Nova (1974–…): Season 42, Episode 16 - Cyberwar Threat - full transcript
Cyber weapons have the ability to inflict physical damage on factories, power plants and pipelines.
Will the next devastating attack
against the United States
be delivered
with the tap of a key?
Instead of bullets and bombs,
you use bits and bytes
Using only a computer,
a terrorist or a nation
can attack
critical infrastructure
like the power grid
That could result in a blackout
for the majority of the U.S.
that could last weeks or months
The enemies are anonymous
Their reach is global
As internet connections multiply
so does the threat
Imagine a world
with 50 billion microprocessors
attached to the Internet
That's 50 billion
points of attack
The targets are everywhere
Computers are permeating
our environments
There are potential
security risks anywhere
there is one of these
computing devices
And we'll be applying
your brakes shortly
Even in your car
Right about now
Yeah, that worked
Cyber weapons
have already been unleashed
It was the first
real cyber sabotage
that affected the real world
Somebody has used
an entirely new class of weapon
to effect destruction
Is it too late to put the genie
back in the bottle?
When we put the little evil
virus in the big pool,
it tends to escape
and go Jurassic Park on us
Can we survive
the "Cyber War Threat"?
Right now, on NOVA.
The Sayano-Shushenskaya dam
in remote Siberia...
The ninth largest
hydroelectric plant on earth
and the scene
of a catastrophic event
that may foreshadow
the future of war
On August 17, 2009,
all seems normal
in the power plant
at the base of the dam
30 million tons of water
pressure spin massive turbines
generating more than 6,000
megawatts of electric power
Suddenly, without warning,
something goes terribly wrong
A plume of water
Followed by a wave
of destruction
In the end, 75 people perish
In the aftermath,
a hellish vision
One of the 1,500-ton turbines
had burst through the floor,
rocketing 50 feet into the air
Punching a hole
in the base of the dam
Investigators eventually
identify poor maintenance
and worn anchor bolts
as the cause
But at first, this scenario...
A machine self-destructing
with lethal consequences...
Led some to wonder if this might
be a new kind of sabotage,
one that targets the computers
in our most critical machines,
sending them out of control
in a cyber-era attack
We're living in an era now
where we have to wonder
whether people can cause damage
with computer code
that before they could
only cause with a bomb
Computer code that could
even be delivered anonymously
over the internet
We think of the Web
as an indispensable tool
that delivers the world
to our doorstep
But it's also a wide-open
conduit for attack
We've learned to live
with cyber crime...
Identity theft,
credit card fraud,
hacking, and stealing
personal information
But now there's a threat
that's much more frightening
and destructive
You can get into a network
which has control
of some physical thing
Think about a pipeline,
for example
You get into that network
which controls the pipeline,
and you can cause
the pipeline to explode
just as though it were
attacked by a kinetic weapon
And traditional kinetic,
physical weapons
may be impotent
against a cyber-attack
Because digital weapons can be
anonymous and instantaneous...
No reports of troop movements
to signal a threat
or air raid sirens
to give warning
Just a sudden,
out-of-the-blue digital takedown
of dams, power plants,
factories,
air traffic control,
the financial system, and more
Instead of bullets and bombs,
you use bits and bytes
We are in a digital arms race
against nations, hackers,
and terrorists
Cyber is the poor man's
atom bomb
Welcome to the frightening
new world of cyber war
In the United States,
the command center
for cyber operations is here,
at the ultra-secret
National Security Agency
in Fort Meade, Maryland
Some joke NSA should stand for
"No Such Agency"
For most of its history,
the NSA was so shrouded
in secrecy,
most Americans
didn't even know it existed
But that all changed in 2013
when whistleblower
Edward Snowden
walked out the door with a huge
cache of top-secret documents
I've been following NSA
for 30 years or so
and every now and then
there's a little leak here,
a little leak there,
but nothing like this
This is extraordinary
Hundreds of thousands of
documents released all at once
Some of them famously revealed
the existence of programs
that empower the NSA
to spy on American citizens
by collecting emails, phone
calls, and other personal data
What we've seen
over the last decade
is we've seen a departure from
sort of the traditional work
of the National Security Agency
They've become
the National Hacking Agency
Other documents reveal
that the agency
is moving into new territory,
developing offensive weapons
to penetrate global networks
in preparation
for launching cyber attacks
That's a far cry
from the original mission
intended by President Truman
in 1952
In those days,
the NSA was all ears
Its listening posts eavesdropped
on foreign radio,
and satellite transmissions
and tapped underwater
telephone cables
Traditional signals intelligence
was fairly passive
It was an antenna
or an alligator clip,
and you had to wait for somebody
to send a message,
and you hope you're fortunate
enough to be
in the right place
at the right time
But then the digital revolution
and the internet
gave the NSA new powers
and a way to hack
into distant computer networks
In the cyber domain,
you didn't have to wait
for them to send a message
You could commute
to their target
You could commute to where
the information was stored
and extract it
from that network,
even if they never intended
to transmit it
Today, the agency appears
to have transformed
from a passive listener
into an active spy
Able to infiltrate, steal,
and, when necessary,
attack in cyberspace
General Michael Hayden
helped shape that transformation
beginning in 1999
when he became director
I get to Fort Meade about
the turn of the millennium,
we're focused on cyber
Cyber is espionage,
but also the potential
of cyber as a weapon,
computer network attack
Then came 9/11,
and President George W. Bush
ordered the NSA to begin
planning in earnest
for offensive cyber war
Eventually, to meet that need,
the military created
a new strategic unit,
a partner to the NSA called
Cyber Command
Its mission:
to go beyond espionage
using computers as weapons
Site M is the cover name for
its massive new headquarters
It will eventually cover
more than a million square feet,
enough to add to NSA's
headquarters complex
some 14 new buildings
and thousands
of additional staff
Plus a $1.5 billion data center
in Utah
By 2010, Cyber Command
was ready for action
About the same time
that the world got a glimpse
of the first true cyber weapon,
a surprisingly destructive
computer worm,
a self-replicating program
that came to be called Stuxnet
Stuxnet is what we consider
the first confirmed
digital weapon and the first act
of cyber warfare
Stuxnet first showed up
infecting desktop computers
and laptops in Iran
and the Near East,
but it soon spread further,
using the internet
to copy itself
from system to system
Eventually it ended up
in the crosshairs of Symantec,
maker of anti-virus
security software
There it grabbed the attention
of security experts
Liam O'Murchu and Eric Chien
Right away they saw that Stuxnet
was more complicated
than any other malicious
software, so-called malware
We had never seen a threat
that was so large
and so dense
I mean this threat was maybe
20 times the normal size
of any threat
that we had seen before
Normally, we can analyze malware
in a very short period of time,
from five minutes
maybe up to a week
But with Stuxnet,
we spent six months
With computer users
around the world
sending millions
of suspicious pieces of malware
to Symantec's server farm,
Eric and Liam get to examine
a huge variety
But nearly all of them
have one thing in common:
they're all programs
that try to worm themselves
into an unwitting computer
and hide
Most people don't realize that
when they use their computer
for browsing the web
or checking their email
there is a lot more going on
in the background,
lots of hidden programs
For the most part,
they're never seen
Bringing up a list
of these programs
reveals unfamiliar names
They come and go as needed
and there can be dozens running
at any given time
Some carry out simple tasks
deep in the computer's operating
system, hidden from view
Others are complex and obvious,
the applications we see
running on our screens
They all co-exist,
sharing the computer's memory
and constantly communicating
with each other
like a digital ecosystem
Hackers or attackers
take advantage
of all of these hidden programs
on your computer
by hiding
their malicious software,
otherwise known as malware,
in and amongst them
so that you don't even notice
The first challenge
for an attacker
is to get the malware installed
on the victim's computer
A common ploy is to trick users
into doing it themselves
One way hackers
are able to do this
is by simply sending you
an email
with a legitimate document
inside
Even though the document
doesn't look suspicious,
it actually contains
malicious computer code
Liam plays the part
of the victim
So, first thing in the morning,
I'm going to log into my email
and check if I have anything new
So I have received an email
about open enrollment
for my benefits,
and even though I don't know
who the sender is
I'm going to open this up
Downloading and opening
the booby-trapped document
generates an error message
But what the victim
doesn't realize
is that clicking on it
also invisibly installs malware
onto the computer
Once my victim opens up
that document,
that secret computer code inside
has started to run
on his computer
without him even knowing it
and it's connected back
to my computer
to a program that I'm running
called Nuclear RAT
Stealthy programs like this
allow for a shocking
behind-the-lines invasion
where the attacker can spy
or disrupt at will
I can even take screenshots
of his computer
and watch all of his keystrokes
via something called
a key logger
He's logging in
to his email right now
and I can actually get
his username and his password
Not only that,
but we can also get video
by turning on the webcam
and I can actually see
what my victim looks like,
all without him knowing
Nuclear RAT takes advantage
of a well-known weakness
in computers with the Windows
operating system
And security experts have
devised defenses against it
But when Liam and Eric
looked at Stuxnet,
they saw that the program
was taking advantage
of a weakness that no one
had ever seen before
It's what hackers refer to
as a zero-day exploit
A zero-day exploit is
malicious code that is used
against a vulnerability
that is at the time
unknown to the vendor
and unknown
to antivirus companies
Because it's unknown,
the vendor can't patch it
and antivirus companies don't
have signatures to detect it
In other words, it's a flaw
that has been detected
and fixed for "zero days,"
meaning not at all
Stuxnet used a zero-day to take
advantage of a vulnerability
related to USB thumb drives,
also called memory sticks
Plugging in a Stuxnet-infected
thumb drive causes the program
to copy itself
onto the target computer
without the user's knowledge
Zero-days are extremely hard
to find and can command
huge sums on illicit markets
Your average threat doesn't use
any zero-days at all
But Stuxnet represented
a major investment by someone
At the time that Stuxnet
was launched,
zero-days weren't used
that often in attacks
Stuxnet used five zero-days,
and that was really remarkable
And still Stuxnet had an even
bigger surprise in store:
its purpose
What's its payload?
What's its motivation?
What's it actually going to do
when it's on your system?
And it wasn't until November
of 2010 we really uncovered
its primary motivation
The first clue came
from a close examination
of Stuxnet's computer code...
All 15,000 lines of it
When we looked inside the code,
we saw the name
of a German industrial control
equipment manufacturer
We saw Siemens in there
Siemens makes factory
automation equipment
Also in the code was a reference
to a specific model number
of one of its products,
a mysterious device called a PLC
I didn't even know
what a PLC was
I had to Google for
what is a PLC
That even baseline knowledge,
we just did not have
What they learned is that a PLC
is a programmable
logic controller...
Some kind of computer
used in industry
We basically ordered one
off an auction site
And I was expecting something
the size of a mini refrigerator
to show up,
something you might see
in a university dorm room
But instead, what showed up
was one of these:
a tiny, tiny box that basically
has a mini computer inside
that controls things
like the power grid, pipelines,
factories that are building cars
So PLCs are kind of
the unsung component
that makes the world go round
They are used to make elevators
go up and down
They are used
in chemical plants,
they control the recipe
that gets put into drugs
and chemicals
They control
water distribution plants
They're used in the electrical
grid to control equipment
They're used surprisingly in
NASDAQ, in the trading systems
They're used in traffic lights
They're used to control trains
So you can see that these
components are really crucial
and these systems were never
created with security in mind
So what was Stuxnet
ultimately after?
The answer was discovered
in Hamburg, Germany,
by a security expert
I had let's just say,
20 or 30 "holy cow" moments
What really blew my mind
was to see from day one
how sophisticated the thing was
When he examined the code,
Ralph Langner saw that Stuxnet
was not designed
to tamper with Siemens PLCs
wherever it found them
It was hunting
for specialized equipment
in a specific configuration,
likely targeting
a single factory
I was like, "Holy cow,
this is a targeted attack?"
And certainly we started
to wonder,
"Wow, somebody's writing
the most sophisticated worm
"that we have ever seen
only to hit one target?
That must be quite
a significant target"
But where?
Stuxnet had come
to the attention of the world
when a security expert found it
infecting a client's
malfunctioning computer
located in Iran
He then shared it
with other experts
For Langner,
the apparent epicenter
of that original outbreak
proved a vital clue
In Iran, you don't have
an awful lot
of significant
industrial facilities
Then the number of potential
targets that could be worth
such an effort
shrinks down to just a few
And certainly the one
potential target that popped up
was the Iranian nuclear program
Langner turned his attention
to two known nuclear facilities
in Iran:
a power plant at Bushehr,
and an enrichment plant
at Natanz
Natanz is an underground,
fortified facility,
housing cylindrical centrifuges
used to isolate
a rare form of uranium,
a precursor to fueling
a power plant
or making a nuclear weapon
The machines spin
at very high speed
with little room for error,
and their motors
and safety systems
are under the control of PLCs
Examining photos from Natanz
made public
by Iran's press office,
and comparing the equipment in
them to the computer worm's code
helped confirm
the identity of the target
At the end of 2010,
we were able to show
100% proof
that we had a complete match
from the attack codes
with the configuration of the
enrichment cascades in Natanz
This was conclusive proof
that a computer virus
has been unleashed
against a military target
A true digital weapon
Langner circulated his discovery
among other security experts,
who were stunned
We weren't just protecting
16-digit credit card numbers,
but potentially stumbling into
something that had
geopolitical implications
But they still didn't understand
how the weapon worked
So Eric and Liam set out
to hack their own PLC
So here, I have a PLC, a
programmable logic controller
This model is a Siemens S300,
and that's the exact same model
that was targeted by Stuxnet
Inside the PLC,
there's a small computer,
and it's used for controlling
equipment in the real world
like conveyor belts, motors,
and, in this case,
I have an air pump
Turning the knob
starts a program
that turns on the pump,
waits three seconds
and then turns it off
What Stuxnet did
was it targeted this PLC
And even though you'd download
a program that says
"operate an air pump
for three seconds,"
in the background,
Stuxnet changes that code
It intercepts your request
and it puts malicious code
onto the PLC instead
Liam has infected the laptop
with a Stuxnet-like virus
So now when he loads his program
onto the PLC
the virus steps in
And something goes very wrong
In this case,
we popped a balloon,
but imagine if that was
a gas pipeline or a power plant
That's what's at stake
in cyber-attacks like this
Finally they understood enough
to reconstruct the attack
The Natanz plant was not
connected to the internet...
A security measure
That explained why Stuxnet
was designed to copy itself
via thumb drives, which could be
plugged into a computer
on the internal network by a spy
or an unwitting plant worker
Once on the plant's
internal network of computers,
Stuxnet would search for PLCs
in control of centrifuges
When it found a target,
it would lie in wait for weeks
But then Stuxnet would begin
tampering with the centrifuges,
causing them to gradually
speed up and slow down,
operating out of safe limits
until they broke
It's not clear
how long Stuxnet was active
But according to international
nuclear regulatory authorities,
1,000 centrifuges mysteriously
failed over five months
There's no evidence
the Iranians even knew
that they were under attack
But eventually the worm escaped,
spread using the internet,
and was spotted and decoded
by security experts
Suddenly the stakes in
cyber security had gone way up
I'm looking at a piece of code
that could blow something up
in Iran
It was very, very scary
to realize
that that's the destruction
that's possible now
with this type of software
It was the first
real cyber sabotage threat
that we've ever seen
that affected the real world
But unlike
a traditional weapon...
A missile or a bomb...
it's almost impossible to know
for sure who launched it
But its complexity
was a big clue
It was immediately obvious to us
when we began looking
at this code that this was not
two kids in the basement
in Kansas somewhere
who had written
this particular threat
This was multiple teams
with different expertise
who had come together
to create this one weapon
It was very clear to us
that this was at the level
of a nation state
Someone...
probably a nation-state,
because it's too hard to do
from a garage or a basement...
Just used a weapon
comprised of ones and zeros
during a time of peace
to destroy what another nation
could only describe
as critical infrastructure
Who would have the motivation
to do something
against the Iranian
nuclear program?
Obviously not Venezuela
I also say for somebody
of my background...
Director of CIA...
Crashing 1,000 centrifuges
at Natanz,
almost an absolute good
If you think about
who would have the capabilities
to launch such an attack
of that sophistication,
completely unprecedented,
you would certainly think about
the United States
in the first place
I say with great sincerity
that it would be irresponsible
for someone of my background
to even speculate
who may have done this
In June 2012, the New York Times
reported that Stuxnet
was created jointly by the NSA
and Israeli intelligence
Then, in apparent retaliation,
the Saudi oil company Aramco
was hit with a computer virus
in August 2012
They sent what's called
a wiper virus,
which is actually sort of
a Fisher-Price,
baby's first hack
kind of a cyber-campaign
It's not sophisticated,
it's not elegant
But it was effective,
destroying the data
on 30,000 computers
Then followed a coordinated
attack against American targets
- One by one, American banks...
- Citibank, Bank of America,
J.P. Morgan, SunTrust,
Wells Fargo...
All had their web-facing
customer interface pages
knocked offline
In other words,
if you were a Citibank customer
and you went online
to do some banking,
you couldn't get through
Attack and counterattack
But that's not
the end of the story
In fact, it may be
just the beginning
Stuxnet was the blueprint
that provided proof of concept
that such an attack is possible
It's opened the door
onto a new era of warfare
and I don't think
we fully understand now
what the repercussions of it
will be
This is an incredibly important
event in our history
Theoretically,
this smells like August of 1945
Somebody has used
an entirely new class of weapon
to effect destruction
The U.S. and Soviet Union
took decades to reach agreements
to limit the buildup
of their nuclear arsenals
But with cyber weapons, we
may not have the luxury of time
The capability is spreading and
the number of targets exploding
Stuxnet exposed
the vulnerability
of one kind of embedded computer
in industrial PLCs
But now there are embedded
computers all around us...
From power stations
to pacemakers
Yoshi Kohno
is a security researcher
who has an uncanny ability to
find frightening vulnerabilities
in everyday technology...
Like cars
Modern automobiles have
ten sometimes up to 100
different computers inside them
Essentially,
what we wanted to know,
what might an unauthorized party
be able to do
with an automobile
straight off the lot?
Recently, he and his graduate
students demonstrated
how a hacker could seize control
of a car
The model they chose
had a built-in
emergency communication system
that works like a cell phone
They used that system
to call the car
and remotely force malware
into its embedded computers,
giving them control
over electrical and mechanical
systems like door locks,
and lights
Even the brakes
Okay, Alexei, we've unlocked
the brake controller
and just to verify,
you have your helmet on
and all your safety precautions
in place, right?
That's right, helmet on, gloves
on, strapped in and ready to go
Great, okay, go ahead and go,
and we will apply your brakes
when you get
to the checkered flag area
By sending malicious code
to the car,
they will try
to lock up the brakes
And we'll be applying
your brakes shortly
Right about now
Oh, ooh, yeah, that worked!
Ooh, is he going to go
to the wall?
Are you okay, Alexei?
In some cars, the steering,
air bags and accelerator
are also hackable
And as more cars become
connected to the internet,
the opportunities for attack
will increase
So far, many car-makers
have not made defense
against cyber weapons
a top priority
And the same may be true
for countless other companies,
all racing to connect their
products to what's being called
"the internet of everything"
Tailio turns any litter box
into a smart monitoring system
We have computers
in medical devices
We have computers in automobiles
We have computers in airplanes
and we actually have computers
in our homes
Home automation systems are
becoming increasingly popular
These are systems
that wirelessly link
common appliances
like light switches, furnaces
and door alarms to the internet
for remote control
But Yoshi wonders
if the rush towards convenience
is stampeding over security
You know, there's a lot of drive
towards pushing functionality,
coming out with new technologies
that do, you know,
amazing new and greater things
But not enough people
are stepping back and asking
how might I also abuse it?
And together with some students
that I work with
at the University of Washington,
we wanted to figure out
how secure are these home
automation systems actually
They decide to set up
in a Seattle coffee shop
Got a 16-ounce latte
The kind of place where people
like to hang out
because it offers free Wi-Fi
Alex Takakuwa
has an automation system at home
and plays the innocent victim
Meanwhile, playing the part
of the attackers,
are students Tope Oluwafemi
and Tariq Yusuf
This is an ideal public spot
to demonstrate how an attacker
could gain control
of a complete stranger's home
They've set up a wireless
hotspot that masquerades
as the coffee shop's own Wi-Fi
It's a notorious hacking ploy
and aptly named
It's called an evil twin network
A really evil twin
The victim connects
to the evil twin
and what's called a
man-in-the-middle attack begins
The attackers can now spy on
everything flowing to and from
the victim's laptop
They observe
that Alex is connecting
to a home automation system
They're able to see
his private login information
We're able to get credentials
to access his home automation
system without him knowing
The next phase gives
the location of the house
They insert malicious code
into the home automation system
That code tricks it
into reporting
the victim's GPS coordinates
back to the attackers
every time the victim
logs in on his laptop
It takes a few days,
but eventually they're able
to deduce where the victim lives
We're able to get
his house coordinates,
his GPS coordinates, and paid
him a nice little visit
Even in a simple demonstration
like this,
bad things can happen
With a few key strokes
from their car,
they unlock the doors
and stroll right in
In today's world,
embedded devices tend to be
stripped-down computers
that are meant to do
some set of specific tasks...
Automating things
like locks and lights
Oftentimes,
that means they stripped down
the security as well
In the "internet of everything,"
every new device
connected to the Web
brings both promise and peril
Imagine a world with
50 billion microprocessors
attached to the internet
in just five years
That's 50 billion
vulnerabilities,
50 billion points of entry,
50 billion points of attack
The trick is to find
the right balance
between convenience and security
You can have
a solid concrete structure,
and there's no way to get in,
no way to get out
That's secure,
not necessarily useful
because no one can access it
As you add doors,
as you add windows,
as you add ventilation,
they become multiple points
of entry
and multiple points to monitor
and figure out what's going on
Windows and doors
are easy to lock
Not so for devices
with embedded computers
So let's say that you have
a children's toy
and you suddenly start to add
some computer capabilities to it
or a light switch
and you start adding
computer capabilities to that
And it's the introduction
of computation
and the ability for someone...
If they have the ability to
connect to those computers...
To force those computers
to misbehave
That's kind of the first step
in creating a potential
for an attack scenario
Cyber-attack scenarios
against critical infrastructure
have been a concern for the
Department of Homeland Security
at least since 2007,
when the agency commissioned
an experiment called Aurora
The question experts wanted
to answer was a simple one:
could a purely digital cyber
attack disrupt or disable
a large generator
connected to the power grid?
I was the director of the
control system security program
at the Department
of Homeland Security
And during that time,
I ran the project
that many people are familiar
with called Aurora
A team of electrical engineers
brought a 27-ton, heavy-duty
diesel generator to a specially
built testing facility
at the Idaho National Lab
After connecting the generator
to the power grid,
they challenged a team
of computer security experts
to use computer code
to knock the generator offline
The test was monitored
via closed circuit TV
In the video, you'll see it
running, humming along normally
And then you see the first hit
The first jump
You see the generator shudder
The jump occurred
almost immediately after
the attackers sent
the first packet
of malicious computer code
We wanted to hit it
and then wait and collect data
and see what was happening
and then hit it again,
collect some data and kind of
watch the progression
of the damage to the generator
After the second attack,
the generator lurched again,
belched ominous smoke
and ground to a halt
Not only was it knocked off
the grid,
it was rendered
completely inoperable
What they found when they opened
the generator was just failures
with almost all parts
of the generator,
both mechanical and electrical
So what you're really
talking about is essentially
what you would do
with pieces of dynamite
So this was a tough machine
This was heavy duty
And it was designed to run
in severe conditions
If you were actually
doing that attack,
there's no reason to pause
and wait in between
You simply put your software
on a loop,
and you just keep hitting it
until it breaks
An attack like this could take
less than a minute
But leave consequences
that would last for months
If you damage or destroy these,
you can't just go down to your
neighborhood hardware store
and buy another
It could take you
maybe six to nine months
to get another one of these
And according
to a government study,
a coordinated attack on fewer
than a dozen power stations
could cause a massive outage...
Far more devastating
even than the historic blackout
that hit the Northeast in 2003
The brightness of car headlights
the only visible sight
on 42nd Street tonight
as thousands wait
under a cloud of total darkness
All you would need to do is
take out about nine substations
in an attack that could result
in a blackout
for the majority of the U.S.
that could last weeks or months
depending on
how the attack was designed
And it's not only the power grid
that's at risk
In 2014,
seven years after Aurora,
DHS inexplicably released
an 800-page report
on the Idaho demonstration
Inside were three alarming maps,
perhaps included by mistake
These were never supposed to be
declassified
The maps identify targets
like refineries
and gas and water lines
that could be destroyed
by rapidly disconnecting
and reconnecting them
to the power grid
This is using the electric grid
as a means of attacking
the industries connected
to the electric grid
You now have essentially a hit
list of critical infrastructure
Surprisingly,
our most critical facilities
like this electric power plant
must fend for themselves
when it comes to defending
against cyber attack
Less than a third of electricity
generating facilities
are big enough
to be required to abide
by the strictest
cyber security rules
Yet the threat from cyber
is so worrisome
that few power company
executives are willing
to discuss the problem
on the record
for fear of being targeted
by hackers
I don't know how real
or how probable
a cyber-attack is
But I do know that protecting
against it is prudent
Just because I don't know
how likely something is
I don't know how likely
an earthquake is
I don't know how likely
a tornado is
I want to make it as hard
as possible for someone
to attack our generators
and disrupt our society
There is a fix available
to defend against
an Aurora-style attack
The cost for new equipment
is relatively low,
but not many utilities
have installed it
Security remains alarmingly lax
at many power stations
I was at a conference
and one of the engineers
showed me how he had his iPhone
set up so he could control
multiple power plants
at the same time
I went to look at it and
he said, "Be really careful
If you push that button,
they'll all trip off"
I was speechless
I asked him,
"What do we do about security?"
And he says,
"I make sure no one gets this"
Until recently,
controls at power stations
were mechanical switches
and immune to cyber attack
But now the drive
to put everything online
has created a hole
in our defenses
that no one seems able to plug
I think the public believes
that the U.S. government...
Cyber Command, NSA, FBI,
Homeland Security...
Have the capability to defend
the electric power grid,
pipelines, trains,
banks that could be attacked
by other nations through cyber
The truth is the government
doesn't have the capability,
doesn't have
the legal authority,
and doesn't have a plan to do it
And it's not a question
yet of resources
It's a question of policy
What do you want
these guys to do?
What is it you will tolerate
them doing to defend you
on a network in which
your emails and mine
are skidding about freely?
Policymakers have not given
the NSA and Cyber Command
the mission of securing
the internet,
which may be fine with them
Because these agencies
are deploying ambitious
offensive programs that exploit
common security weaknesses
NSA documents contain references
to programs
with fanciful codenames
Like "TREASUREMAP"
an attempt to identify
and track every device
connected to the Web...
Anywhere, all the time
And "QUANTUMTHEORY,"
a suite of programs that aims
to insert malware implants
into computers and networks
around the world
And Quantum you can think of
as almost this sort of
industrial-scale spread
of computer viruses
It's a system that the NSA
developed that allows it to,
in a very quick and efficient
manner, implant viruses,
what are known as malware
or malicious software
on computers around the world
Think of it sort of
as a big launching platform
for cyber weapons
The ultimate goal
is to establish
hundreds of thousands of
stealthy access points globally
to spy or to deal a devastating
cyber counterstrike
But the emphasis on offense
comes at a price
To ensure they'll always
have a back door
into their target's systems,
the NSA and Cyber Command
keep the computer
vulnerabilities
they exploit secret
But that leaves the same
back doors open everywhere...
Even here at home
undefended against attack
Which raises a question...
What's more important:
a good offense
or a good defense?
Defending ourselves
from internet-originated attacks
is much, much more important
than our ability
to launch attacks
because when it comes to the
internet,
when it comes
to our technical economy,
we have more to lose
than any other nation on earth
So we shouldn't be making
the internet a more hostile,
a more aggressive territory
We should be making it a
more trusted environment,
making it a more
secure environment
The U.S. economy
depends on the internet
Failures to defend it
are already costing us dearly
Every day foreign hackers
make thousands of digital forays
against targets inside the U.S.
Some of these
are like spying on steroids
and can do real
military damage...
Something kept hidden
from the public
A secret document
in the Snowden archive
reveals that the Chinese have
stolen "many terabytes of data"
related to the design
of one of America's
most advanced fighter planes...
The Joint Strike Fighter
And when they investigated this,
they found that hackers
were stealing this information
not from military networks,
but from the companies
that are building these systems
for the military
The extent of damage
was pretty significant
And it's not only
defense contractors
There's a new kind of attack...
A nation-state going after
a purely civilian business...
Using cyber as a weapon
of intimidation and blackmail
In late 2014, Sony Pictures
releases a trailer
for a political comedy
called The Interview.
Three weeks from tonight
I will be traveling to
Pyongyang, North Korea!
Hello, North Korea!
The absurd premise involves
an assassination plot
against Kim Jong Un,
leader of North Korea
You want us to kill
the leader of North Korea?"
Yes
What?
Shortly before the movie's
release... a cyber-attack
The FBI is investigating
that destructive cyber attack
at Sony Pictures
Hackers calling themselves
the "Guardians of Peace"
reveal that they have
broken into
Sony's corporate
computer network
and seem to threaten a 9/11-type
attack on theatergoers
if Sony releases the film
Within weeks, the FBI claimed
to have top-secret intelligence
that pointed to North Korea
as the culprit
There is not much in life
that I have high confidence
about
I have very high confidence
about this attribution
As does the entire
intelligence community
They caused a lot of damage
And we will respond
We will respond proportionally,
and we'll respond
in a place and time
and manner that we choose
The hard part
for the White House
was not attributing
the Sony attack to North Korea
The hard thing
was what do you do about it?
Because if the president
of the United States
is going to come out
and publicly point the finger
at a country for being behind
a cyber-attack,
there are going to have to be
consequences
But calibrating that response
is difficult
The White House has suggested
that one centerpiece of their
response to cyber attacks
would be what they called
naming and shaming
Well, you know,
naming and shaming may work
in a kindergarten class
when somebody steals cookies
that were intended
for another child,
but it's not going to work
with Vladimir Putin,
the supreme leader in Iran,
or the Chinese
Cyber war has plunged the world
into chaotic,
uncharted territory
Today, a single spy
can stealthily steal secrets
in volumes larger
than all the books
in the library of Congress
And nation states
are playing a dangerous game
using cyber weapons
that could trigger a wider war
There have been officials
in the past that have said,
you know, "If you take down
our power grid,
you can expect a missile
down your smokestacks"
I think it's highly likely
that any war that began
as a cyber-war would ultimately
end up being a conventional war,
where the United States
was engaged with bombers
and missiles
The number of nations armed with
cyber weapons is in the dozens,
not to mention terrorists
and criminal hackers
And unless we find a way
to counter these threats,
there is a very real danger
that we will turn
one of our greatest inventions...
The internet...
Into a dangerous battlefield
Investigators eventually
identify poor maintenance
and worn anchor bolts
as the cause
But at first, this scenario...
A machine self-destructing
with lethal consequences...
Led some to wonder if this might
be a new kind of sabotage,
one that targets the computers
in our most critical machines,
sending them out of control
in a cyber-era attack
We're living in an era now
where we have to wonder
whether people can cause damage
with computer code
that before they could
only cause with a bomb
Computer code that could
even be delivered anonymously
over the internet
We think of the Web
as an indispensable tool
that delivers the world
to our doorstep
But it's also a wide-open
conduit for attack
We've learned to live
with cyber crime...
Identity theft,
credit card fraud,
hacking, and stealing
personal information
But now there's a threat
that's much more frightening
and destructive
You can get into a network
which has control
of some physical thing
Think about a pipeline,
for example
You get into that network
which controls the pipeline,
and you can cause
the pipeline to explode
just as though it were
attacked by a kinetic weapon
And traditional kinetic,
physical weapons
may be impotent
against a cyber-attack
Because digital weapons can be
anonymous and instantaneous...
No reports of troop movements
to signal a threat
or air raid sirens
to give warning
Just a sudden,
out-of-the-blue digital takedown
of dams, power plants,
factories,
air traffic control,
the financial system, and more
Instead of bullets and bombs,
you use bits and bytes
We are in a digital arms race
against nations, hackers,
and terrorists
Cyber is the poor man's
atom bomb
Welcome to the frightening
new world of cyber war
In the United States,
the command center
for cyber operations is here,
at the ultra-secret
National Security Agency
in Fort Meade, Maryland
Some joke NSA should stand for
"No Such Agency"
For most of its history,
the NSA was so shrouded
in secrecy,
most Americans
didn't even know it existed
But that all changed in 2013
when whistleblower
Edward Snowden
walked out the door with a huge
cache of top-secret documents
I've been following NSA
for 30 years or so
and every now and then
there's a little leak here,
a little leak there,
but nothing like this
This is extraordinary
Hundreds of thousands of
documents released all at once
Some of them famously revealed
the existence of programs
that empower the NSA
to spy on American citizens
by collecting emails, phone
calls, and other personal data
What we've seen
over the last decade
is we've seen a departure from
sort of the traditional work
of the National Security Agency
They've become
the National Hacking Agency
Other documents reveal
that the agency
is moving into new territory,
developing offensive weapons
to penetrate global networks
in preparation
for launching cyber attacks
That's a far cry
from the original mission
intended by President Truman
in 1952
In those days,
the NSA was all ears
Its listening posts eavesdropped
on foreign radio,
and satellite transmissions
and tapped underwater
telephone cables
Traditional signals intelligence
was fairly passive
It was an antenna
or an alligator clip,
and you had to wait for somebody
to send a message,
and you hope you're fortunate
enough to be
in the right place
at the right time
But then the digital revolution
and the internet
gave the NSA new powers
and a way to hack
into distant computer networks
In the cyber domain,
you didn't have to wait
for them to send a message
You could commute
to their target
You could commute to where
the information was stored
and extract it
from that network,
even if they never intended
to transmit it
Today, the agency appears
to have transformed
from a passive listener
into an active spy
Able to infiltrate, steal,
and, when necessary,
attack in cyberspace
General Michael Hayden
helped shape that transformation
beginning in 1999
when he became director
I get to Fort Meade about
the turn of the millennium,
we're focused on cyber
Cyber is espionage,
but also the potential
of cyber as a weapon,
computer network attack
Then came 9/11,
and President George W Bush
ordered the NSA to begin
planning in earnest
for offensive cyber war
Eventually, to meet that need,
the military created
a new strategic unit,
a partner to the NSA called
Cyber Command
Its mission:
to go beyond espionage
using computers as weapons
Site M is the cover name for
its massive new headquarters
It will eventually cover
more than a million square feet,
enough to add to NSA's
headquarters complex
some 14 new buildings
and thousands
of additional staff
Plus a $1.5 billion data center
in Utah
By 2010, Cyber Command
was ready for action
About the same time
that the world got a glimpse
of the first true cyber weapon,
a surprisingly destructive
computer worm,
a self-replicating program
that came to be called Stuxnet
Stuxnet is what we consider
the first confirmed
digital weapon and the first act
of cyber warfare
Stuxnet first showed up
infecting desktop computers
and laptops in Iran
and the Near East,
but it soon spread further,
using the internet
to copy itself
from system to system
Eventually it ended up
in the crosshairs of Symantec,
maker of anti-virus
security software
There it grabbed the attention
of security experts
Liam O'Murchu and Eric Chien
Right away they saw that Stuxnet
was more complicated
than any other malicious
software, so-called malware
We had never seen a threat
that was so large
and so dense
I mean this threat was maybe
20 times the normal size
of any threat
that we had seen before
Normally, we can analyze malware
in a very short period of time,
from five minutes
maybe up to a week
But with Stuxnet,
we spent six months
With computer users
around the world
sending millions
of suspicious pieces of malware
to Symantec's server farm,
Eric and Liam get to examine
a huge variety
But nearly all of them
have one thing in common:
they're all programs
that try to worm themselves
into an unwitting computer
and hide
Most people don't realize that
when they use their computer
for browsing the web
or checking their email
there is a lot more going on
in the background,
lots of hidden programs
For the most part,
they're never seen
Bringing up a list
of these programs
reveals unfamiliar names
They come and go as needed
and there can be dozens running
at any given time
Some carry out simple tasks
deep in the computer's operating
system, hidden from view
Others are complex and obvious,
the applications we see
running on our screens
They all co-exist,
sharing the computer's memory
and constantly communicating
with each other
like a digital ecosystem
Hackers or attackers
take advantage
of all of these hidden programs
on your computer
by hiding
their malicious software,
otherwise known as malware,
in and amongst them
so that you don't even notice
The first challenge
for an attacker
is to get the malware installed
on the victim's computer
A common ploy is to trick users
into doing it themselves
One way hackers
are able to do this
is by simply sending you
an email
with a legitimate document
inside
Even though the document
doesn't look suspicious,
it actually contains
malicious computer code
Liam plays the part
of the victim
So, first thing in the morning,
I'm going to log into my email
and check if I have anything new
So I have received an email
about open enrollment
for my benefits,
and even though I don't know
who the sender is
I'm going to open this up
Downloading and opening
the booby-trapped document
generates an error message
But what the victim
doesn't realize
is that clicking on it
also invisibly installs malware
onto the computer
Once my victim opens up
that document,
that secret computer code inside
has started to run
on his computer
without him even knowing it
and it's connected back
to my computer
to a program that I'm running
called Nuclear RAT
Stealthy programs like this
allow for a shocking
behind-the-lines invasion
where the attacker can spy
or disrupt at will
I can even take screenshots
of his computer
and watch all of his keystrokes
via something called
a key logger
He's logging in
to his email right now
and I can actually get
his username and his password
Not only that,
but we can also get video
by turning on the webcam
and I can actually see
what my victim looks like,
all without him knowing
Nuclear RAT takes advantage
of a well-known weakness
in computers with the Windows
operating system
And security experts have
devised defenses against it
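Added example, not part of the NOVA program or of Symantec's demonstration: whatever document trick delivers a RAT, the implant still has to "connect back" to the attacker, and that call-home is usually periodic. The script below scans outbound connection records for a host that keeps contacting one destination at a nearly constant interval. The log lines, their format (timestamp, host, destination:port, bytes) and the thresholds are constructed for illustration; a real deployment would read proxy or NetFlow records instead.

```python
"""Added example: flag periodic call-home (beaconing) in outbound connection logs.
The log text, its column layout and the thresholds are assumptions made for
this illustration, not anything from the program or from a real RAT."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: one workstation, a few ordinary HTTPS fetches, and a
# connection to 203.0.113.25:4433 repeating every 60 seconds.
LOG = """\
2015-10-14T09:00:02 lab-pc-7 203.0.113.25:4433 612
2015-10-14T09:00:05 lab-pc-7 198.51.100.10:443 18233
2015-10-14T09:01:02 lab-pc-7 203.0.113.25:4433 598
2015-10-14T09:02:02 lab-pc-7 203.0.113.25:4433 604
2015-10-14T09:02:41 lab-pc-7 198.51.100.77:443 2201
2015-10-14T09:03:02 lab-pc-7 203.0.113.25:4433 611
2015-10-14T09:04:02 lab-pc-7 203.0.113.25:4433 590
2015-10-14T09:04:13 lab-pc-7 198.51.100.10:443 9920
2015-10-14T09:05:02 lab-pc-7 203.0.113.25:4433 607
"""


def parse(log):
    """Yield (timestamp, host, destination, bytes) tuples from the log text."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, host, dst, size = line.split()
        yield datetime.fromisoformat(ts), host, dst, int(size)


def find_beacons(log, min_connections=5, max_jitter_ratio=0.15):
    """Group connections per (host, destination) and flag pairs whose
    inter-arrival times are both frequent and nearly constant.

    The jitter test is the relative standard deviation of the gaps: human
    browsing produces ragged gaps, a timer-driven implant does not."""
    times = defaultdict(list)
    for ts, host, dst, _ in parse(log):
        times[(host, dst)].append(ts)

    beacons = []
    for (host, dst), stamps in times.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter_ratio:
            beacons.append({"host": host, "dst": dst,
                            "interval_s": round(avg, 1), "count": len(stamps)})
    return beacons


if __name__ == "__main__":
    for b in find_beacons(LOG):
        print(f"{b['host']} -> {b['dst']} every ~{b['interval_s']}s ({b['count']} hits)")
```

Real implants add random jitter or sleep for hours, so the ratio and the minimum count have to be tuned per environment; the point of the example is the shape of the check, not the numbers.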
But when Liam and Eric
looked at Stuxnet,
they saw that the program
was taking advantage
of a weakness that no one
had ever seen before
It's what hackers refer to
as a zero-day exploit
A zero-day exploit is
malicious code that is used
against a vulnerability
that is at the time
unknown to the vendor
and unknown
to antivirus companies
Because it's unknown,
the vendor can't patch it
and antivirus companies don't
have signatures to detect it
In other words, it's a flaw
that has been detected
and fixed for "zero days,"
meaning not at all
Stuxnet used a zero-day to take
advantage of a vulnerability
related to USB thumb drives,
also called memory sticks
Plugging in a Stuxnet-infected
thumb drive causes the program
to copy itself
onto the target computer
without the user's knowledge
Zero-days are extremely hard
to find and can command
huge sums on illicit markets
Your average threat doesn't use
any zero-days at all
But Stuxnet represented
a major investment by someone
At the time that Stuxnet
was launched,
zero-days weren't used
that often in attacks
Stuxnet used five zero-days,
and that was really remarkable
And still Stuxnet had an even
bigger surprise in store:
its purpose
What's its payload?
What's its motivation?
What's it actually going to do
when it's on your system?
And it wasn't until November
of 2010 we really uncovered
its primary motivation
The first clue came
from a close examination
of Stuxnet's computer code...
All 15,000 lines of it
When we looked inside the code,
we saw the name
of a German industrial control
equipment manufacturer
We saw Siemens in there
Siemens makes factory
automation equipment
Also in the code was a reference
to a specific model number
of one of its products,
a mysterious device called a PLC
I didn't even know
what a PLC was
I had to Google for
what is a PLC
That even baseline knowledge,
we just did not have
What they learned is that a PLC
is a programmable
logic controller...
Some kind of computer
used in industry
We basically ordered one
off an auction site
And I was expecting something
the size of a mini refrigerator
to show up,
something you might see
in a university dorm room
But instead, what showed up
was one of these:
a tiny, tiny box that basically
has a mini computer inside
that controls things
like the power grid, pipelines,
factories that are building cars
So PLCs are kind of
the unsung component
that makes the world go round
They are used to make elevators
go up and down
They are used
in chemical plants,
they control the recipe
that gets put into drugs
and chemicals
They control
water distribution plants
They're used in the electrical
grid to control equipment
They're used surprisingly in
NASDAQ, in the trading systems
They're used in traffic lights
They're used to control trains
So you can see that these
components are really crucial
and these systems were never
created with security in mind
So what was Stuxnet
ultimately after?
The answer was discovered
in Hamburg, Germany,
by a security expert
I had, let's just say,
20 or 30 "holy cow" moments
What really blew my mind
was to see from day one
how sophisticated the thing was
When he examined the code,
Ralph Langner saw that Stuxnet
was not designed
to tamper with Siemens PLCs
wherever it found them
It was hunting
for specialized equipment
in a specific configuration,
likely targeting
a single factory
I was like, "Holy cow,
this is a targeted attack?"
And certainly we started
to wonder,
"Wow, somebody's writing
the most sophisticated worm
"that we have ever seen
only to hit one target?
That must be quite
a significant target"
But where?
Stuxnet had come
to the attention of the world
when a security expert found it
infecting a client's
malfunctioning computer
located in Iran
He then shared it
with other experts
For Langner,
the apparent epicenter
of that original outbreak
proved a vital clue
In Iran, you don't have
an awful lot
of significant
industrial facilities
Then the number of potential
targets that could be worth
such an effort
shrinks down to just a few
And certainly the one
potential target that popped up
was the Iranian nuclear program
Langner turned his attention
to two known nuclear facilities
in Iran:
a power plant at Bushehr,
and an enrichment plant
at Natanz
Natanz is an underground,
fortified facility,
housing cylindrical centrifuges
used to isolate
a rare form of uranium,
a precursor to fueling
a power plant
or making a nuclear weapon
The machines spin
at very high speed
with little room for error,
and their motors
and safety systems
are under the control of PLCs
Examining photos from Natanz
made public
by Iran's press office,
and comparing the equipment in
them to the computer worm's code
helped confirm
the identity of the target
At the end of 2010,
we were able to show
100% proof
that we had a complete match
from the attack codes
with the configuration of the
enrichment cascades in Natanz
This was conclusive proof
that a computer virus
has been unleashed
against a military target
A true digital weapon
Langner circulated his discovery
among other security experts,
who were stunned
We weren't just protecting
16-digit credit card numbers,
but potentially stumbling into
something that had
geopolitical implications
But they still didn't understand
how the weapon worked
So Eric and Liam set out
to hack their own PLC
So here, I have a PLC, a
programmable logic controller
This model is a Siemens S300,
and that's the exact same model
that was targeted by Stuxnet
Inside the PLC,
there's a small computer,
and it's used for controlling
equipment in the real world
like conveyor belts, motors,
and, in this case,
I have an air pump
Turning the knob
starts a program
that turns on the pump,
waits three seconds
and then turns it off
What Stuxnet did
was it targeted this PLC
And even though you'd download
a program that says
"operate an air pump
for three seconds,"
in the background,
Stuxnet changes that code
It intercepts your request
and it puts malicious code
onto the PLC instead
Liam has infected the laptop
with a Stuxnet-like virus
So now when he loads his program
onto the PLC
the virus steps in
And something goes very wrong
In this case,
we popped a balloon,
but imagine if that was
a gas pipeline or a power plant
That's what's at stake
in cyber-attacks like this
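Added example, not code from the program, from Symantec or from Stuxnet itself: a toy model of the download path in the demonstration above. The engineer's tool sends a three-second pump program; a hooked driver delivers something else to the controller. The instruction format, the hook and the two checks (an out-of-band hash of what the controller actually holds, and a non-programmable run-time limit on the pump) are assumptions constructed for this illustration.

```python
"""Added example: a simplified model of a PLC program download being swapped
by a hooked engineering-workstation driver, plus two independent checks.
The program format, the hook and the limits are assumptions for illustration,
not Stuxnet's real code or any Siemens protocol."""
import hashlib

# Engineer's intended program: energise the pump, wait 3 s, de-energise it.
INTENDED_PROGRAM = [("SET", "pump", 1), ("WAIT", 3), ("SET", "pump", 0)]

# What the hooked driver delivers instead: the pump run far past its rating.
TAMPERED_PROGRAM = [("SET", "pump", 1), ("WAIT", 300), ("SET", "pump", 0)]

MAX_SAFE_RUN_SECONDS = 10  # assumed hard limit of the physical pump


def program_digest(program):
    """Stable SHA-256 of a program as the engineering tool would serialise it."""
    text = "\n".join(" ".join(str(x) for x in step) for step in program)
    return hashlib.sha256(text.encode()).hexdigest()


class PLC:
    """Minimal controller: holds a program and tracks pump run time."""

    def __init__(self):
        self.program = []
        self.pump_seconds = 0.0

    def load(self, program):
        self.program = list(program)

    def run(self):
        """Execute one pass of the program; return total seconds the pump ran."""
        pump_on = False
        self.pump_seconds = 0.0
        for step in self.program:
            if step[0] == "SET" and step[1] == "pump":
                pump_on = bool(step[2])
            elif step[0] == "WAIT" and pump_on:
                self.pump_seconds += step[1]
        return self.pump_seconds


def clean_driver(plc, program):
    """Honest driver: the controller receives what the engineer wrote."""
    plc.load(program)


def hooked_driver(plc, program):
    """Driver with a Stuxnet-style hook: the engineer's request is accepted,
    but a different program is what reaches the controller."""
    plc.load(TAMPERED_PROGRAM)


def tamper_detected(plc, intended):
    """Integrity check over an independent read-back path: hash what the
    controller actually holds and compare with the intended program."""
    return program_digest(plc.program) != program_digest(intended)


def hardware_interlock_tripped(plc):
    """Simulated non-programmable limit (a timer relay on the pump circuit)."""
    return plc.pump_seconds > MAX_SAFE_RUN_SECONDS


def simulate(driver):
    """Download through the given driver, run once, report what each check saw."""
    plc = PLC()
    driver(plc, INTENDED_PROGRAM)
    plc.run()
    return {"pump_seconds": plc.pump_seconds,
            "tamper_detected": tamper_detected(plc, INTENDED_PROGRAM),
            "interlock_tripped": hardware_interlock_tripped(plc)}


if __name__ == "__main__":
    print("clean driver: ", simulate(clean_driver))
    print("hooked driver:", simulate(hooked_driver))
```

The read-back must not go through the same infected workstation: Stuxnet was reported to hide its injected blocks from the very tool it had hooked, so a verification that trusts that tool would show a clean program. That is why the second check lives in hardware the controller cannot reprogram.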
Finally they understood enough
to reconstruct the attack
The Natanz plant was not
connected to the internet...
A security measure
That explained why Stuxnet
was designed to copy itself
via thumb drives, which could be
plugged into a computer
on the internal network by a spy
or an unwitting plant worker
Once on the plant's
internal network of computers,
Stuxnet would search for PLCs
in control of centrifuges
When it found a target,
it would lie in wait for weeks
But then Stuxnet would begin
tampering with the centrifuges,
causing them to gradually
speed up and slow down,
operating out of safe limits
until they broke
It's not clear
how long Stuxnet was active
But according to international
nuclear regulatory authorities,
1,000 centrifuges mysteriously
failed over five months
There's no evidence
the Iranians even knew
that they were under attack
But eventually the worm escaped,
spread using the internet,
and was spotted and decoded
by security experts
Suddenly the stakes in
cyber security had gone way up
I'm looking at a piece of code
that could blow something up
in Iran
It was very, very scary
to realize
that that's the destruction
that's possible now
with this type of software
It was the first
real cyber sabotage threat
that we've ever seen
that affected the real world
But unlike
a traditional weapon...
A missile or a bomb...
it's almost impossible to know
for sure who launched it
But its complexity
was a big clue
It was immediately obvious to us
when we began looking
at this code that this was not
two kids in the basement
in Kansas somewhere
who had written
this particular threat
This was multiple teams
with different expertise
who had come together
to create this one weapon
It was very clear to us
that this was at the level
of a nation state
Someone...
probably a nation-state,
because it's too hard to do
from a garage or a basement...
Just used a weapon
comprised of ones and zeros
during a time of peace
to destroy what another nation
could only describe
as critical infrastructure
Who would have the motivation
to do something
against the Iranian
nuclear program?
Obviously not Venezuela
I also say for somebody
of my background...
Director of CIA...
Crashing 1,000 centrifuges
at Natanz,
almost an absolute good
If you think about
who would have the capabilities
to launch such an attack
of that sophistication,
completely unprecedented,
you would certainly think about
the United States
in the first place
I say with great sincerity
that it would be irresponsible
for someone of my background
to even speculate
who may have done this
In June 2012, the New York Times
reported that Stuxnet
was created jointly by the NSA
and Israeli intelligence
Then, in apparent retaliation,
the Saudi oil company Aramco
was hit with a computer virus
in August 2012
They sent what's called
a wiper virus,
which is actually sort of
a Fisher-Price,
baby's first hack
kind of a cyber-campaign
It's not sophisticated,
it's not elegant
But it was effective,
destroying the data
on 30,000 computers
Then followed a coordinated
attack against American targets
- One by one, American banks...
- Citibank, Bank of America,
J.P. Morgan, SunTrust,
Wells Fargo...
All had their web-facing
customer interface pages
knocked offline
In other words,
if you were a Citibank customer
and you went online
to do some banking,
you couldn't get through
Attack and counterattack
But that's not
the end of the story
In fact, it may be
just the beginning
Stuxnet was the blueprint
that provided proof of concept
that such attack is possible
It's opened the door
onto a new era of warfare
and I don't think
we fully understand now
what the repercussions of it
will be
This is an incredibly important
event in our history
Theoretically,
this smells like August of 1945
Somebody has used
an entirely new class of weapon
to effect destruction
The U.S. and Soviet Union
took decades to reach agreements
to limit the buildup
of their nuclear arsenals
But with cyber weapons, we
may not have the luxury of time
The capability is spreading and
the number of targets exploding
Stuxnet exposed
the vulnerability
of one kind of embedded computer
in industrial PLCs
But now there are embedded
computers all around us...
From power stations
to pacemakers
Yoshi Kohno
is a security researcher
who has an uncanny ability to
find frightening vulnerabilities
in everyday technology...
Like cars
Modern automobiles have
ten, sometimes up to 100,
different computers inside them
Essentially,
what we wanted to know,
what might an unauthorized party
be able to do
with an automobile
straight off the lot?
Recently, he and his graduate
students demonstrated
how a hacker could seize control
of a car
The model they chose
had a built-in
emergency communication system
that works like a cell phone
They used that system
to call the car
and remotely force malware
into its embedded computers,
giving them control
over electrical and mechanical
systems like door locks,
and lights
Even the brakes
Okay, Alexei, we've unlocked
the brake controller
and just to verify,
you have your helmet on
and all your safety precautions
in place, right?
That's right, helmet on, gloves
on, strapped in and ready to go
Great, okay, go ahead and go,
and we will apply your brakes
when you get
to the checkered flag area
By sending malicious code
to the car,
they will try
to lock up the brakes
And we'll be applying
your brakes shortly
Right about now
Oh, ooh, yeah, that worked!
Ooh, is he going to go
to the wall?
Are you okay, Alexei?
In some cars, the steering,
air bags and accelerator
are also hackable
And as more cars become
connected to the internet,
the opportunities for attack
will increase
So far, many car-makers
have not made defense
against cyber weapons
a top priority
And the same may be true
for countless other companies,
all racing to connect their
products to what's being called
"the internet of everything"
Tailio turns any litter box
into a smart monitoring system
We have computers
in medical devices
We have computers in automobiles
We have computers in airplanes
and we actually have computers
in our homes
Home automation systems are
becoming increasingly popular
These are systems
that wirelessly link
common appliances
like light switches, furnaces
and door alarms to the internet
for remote control
But Yoshi wonders
if the rush towards convenience
is stampeding over security
You know, there's a lot of drive
towards pushing functionality,
coming out with new technologies
that do, you know,
amazing new and greater things
But not enough people
are stepping back and asking
how might I also abuse it?
And together with some students
that I work with
at the University of Washington,
we wanted to figure out
how secure are these home
automation systems actually
They decide to set up
in a Seattle coffee shop
Got a 16-ounce latte
The kind of place where people
like to hang out
because it offers free Wi-Fi
Alex Takakuwa
has an automation system at home
and plays the innocent victim
Meanwhile, playing the part
of the attackers,
are students Tope Oluwafemi
and Tariq Yusuf
This is an ideal public spot
to demonstrate how an attacker
could gain control
of a complete stranger's home
They've set up a wireless
hotspot that masquerades
as the coffee shop's own Wi-Fi
It's a notorious hacking ploy
and aptly named
It's called an evil twin network
A really evil twin
The victim connects
to the evil twin
and what's called a
man-in-the-middle attack begins
The attackers can now spy on
everything flowing to and from
the victim's laptop
They observe
that Alex is connecting
to a home automation system
They're able to see
his private login information
We're able to get credentials
to access his home automation
system without him knowing
The next phase gives
the location of the house
They insert malicious code
into the home automation system
That code tricks it
into reporting
the victim's GPS coordinates
back to the attackers
every time the victim
logs in on his laptop
It takes a few days,
but eventually they're able
to deduce where the victim lives
We're able to get
his house coordinates,
his GPS coordinates, and paid
him a nice little visit
Even in a simple demonstration
like this,
bad things can happen
With a few key strokes
from their car,
they unlock the doors
and stroll right in
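Added example, not part of the program or of the University of Washington demonstration: the evil twin works because the victim's laptop picks a network by name. The script below screens Wi-Fi scan results for the two signs the coffee-shop setup would show, a second radio advertising a known name from an unknown BSSID, and a sibling network with the same name but weaker security. The scan records and the known-BSSID list are constructed for illustration; a real tool would fill them from the operating system's scan output.

```python
"""Added example: screen Wi-Fi scan results for evil-twin access points.
The scan records and the known-BSSID table are constructed for this
illustration, not data from the program."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPoint:
    ssid: str
    bssid: str       # radio MAC as carried in the beacon
    channel: int
    security: str    # "open", "wep", "wpa", "wpa2" or "wpa3"
    signal_dbm: int


# Constructed scan: the shop's real AP, a twin with the same name but open
# security, another channel and a stronger signal, and an unrelated network.
SCAN = [
    AccessPoint("CoffeeShop", "a4:2b:8c:11:22:33", 6, "wpa2", -61),
    AccessPoint("CoffeeShop", "de:ad:be:ef:00:01", 11, "open", -40),
    AccessPoint("Neighbor5G", "00:11:22:33:44:55", 36, "wpa2", -75),
]

# BSSIDs recorded on earlier visits (assumed to come from the user's own notes).
KNOWN_BSSIDS = {"CoffeeShop": {"a4:2b:8c:11:22:33"}}

SECURITY_RANK = {"open": 0, "wep": 1, "wpa": 2, "wpa2": 3, "wpa3": 4}


def find_suspects(scan, known=KNOWN_BSSIDS):
    """Return (ssid, bssid, reasons) for every AP that looks like a twin.

    Two rules: an SSID we have a trust anchor for must come from a known BSSID,
    and among APs sharing a name, one offering weaker security than its
    siblings is suspect. A lone unknown network trips neither rule, so
    ordinary multi-AP deployments with one security level are not flagged."""
    by_ssid = defaultdict(list)
    for ap in scan:
        by_ssid[ap.ssid].append(ap)

    suspects = []
    for ssid, aps in by_ssid.items():
        trusted = known.get(ssid, set())
        best_security = max(SECURITY_RANK[a.security] for a in aps)
        for ap in aps:
            reasons = []
            if trusted and ap.bssid not in trusted:
                reasons.append("bssid not in known set")
            if SECURITY_RANK[ap.security] < best_security:
                reasons.append("weaker security than sibling with same ssid")
            if reasons:
                suspects.append((ssid, ap.bssid, reasons))
    return suspects


def is_safe_to_join(ssid, bssid, scan, known=KNOWN_BSSIDS):
    """Policy helper: refuse any AP that a rule flagged."""
    flagged = {(s, b) for s, b, _ in find_suspects(scan, known)}
    return (ssid, bssid) not in flagged


if __name__ == "__main__":
    for ssid, bssid, reasons in find_suspects(SCAN):
        print(f"suspect {ssid} ({bssid}): {'; '.join(reasons)}")
```

An attacker who also clones the real BSSID and security type defeats both rules, which is why the network check is only a first layer: the credentials in the demonstration were readable because the man in the middle could see them, and end-to-end encryption the client verifies (TLS with certificate checking) is what denies that view regardless of which access point carried the packets.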
In today's world,
embedded devices tend to be
stripped-down computers
that are meant to do
some set of specific tasks...
Automating things
like locks and lights
Oftentimes,
that means they stripped down
the security as well
In the "internet of everything,"
every new device
connected to the Web
brings both promise and peril
Imagine a world with
50 billion microprocessors
attached to the internet
in just five years
That's 50 billion
vulnerabilities,
50 billion points of entry,
50 billion points of attack
The trick is to find
the right balance
between convenience and security
You can have
a solid concrete structure,
and there's no way to get in,
no way to get out
That's secure,
not necessarily useful
because no one can access it
As you add doors,
as you add windows,
as you add ventilation,
they become multiple points
of entry
and multiple points to monitor
and figure out what's going on
Windows and doors
are easy to lock
Not so for devices
with embedded computers
So let's say that you have
a children's toy
and you suddenly start to add
some computer capabilities to it
or a light switch
and you start adding
computer capabilities to that
And it's the introduction
of computation
and the ability for someone...
If they have the ability to
connect to those computers...
To force those computers
to misbehave
That's kind of the first step
in creating a potential
for an attack scenario
Cyber-attack scenarios
against critical infrastructure
have been a concern for the
Department of Homeland Security
at least since 2007,
when the agency commissioned
an experiment called Aurora
The question experts wanted
to answer was a simple one:
could a purely digital cyber
attack disrupt or disable
a large generator
connected to the power grid?
I was the director of the
control system security program
at the Department
of Homeland Security
And during that time,
I ran the project
that many people are familiar
with called Aurora
A team of electrical engineers
brought a 27-ton, heavy-duty
diesel generator to a specially
built testing facility
at the Idaho National Lab
After connecting the generator
to the power grid,
they challenged a team
of computer security experts
to use computer code
to knock the generator offline
The test was monitored
via closed circuit TV
In the video, you'll see it
running, humming along normally
And then you see the first hit
The first jump
You see the generator shudder
The jump occurred
almost immediately after
the attackers sent
the first packet
of malicious computer code
We wanted to hit it
and then wait and collect data
and see what was happening
and then hit it again,
collect some data and kind of
watch the progression
of the damage to the generator
After the second attack,
the generator lurched again,
belched ominous smoke
and ground to a halt
Not only was it knocked off
the grid,
it was rendered
completely inoperable
What they found when they opened
the generator was just failures
with almost all parts
of the generator,
both mechanical and electrical
So what you're really
talking about is essentially
what you would do
with pieces of dynamite
So this was a tough machine
This was heavy duty
And it was designed to run
in severe conditions
If you were actually
doing that attack,
there's no reason to pause
and wait in between
You simply put your software
on a loop,
and you just keep hitting it
until it breaks
An attack like this could take
less than a minute
But leave consequences
that would last for months
If you damage or destroy these,
you can't just go down to your
neighborhood hardware store
and buy another
It could take you
maybe six to nine months
to get another one of these
And according
to a government study,
a coordinated attack on fewer
than a dozen power stations
could cause a massive outage...
Far more devastating
even than the historic blackout
that hit the Northeast in 2003
The brightness of car headlights
the only visible sight
on 42nd Street tonight
as thousands wait
under a cloud of total darkness
All you would need to do is
take out about nine substations
in an attack that could result
in a blackout
for the majority of the U.S.
that could last weeks or months
depending on
how the attack was designed
And it's not only the power grid
that's at risk
In 2014,
seven years after Aurora,
DHS inexplicably released
an 800-page report
on the Idaho demonstration
Inside were three alarming maps,
perhaps included by mistake
These were never supposed to be
declassified
The maps identify targets
like refineries
and gas and water lines
that could be destroyed
by rapidly disconnecting
and reconnecting them
to the power grid
This is using the electric grid
as a means of attacking
the industries connected
to the electric grid
You now have essentially a hit
list of critical infrastructure
Surprisingly,
our most critical facilities
like this electric power plant
must fend for themselves
when it comes to defending
against cyber attack
Less than a third of electricity
generating facilities
are big enough
to be required to abide
by the strictest
cyber security rules
Yet the threat from cyber
is so worrisome
that few power company
executives are willing
to discuss the problem
on the record
for fear of being targeted
by hackers
I don't know how real
or how probable
a cyber-attack is
But I do know that protecting
against it is prudent
Just because I don't know
how likely something is
I don't know how likely
an earthquake is
I don't know how likely
a tornado is
I want to make it as hard
as possible for someone
to attack our generators
and disrupt our society
There is a fix available
to defend against
an Aurora-style attack
The cost for new equipment
is relatively low,
but not many utilities
have installed it
Security remains alarmingly lax
at many power stations
I was at a conference
and one of the engineers
showed me how he had his iPhone
set up so he could control
multiple power plants
at the same time
I went to look at it and
he said, "Be really careful
If you push that button,
they'll all trip off"
I was speechless
I asked him,
"What do we do about security?"
And he says,
"I make sure no one gets this"
Until recently,
controls at power stations
were mechanical switches
and immune to cyber attack
But now the drive
to put everything online
has created a hole
in our defenses
that no one seems able to plug
I think the public believes
that the U.S. government...
Cyber Command, NSA, FBI,
Homeland Security...
Have the capability to defend
the electric power grid,
pipelines, trains,
banks that could be attacked
by other nations through cyber
The truth is the government
doesn't have the capability,
doesn't have
the legal authority,
and doesn't have a plan to do it
And it's not a question
yet of resources
It's a question of policy
What do you want
these guys to do?
What is it you will tolerate
them doing to defend you
on a network in which
your emails and mine
are skidding about freely?
Policymakers have not given
the NSA and Cyber Command
the mission of securing
the internet,
which may be fine with them
Because these agencies
are deploying ambitious
offensive programs that exploit
common security weaknesses
NSA documents contain references
to programs
with fanciful codenames
Like "TREASUREMAP"
an attempt to identify
and track every device
connected to the Web...
Anywhere, all the time
And "QUANTUMTHEORY,"
a suite of programs that aims
to insert malware implants
into computers and networks
around the world
And Quantum you can think of
as almost this sort of
industrial-scale spread
of computer viruses
It's a system that the NSA
developed that allows it to,
in a very quick and efficient
manner, implant viruses,
what are known as malware
or malicious software
on computers around the world
Think of it sort of
as a big launching platform
for cyber weapons
The ultimate goal
is to establish
hundreds of thousands of
stealthy access points globally
to spy or to deal a devastating
cyber counterstrike
But the emphasis on offense
comes at a price
To ensure they'll always
have a back door
into their target's systems,
the NSA and Cyber Command
keep the computer
vulnerabilities
they exploit secret
But that leaves the same
back doors open everywhere...
Even here at home
undefended against attack
Which raises a question...
What's more important:
a good offense
or a good defense?
Defending ourselves
from internet-originated attacks
is much, much more important
than our ability
to launch attacks
because when it comes to the
internet,
when it comes
to our technical economy,
we have more to lose
than any other nation on earth
So we shouldn't be making
the internet a more hostile,
a more aggressive territory
We should be making it a
more trusted environment,
making it a more
secure environment
The U.S. economy
depends on the internet
Failures to defend it
are already costing us dearly
Every day foreign hackers
make thousands of digital forays
against targets inside the U.S.
Some of these
are like spying on steroids
and can do real
military damage...
Something kept hidden
from the public
A secret document
in the Snowden archive
reveals that the Chinese have
stolen "many terabytes of data"
related to the design
of one of America's
most advanced fighter planes...
The Joint Strike Fighter
And when they investigated this,
they found that hackers
were stealing this information
not from military networks,
but from the companies
that are building these systems
for the military
The extent of damage
was pretty significant
And it's not only
defense contractors
There's a new kind of attack...
A nation-state going after
a purely civilian business...
Using cyber as a weapon
of intimidation and blackmail
In late 2014, Sony Pictures
releases a trailer
for a political comedy
called The Interview.
Three weeks from tonight
I will be traveling to
Pyongyang, North Korea!
Hello, North Korea!
The absurd premise involves
an assassination plot
against Kim Jong Un,
leader of North Korea
"You want us to kill
the leader of North Korea?"
Yes
What?
Shortly before the movie's
release... a cyber-attack
The FBI is investigating
that destructive cyber attack
at Sony Pictures
Hackers calling themselves
the "Guardians of Peace"
reveal that they have
broken into
Sony's corporate
computer network
and seem to threaten a 9/11 type
attack on theatergoers
if Sony releases the film
Within weeks, the FBI claimed
to have top-secret intelligence
that pointed to North Korea
as the culprit
There is not much in life
that I have high confidence
about
I have very high confidence
about this attribution
As does the entire
intelligence community
They caused a lot of damage
And we will respond
We will respond proportionally,
and we'll respond
in a place and time
and manner that we choose
The hard part
for the White House
was not attributing
the Sony attack to North Korea
The hard thing
was what do you do about it?
Because if the president
of the United States
is going to come out
and publicly point the finger
at a country for being behind
a cyber-attack,
there are going to have to be
consequences
But calibrating that response
is difficult
The White House has suggested
that one centerpiece of their
response to cyber attacks
would be what they called
naming and shaming
Well, you know,
naming and shaming may work
in a kindergarten class
when somebody steals cookies
that were intended
for another child,
but it's not going to work
with Vladimir Putin,
the supreme leader in Iran,
or the Chinese
Cyber war has plunged the world
into chaotic,
uncharted territory
Today, a single spy
can stealthily steal secrets
in volumes larger
than all the books
in the Library of Congress
And nation states
are playing a dangerous game
using cyber weapons
that could trigger a wider war
There have been officials
in the past that have said,
you know, "If you take down
our power grid,
you can expect a missile
down your smokestacks"
I think it's highly likely
that any war that began
as a cyber-war would ultimately
end up being a conventional war,
where the United States
was engaged with bombers
and missiles
The number of nations armed with
cyber weapons is in the dozens,
not to mention terrorists
and criminal hackers
And unless we find a way
to counter these threats,
there is a very real danger
that we will turn
one of our greatest inventions...
The internet...
Into a dangerous battlefield