Nova (1974–…): Season 42, Episode 16 - Cyberwar Threat - full transcript

Cyber weapons have the ability to inflict physical damage on factories, power plants and pipelines.

Are you wondering how healthy the food you are eating is? Check it - foodval.com
---
Will the next devastating attack
against the United States

be delivered
with the tap of a key?

Instead of bullets and bombs,

you use bits and bytes

Using only a computer,

a terrorist or a nation
can attack

critical infrastructure
like the power grid

That could result in a blackout

for the majority of the U S
that could last weeks or months

The enemies are anonymous

Their reach is global



As internet connections multiply
so does the threat

Imagine a world
with 50 billion microprocessors

attached to the Internet

That's 50 billion
points of attack

The targets are everywhere

Computers are permeating
our environments

There are potential
security risks anywhere

there is one of these
computing devices

And we'll be applying
your brakes shortly

Even in your car

Right about now

Yeah, that worked

Cyber weapons
have already been unleashed

It was the first
real cyber sabotage



that affected the real world

Somebody has used
an entirely new class of weapon

to affect destruction

Is it too late to put the genie
back in the bottle?

When we put the little evil
virus in the big pool,

it tends to escape
and go Jurassic Park on us

Can we survive
the "Cyber War Threat"?

Right now, on NOVA.

The Sayano-Shushenskaya dam
in remote Siberia...

The ninth largest
hydroelectric plant on earth

and the scene
of a catastrophic event

that may foreshadow
the future of war

On August 17, 2009,
all seems normal

in the power plant
at the base of the dam

30 million tons of water
pressure spin massive turbines

generating more than 6,000
megawatts of electric power

Suddenly, without warning,
something goes terribly wrong

A plume of water

Followed by a wave
of destruction

In the end, 75 people perish

In the aftermath,
a hellish vision

One of the 1,500-ton turbines
had burst through the floor,

rocketing 50 feet into the air

Punching a hole
in the base of the dam

Investigators eventually
identify poor maintenance

and worn anchor bolts
as the cause

But at first, this scenario...

A machine self-destructing
with lethal consequences...

Led some to wonder if this might
be a new kind of sabotage,

one that targets the computers
in our most critical machines,

sending them out of control
in a cyber-era attack

We're living in an era now
where we have to wonder

whether people can cause damage
with computer code

that before they could
only cause with a bomb

Computer code that could
even be delivered anonymously

over the internet

We think of the Web
as an indispensable tool

that delivers the world
to our doorstep

But it's also a wide-open
conduit for attack

We've learned to live
with cyber crime...

Identity theft,
credit card fraud,

hacking, and stealing
personal information

But now there's a threat
that's much more frightening

and destructive

You can get into a network

which has control
of some physical thing

Think about a pipeline,
for example

You get into that network

which controls the pipeline,

and you can cause
the pipeline to explode

just as though it were
attacked by a kinetic weapon

And traditional kinetic,
physical weapons

may be impotent
against a cyber-attack

Because digital weapons can be
anonymous and instantaneous...

No reports of troop movements
to signal a threat

or air raid sirens
to give warning

Just a sudden,
out-of-the-blue digital takedown

of dams, power plants,
factories,

air traffic control,
the financial system, and more

Instead of bullets and bombs,
you use bits and bytes

We are in a digital arms race

against nations, hackers,
and terrorists

Cyber is the poor man's
atom bomb

Welcome to the frightening
new world of cyber war

In the United States,

the command center
for cyber operations is here,

at the ultra-secret
National Security Agency

in Fort Meade, Maryland

Some joke NSA should stand for
"No Such Agency"

For most of its history,

the NSA was so shrouded
in secrecy,

most Americans
didn't even know it existed

But that all changed in 2013

when whistleblower
Edward Snowden

walked out the door with a huge
cache of top-secret documents

I've been following NSA
for 30 years or so

and every now and then
there's a little leak here,

a little leak there,
but nothing like this

This is extraordinary

Hundreds of thousands of
documents released all at once

Some of them famously revealed
the existence of programs

that empower the NSA programs
to spy on Americans citizens

by collecting emails, phone
calls, and other personal data

What we've seen
over the last decade

is we've seen a departure from
sort of the traditional work

of the National Security Agency

They've become
the National Hacking Agency

Other documents reveal
that the agency

is moving into new territory,

developing offensive weapons
to penetrate global networks

in preparation
for launching cyber attacks

That's a far cry
from the original mission

intended by President Truman
in 1952

In those days,
the NSA was all ears

Its listening posts eavesdropped
on foreign radio,

and satellite transmissions

and tapped underwater
telephone cables

Traditional signals intelligence
was fairly passive

It was an antenna
or an alligator clip,

and you had to wait for somebody
to send a message,

and you hope you're fortunate
enough to be

in the right place
at the right time

But then the digital revolution
and the internet

gave the NSA new powers

and a way to hack
into distant computer networks

In the cyber domain,
you didn't have to wait

for them to send a message

You could commute
to their target

You could commute to where
the information was stored

and extract it
from that network,

even if they never intended
to transmit it

Today, the agency appears
to have transformed

from a passive listener
into an active spy

Able to infiltrate, steal,

and, when necessary,
attack in cyberspace

General Michael Hayden
helped shape that transformation

beginning in 1999
when he became director

I get to Fort Meade about
the turn of the millennium,

we're focused on cyber

Cyber is espionage,

but also the potential
of cyber as a weapon,

computer network attack

Then came 9/11,
and President George W Bush

ordered the NSA to begin
planning in earnest

for offensive cyber war

Eventually, to meet that need,
the military created

a new strategic unit,
a partner to the NSA called

Cyber Command

Its mission:
to go beyond espionage

using computers as weapons

Site M is the cover name for
its massive new headquarters

It will eventually cover
more than a million square feet,

enough to add to NSA's
headquarters complex

some 14 new buildings

and thousands
of additional staff

Plus a $1 5 billion data center
in Utah

By 2010, Cyber Command
was ready for action

About the same time
that the world got a glimpse

of the first true cyber weapon,

a surprisingly destructive
computer worm,

a self-replicating program
that came to be called Stuxnet

Stuxnet is what we consider
the first confirmed

digital weapon and the first act
of cyber warfare

Stuxnet first showed up
infecting desktop computers

and laptops in Iran
and the Near East,

but it soon spread further,
using the internet

to copy itself
from system to system

Eventually it ended up
in the crosshairs of Symantec,

maker of anti-virus
security software

There it grabbed the attention
of security experts

Liam O'Murchu and Eric Chien

Right away they saw that Stuxnet
was more complicated

than any other malicious
software, so-called malware

We had never seen a threat
that was so large

and so dense

I mean this threat was maybe
20 times the normal size

of any threat
that we had seen before

Normally, we can analyze malware
in a very short period of time,

from five minutes
maybe up to a week

But with Stuxnet,
we spent six months

With computer users
around the world

sending millions
of suspicious pieces of malware

to Symantec's server farm,

Eric and Liam get to examine
a huge variety

But nearly all of them
have one thing in common:

they're all programs
that try to worm themselves

into an unwitting computer
and hide

Most people don't realize that
when they use their computer

for browsing the web
or checking their email

there is a lot more going on
in the background,

lots of hidden programs

For the most part,
they're never seen

Bringing up a list
of these programs

reveals unfamiliar names

They come and go as needed

and there can be dozens running
at any given time

Some carry out simple tasks

deep in the computer's operating
system, hidden from view

Others are complex and obvious,

the applications we see
running on our screens

They all co-exist,
sharing the computer's memory

and constantly communicating
with each other

like a digital ecosystem

Hackers or attackers
take advantage

of all of these hidden programs
on your computer

by hiding
their malicious software,

otherwise known as malware,
in and amongst them

so that you don't even notice

The first challenge
for an attacker

is to get the malware installed
on the victim's computer

A common ploy is to trick users
into doing it themselves

One way hackers
are able to do this

is by simply sending you
an email

with a legitimate document
inside

Even though the document

doesn't look suspicious,

it actually contains
malicious computer code

Liam plays the part
of the victim

So, first thing in the morning,
I'm going to log into my email

and check if I have anything new

So I have received an email

about open enrollment
for my benefits,

and even though I don't know
who the sender is

I'm going to open this up

Downloading and opening
the booby-trapped document

generates an error message

But what the victim
doesn't realize

is that clicking on it
also invisibly installs malware

onto the computer

Once my victim opens up
that document,

that secret computer code inside
has started to run

on his computer
without him even knowing it

and it's connected back
to my computer

to a program that I'm running
called Nuclear RAT

Stealthy programs like this

allow for a shocking
behind-the-lines invasion

where the attacker can spy
or disrupt at will

I can even take screenshots
of his computer

and watch all of his keystrokes

via something called
a key logger

He's logging in
to his email right now

and I can actually get
his username and his password

Not only that,
but we can also get video

by turning on the webcam
and I can actually see

what my victim looks like,
all without him knowing

Nuclear RAT takes advantage
of a well-known weakness

in computers with the Windows
operating system

And security experts have
devised defenses against it

But when Liam and Eric
looked at Stuxnet,

they saw that the program
was taking advantage

of a weakness that no one
had ever seen before

It's what hackers refer to
as a zero-day exploit

A zero-day exploit is

malicious code that is used
against a vulnerability

that is at the time
unknown to the vendor

and unknown
to antivirus companies

Because it's unknown,
the vendor can't patch it

and antivirus companies don't
have signatures to detect it

In other words, it's a flaw
that has been detected

and fixed for "zero days,"
meaning not at all

Stuxnet used a zero-day to take
advantage of a vulnerability

related to USB thumb drives,
also called memory sticks

Plugging in a Stuxnet-infected
thumb drive causes the program

to copy itself
onto the target computer

without the user's knowledge

Zero-days are extremely hard
to find and can command

huge sums on illicit markets

Your average threat doesn't use
any zero-days at all

But Stuxnet represented
a major investment by someone

At the time that Stuxnet
was launched,

zero-days weren't used
that often in attacks

Stuxnet used five zero-days,
and that was really remarkable

And still Stuxnet had an even
bigger surprise in store:

its purpose

What's its payload?

What's its motivation?

What's it actually going to do
when it's on your system?

And it wasn't until November
of 2010 we really uncovered

its primary motivation

The first clue came
from a close examination

of Stuxnet's computer code...
All 15,000 lines of it

When we looked inside the code,

we saw the name

of a German industrial control
equipment manufacturer

We saw Siemens in there

Siemens makes factory
automation equipment

Also in the code was a reference
to a specific model number

of one of its products,

a mysterious device called a PLC

I didn't even know
what a PLC was

I had to Google for
what is a PLC

That even baseline knowledge,
we just did not have

What they learned is that a PLC

is a programmable
logic controller...

Some kind of computer
used in industry

We basically ordered one

off an auction site

And I was expecting something

the size of a mini refrigerator
to show up,

something you might see
in a university dorm room

But instead, what showed up
was one of these:

a tiny, tiny box that basically
has a mini computer inside

that controls things
like the power grid, pipelines,

factories that are building cars

So PLCs are kind of
the unsung component

that makes the world go round

They are used to make elevators
go up and down

They are used
in chemical plants,

they control the recipe

that gets put into drugs
and chemicals

They control
water distribution plants

They're used in the electrical
grid to control equipment

They're used surprisingly in
NASDAQ, in the trading systems

They're used in traffic lights

They're used to control trains

So you can see that these
components are really crucial

and these systems were never
created with security in mind

So what was Stuxnet
ultimately after?

The answer was discovered
in Hamburg, Germany,

by a security expert

I had let's just say,
20 or 30 "holy cow" moments

What really blew my mind
was to see from day one

how sophisticated the thing was

When he examined the code,
Ralph Langner saw that Stuxnet

was not designed
to tamper with Siemens PLCs

wherever it found them

It was hunting
for specialized equipment

in a specific configuration,

likely targeting
a single factory

I was like, "Holy cow,
this is a targeted attack?"

And certainly we started
to wonder,

"Wow, somebody's writing
the most sophisticated worm

"that we have ever seen
only to hit one target?

That must be quite
a significant target"

But where?

Stuxnet had come
to the attention of the world

when a security expert found it

infecting a client's
malfunctioning computer

located in Iran

He then shared it
with other experts

For Langner,
the apparent epicenter

of that original outbreak
proved a vital clue

In Iran, you don't have
an awful lot

of significant
industrial facilities

Then the number of potential
targets that could be worth

such an effort
shrinks down to just a few

And certainly the one
potential target that popped up

was the Iranian nuclear program

Langner turned his attention
to two known nuclear facilities

in Iran:
a power plant at Bushehr,

and an enrichment plant
at Natanz

Natanz is an underground,
fortified facility,

housing cylindrical centrifuges
used to isolate

a rare form of uranium,

a precursor to fueling
a power plant

or making a nuclear weapon

The machines spin
at very high speed

with little room for error,

and their motors
and safety systems

are under the control of PLCs

Examining photos from Natanz
made public

by Iran's press office,

and comparing the equipment in
them to the computer worm's code

helped confirm
the identity of the target

At the end of 2010,
we were able to show

100% proof

that we had a complete match
from the attack codes

with the configuration of the
enrichment cascades in Natanz

This was conclusive proof
that a computer virus

has been unleashed
against a military target

A true digital weapon

Langner circulated his discovery
among other security experts,

who were stunned

We weren't just protecting
16-digit credit card numbers,

but potentially stumbling into

something that had
geopolitical implications

But they still didn't understand
how the weapon worked

So Eric and Liam set out
to hack their own PLC

So here, I have a PLC, a
programmable logic controller

This model is a Siemens S300,
and that's the exact same model

that was targeted by Stuxnet

Inside the PLC,
there's a small computer,

and it's used for controlling
equipment in the real world

like conveyor belts, motors,

and, in this case,
I have an air pump

Turning the knob
starts a program

that turns on the pump,
waits three seconds

and then turns it off

What Stuxnet did
was it targeted this PLC

And even though you'd download
a program that says

"operate an air pump
for three seconds,"

in the background,
Stuxnet changes that code

It intercepts your request
and it puts malicious code

onto the PLC instead

Liam has infected the laptop
with a Stuxnet-like virus

So now when he loads his program
onto the PLC

the virus steps in

And something goes very wrong

In this case,
we popped a balloon,

but imagine if that was
a gas pipeline or a power plant

That's what's at stake
in cyber-attacks like this

Finally they understood enough
to reconstruct the attack

The Natanz plant was not
connected to the internet...

A security measure

That explained why Stuxnet
was designed to copy itself

via thumb drives, which could be
plugged into a computer

on the internal network by a spy
or an unwitting plant worker

Once on the plant's
internal network of computers,

Stuxnet would search for PLCs
in control of centrifuges

When it found a target,
it would lie in wait for weeks

But then Stuxnet would begin
tampering with the centrifuges,

causing them to gradually
speed up and slow down,

operating out of safe limits
until they broke

It's not clear
how long Stuxnet was active

But according to international
nuclear regulatory authorities,

1,000 centrifuges mysteriously
failed over five months

There's no evidence
the Iranians even knew

that they were under attack

But eventually the worm escaped,
spread using the internet,

and was spotted and decoded
by security experts

Suddenly the stakes in
cyber security had gone way up

I'm looking at a piece of code

that could blow something up
in Iran

It was very, very scary
to realize

that that's the destruction
that's possible now

with this type of software

It was the first
real cyber sabotage threat

that we've ever seen
that affected the real world

But unlike
a traditional weapon...

A missile or a bomb...

it's almost impossible to know
for sure who launched it

But its complexity
was a big clue

It was immediately obvious to us

when we began looking
at this code that this was not

two kids in the basement
in Kansas somewhere

who had written
this particular threat

This was multiple teams
with different expertise

who had come together
to create this one weapon

It was very clear to us
that this was at the level

of a nation state

Someone...
probably a nation-state,

because it's too hard to do
from a garage or a basement...

Just used a weapon
comprised of ones and zeros

during a time of peace
to destroy what another nation

could only describe
as critical infrastructure

Who would have the motivation
to do something

against the Iranian
nuclear program?

Obviously not Venezuela

I also say for somebody
of my background...

Director of CIA...

Crashing 1,000 centrifuges
at Natanz,

almost an absolute good

If you think about
who would have the capabilities

to launch such an attack
of that sophistication,

completely unprecedented,

you would certainly think about
the United States

in the first place

I say with great sincerity

that it would be irresponsible
for someone of my background

to even speculate
who may have done this

In June 2012, the New York Times
reported that Stuxnet

was created jointly by the NSA

and Israeli intelligence

Then, in apparent retaliation,
the Saudi oil company Aramco

was hit with a computer virus
in August 2012

They sent what's called
a wiper virus,

which is actually sort of
a Fisher-Price,

baby's first hack
kind of a cyber-campaign

It's not sophisticated,
it's not elegant

But it was effective,

destroying the data
on 30,000 computers

Then followed a coordinated
attack against American targets

- One by one, American banks...
- Citibank, Bank of America,

J P Morgan, SunTrust,
Wells Fargo...

All had their web-facing
customer interface pages

knocked offline

In other words,
if you were a Citibank customer

and you went online
to do some banking,

you couldn't get through

Attack and counterattack

But that's not
the end of the story

In fact, it may be
just the beginning

Stuxnet was the blueprint

that provided proof of concept
that such attack is possible

It's opened the door
onto a new era of warfare

and I don't think
we fully understand now

what the repercussions of it
will be

This is an incredibly important
event in our history

Theoretically,
this smells like August of 1945

Somebody has used
an entirely new class of weapon

to affect destruction

The U S and Soviet Union
took decades to reach agreements

to limit the buildup
of their nuclear arsenals

But with cyber weapons, we
may not have the luxury of time

The capability is spreading and
the number of targets exploding

Stuxnet exposed
the vulnerability

of one kind of embedded computer
in industrial PLCs

But now there are embedded
computers all around us...

From power stations
to pacemakers

Yoshi Kohno
is a security researcher

who has an uncanny ability to
find frightening vulnerabilities

in everyday technology...
Like cars

Modern automobiles have
ten sometimes up to 100

different computers inside them

Essentially,
what we wanted to know,

what might an unauthorized party
be able to do

with an automobile
straight off the lot?

Recently, he and his graduate
students demonstrated

how a hacker could seize control
of a car

The model they chose
had a built-in

emergency communication system
that works like a cell phone

They used that system
to call the car

and remotely force malware
into its embedded computers,

giving them control

over electrical and mechanical
systems like door locks,

and lights

Even the brakes

Okay, Alexei, we've unlocked
the brake controller

and just to verify,
you have your helmet on

and all your safety precautions
in place, right?

That's right, helmet on, gloves
on, strapped in and ready to go

Great, okay, go ahead and go,
and we will apply your brakes

when you get
to the checkered flag area

By sending malicious code
to the car,

they will try
to lock up the brakes

And we'll be applying
your brakes shortly

Right about now

Oh, ooh, yeah, that worked!

Ooh, is he going to go
to the wall?

Are you okay, Alexei?

In some cars, the steering,
air bags and accelerator

are also hackable

And as more cars become
connected to the internet,

the opportunities for attack
will increase

So far, many car-makers
have not made defense

against cyber weapons
a top priority

And the same may be true
for countless other companies,

all racing to connect their
products to what's being called

"the internet of everything"

Tailio turns any litter box
into a smart monitoring system

We have computers
in medical devices

We have computers in automobiles

We have computers in airplanes

and we actually have computers
in our homes

Home automation systems are
becoming increasingly popular

These are systems
that wirelessly link

common appliances
like light switches, furnaces

and door alarms to the internet
for remote control

But Yoshi wonders
if the rush towards convenience

is stampeding over security

You know, there's a lot of drive
towards pushing functionality,

coming out with new technologies

that do, you know,
amazing new and greater things

But not enough people
are stepping back and asking

how might I also abuse it?

And together with some students
that I work with

at the University of Washington,
we wanted to figure out

how secure are these home
automation systems actually

They decide to set up
in a Seattle coffee shop

Got a 16-ounce latte

The kind of place where people
like to hang out

because it offers free Wi-Fi

Alex Takakuwa
has an automation system at home

and plays the innocent victim

Meanwhile, playing the part
of the attackers,

are students Tope Oluwafemi
and Tariq Yusuf

This is an ideal public spot
to demonstrate how an attacker

could gain control
of a complete stranger's home

They've set up a wireless
hotspot that masquerades

as the coffee shop's own Wi-Fi

It's a notorious hacking ploy
and aptly named

It's called an evil twin network

A really evil twin

The victim connects
to the evil twin

and what's called a
man-in-the-middle attack begins

The attackers can now spy on
everything flowing to and from

the victim's laptop

They observe
that Alex is connecting

to a home automation system

They're able to see
his private login information

We're able to get credentials

to access his home automation
system without him knowing

The next phase gives
the location of the house

They insert malicious code
into the home automation system

That code tricks it
into reporting

the victim's GPS coordinates
back to the attackers

every time the victim
logs in on his laptop

It takes a few days,
but eventually they're able

to deduce where the victim lives

We're able to get
his house coordinates,

his GPS coordinates, and paid
him a nice little visit

Even in a simple demonstration
like this,

bad things can happen

With a few key strokes
from their car,

they unlock the doors
and stroll right in

In today's world,
embedded devices tend to be

stripped-down computers
that are meant to do

some set of specific tasks...

Automating things
like locks and lights

Oftentimes,
that means they stripped down

the security as well

In the "internet of everything,"
every new device

connected to the Web
brings both promise and peril

Imagine a world with
50 billion microprocessors

attached to the internet
in just five years

That's 50 billion
vulnerabilities,

50 billion points of entry,
50 billion points of attack

The trick is to find
the right balance

between convenience and security

You can have
a solid concrete structure,

and there's no way to get in,
no way to get out

That's secure,
not necessarily useful

because no one can access it

As you add doors,
as you add windows,

as you add ventilation,

they become multiple points
of entry

and multiple points to monitor
and figure out what's going on

Windows and doors
are easy to lock

Not so for devices
with embedded computers

So let's say that you have
a children's toy

and you suddenly start to add
some computer capabilities to it

or a light switch
and you start adding

computer capabilities to that

And it's the introduction
of computation

and the ability for someone...

If they have the ability to
connect to those computers...

To force those computers
to misbehave

That's kind of the first step
in creating a potential

for an attack scenario

Cyber-attack scenarios
against critical infrastructure

have been a concern for the
Department of Homeland Security

at least since 2007,
when the agency commissioned

an experiment called Aurora

The question experts wanted
to answer was a simple one:

could a purely digital cyber
attack disrupt or disable

a large generator
connected to the power grid?

I was the director of the
control system security program

at the Department
of Homeland Security

And during that time,
I ran the project

that many people are familiar
with called Aurora

A team of electrical engineers
brought a 27-ton, heavy-duty

diesel generator to a specially
built testing facility

at the Idaho National Lab

After connecting the generator
to the power grid,

they challenged a team
of computer security experts

to use computer code
to knock the generator offline

The test was monitored
via closed circuit TV

In the video, you'll see it
running, humming along normally

And then you see the first hit

The first jump

You see the generator shudder

The jump occurred
almost immediately after

the attackers sent
the first packet

of malicious computer code

We wanted to hit it
and then wait and collect data

and see what was happening
and then hit it again,

collect some data and kind of
watch the progression

of the damage to the generator

After the second attack,
the generator lurched again,

belched ominous smoke
and ground to a halt

Not only was it knocked off
the grid,

it was rendered
completely inoperable

What they found when they opened
the generator was just failures

with almost all parts
of the generator,

both mechanical and electrical

So what you're really
talking about is essentially

what you would do
with pieces of dynamite

So this was a tough machine

This was heavy duty

And it was designed to run
in severe conditions

If you were actually
doing that attack,

there's no reason to pause
and wait in between

You simply put your software
on a loop,

and you just keep hitting it
until it breaks

An attack like this could take
less than a minute

But leave consequences
that would last for months

If you damage or destroy these,

you can't just go down to your
neighborhood hardware store

and buy another

It could take you
maybe six to nine months

to get another one of these

And according
to a government study,

a coordinated attack on fewer
than a dozen power stations

could cause a massive outage...
Far more devastating

even than the historic blackout
that hit the Northeast in 2003

The brightness of car headlights
the only visible sight

on 42nd Street tonight
as thousands wait

under a cloud of total darkness

All you would need to do is
take out about nine substations

in an attack that could result
in a blackout

for the majority of the U S
that could last weeks or months

depending on
how the attack was designed

And it's not only the power grid
that's at risk

In 2014,
seven years after Aurora,

DHS inexplicably released
an 800-page report

on the Idaho demonstration

Inside were three alarming maps,
perhaps included by mistake

These were never supposed to be
declassified

The maps identify targets
like refineries

and gas and water lines
that could be destroyed

by rapidly disconnecting
and reconnecting them

to the power grid

This is using the electric grid
as a means of attacking

the industries connected
to the electric grid

You now have essentially a hit
list of critical infrastructure

Surprisingly,
our most critical facilities

like this electric power plant
must fend for themselves

when it comes to defending
against cyber attack

Less than a third of electricity
generating facilities

are big enough
to be required to abide

by the strictest
cyber security rules

Yet the threat from cyber
is so worrisome

that few power company
executives are willing

to discuss the problem
on the record

for fear of being targeted
by hackers

I don't know how real
or how probable

a cyber-attack is

But I do know that protecting
against it is prudent

Just because I don't know
how likely something is

I don't know how likely
an earthquake is

I don't know how likely
a tornado is

I want to make it as hard
as possible for someone

to attack our generators
and disrupt our society

There is a fix available
to defend against

an Aurora-style attack

The cost for new equipment
is relatively low,

but not many utilities
have installed it

Security remains alarmingly lax
at many power stations

I was at a conference
and one of the engineers

showed me how he had his iPhone
set up so he could control

multiple power plants
at the same time

I went to look at it and
he said, "Be really careful

If you push that button,
they'll all trip off"

I was speechless

I asked him,
"What do we do about security?"

And he says,
"I make sure no one gets this"

Until recently,
controls at power stations

were mechanical switches
and immune to cyber attack

But now the drive
to put everything online

has created a hole
in our defenses

that no one seems able to plug

I think the public believes
that the U S government...

Cyber Command, NSA, FBI,
Homeland Security...

Have the capability to defend
the electric power grid,

pipelines, trains,
banks that could be attacked

by other nations through cyber

The truth is the government
doesn't have the capability,

doesn't have
the legal authority,

and doesn't have a plan to do it

And it's not a question
yet of resources

It's a question of policy

What do you want
these guys to do?

What is it will you tolerate
them doing to defend you

on a network in which
your emails and mine

are skidding about freely?

Policymakers have not given
the NSA and Cyber Command

the mission of securing
the internet,

which may be fine with them

Because these agencies
are deploying ambitious

offensive programs that exploit
common security weaknesses

NSA documents contain references
to programs

with fanciful codenames
Like "TREASUREMAP"

an attempt to identify
and track every device

connected to the Web...
Anywhere, all the time

And "QUANTUMTHEORY,"
a suite of programs that aims

to insert malware implants
into computers and networks

around the world

And Quantum you can think of
as almost this sort of

industrial-scale spread
of computer viruses

It's a system that the NSA
developed that allows it to,

in a very quick and efficient
manner, implant viruses,

what are known as malware
or malicious software

on computers around the world

Think of it sort of
as a big launching platform

for cyber weapons

The ultimate goal
is to establish

hundreds of thousands of
stealthy access points globally

to spy or to deal a devastating
cyber counterstrike

But the emphasis on offense
comes at a price

To ensure they'll always
have a back door

into their target's systems,
the NSA and Cyber Command

keep the computer
vulnerabilities

they exploit secret

But that leaves the same
back doors open everywhere...

Even here at home
undefended against attack

Which raises a question...
What's more important:

a good offense
or a good defense?

Defending ourselves
from internet-originated attacks

is much, much more important
than our ability

to launch attacks

because when it comes to the
internet,

when it comes
to our technical economy,

we have more to lose
than any other nation on earth

So we shouldn't be making
the internet a more hostile,

a more aggressive territory

We should be making it a
more trusted environment,

making it a more
secure environment

The U S economy
depends on the internet

Failures to defend it
are already costing us dearly

Every day foreign hackers
make thousands of digital forays

against targets inside the US

Some of these
are like spying on steroids

and can do real
military damage...

Something kept hidden
from the public

A secret document
in the Snowden archive

reveals that the Chinese have
stolen "many terabytes of data"

related to the design
of one of America's

most advanced fighter planes...
The Joint Strike Fighter

And when they investigated this,
they found that hackers

were stealing this information
not from military networks,

but from the companies
that are building these systems

for the military

The extent of damage
was pretty significant

And it's not only
defense contractors

There's a new kind of attack...

A nation-state going after
a purely civilian business...

Using cyber as a weapon
of intimidation and blackmail

In late 2014, Sony Pictures
releases a trailer

for a political comedy
called The Interview.

Three weeks from tonight

I will be traveling to
Pyongyang, North Korea!

Hello, North Korea!

The absurd premise involves
an assassination plot

against Kim Jung Un,
leader of North Korea

You want us to kill
the leader of North Korea?"

Yes

What?

Shortly before the movie's
release... a cyber-attack

The FBI is investigating
that destructive cyber attack

at Sony Pictures

Hackers calling themselves
the "Guardians of Peace"

reveal that they have
broken into

Sony's corporate
computer network

and seem to threaten a 9/11 type
attack on theatergoers

if Sony releases the film

Within weeks, the FBI claimed
to have top-secret intelligence

that pointed to North Korea
as the culprit

There is not much in life

that I have high confidence
about

I have very high confidence
about this attribution

As does the entire
intelligence community

They caused a lot of damage

And we will respond

We will respond proportionally,
and we'll respond

in a place and time
and manner that we choose

The hard part
for the White House

was not attributing
the Sony attack to North Korea

The hard thing
was what do you do about it?

Because if the president
of the United States

is going to come out
and publicly point the finger

at a country for being behind
a cyber-attack,

there are going to have to be
consequences

But calibrating that response
is difficult

The White House has suggested

that one centerpiece of their
response to cyber attacks

would be what they called
naming and shaming

Well, you know,
naming and shaming may work

in a kindergarten class
when somebody steals cookies

that were intended
for another child,

but it's not going to work
with Vladimir Putin,

the supreme leader in Iran,
or the Chinese

Cyber war has plunged the world

into chaotic,
uncharted territory

Today, a single spy
can stealthily steal secrets

in volumes larger
than all the books

in the library of Congress

And nation states
are playing a dangerous game

using cyber weapons
that could trigger a wider war

There have been officials
in the past that have said,

you know, "If you take down
our power grid,

you can expect a missile
down your smokestacks"

I think it's highly likely
that any war that began

as a cyber-war would ultimately
end up being a conventional war,

where the United States

was engaged with bombers
and missiles

The number of nations armed with
cyber weapons is in the dozens,

not to mention terrorists
and criminal hackers

And unless we find a way
to counter these threats,

there is a very real danger
that we will turn

one of our greatest inventions...
The internet...

Into a dangerous battlefield