 01:27:07,419
Basically, light up the phones,
call everybody we know,
1732
01:27:07,421 --> 01:27:10,656
inform the secretary,
inform the White House,
1733
01:27:10,857 --> 01:27:12,925
inform the other
departments and agencies,
1734
01:27:13,092 --> 01:27:15,794
wake up the world,
and figure out what's going on
1735
01:27:15,796 --> 01:27:17,996
with this particular malware.
1736
01:27:19,799 --> 01:27:21,066
Good morning,
Chairman Lieberman,
1737
01:27:21,068 --> 01:27:22,334
ranking member Collins.
1738
01:27:22,902 --> 01:27:24,703
Something as simple
and innocuous as this
1739
01:27:24,705 --> 01:27:26,872
becomes a challenge
for all of us to maintain
1740
01:27:26,874 --> 01:27:29,841
accountability control of our
critical infrastructure systems.
1741
01:27:30,310 --> 01:27:32,444
This actually contains
the STUXnet virus.
1742
01:27:32,645 --> 01:27:34,112
I've been asked on a
number of occasions,
1743
01:27:34,114 --> 01:27:35,948
did you ever think this was us?
1744
01:27:35,950 --> 01:27:39,651
And at... no point did that
ever really cross our mind,
1745
01:27:39,653 --> 01:27:42,454
because we were looking
at it from the standpoint of,
1746
01:27:42,789 --> 01:27:44,756
is this something that's
coming after the homeland?
1747
01:27:44,758 --> 01:27:47,326
You know... what's
going to potentially impact,
1748
01:27:47,328 --> 01:27:50,128
you know, our industrial control
based here in the United States?
1749
01:27:50,563 --> 01:27:53,498
You know, I liken it to,
you know, field of battle.
1750
01:27:53,666 --> 01:27:55,634
You don't think the
sniper that's behind you
1751
01:27:55,636 --> 01:27:57,135
is gonna be shooting at you,
1752
01:27:57,303 --> 01:27:58,943
'cause you expect
him to be on your side.
1753
01:27:59,439 --> 01:28:03,141
We really don't know
who the attacker was
1754
01:28:03,143 --> 01:28:04,543
in the STUXnet case.
1755
01:28:04,744 --> 01:28:06,979
So help us
understand a little more
1756
01:28:07,246 --> 01:28:09,414
what this thing is
1757
01:28:10,116 --> 01:28:15,520
whose origin and destination
we don't understand.
1758
01:28:16,756 --> 01:28:18,857
Did anybody ever
give you any indication
1759
01:28:18,859 --> 01:28:21,026
that it was something that
they already knew about?
1760
01:28:21,028 --> 01:28:23,762
No, at no time did I get the
impression from someone
1761
01:28:23,764 --> 01:28:26,631
that that's okay, you know,
get the little pat on the head,
1762
01:28:26,633 --> 01:28:28,100
and... scooted out the door.
1763
01:28:28,102 --> 01:28:29,968
I never received a
stand-down order.
1764
01:28:29,970 --> 01:28:33,605
I never... no one ever asked,
stop looking at this.
1765
01:28:34,207 --> 01:28:38,010
Do we think that this
was a nation-state actor
1766
01:28:38,012 --> 01:28:40,445
and that there are a limited
number of nation-states
1767
01:28:40,447 --> 01:28:43,849
that have such
advanced capacity?
1768
01:28:45,685 --> 01:28:47,953
Seán McGurk,
the Director of Cyber
1769
01:28:47,955 --> 01:28:49,688
for the Department
of Homeland Security,
1770
01:28:49,690 --> 01:28:52,524
testified before the Senate
about how he thought
1771
01:28:52,526 --> 01:28:55,627
STUXnet was a terrifying
threat to the United States.
1772
01:28:55,895 --> 01:28:57,162
Is that not a problem?
1773
01:28:57,164 --> 01:28:59,064
I don't... and... and
how... how do you mean?
1774
01:28:59,332 --> 01:29:01,733
That STUXnet was a bad idea?
1775
01:29:02,135 --> 01:29:04,803
No, no, no, just that
before he knew what it was
1776
01:29:04,805 --> 01:29:06,638
- and what it attacks...
- Oh, I... I get it.
1777
01:29:06,640 --> 01:29:08,040
- Yeah...
- Yeah,
1778
01:29:08,042 --> 01:29:09,641
he was responding to
something that we...
1779
01:29:09,643 --> 01:29:10,143
He thought it was a threat
1780
01:29:10,977 --> 01:29:12,844
to critical infrastructure
in the United States.
1781
01:29:12,846 --> 01:29:14,546
Yeah. The worm is loose!
1782
01:29:14,548 --> 01:29:16,415
The worm is loose. I understand.
1783
01:29:16,417 --> 01:29:19,418
But there's... a further theory
1784
01:29:19,420 --> 01:29:21,019
having to do with whether or not,
1785
01:29:21,021 --> 01:29:23,255
following upon David Sanger...
1786
01:29:23,257 --> 01:29:25,157
I got the subplot,
and who did that?
1787
01:29:25,159 --> 01:29:27,059
Was it the Israelis? And, yeah, I...
1788
01:29:27,660 --> 01:29:30,562
I truly don't know,
and even though I don't know,
1789
01:29:30,564 --> 01:29:32,264
I still can't talk about it, all right?
1790
01:29:32,565 --> 01:29:36,101
STUXnet was somebody's
covert action, all right?
1791
01:29:36,335 --> 01:29:38,003
And the definition
of covert action
1792
01:29:38,005 --> 01:29:40,906
is an activity in which
you want to have the hand
1793
01:29:40,908 --> 01:29:42,908
of the actor forever hidden.
1794
01:29:43,276 --> 01:29:46,445
So by definition,
it's gonna end up in this
1795
01:29:46,447 --> 01:29:48,346
we don't talk about
these things box.
1796
01:29:54,020 --> 01:29:56,888
To this day, the United
States government
1797
01:29:56,890 --> 01:29:59,024
has never acknowledged
1798
01:29:59,026 --> 01:30:03,495
conducting any offensive cyber
attack anywhere in the world.
1799
01:30:05,531 --> 01:30:10,435
But thanks to Mr.
Snowden, we know that in 2012
1800
01:30:10,437 --> 01:30:12,838
President Obama
issued an Executive Order
1801
01:30:13,039 --> 01:30:15,774
that laid out some
of the conditions
1802
01:30:15,776 --> 01:30:18,243
under which cyber
weapons can be used.
1803
01:30:18,245 --> 01:30:21,813
And interestingly,
every use of a cyber weapon
1804
01:30:21,815 --> 01:30:24,850
requires presidential sign-off.
1805
01:30:26,085 --> 01:30:29,921
That is only true in
the physical world
1806
01:30:29,923 --> 01:30:31,790
for nuclear weapons.
1807
01:30:43,102 --> 01:30:45,403
Nuclear war and nuclear
weapons are vastly different
1808
01:30:45,405 --> 01:30:47,272
from cyber war
and cyber weapons.
1809
01:30:47,274 --> 01:30:50,242
Having said that,
there are some similarities.
1810
01:30:50,244 --> 01:30:52,644
And in the early 1960s,
1811
01:30:53,079 --> 01:30:54,980
the United States
government suddenly realized
1812
01:30:54,982 --> 01:30:57,048
it had thousands of
nuclear weapons,
1813
01:30:57,250 --> 01:30:58,917
big ones and little ones,
1814
01:30:58,919 --> 01:31:01,253
weapons on jeeps,
weapons on submarines,
1815
01:31:02,121 --> 01:31:04,256
and it really didn't
have a doctrine.
1816
01:31:04,258 --> 01:31:06,091
It really didn't have a strategy.
1817
01:31:06,093 --> 01:31:07,859
It really didn't have
an understanding
1818
01:31:08,127 --> 01:31:10,262
at the policy level about
how it was going to use
1819
01:31:10,264 --> 01:31:11,429
all of these things.
1820
01:31:11,998 --> 01:31:13,999
And so academics
1821
01:31:14,001 --> 01:31:16,835
started publishing
unclassified documents
1822
01:31:16,837 --> 01:31:20,705
about nuclear war
and nuclear weapons.
1823
01:31:23,177 --> 01:31:24,442
And the result was
1824
01:31:24,810 --> 01:31:27,145
more than 20 years,
in the United States,
1825
01:31:27,147 --> 01:31:29,848
of very vigorous national debates
1826
01:31:30,383 --> 01:31:33,919
about how we want to
go use nuclear weapons.
1827
01:31:37,291 --> 01:31:39,558
And not only did that
cause the Congress
1828
01:31:39,560 --> 01:31:41,960
and people in the executive
branch in Washington
1829
01:31:41,962 --> 01:31:43,695
to think about these things,
1830
01:31:43,697 --> 01:31:46,965
it caused the Russians to
think about these things.
1831
01:31:47,900 --> 01:31:51,136
And out of that grew
nuclear doctrine,
1832
01:31:51,138 --> 01:31:52,804
mutual assured destruction,
1833
01:31:52,806 --> 01:31:57,943
all of that complicated
set of nuclear dynamics.
1834
01:31:58,544 --> 01:32:01,513
Today, on this vital issue at least,
1835
01:32:01,515 --> 01:32:03,582
we have seen what
can be accomplished
1836
01:32:03,584 --> 01:32:05,250
when we pull together.
1837
01:32:05,252 --> 01:32:09,421
We can't have that discussion
in a sensible way right now
1838
01:32:09,689 --> 01:32:11,756
about cyber war
and cyber weapons
1839
01:32:11,758 --> 01:32:13,124
because everything is secret.
1840
01:32:14,060 --> 01:32:17,262
And when you get
into a discussion
1841
01:32:17,264 --> 01:32:20,365
with people in the government,
people still in the government,
1842
01:32:20,367 --> 01:32:21,900
people who have
security clearances,
1843
01:32:22,168 --> 01:32:23,401
you run into a brick wall.
1844
01:32:23,669 --> 01:32:25,003
Trying to stop Iran
1845
01:32:25,005 --> 01:32:28,340
is really the... my number
one job, and I think...
1846
01:32:28,342 --> 01:32:29,741
And let me ask you,
in that context,
1847
01:32:29,743 --> 01:32:31,776
about the STUXnet
computer virus potentially...
1848
01:32:31,778 --> 01:32:33,345
You can ask,
but I won't comment.
1849
01:32:34,414 --> 01:32:35,513
Can you tell us anything?
1850
01:32:35,515 --> 01:32:36,681
No.
1851
01:32:36,683 --> 01:32:39,117
What do you think has
had the most impact
1852
01:32:39,119 --> 01:32:41,253
on their nuclear decision-making,
1853
01:32:41,255 --> 01:32:42,954
the STUXnet virus?
1854
01:32:42,956 --> 01:32:45,223
I can't talk about STUXnet.
1855
01:32:45,225 --> 01:32:49,628
I can't even talk about the
operation of Iran centrifuges.
1856
01:32:49,795 --> 01:32:52,030
Was the U.S. involved in any way
1857
01:32:52,032 --> 01:32:53,632
in the development of STUXnet?
1858
01:32:54,100 --> 01:32:56,801
It's hard to get into any
kind of comment on that
1859
01:32:56,803 --> 01:32:58,937
till we've finished
any... our examination.
1860
01:32:59,772 --> 01:33:01,106
But, sir, I'm not asking you
1861
01:33:01,108 --> 01:33:03,074
if you think another
country was involved.
1862
01:33:03,076 --> 01:33:05,076
I'm asking you if the
U.S. was involved.
1863
01:33:05,078 --> 01:33:07,445
And we're... this is not something
1864
01:33:07,447 --> 01:33:09,407
that we're gonna be able
to answer at this point.
1865
01:33:09,749 --> 01:33:12,083
Look, for the longest
time, I was in fear that
1866
01:33:12,085 --> 01:33:13,585
I couldn't actually say the phrase
1867
01:33:13,587 --> 01:33:15,253
computer network attack.
1868
01:33:15,255 --> 01:33:18,123
This stuff is hideously
overclassified,
1869
01:33:18,125 --> 01:33:20,258
and it gets into the way of a...
1870
01:33:20,260 --> 01:33:23,061
Of a mature public discussion
1871
01:33:23,063 --> 01:33:25,597
as to what it is we
as a democracy
1872
01:33:25,599 --> 01:33:29,768
want our nation to be doing
up here in the cyber domain.
1873
01:33:29,770 --> 01:33:32,604
Now, this is a former
director of NSA and CIA
1874
01:33:32,606 --> 01:33:34,572
saying this stuff is overclassified.
1875
01:33:34,807 --> 01:33:38,310
One of the reasons this
is highly classified as it is
1876
01:33:38,312 --> 01:33:39,911
this is a peculiar
weapons system.
1877
01:33:39,913 --> 01:33:41,913
This is a weapons
system that's come out of
1878
01:33:41,915 --> 01:33:43,248
the espionage community,
1879
01:33:43,250 --> 01:33:46,518
and... and so those people
have a habit of secrecy.
1880
01:33:46,520 --> 01:33:48,820
Secrecy is still
justifiable in certain cases
1881
01:33:48,822 --> 01:33:52,023
to protect sources or to
protect national security
1882
01:33:52,025 --> 01:33:55,193
but when we deal with
secrecy, don't hide behind it
1883
01:33:55,195 --> 01:33:59,130
to use as an excuse to not
disclose something properly
1884
01:33:59,132 --> 01:34:01,166
that you know should be
1885
01:34:01,168 --> 01:34:02,434
or that the American people
1886
01:34:02,436 --> 01:34:03,702
need ultimately to see.
1887
01:34:06,372 --> 01:34:08,440
While most government
officials refused
1888
01:34:08,442 --> 01:34:09,908
to acknowledge the operation,
1889
01:34:10,509 --> 01:34:13,278
at least one key insider
did leak parts of the story
1890
01:34:13,280 --> 01:34:14,379
to the press.
1891
01:34:14,381 --> 01:34:18,283
In 2012, David Sanger
wrote a detailed account
1892
01:34:18,285 --> 01:34:21,619
of Olympic Games that unmasked
the extensive joint operation
1893
01:34:21,621 --> 01:34:23,555
between the U.S. and Israel
1894
01:34:23,557 --> 01:34:25,790
to launch cyber
attacks on Natanz.
1895
01:34:26,659 --> 01:34:28,526
The publication of this story
1896
01:34:28,528 --> 01:34:30,562
coming at a time that
turned out that there were
1897
01:34:30,564 --> 01:34:33,365
a number of other unrelated
national security stories
1898
01:34:33,367 --> 01:34:36,034
being published,
led to the announcement
1899
01:34:36,036 --> 01:34:39,404
of investigations by
the Attorney General.
1900
01:34:39,872 --> 01:34:42,173
In... into the press
and into the leaks?
1901
01:34:42,175 --> 01:34:43,708
Into the press and into the leaks.
1902
01:34:46,178 --> 01:34:47,345
Soon after the article,
1903
01:34:47,347 --> 01:34:49,514
the Obama
administration targeted
1904
01:34:49,516 --> 01:34:52,550
General James Cartwright
in a criminal investigation
1905
01:34:52,552 --> 01:34:53,818
for allegedly leaking
1906
01:34:53,820 --> 01:34:56,154
classified details about STUXnet.
1907
01:34:57,523 --> 01:34:59,023
There are reports
of cyber attacks
1908
01:34:59,025 --> 01:35:01,826
on the Iranian nuclear
program that you ordered.
1909
01:35:01,828 --> 01:35:03,328
What's your reaction to
this information getting out?
1910
01:35:03,330 --> 01:35:04,929
Well, first of all, I'm not
gonna comment on the...
1911
01:35:04,931 --> 01:35:08,299
The details of... what are...
1912
01:35:10,669 --> 01:35:14,973
Supposed to be classified items.
1913
01:35:15,775 --> 01:35:18,143
Since I've been in office,
my attitude has been
1914
01:35:18,377 --> 01:35:21,646
zero tolerance for
these kinds of leaks.
1915
01:35:22,248 --> 01:35:23,915
We have mechanisms in place
1916
01:35:24,216 --> 01:35:27,752
where, if we can root out
folks who have leaked,
1917
01:35:28,554 --> 01:35:29,988
they will suffer consequences.
1918
01:35:30,356 --> 01:35:32,757
It became a significant issue
1919
01:35:32,759 --> 01:35:35,026
and a very
wide-ranging investigation
1920
01:35:35,028 --> 01:35:37,462
in which I think most of the
people who were cleared
1921
01:35:37,464 --> 01:35:39,030
for Olympic Games at some point
1922
01:35:39,032 --> 01:35:40,899
had been, you know,
interviewed and so forth.
1923
01:35:40,901 --> 01:35:42,600
When STUXnet hit the media,
1924
01:35:42,602 --> 01:35:44,803
they polygraphed
everyone in our office,
1925
01:35:44,805 --> 01:35:46,404
including people
who didn't know shit.
1926
01:35:46,406 --> 01:35:48,540
You know, they polyed
the interns, for God's sake.
1927
01:35:49,074 --> 01:35:50,475
These are criminal acts
1928
01:35:50,477 --> 01:35:52,110
when they release
information like this,
1929
01:35:52,645 --> 01:35:56,481
and we will conduct
thorough investigations
1930
01:35:57,082 --> 01:35:58,850
as we have in the past.
1931
01:36:00,886 --> 01:36:03,121
The administration
never filed charges,
1932
01:36:03,456 --> 01:36:05,256
possibly afraid that a prosecution
1933
01:36:05,258 --> 01:36:08,126
would reveal classified
details about STUXnet.
1934
01:36:09,061 --> 01:36:12,497
To this day, no one in the
U.S. or Israeli governments
1935
01:36:12,499 --> 01:36:14,566
has officially
acknowledged the existence
1936
01:36:14,568 --> 01:36:16,034
of the joint operation.
1937
01:36:18,003 --> 01:36:19,471
I would never compromise
1938
01:36:19,473 --> 01:36:21,239
ongoing operations in the field,
1939
01:36:21,241 --> 01:36:25,310
but we should be able
to talk about capability.
1940
01:36:26,679 --> 01:36:28,179
We can talk about our...
1941
01:36:29,315 --> 01:36:32,083
Bunker busters,
why not our cyber weapons?
1942
01:36:32,451 --> 01:36:33,518
I mean, the secrecy
1943
01:36:33,520 --> 01:36:35,220
of the operation has been blown.
1944
01:36:36,755 --> 01:36:38,790
Our friends in
Israel took a weapon
1945
01:36:38,792 --> 01:36:40,258
that we jointly developed,
1946
01:36:40,260 --> 01:36:42,393
in part to keep Israel from
doing something crazy,
1947
01:36:42,828 --> 01:36:44,629
and then used it on
their own in a way
1948
01:36:44,631 --> 01:36:45,997
that blew the cover
of the operation
1949
01:36:45,999 --> 01:36:47,165
and could have led to war.
1950
01:36:47,167 --> 01:36:48,600
And we can't talk about that?
1951
01:36:53,138 --> 01:36:55,218
There's a way to
talk about STUXnet.
1952
01:36:55,608 --> 01:36:56,975
It happened.
1953
01:36:56,977 --> 01:36:59,844
That... to deny that it
happened is... is foolish.
1954
01:36:59,846 --> 01:37:01,779
So the fact it happened
1955
01:37:01,781 --> 01:37:03,281
is really what we're
talking about here.
1956
01:37:03,283 --> 01:37:05,116
What does... what
are the implications
1957
01:37:05,118 --> 01:37:07,952
of the fact that we now are
in a post-STUXnet world?
1958
01:37:08,454 --> 01:37:10,889
What I said to David Sanger was,
1959
01:37:10,891 --> 01:37:13,591
I understand the difference
in destruction is dramatic,
1960
01:37:13,826 --> 01:37:16,294
but this has the
whiff of August 1945.
1961
01:37:17,129 --> 01:37:18,696
Somebody just
used a new weapon,
1962
01:37:19,064 --> 01:37:21,799
and this weapon will not
be put back into the box.
1963
01:37:22,234 --> 01:37:24,903
I know no operational details
1964
01:37:24,905 --> 01:37:27,839
and don't know what
anyone did or didn't do
1965
01:37:27,841 --> 01:37:30,475
before someone decided
to use the weapon, all right.
1966
01:37:30,809 --> 01:37:32,043
I do know this.
1967
01:37:32,045 --> 01:37:33,945
If we go out and do something,
1968
01:37:34,713 --> 01:37:36,814
most of the rest of
the world now thinks
1969
01:37:37,016 --> 01:37:38,396
that's the new standard
1970
01:37:38,584 --> 01:37:41,452
and it's something that they now
feel legitimated to do as well.
1971
01:37:42,855 --> 01:37:44,322
But the rules of engagement,
1972
01:37:44,324 --> 01:37:46,891
international norms,
treaty standards,
1973
01:37:46,893 --> 01:37:48,726
they don't exist right now.
1974
01:37:52,565 --> 01:37:55,733
The law of war, because it
began to develop so long ago
1975
01:37:55,735 --> 01:37:59,304
is really dependent on
thinking of things kinetically
1976
01:37:59,672 --> 01:38:01,172
and the physical realm.
1977
01:38:01,440 --> 01:38:04,842
So for example,
we think in terms of attacks.
1978
01:38:05,778 --> 01:38:08,012
You know an attack when it
happens in the kinetic world.
1979
01:38:08,014 --> 01:38:09,747
It's not really much of a mystery.
1980
01:38:09,749 --> 01:38:12,684
But in cyberspace it is
sort of confusing to think,
1981
01:38:13,252 --> 01:38:14,719
how far do we have to go
1982
01:38:14,721 --> 01:38:16,921
before something is
considered an attack?
1983
01:38:17,089 --> 01:38:20,858
So we have to take
all the vocabulary
1984
01:38:21,360 --> 01:38:24,195
and the terms that
we use in strategy
1985
01:38:24,197 --> 01:38:25,830
and military operations
1986
01:38:26,065 --> 01:38:29,133
and adapt them
into the cyber realm.
1987
01:38:30,469 --> 01:38:31,903
For nuclear we have these
1988
01:38:31,905 --> 01:38:33,838
extensive inspection regimes.
1989
01:38:34,139 --> 01:38:36,207
The Russians come
and look at our silos.
1990
01:38:36,542 --> 01:38:38,142
We go and look at their silos.
1991
01:38:38,611 --> 01:38:40,612
Bad as things get
between the two countries,
1992
01:38:40,813 --> 01:38:42,714
those inspection
regimes have held up.
1993
01:38:42,716 --> 01:38:45,617
But working that
out for... for cyber
1994
01:38:45,619 --> 01:38:47,185
would be virtually impossible.
1995
01:38:47,486 --> 01:38:48,853
Where do you send
your inspector?
1996
01:38:49,221 --> 01:38:51,289
Inside the laptop of, you know...
1997
01:38:51,624 --> 01:38:53,984
How many laptops are there in
the United States and Russia?
1998
01:38:54,259 --> 01:38:56,461
It's much more
difficult in the cyber area
1999
01:38:56,463 --> 01:38:58,796
to construct an
international regime
2000
01:38:58,798 --> 01:39:01,833
based on treaty commitments
and rules of the road
2001
01:39:01,835 --> 01:39:03,001
and so forth.
2002
01:39:03,003 --> 01:39:06,304
Although, we've tried to have
discussions with the Chinese
2003
01:39:06,306 --> 01:39:08,339
and Russians and
so forth about that,
2004
01:39:08,341 --> 01:39:09,707
but it's very difficult.
2005
01:39:10,809 --> 01:39:14,312
Right now,
the norm in cyberspace is
2006
01:39:14,314 --> 01:39:15,674
do whatever you
can get away with.
2007
01:39:16,649 --> 01:39:19,050
That's not a good norm,
but it's the norm that we have.
2008
01:39:19,618 --> 01:39:21,686
That's the norm that's
preferred by states
2009
01:39:21,688 --> 01:39:24,322
that are engaging in lots of
different kinds of activities
2010
01:39:24,324 --> 01:39:26,564
that they feel are benefitting
their national security.
2011
01:39:27,593 --> 01:39:30,194
Those who excel in cyber
2012
01:39:30,196 --> 01:39:32,997
are trying to slow
down the process
2013
01:39:32,999 --> 01:39:34,666
of creating regulation.
2014
01:39:35,134 --> 01:39:38,970
Those who are victims
we like the regulation
2015
01:39:38,972 --> 01:39:42,707
to be in the open as...
as soon as possible.
2016
01:39:44,877 --> 01:39:47,712
International law in this
area is written by custom,
2017
01:39:47,714 --> 01:39:50,815
and customary law
requires a nation to say,
2018
01:39:50,817 --> 01:39:52,697
this is what we did and
this is why we did it.
2019
01:39:53,352 --> 01:39:56,287
And the U.S. doesn't want to
push the law in that direction
2020
01:39:56,289 --> 01:39:58,723
and so it chooses not to
disclose its involvement.
2021
01:39:59,291 --> 01:40:01,492
And one of the reasons that
I thought it was important
2022
01:40:01,494 --> 01:40:04,362
to tell the story
of Olympic Games
2023
01:40:04,364 --> 01:40:07,165
was not simply because
it's a cool spy story,
2024
01:40:07,167 --> 01:40:10,401
it is, but it's
because as a nation...
2025
01:40:11,570 --> 01:40:15,139
We need to have a debate about
how we want to use cyber weapons
2026
01:40:15,374 --> 01:40:18,876
because we are the most
vulnerable nation on earth
2027
01:40:19,044 --> 01:40:20,878
to cyber-attack ourselves.
2028
01:40:24,850 --> 01:40:27,351
If you get up in the morning
and turn off your alarm
2029
01:40:27,353 --> 01:40:31,723
and make coffee and
pump gas and use the ATM,
2030
01:40:32,257 --> 01:40:34,058
you've touched
industrial control systems.
2031
01:40:34,060 --> 01:40:35,727
It's what powers our lives.
2032
01:40:36,061 --> 01:40:38,696
And unfortunately,
these systems are connected
2033
01:40:38,698 --> 01:40:42,366
and interconnected in some
ways that make them vulnerable.
2034
01:40:42,368 --> 01:40:45,103
Critical infrastructure
systems generally were built
2035
01:40:45,105 --> 01:40:47,739
years and years and years
ago without security in mind
2036
01:40:47,741 --> 01:40:49,841
and they didn't realize how
things were gonna change,
2037
01:40:49,843 --> 01:40:52,076
maybe they weren't even meant
to be connected to the Internet.
2038
01:40:52,078 --> 01:40:55,179
And we've seen, through
a lot of experimentation
2039
01:40:55,181 --> 01:40:57,815
and through also,
unfortunately, a lot of attacks
2040
01:40:58,117 --> 01:41:00,451
that most of these
systems are relatively easy
2041
01:41:00,453 --> 01:41:03,121
for a sophisticated
hacker to get into.
2042
01:41:05,091 --> 01:41:06,891
Let's say you took
over the control system
2043
01:41:06,893 --> 01:41:09,627
of a railway.
You could switch tracks.
2044
01:41:10,095 --> 01:41:12,396
You could cause
derailments of trains
2045
01:41:12,398 --> 01:41:14,198
carrying explosive materials.
2046
01:41:15,400 --> 01:41:18,636
What if you were in the
control system of gas pipelines
2047
01:41:18,971 --> 01:41:21,539
and when a valve was
supposed to be open,
2048
01:41:21,541 --> 01:41:24,208
it was closed and
the pressure built up
2049
01:41:24,409 --> 01:41:25,943
and the pipeline exploded?
2050
01:41:26,912 --> 01:41:30,848
There are companies that
run electric power generation
2051
01:41:31,250 --> 01:41:33,151
or electric power distribution
2052
01:41:33,418 --> 01:41:35,453
that we know have been hacked
2053
01:41:35,821 --> 01:41:38,256
by foreign entities
that have the ability
2054
01:41:38,258 --> 01:41:39,891
to shut down the power grid.
2055
01:41:40,459 --> 01:41:42,560
Imagine for a moment
2056
01:41:42,562 --> 01:41:45,329
that not only all the power
went off on the east coast,
2057
01:41:45,631 --> 01:41:47,665
but the entire
Internet came down.
2058
01:41:48,333 --> 01:41:50,868
Imagine what the
economic impact of that is
2059
01:41:51,336 --> 01:41:53,471
even if it only lasted for 24 hours.
2060
01:41:55,841 --> 01:41:57,508
According to the officials,
2061
01:41:57,510 --> 01:42:00,745
Iran is the first country
ever in the Middle East
2062
01:42:00,747 --> 01:42:03,247
to actually be
engaged in a cyber war
2063
01:42:03,249 --> 01:42:05,449
with the United States and Israel.
2064
01:42:05,451 --> 01:42:08,820
If anything they said
the recent cyber attacks
2065
01:42:08,822 --> 01:42:10,988
were what encouraged
them to plan to set up
2066
01:42:10,990 --> 01:42:14,325
the cyber army, which will
gather computer scientists,
2067
01:42:14,327 --> 01:42:17,161
programmers,
software engineers...
2068
01:42:17,163 --> 01:42:20,097
If you are a youth and
you see assassination
2069
01:42:20,099 --> 01:42:21,732
of a nuclear scientist,
2070
01:42:22,134 --> 01:42:24,602
your nuclear facilities
are getting attacked,
2071
01:42:25,304 --> 01:42:28,606
wouldn't you join your
national cyber army?
2072
01:42:29,308 --> 01:42:30,608
Well, many did.
2073
01:42:30,876 --> 01:42:34,045
And that's why today,
Iran has one of the largest...
2074
01:42:35,214 --> 01:42:37,615
Cyber armies in the world.
2075
01:42:38,116 --> 01:42:40,518
So whoever initiated this
2076
01:42:40,520 --> 01:42:43,020
and was very proud of
themselves to see that little dip
2077
01:42:43,522 --> 01:42:47,758
in Iran's centrifuge numbers,
should look back now
2078
01:42:48,227 --> 01:42:51,796
and acknowledge that
it was a major mistake.
2079
01:42:52,397 --> 01:42:55,633
Very quickly, Iran sent a message
2080
01:42:55,635 --> 01:42:59,337
to the United States,
very sophisticated message,
2081
01:42:59,339 --> 01:43:02,139
and they did that
with two attacks.
2082
01:43:02,808 --> 01:43:05,610
First, they attacked
Saudi Aramco,
2083
01:43:05,911 --> 01:43:07,879
the biggest oil
company in the world,
2084
01:43:08,213 --> 01:43:10,915
and wiped out every
piece of software,
2085
01:43:10,917 --> 01:43:15,319
every line of code,
on 30,000 computer devices.
2086
01:43:16,688 --> 01:43:22,260
Then Iran did a surge attack
on the American banks.
2087
01:43:22,262 --> 01:43:25,196
The most extensive attack
on American banks ever
2088
01:43:25,198 --> 01:43:28,032
launched from the Middle
East, happening right now.
2089
01:43:28,034 --> 01:43:29,354
Millions of customers
2090
01:43:29,568 --> 01:43:32,937
trying to bank online this week
blocked, among the targets,
2091
01:43:33,171 --> 01:43:36,007
Bank of America,
PNC, and Wells Fargo.
2092
01:43:36,275 --> 01:43:39,677
The U.S. suspects hackers
in Iran may be involved.
2093
01:43:41,580 --> 01:43:43,614
When Iran hit our banks,
2094
01:43:43,616 --> 01:43:46,017
we could have shut
down their botnet,
2095
01:43:46,019 --> 01:43:48,185
but the state
department got nervous,
2096
01:43:48,387 --> 01:43:51,088
because the servers
weren't actually in Iran.
2097
01:43:51,757 --> 01:43:54,091
So until there was a
diplomatic solution,
2098
01:43:54,526 --> 01:43:57,161
Obama let the private
sector deal with the problem.
2099
01:43:57,763 --> 01:44:00,698
I imagine that in the White
House Situation Room
2100
01:44:01,033 --> 01:44:03,100
people sat around and said...
2101
01:44:03,769 --> 01:44:06,804
Let me be clear,
I don't imagine, I know.
2102
01:44:07,139 --> 01:44:09,707
People sat around in the
White House Situation Room
2103
01:44:09,709 --> 01:44:12,743
and said, the Iranians
have sent us a message
2104
01:44:12,745 --> 01:44:16,981
which is essentially,
stop attacking us in cyberspace
2105
01:44:16,983 --> 01:44:19,517
the way you did at
Natanz with STUXnet.
2106
01:44:19,952 --> 01:44:21,319
We can do it, too.
2107
01:44:23,221 --> 01:44:25,790
There are unintended
consequences
2108
01:44:25,792 --> 01:44:27,858
of the STUXnet attack.
2109
01:44:28,293 --> 01:44:32,063
You wanted to cause confusion
and damage to the other side,
2110
01:44:32,065 --> 01:44:34,832
but then the other side
can do the same to you.
2111
01:44:35,600 --> 01:44:38,502
The monster turned
against its creators,
2112
01:44:38,504 --> 01:44:40,905
and now everyone
is in this game.
2113
01:44:41,807 --> 01:44:44,275
They did a good job
in showing the world,
2114
01:44:44,277 --> 01:44:47,678
including the bad guys,
what you would need to do
2115
01:44:47,680 --> 01:44:49,814
in order to cause serious trouble
2116
01:44:50,082 --> 01:44:52,583
that could lead to
injuries and death.
2117
01:44:52,851 --> 01:44:55,653
It's inevitable that more
countries will acquire
2118
01:44:55,655 --> 01:44:57,955
the capacity to use cyber,
2119
01:44:57,957 --> 01:45:01,425
both for espionage and
for destructive activities.
2120
01:45:02,194 --> 01:45:04,528
And we've seen this in
some of the recent conflicts
2121
01:45:04,530 --> 01:45:05,997
that Russia's been involved in.
2122
01:45:06,198 --> 01:45:08,866
If there's a war, then
somebody will try to knock out
2123
01:45:08,868 --> 01:45:11,268
our communication
system or the radar.
2124
01:45:11,270 --> 01:45:13,838
State-sponsored
cyber sleeper cells,
2125
01:45:14,272 --> 01:45:16,107
they're out there
everywhere today.
2126
01:45:16,341 --> 01:45:18,676
It could be for
communications purposes.
2127
01:45:18,678 --> 01:45:20,878
It could be for data exfiltration.
2128
01:45:21,146 --> 01:45:24,749
It could be to, you know,
shepherd in the next STUXnet.
2129
01:45:25,150 --> 01:45:27,018
I mean, you've been
focusing on STUXnet,
2130
01:45:27,020 --> 01:45:28,552
but that was just a small part
2131
01:45:28,554 --> 01:45:30,721
of a much larger Iranian mission.
2132
01:45:31,456 --> 01:45:33,176
There was a larger
Iranian mission?
2133
01:45:36,228 --> 01:45:39,463
Nitro Zeus. NZ.
2134
01:45:40,832 --> 01:45:45,036
We spent hundreds of
millions, maybe billions on it.
2135
01:45:47,639 --> 01:45:51,208
In the event the
Israelis did attack Iran,
2136
01:45:51,210 --> 01:45:53,878
we assumed we would
be drawn into the conflict.
2137
01:45:55,247 --> 01:45:58,716
We built in attacks on Iran's
command-and-control system
2138
01:45:58,718 --> 01:46:01,085
so the Iranians couldn't
talk to each other in a fight.
2139
01:46:01,586 --> 01:46:05,122
We infiltrated their IADS,
military air defense systems,
2140
01:46:05,424 --> 01:46:07,664
so they couldn't shoot down
our planes if we flew over.
2141
01:46:08,226 --> 01:46:11,328
We also went after their
civilian support systems,
2142
01:46:11,330 --> 01:46:13,898
power grids, transportation,
2143
01:46:14,266 --> 01:46:17,068
communications,
financial systems.
2144
01:46:17,669 --> 01:46:20,971
We were inside
waiting, watching,
2145
01:46:21,239 --> 01:46:24,241
ready to disrupt, degrade,
and destroy those systems
2146
01:46:24,243 --> 01:46:25,576
with cyber-attacks.
2147
01:46:29,214 --> 01:46:30,681
And in comparison,
2148
01:46:30,916 --> 01:46:33,150
STUXnet was a
back alley operation.
2149
01:46:34,286 --> 01:46:37,788
NZ was the plan for
a full-scale cyber war
2150
01:46:37,790 --> 01:46:39,657
with no attribution.
2151
01:46:40,425 --> 01:46:41,926
The question is,
is that the kind of world
2152
01:46:41,928 --> 01:46:43,068
we want to live in?
2153
01:46:43,462 --> 01:46:47,231
And if we don't, as citizens,
how do we go about a process
2154
01:46:47,233 --> 01:46:49,233
where we have a
more sane discussion?
2155
01:46:49,235 --> 01:46:51,635
We need an entirely new
way of thinking about
2156
01:46:51,637 --> 01:46:53,204
how we're gonna
solve this problem.
2157
01:46:54,139 --> 01:46:56,273
You're not going to get
an entirely new way
2158
01:46:56,275 --> 01:46:57,675
of solving this problem
2159
01:46:57,976 --> 01:47:00,778
until you begin to have an
open acknowledgement
2160
01:47:01,279 --> 01:47:03,614
that we have cyber
weapons as well,
2161
01:47:04,483 --> 01:47:07,518
and that we may have to agree
to some limits on their use
2162
01:47:08,053 --> 01:47:10,387
if we're going to get other
nations to limit their use.
2163
01:47:10,389 --> 01:47:11,956
It's not gonna be
a one-way street.
2164
01:47:12,157 --> 01:47:14,825
I'm old enough to have
worked on nuclear arms control
2165
01:47:15,160 --> 01:47:17,661
and biological
weapons arms control
2166
01:47:17,663 --> 01:47:19,830
and chemical
weapons arms control.
2167
01:47:20,999 --> 01:47:25,469
And I was told in each of
those types of arms control,
2168
01:47:25,471 --> 01:47:26,804
when we were beginning,
2169
01:47:27,105 --> 01:47:30,074
it's too hard,
there are all these problems.
2170
01:47:30,342 --> 01:47:32,443
It's technical.
There's engineering.
2171
01:47:32,445 --> 01:47:34,111
There's science involved.
2172
01:47:34,113 --> 01:47:36,447
There are real
verification difficulties.
2173
01:47:36,449 --> 01:47:37,982
You'll never get there.
2174
01:47:38,416 --> 01:47:40,818
Well, it took 20,
30 years in some cases,
2175
01:47:41,253 --> 01:47:43,020
but we have a
biological weapons treaty
2176
01:47:43,022 --> 01:47:44,421
that's pretty damn good.
2177
01:47:44,423 --> 01:47:45,923
We have a chemical
weapons treaty
2178
01:47:45,925 --> 01:47:47,324
that's pretty damn good.
2179
01:47:47,492 --> 01:47:49,827
We've got three or four
nuclear weapons treaties.
2180
01:47:50,128 --> 01:47:51,729
Yes, it may be hard,
2181
01:47:51,997 --> 01:47:54,098
and it may take 20 or 30 years,
2182
01:47:54,499 --> 01:47:57,067
but it'll never happen unless
you get serious about it,
2183
01:47:57,536 --> 01:47:59,503
and it'll never happen
unless you start it.
2184
01:48:05,310 --> 01:48:08,279
Today, after two
years of negotiations,
2185
01:48:08,713 --> 01:48:12,016
the United States, together
with our international partners,
2186
01:48:12,484 --> 01:48:15,886
has achieved something that
decades of animosity has not,
2187
01:48:16,521 --> 01:48:18,422
a comprehensive, long-term deal
2188
01:48:18,857 --> 01:48:22,526
with Iran that will prevent it
from obtaining a nuclear weapon.
2189
01:48:22,727 --> 01:48:25,196
It was reached in
Lausanne, Switzerland,
2190
01:48:25,198 --> 01:48:27,698
by Iran, the U.S., Britain, France,
2191
01:48:27,700 --> 01:48:29,633
Germany, Russia, and China.
2192
01:48:29,635 --> 01:48:32,736
It is a deal in which Iran will cut
2193
01:48:32,738 --> 01:48:36,941
its installed centrifuges
by more than two thirds.
2194
01:48:37,142 --> 01:48:40,377
Iran will not enrich uranium
with its advanced centrifuges
2195
01:48:40,379 --> 01:48:42,379
for at least the next ten years.
2196
01:48:42,381 --> 01:48:45,015
It will make our
country, our allies,
2197
01:48:45,017 --> 01:48:46,650
and our world safer.
2198
01:48:47,552 --> 01:48:51,555
Seventy years after the
murder of 6 million Jews
2199
01:48:51,557 --> 01:48:56,627
Iran's rulers promised
to destroy my country,
2200
01:48:56,928 --> 01:49:00,664
and the response from nearly
every one of the governments
2201
01:49:00,666 --> 01:49:04,735
represented here has
been utter silence.
2202
01:49:05,370 --> 01:49:07,171
Deafening silence.
2203
01:49:14,879 --> 01:49:16,947
Perhaps you can now understand
2204
01:49:17,682 --> 01:49:21,185
why Israel is not joining
you in celebrating this deal.
2205
01:49:22,354 --> 01:49:24,755
History shows that
America must lead,
2206
01:49:24,757 --> 01:49:27,691
not just with our might,
but with our principles.
2207
01:49:28,627 --> 01:49:31,795
It shows we are stronger,
not when we are alone,
2208
01:49:31,797 --> 01:49:33,964
but when we bring
the world together.
2209
01:49:35,133 --> 01:49:37,401
Today's announcement
marks one more chapter
2210
01:49:37,403 --> 01:49:41,672
in this pursuit of a
safer and more helpful,
2211
01:49:42,040 --> 01:49:45,376
more hopeful world. Thank you.
2212
01:49:45,910 --> 01:49:49,146
God bless you, and God bless
the United States of America.
2213
01:49:53,551 --> 01:49:55,319
Everyone I know is basically
2214
01:49:55,321 --> 01:49:56,854
thrilled with the Iran deal.
2215
01:49:57,422 --> 01:49:59,290
Sanctions and diplomacy worked.
2216
01:49:59,658 --> 01:50:01,925
But behind that deal
was a lot of confidence
2217
01:50:01,927 --> 01:50:03,527
in our cyber capability.
2218
01:50:04,596 --> 01:50:07,464
We were everywhere
inside Iran. Still are.
2219
01:50:08,333 --> 01:50:10,567
I'm not gonna tell you
the operational details
2220
01:50:10,569 --> 01:50:13,203
of what we can do
going forward or where...
2221
01:50:14,739 --> 01:50:18,842
But the science fiction
cyber war scenario is here.
2222
01:50:18,844 --> 01:50:20,311
That's Nitro Zeus.
2223
01:50:21,746 --> 01:50:24,415
But my concern and
the reason I'm talking...
2224
01:50:25,917 --> 01:50:28,852
Is because when you shut
down a country's power grid...
2225
01:50:30,155 --> 01:50:33,123
It doesn't just pop
back up, you know?
2226
01:50:33,125 --> 01:50:34,925
It's more like Humpty Dumpty...
2227
01:50:36,294 --> 01:50:40,164
And if all the king's men
can't turn the lights back on
2228
01:50:40,166 --> 01:50:42,066
or filter the water for weeks,
2229
01:50:42,267 --> 01:50:44,168
then lots of people die.
2230
01:50:46,438 --> 01:50:48,372
And something we
can do to others,
2231
01:50:48,673 --> 01:50:50,207
they can do to us too.
2232
01:50:51,609 --> 01:50:54,278
Is that something that
we should keep quiet?
2233
01:50:55,447 --> 01:50:57,114
Or should we talk about it?
2234
01:50:58,049 --> 01:50:59,950
I've gone to many
people in this film,
2235
01:50:59,952 --> 01:51:01,719
even friends of mine,
who won't talk to me
2236
01:51:01,721 --> 01:51:03,887
about the NSA or
Stuxnet even off the record
2237
01:51:03,889 --> 01:51:05,189
for fear of going to jail.
2238
01:51:05,557 --> 01:51:07,358
Is that fear protecting us?
2239
01:51:08,526 --> 01:51:11,128
No, but it protects me.
2240
01:51:11,896 --> 01:51:13,297
Or should I say we?
2241
01:51:14,632 --> 01:51:16,367
I'm an actor playing a role
2242
01:51:16,369 --> 01:51:18,502
written from the testimony
of a small number of people
2243
01:51:18,504 --> 01:51:20,037
from NSA and CIA,
2244
01:51:20,372 --> 01:51:22,740
all of whom are angry
about the secrecy
2245
01:51:22,742 --> 01:51:24,475
but too scared to come forward.
2246
01:51:24,809 --> 01:51:26,243
Now, we're forward.
2247
01:51:27,512 --> 01:51:30,314
Well, forward-leaning.