0 00:00:11,000 --> 00:00:20,000 1 00:00:46,912 --> 00:00:49,013 Through the darkness 2 00:00:49,015 --> 00:00:53,250 of the pathways that we marched, 3 00:00:54,319 --> 00:00:57,354 evil and good lived side by side. 4 00:00:57,356 --> 00:01:00,424 And this is the nature of... of life. 5 00:01:16,541 --> 00:01:18,842 We are in an unbalanced 6 00:01:18,844 --> 00:01:23,047 and inequivalent confrontation between democracies 7 00:01:23,049 --> 00:01:25,416 who are obliged to play by the rules 8 00:01:26,051 --> 00:01:29,486 and entities who think democracy is a joke. 9 00:01:31,590 --> 00:01:33,958 You can't convince fanatics 10 00:01:33,960 --> 00:01:38,562 by saying, "hey, hatred paralyzes you, 11 00:01:38,564 --> 00:01:40,164 love releases you." 12 00:01:41,266 --> 00:01:45,536 There are different rules that we have to play by. 13 00:02:01,119 --> 00:02:03,787 Female newsreader: Today, two of Iran's top nuclear scientists 14 00:02:03,789 --> 00:02:05,756 were targeted by hit squads. 15 00:02:05,758 --> 00:02:07,791 Female newsreader 2: ...In the capital Tehran. 16 00:02:07,793 --> 00:02:09,426 Male newsreader: ...The latest in a string of attacks. 17 00:02:09,428 --> 00:02:11,662 Female newsreader 3: Today's attack has all the hallmarks 18 00:02:11,664 --> 00:02:13,831 of major strategic sabotage. 19 00:02:13,833 --> 00:02:14,932 Female newsreader 4: Iran immediately accused 20 00:02:14,934 --> 00:02:16,166 the U.S. and Israel 21 00:02:16,168 --> 00:02:18,035 of trying to damage its nuclear program. 22 00:02:18,336 --> 00:02:19,700 Mahmoud Ahmadinejad: 23 00:02:19,700 --> 00:02:20,889 Unfortunately, and without any doubt, 24 00:02:21,140 --> 00:02:23,600 in the assassinations which took place today 25 00:02:23,934 --> 00:02:27,774 Western countries and the Zionist regime were involved. 26 00:02:28,080 --> 00:02:33,817 I want to categorically deny any United States involvement 27 00:02:33,819 --> 00:02:38,756 in any kind of act of violence inside Iran. 
28 00:02:38,758 --> 00:02:41,925 Covert actions can help, 29 00:02:41,927 --> 00:02:43,927 can assist. 30 00:02:45,196 --> 00:02:48,098 They are needed, they are not all the time essential, 31 00:02:48,333 --> 00:02:52,770 and they, in no way, can replace political wisdom. 32 00:02:53,138 --> 00:02:55,372 Alex Gibney: Were the assassinations in Iran 33 00:02:55,374 --> 00:02:57,775 related to the STUXnet computer attacks? 34 00:02:58,943 --> 00:03:00,778 Uh, next question, please. 35 00:03:02,380 --> 00:03:03,947 Male newsreader: Iran's infrastructure 36 00:03:03,949 --> 00:03:05,049 is being targeted 37 00:03:05,051 --> 00:03:08,218 by a new and dangerously powerful cyber worm. 38 00:03:08,220 --> 00:03:10,854 The so-called STUXnet worm is specifically designed, 39 00:03:10,856 --> 00:03:13,190 it seems, to infiltrate and sabotage 40 00:03:13,192 --> 00:03:16,326 real-world power plants and factories and refineries. 41 00:03:16,328 --> 00:03:17,728 Male newsreader 2: It's not trying to steal information 42 00:03:17,730 --> 00:03:18,896 or grab your credit card, 43 00:03:18,898 --> 00:03:21,699 they're trying to get into some sort of industrial plant 44 00:03:21,701 --> 00:03:24,085 and wreak havoc trying to blow up an engine or... 45 00:03:24,085 --> 00:03:25,376 The Stuxnet virus has made attacks worldwide. 46 00:03:25,376 --> 00:03:26,788 Male newsreader 3: 47 00:03:26,788 --> 00:03:31,585 In Iran alone it was identified 30 thousand times. 48 00:03:32,336 --> 00:03:37,336 A super computer virus has put on alert several countries' secret services. 49 00:03:37,591 --> 00:03:40,551 The information could be in the reach of terrorists. 
50 00:03:40,552 --> 00:03:41,652 Male newsreader 4: No one knows 51 00:03:41,654 --> 00:03:42,820 who's behind the worm 52 00:03:42,822 --> 00:03:44,488 and the exact nature of its mission, 53 00:03:44,490 --> 00:03:47,357 but there are fears Iran will hold Israel 54 00:03:47,359 --> 00:03:50,728 or America responsible and seek retaliation. 55 00:03:50,730 --> 00:03:51,829 Male newsreader 5: It's not impossible that 56 00:03:51,831 --> 00:03:53,163 some group of hackers did it, 57 00:03:53,165 --> 00:03:55,232 but the security experts that are studying this 58 00:03:55,234 --> 00:03:58,001 really think this required the resource of a nation-state. 59 00:04:03,942 --> 00:04:05,876 Man: Okay, and spinning. 60 00:04:05,878 --> 00:04:07,344 Gibney: Okay, good. Here we go. 61 00:04:08,580 --> 00:04:11,882 What impact, ultimately, did the STUXnet attack have? 62 00:04:11,884 --> 00:04:13,150 Can you say? 63 00:04:13,952 --> 00:04:16,120 I don't want to get into the details. 64 00:04:16,354 --> 00:04:18,856 Gibney: Since the event has already happened, 65 00:04:18,858 --> 00:04:22,559 why can't we talk more openly and publicly about STUXnet? 66 00:04:22,561 --> 00:04:25,462 Yeah, I mean, my answer is because it's classified. 67 00:04:25,930 --> 00:04:29,032 I... I won't knowledge... you know, knowingly 68 00:04:29,034 --> 00:04:31,135 offer up anything I consider classified. 69 00:04:31,137 --> 00:04:33,370 Gibney: I know that you can't talk much about STUXnet, 70 00:04:33,372 --> 00:04:36,774 because STUXnet is officially classified. 71 00:04:36,776 --> 00:04:38,142 You're right on both those counts. 72 00:04:38,610 --> 00:04:39,943 Gibney: But there has been 73 00:04:39,945 --> 00:04:42,045 a lot reported about it in the press. 74 00:04:42,047 --> 00:04:44,281 I don't want to comment on this. 75 00:04:44,283 --> 00:04:48,552 I read it in the newspaper, the media, like you, 76 00:04:48,554 --> 00:04:51,555 but I'm unable to elaborate upon it. 
77 00:04:51,790 --> 00:04:53,957 People might find it frustrating 78 00:04:53,959 --> 00:04:56,493 not to be able to talk about it when it's in the public domain, 79 00:04:56,495 --> 00:04:57,895 but... 80 00:04:57,897 --> 00:04:59,396 Gibney: I find it frustrating. 81 00:04:59,398 --> 00:05:00,898 Yeah, I'm sure you do. 82 00:05:00,900 --> 00:05:02,466 I don't answer that question. 83 00:05:02,468 --> 00:05:03,834 Unfortunately, I can't comment. 84 00:05:03,836 --> 00:05:05,469 I do not know how to answer that. 85 00:05:05,471 --> 00:05:07,638 Two answers before you even get started, I don't know, 86 00:05:07,640 --> 00:05:10,440 and if I did, we wouldn't talk about it anyway. 87 00:05:10,442 --> 00:05:12,276 Gibney: How can you have a debate if everything's secret? 88 00:05:12,278 --> 00:05:14,311 I think right now that's just where we are. 89 00:05:14,612 --> 00:05:16,079 No one wants to... 90 00:05:16,081 --> 00:05:18,482 Countries aren't happy about confessing 91 00:05:18,484 --> 00:05:21,285 or owning up to what they did because they're not quite sure 92 00:05:21,287 --> 00:05:23,153 where they want the system to go. 93 00:05:23,788 --> 00:05:25,756 And so whoever was behind STUXnet 94 00:05:25,758 --> 00:05:27,257 hasn't admitted they were behind it. 95 00:05:31,095 --> 00:05:32,963 Gibney: Asking officials about STUXnet 96 00:05:32,965 --> 00:05:34,498 was frustrating and surreal, 97 00:05:34,799 --> 00:05:37,334 like asking the emperor about his new clothes. 98 00:05:38,036 --> 00:05:41,138 Even after the cyber weapon had penetrated computers 99 00:05:41,140 --> 00:05:42,539 all over the world, 100 00:05:42,807 --> 00:05:45,108 no one was willing to admit it was loose 101 00:05:45,110 --> 00:05:47,511 or talk about the dangers it posed. 102 00:05:48,379 --> 00:05:50,647 What was it about the STUXnet operation 103 00:05:50,649 --> 00:05:52,449 that was hiding in plain sight? 
104 00:05:53,885 --> 00:05:55,652 Maybe there was a way the computer code 105 00:05:55,654 --> 00:05:57,287 could speak for itself. 106 00:05:58,056 --> 00:06:00,424 STUXnet first surfaced in Belarus. 107 00:06:00,992 --> 00:06:03,360 I started with a call to the man who discovered it 108 00:06:03,362 --> 00:06:06,363 when his clients in Iran began to panic 109 00:06:06,365 --> 00:06:09,032 over an epidemic of computer shutdowns. 110 00:06:09,834 --> 00:06:13,070 Had you ever seen anything quite so sophisticated before? 111 00:06:13,664 --> 00:06:17,424 I have seen very sophisticated viruses before, 112 00:06:17,668 --> 00:06:21,548 but they didn't have... 113 00:06:24,008 --> 00:06:25,378 this kind of... 114 00:06:26,969 --> 00:06:27,719 zero day. 115 00:06:29,054 --> 00:06:32,524 It was the first time in my practice. 116 00:06:33,350 --> 00:06:36,440 That led me to understand 117 00:06:37,813 --> 00:06:44,783 that I should notify web security companies ASAP 118 00:06:46,530 --> 00:06:51,030 about the fact that such a danger exists. 119 00:07:36,487 --> 00:07:38,322 Eric Chien: On a daily basis, basically 120 00:07:38,324 --> 00:07:40,390 we are sifting through 121 00:07:40,392 --> 00:07:43,894 a massive haystack looking for that proverbial needle. 122 00:07:44,762 --> 00:07:47,731 We get millions of pieces of new malicious threats 123 00:07:47,733 --> 00:07:49,599 and there are millions of attacks going on 124 00:07:49,601 --> 00:07:50,801 every single day. 125 00:07:50,969 --> 00:07:53,403 And only way are trying to protect people 126 00:07:53,405 --> 00:07:55,005 and their computers and... and their systems 127 00:07:55,007 --> 00:07:57,674 and countries' infrastructure 128 00:07:57,676 --> 00:07:59,776 from being taken down by those attacks. 129 00:07:59,778 --> 00:08:03,113 But more importantly, we have to find the attacks that matter. 
130 00:08:03,115 --> 00:08:04,848 When you're talking about that many, 131 00:08:05,149 --> 00:08:07,417 impact is extremely important. 132 00:08:19,797 --> 00:08:21,498 Eugene Kaspersky: Twenty years ago, the antivirus companies, 133 00:08:21,500 --> 00:08:23,200 they were hunting for computer viruses 134 00:08:23,202 --> 00:08:24,468 because there were not so many. 135 00:08:24,470 --> 00:08:27,771 So we had, like, tens of dozens a month, 136 00:08:27,972 --> 00:08:30,540 and there was just little numbers. 137 00:08:30,542 --> 00:08:34,745 Now, we collect millions of unique attacks every month. 138 00:08:36,114 --> 00:08:38,548 Vitaly Kamluk: This room we call a woodpecker's room 139 00:08:38,550 --> 00:08:39,883 or a virus lab, 140 00:08:40,118 --> 00:08:42,052 and this is where virus analysts sit. 141 00:08:42,054 --> 00:08:44,021 We call them woodpeckers because they are 142 00:08:44,023 --> 00:08:46,523 pecking the worms, network worms, and viruses. 143 00:08:47,392 --> 00:08:50,627 And we see, like, three different groups of hackers 144 00:08:50,629 --> 00:08:52,195 behind cyber-attacks. 145 00:08:52,964 --> 00:08:54,731 They are traditional cyber criminals. 146 00:08:54,899 --> 00:08:58,735 Those guys are interested only in illegal profit. 147 00:08:58,737 --> 00:09:00,137 And quick and dirty money. 148 00:09:00,139 --> 00:09:02,305 Activists, or hacktivists, 149 00:09:02,307 --> 00:09:04,674 they are hacking for fun or hacking to push 150 00:09:04,676 --> 00:09:05,942 some political message. 151 00:09:06,177 --> 00:09:08,545 And the third group is nation-states. 152 00:09:08,746 --> 00:09:11,648 They're interested in high-quality intelligence 153 00:09:11,650 --> 00:09:13,083 or sabotage activity. 154 00:09:14,352 --> 00:09:16,853 Chien: Security companies not only share information 155 00:09:16,855 --> 00:09:18,588 but we also share binary samples. 
156 00:09:18,590 --> 00:09:20,190 So when this threat was found 157 00:09:20,192 --> 00:09:22,025 by a Belarusian security company 158 00:09:22,027 --> 00:09:24,361 on one of their customer's machines in Iran, 159 00:09:24,363 --> 00:09:26,963 the sample was shared amongst the security community. 160 00:09:27,865 --> 00:09:29,433 When we try to name threats, we just try to pick 161 00:09:29,435 --> 00:09:31,501 some sort of string, some sort of words, 162 00:09:31,503 --> 00:09:34,071 that are inside of the binary. 163 00:09:35,239 --> 00:09:37,607 In this case, there was a couple of words in there 164 00:09:37,609 --> 00:09:40,577 and we took pieces of each, and that formed STUXnet. 165 00:09:43,047 --> 00:09:46,249 I got the news about STUXnet from one of my engineers. 166 00:09:46,251 --> 00:09:48,952 He came to my office, opened the door, 167 00:09:49,520 --> 00:09:52,522 and he said, "so, Eugene, of course you know that 168 00:09:52,524 --> 00:09:55,125 we are waiting for something really bad. 169 00:09:55,426 --> 00:09:56,593 It happened." 170 00:10:03,301 --> 00:10:05,469 Gibney: Give me some sense of what it was like 171 00:10:05,471 --> 00:10:06,870 in the lab at that time. 172 00:10:06,872 --> 00:10:08,472 Was there a palpable sense of amazement 173 00:10:08,474 --> 00:10:10,474 that you had something really different there? 174 00:10:10,775 --> 00:10:12,776 Well, I wouldn't call it amazement. 175 00:10:12,778 --> 00:10:14,845 It was a kind of a shock. 176 00:10:15,246 --> 00:10:18,381 It went beyond our worst fears, our worst nightmares, 177 00:10:18,749 --> 00:10:21,751 and this continued the more we analyzed. 178 00:10:21,753 --> 00:10:23,720 The more we researched, 179 00:10:23,722 --> 00:10:26,723 the more bizarre the whole story got. 
180 00:10:27,058 --> 00:10:28,725 We look at so much malware every day that 181 00:10:28,727 --> 00:10:30,660 we can just look at the code and straightaway we can say, 182 00:10:30,662 --> 00:10:32,262 "okay, there's something bad going on here, 183 00:10:32,264 --> 00:10:33,730 and I need to investigate that." 184 00:10:33,732 --> 00:10:34,798 And that's the way it was 185 00:10:34,999 --> 00:10:36,933 when we looked at STUXnet for the first time. 186 00:10:36,935 --> 00:10:39,436 We opened it up and there was just bad things everywhere. 187 00:10:39,438 --> 00:10:41,905 Just like, okay, this is bad and that's bad, 188 00:10:41,907 --> 00:10:43,440 and, you know, we need to investigate this. 189 00:10:43,442 --> 00:10:44,908 And just suddenly we had, like, 190 00:10:44,910 --> 00:10:46,376 a hundred questions straightaway. 191 00:10:48,412 --> 00:10:50,847 The most interesting thing that we do is detective work 192 00:10:50,849 --> 00:10:53,517 where we try to track down who's behind a threat, 193 00:10:53,519 --> 00:10:55,085 what are they doing, what's their motivation, 194 00:10:55,087 --> 00:10:56,820 and try to really stop it at the root. 195 00:10:56,822 --> 00:10:59,189 And it is kind of all-consuming. 196 00:10:59,191 --> 00:11:00,824 You get this new puzzle 197 00:11:00,826 --> 00:11:02,526 and it's very difficult to put it down, 198 00:11:02,528 --> 00:11:04,961 you know, work until, like, 4:00 am in the morning 199 00:11:04,963 --> 00:11:06,163 and figure these things out. 200 00:11:06,165 --> 00:11:08,965 And I was in that zone where I was very consumed by this, 201 00:11:08,967 --> 00:11:11,101 very excited about it, very interested to know 202 00:11:11,103 --> 00:11:12,369 what was happening. 203 00:11:12,371 --> 00:11:15,505 And Eric was also in that same sort of zone. 204 00:11:15,507 --> 00:11:18,208 So the two of us were, like, back and forth all the time. 
205 00:11:18,210 --> 00:11:20,944 Chien: Liam and I continued to grind at the code, 206 00:11:20,946 --> 00:11:23,046 sharing pieces, comparing notes, 207 00:11:23,048 --> 00:11:24,881 bouncing ideas off of each other. 208 00:11:25,316 --> 00:11:26,783 We realized that we needed to do 209 00:11:26,785 --> 00:11:29,853 what we called deep analysis, pick apart the threat, 210 00:11:29,855 --> 00:11:32,689 every single byte, every single zero, one, 211 00:11:32,691 --> 00:11:34,791 and understand everything that was inside of it. 212 00:11:35,326 --> 00:11:37,127 And just to give you some context, 213 00:11:37,129 --> 00:11:39,162 we can go through and understand every line of code 214 00:11:39,164 --> 00:11:40,964 for the average threat in minutes. 215 00:11:41,566 --> 00:11:43,366 And here we are one month into this threat 216 00:11:43,368 --> 00:11:45,302 and we were just starting to discover what we call 217 00:11:45,304 --> 00:11:47,204 the payload or its whole purpose. 218 00:11:49,540 --> 00:11:51,074 When looking at the STUXnet code, 219 00:11:51,076 --> 00:11:53,643 it's 20 times the size of the average piece of code 220 00:11:54,145 --> 00:11:56,379 but contains almost no bugs inside of it. 221 00:11:56,381 --> 00:11:58,248 And that's extremely rare. 222 00:11:58,250 --> 00:12:00,150 Malicious code always has bugs inside of it. 223 00:12:00,152 --> 00:12:01,918 This wasn't the case with STUXnet. 224 00:12:01,920 --> 00:12:04,754 It's dense and every piece of code does something 225 00:12:04,756 --> 00:12:07,591 and does something right in order to conduct its attack. 226 00:12:08,826 --> 00:12:10,894 One of the things that surprised us 227 00:12:10,896 --> 00:12:13,263 was that STUXnet utilized what's called 228 00:12:13,265 --> 00:12:15,832 a zero-day exploit, or basically, 229 00:12:15,834 --> 00:12:18,168 a piece of code that allows it to spread 230 00:12:18,170 --> 00:12:20,003 without you having to do anything. 
231 00:12:20,005 --> 00:12:22,739 You don't have to, for example, download a file and run it. 232 00:12:22,741 --> 00:12:24,941 A zero-day exploit is an exploit that 233 00:12:24,943 --> 00:12:26,610 nobody knows about except the attacker. 234 00:12:26,612 --> 00:12:28,178 So there's no protection against it. 235 00:12:28,180 --> 00:12:29,613 There's been no patch released. 236 00:12:29,615 --> 00:12:31,915 There's been zero days protection, 237 00:12:31,917 --> 00:12:33,516 you know, against it. 238 00:12:34,385 --> 00:12:35,785 That's what attackers value, 239 00:12:35,787 --> 00:12:37,587 because they know 100 percent 240 00:12:37,589 --> 00:12:39,923 if they have this zero-day exploit, 241 00:12:39,925 --> 00:12:41,625 they can get in wherever they want. 242 00:12:41,627 --> 00:12:43,126 They're actually very valuable. 243 00:12:43,128 --> 00:12:44,527 You can sell these on the underground 244 00:12:44,529 --> 00:12:46,049 for hundreds of thousands of dollars. 245 00:12:47,398 --> 00:12:48,465 Chien: Then we became more worried 246 00:12:48,467 --> 00:12:50,533 because immediately we discovered more zero days. 247 00:12:50,535 --> 00:12:53,270 And again, these zero days are extremely rare. 248 00:12:53,272 --> 00:12:55,572 Inside STUXnet we had, you know, four zero days, 249 00:12:55,574 --> 00:12:57,307 and for the entire rest of the year, 250 00:12:57,309 --> 00:12:59,876 we only saw 12 zero days used. 251 00:12:59,878 --> 00:13:01,544 It blows all... everything else out of the water. 252 00:13:01,546 --> 00:13:02,779 We've never seen this before. 253 00:13:02,781 --> 00:13:04,541 Actually, we've never seen it since, either. 
254 00:13:04,615 --> 00:13:07,217 Seeing one in a malware you could understand 255 00:13:07,219 --> 00:13:10,120 because, you know, the malware authors are making money, 256 00:13:10,122 --> 00:13:11,721 they're stealing people's credit cards and making money, 257 00:13:11,723 --> 00:13:12,889 so it's worth their while to use it, 258 00:13:12,891 --> 00:13:15,258 but seeing four zero days, could be worth 259 00:13:15,260 --> 00:13:16,459 half a million dollars right there, 260 00:13:16,461 --> 00:13:18,228 used in one piece of malware, 261 00:13:18,496 --> 00:13:20,897 this is not your ordinary criminal gangs doing this. 262 00:13:20,899 --> 00:13:22,499 This is... this is someone bigger. 263 00:13:22,501 --> 00:13:24,401 It's definitely not traditional crime, 264 00:13:24,403 --> 00:13:27,904 not hacktivists. Who else? 265 00:13:28,773 --> 00:13:31,007 It was evident on a very early stage 266 00:13:31,509 --> 00:13:33,743 that just given the sophistication 267 00:13:33,745 --> 00:13:35,245 of this malware... 268 00:13:36,480 --> 00:13:39,282 Suggested that there must have been 269 00:13:39,284 --> 00:13:40,750 a nation-state involved, 270 00:13:40,752 --> 00:13:43,987 at least one nation-state involved in the development. 271 00:13:43,989 --> 00:13:46,022 When we look at code that's coming from 272 00:13:46,024 --> 00:13:47,590 what appears to be a state attacker 273 00:13:47,592 --> 00:13:50,193 or state-sponsored attacker, usually they're scrubbed clean. 274 00:13:50,195 --> 00:13:52,629 They don't... they don't leave little bits behind. 275 00:13:52,631 --> 00:13:54,364 They don't leave little hints behind. 276 00:13:54,632 --> 00:13:56,299 But in STUXnet there were actually 277 00:13:56,301 --> 00:13:57,667 a few hints left behind. 
278 00:13:58,936 --> 00:14:02,205 One was that, in order to get low-level access 279 00:14:02,207 --> 00:14:03,673 to Microsoft Windows, 280 00:14:03,874 --> 00:14:05,674 STUXnet needed to use a digital certificate, 281 00:14:05,976 --> 00:14:08,378 which certifies that this piece of code 282 00:14:08,380 --> 00:14:11,247 came from a particular company. 283 00:14:12,149 --> 00:14:14,217 Now, those attackers obviously couldn't go to Microsoft 284 00:14:14,219 --> 00:14:15,685 and say, "hey, test our code out for us. 285 00:14:15,687 --> 00:14:17,287 And give us a digital certificate." 286 00:14:17,988 --> 00:14:19,589 So they essentially stole them... 287 00:14:20,825 --> 00:14:22,892 From two companies in Taiwan. 288 00:14:22,894 --> 00:14:24,794 And these two companies have nothing to do with each other 289 00:14:24,796 --> 00:14:26,463 except for their close proximity 290 00:14:26,465 --> 00:14:28,264 in the exact same business park. 291 00:14:30,835 --> 00:14:34,671 Digital certificates are guarded very, very closely 292 00:14:34,673 --> 00:14:36,206 behind multiple doors 293 00:14:36,208 --> 00:14:38,641 and they require multiple people to unlock. 294 00:14:38,643 --> 00:14:40,310 Security: ...To the camera. 295 00:14:40,312 --> 00:14:42,011 Chien: And they need to provide both biometrics 296 00:14:42,013 --> 00:14:44,414 and, as well, pass phrases. 297 00:14:44,416 --> 00:14:45,882 It wasn't like those certificates were 298 00:14:45,884 --> 00:14:47,584 just sitting on some machine connected to the Internet. 299 00:14:47,818 --> 00:14:50,620 Some human assets had to be involved, spies. 300 00:14:50,855 --> 00:14:52,689 O'Murchu: Like a cleaner who comes in at night 301 00:14:52,691 --> 00:14:54,424 and has stolen these certificates 302 00:14:54,426 --> 00:14:55,658 from these companies. 303 00:14:59,063 --> 00:15:01,164 It did feel like walking onto the set 304 00:15:01,166 --> 00:15:03,666 of this James Bond movie and you... 
305 00:15:03,668 --> 00:15:05,235 You've been embroiled in this thing that, 306 00:15:05,237 --> 00:15:07,837 you know, you... you never expected. 307 00:15:10,508 --> 00:15:11,608 We continued to search, 308 00:15:11,610 --> 00:15:13,109 and we continued to search in code, 309 00:15:13,111 --> 00:15:15,945 and eventually we found some other bread crumbs left 310 00:15:15,947 --> 00:15:17,347 we were able to follow. 311 00:15:18,048 --> 00:15:19,682 It was doing something with Siemens, 312 00:15:19,950 --> 00:15:22,752 Siemens software, possibly Siemens hardware. 313 00:15:23,053 --> 00:15:24,754 We'd never ever seen that in any malware before, 314 00:15:24,756 --> 00:15:26,089 something targeting Siemens. 315 00:15:26,091 --> 00:15:28,051 We didn't even know why they would be doing that. 316 00:15:29,627 --> 00:15:32,362 But after googling, very quickly we understood 317 00:15:32,364 --> 00:15:34,798 it was targeting Siemens PLCs. 318 00:15:35,266 --> 00:15:38,201 STUXnet was targeting a very specific hardware device, 319 00:15:38,203 --> 00:15:41,604 something called a PLC or a programmable logic controller. 320 00:15:42,039 --> 00:15:44,941 Langner: The PLC is kind of a very small computer 321 00:15:45,242 --> 00:15:47,977 attached to physical equipment, 322 00:15:47,979 --> 00:15:50,613 like pumps, like valves, like motors. 323 00:15:51,415 --> 00:15:55,985 So this little box is running a digital program 324 00:15:55,987 --> 00:15:58,288 and the actions of this program 325 00:15:58,290 --> 00:16:02,392 turns that motor on, off, or sets a specific speed. 326 00:16:02,394 --> 00:16:04,127 Chien: Those program module controllers 327 00:16:04,129 --> 00:16:06,663 control things like power plants, power grids. 328 00:16:06,665 --> 00:16:08,398 O'Murchu: This is used in factories, 329 00:16:08,400 --> 00:16:10,867 it's used in critical infrastructure. 
330 00:16:11,569 --> 00:16:14,604 Critical infrastructure, it's everywhere around us, 331 00:16:14,606 --> 00:16:17,173 transportation, telecommunications, 332 00:16:17,175 --> 00:16:19,476 financial services, health care. 333 00:16:20,010 --> 00:16:22,912 So the payload of STUXnet was designed 334 00:16:22,914 --> 00:16:26,082 to attack some very important part 335 00:16:26,084 --> 00:16:27,517 of our world. 336 00:16:27,785 --> 00:16:29,319 The payload is gonna be important. 337 00:16:29,321 --> 00:16:32,088 What happens there could be very dangerous. 338 00:16:34,292 --> 00:16:37,260 Langner: The next very big surprise came 339 00:16:37,262 --> 00:16:39,562 when it infected our lab system. 340 00:16:40,297 --> 00:16:43,299 We figured out that the malware was probing 341 00:16:43,301 --> 00:16:44,667 for controllers. 342 00:16:45,035 --> 00:16:47,103 It was quite picky on its targets. 343 00:16:47,105 --> 00:16:51,441 It didn't try to manipulate any given controller in a network 344 00:16:51,443 --> 00:16:52,775 that it would see. 345 00:16:53,010 --> 00:16:57,213 It went through several checks, and when those checks failed, 346 00:16:57,215 --> 00:16:59,449 it would not implement the attack. 347 00:17:02,186 --> 00:17:06,055 It was obviously probing for a specific target. 348 00:17:07,391 --> 00:17:09,559 You've got to put this in context that, 349 00:17:09,561 --> 00:17:11,361 at the time, we already knew, 350 00:17:11,363 --> 00:17:13,730 well, this is the most sophisticated piece of malware 351 00:17:13,732 --> 00:17:15,298 that we have ever seen. 352 00:17:16,066 --> 00:17:18,034 So it's kind of strange. 353 00:17:18,036 --> 00:17:23,039 Somebody takes that huge effort to hit one specific target? 354 00:17:23,307 --> 00:17:25,241 Well, that must be quite a significant target. 
355 00:17:28,846 --> 00:17:31,247 Chien: So at Symantec we have probes on networks 356 00:17:31,249 --> 00:17:32,415 all over the world 357 00:17:32,417 --> 00:17:34,817 watching for malicious activity. 358 00:17:35,219 --> 00:17:37,220 O'Murchu: We'd actually seen infections of STUXnet 359 00:17:37,222 --> 00:17:39,756 all over the world, in the U.S., Australia, 360 00:17:39,758 --> 00:17:42,392 in the U.K., in France, Germany, all over Europe. 361 00:17:42,893 --> 00:17:45,293 Chien: It spread to any Windows machine in the entire world. 362 00:17:45,663 --> 00:17:47,897 You know, we had these organizations 363 00:17:47,899 --> 00:17:50,199 inside the United States who were in charge of 364 00:17:50,201 --> 00:17:51,901 industrial control facilities saying, 365 00:17:51,903 --> 00:17:53,903 "we're infected. What's gonna happen?" 366 00:17:54,271 --> 00:17:56,940 O'Murchu: We didn't know if there was a deadline coming up 367 00:17:56,942 --> 00:17:58,508 where this threat would trigger 368 00:17:58,510 --> 00:18:00,843 and suddenly would, like, turn off all, you know, 369 00:18:00,845 --> 00:18:02,412 electricity plants around the world 370 00:18:02,414 --> 00:18:04,180 or it would start shutting things down 371 00:18:04,182 --> 00:18:05,515 or launching some attack. 372 00:18:06,350 --> 00:18:09,385 We knew that STUXnet could have very dire consequences, 373 00:18:09,387 --> 00:18:12,055 and we were very worried about 374 00:18:12,057 --> 00:18:13,523 what the payload contained 375 00:18:13,525 --> 00:18:15,758 and there was an imperative speed 376 00:18:15,760 --> 00:18:17,860 that we had to race and try and, you know, 377 00:18:17,862 --> 00:18:19,262 beat this ticking bomb. 378 00:18:20,397 --> 00:18:22,932 Eventually, we were able to refine the statistics a little 379 00:18:22,934 --> 00:18:24,434 and we saw that Iran was the number one 380 00:18:24,436 --> 00:18:26,035 infected country in the world. 
381 00:18:26,037 --> 00:18:28,605 Chien: That immediately raised our eyebrows. 382 00:18:28,607 --> 00:18:30,873 We had never seen a threat before 383 00:18:30,875 --> 00:18:33,009 where it was predominantly in Iran. 384 00:18:33,944 --> 00:18:35,545 And so we began to follow what was going on 385 00:18:35,547 --> 00:18:36,779 in the geopolitical world, 386 00:18:36,947 --> 00:18:38,547 what was happening in the general news. 387 00:18:38,716 --> 00:18:41,951 And at that time, there were actually multiple explosions 388 00:18:41,953 --> 00:18:44,854 of gas pipelines going in and out of Iran. 389 00:18:45,823 --> 00:18:47,223 Unexplained explosions. 390 00:18:48,759 --> 00:18:50,893 O'Murchu: And of course, we did notice that at the time 391 00:18:50,895 --> 00:18:53,529 there had been assassinations of nuclear scientists. 392 00:18:54,732 --> 00:18:56,165 So that was worrying. 393 00:18:56,967 --> 00:18:59,168 We knew there was something bad happening. 394 00:18:59,637 --> 00:19:01,471 Gibney: Did you get concerned for yourself? 395 00:19:01,473 --> 00:19:03,406 I mean, did you begin to start looking over your shoulder 396 00:19:03,408 --> 00:19:04,641 from time to time? 397 00:19:04,643 --> 00:19:06,242 Yeah, definitely looking over my shoulder 398 00:19:06,244 --> 00:19:08,811 and... and being careful about what I spoke about on the phone. 399 00:19:09,813 --> 00:19:13,016 I was... pretty confident my conversations on my... 400 00:19:13,018 --> 00:19:14,484 On the phone were being listened to. 401 00:19:14,818 --> 00:19:16,786 We were only half joking 402 00:19:16,788 --> 00:19:18,821 when we would look at each other 403 00:19:18,823 --> 00:19:20,590 and tell each other things like, 404 00:19:20,592 --> 00:19:22,825 "look, I'm not suicidal. 405 00:19:23,160 --> 00:19:26,663 If I show up dead on Monday, you know, it wasn't me." 
406 00:19:35,439 --> 00:19:37,874 We'd been publishing information about STUXnet 407 00:19:37,876 --> 00:19:39,275 all through that summer. 408 00:19:40,644 --> 00:19:43,279 And then in November, the industrial control system 409 00:19:43,281 --> 00:19:46,416 sort of expert in Holland contacted us... 410 00:19:47,685 --> 00:19:50,286 And he said all of these devices that would be inside of 411 00:19:50,288 --> 00:19:53,356 an industrial control system hold a unique identifier number 412 00:19:53,358 --> 00:19:56,559 that identified the make and model of that device. 413 00:19:58,328 --> 00:20:01,998 And we actually had a couple of these numbers in the code 414 00:20:02,000 --> 00:20:03,440 that we didn't know what they were. 415 00:20:04,401 --> 00:20:06,302 And so we realized maybe what he was referring to 416 00:20:06,304 --> 00:20:07,770 was the magic numbers we had. 417 00:20:08,305 --> 00:20:09,839 And then when we searched for those magic numbers 418 00:20:09,841 --> 00:20:11,007 in that context, 419 00:20:11,009 --> 00:20:13,409 we saw that what had to be connected 420 00:20:13,411 --> 00:20:15,578 to this industrial control system that was being targeted 421 00:20:15,580 --> 00:20:17,547 were something called frequency converters 422 00:20:17,881 --> 00:20:20,049 from two specific manufacturers, 423 00:20:20,051 --> 00:20:21,818 one of which was in Iran. 424 00:20:22,419 --> 00:20:24,187 And so at this time, we absolutely knew 425 00:20:24,189 --> 00:20:26,522 that the facility that was being targeted 426 00:20:26,524 --> 00:20:27,990 had to be in Iran 427 00:20:28,325 --> 00:20:31,160 and had equipment made from Iranian manufacturers. 428 00:20:32,096 --> 00:20:33,863 When we looked up those frequency converters, 429 00:20:33,865 --> 00:20:35,665 we immediately found out that they were actually 430 00:20:35,667 --> 00:20:38,067 export controlled by the Nuclear Regulatory Commission. 
431 00:20:38,669 --> 00:20:40,002 And that immediately led us then 432 00:20:40,004 --> 00:20:42,271 to some nuclear facility. 433 00:20:59,890 --> 00:21:02,024 Gibney: This was more than a computer story, 434 00:21:02,392 --> 00:21:04,827 so I left the world of the antivirus detectives 435 00:21:05,129 --> 00:21:07,063 and sought out journalist, David Sanger, 436 00:21:07,065 --> 00:21:09,298 who specialized in the strange intersection 437 00:21:09,300 --> 00:21:12,301 of cyber, nuclear weapons, and espionage. 438 00:21:13,270 --> 00:21:15,371 Sanger: The emergence of the code 439 00:21:15,373 --> 00:21:18,674 is what put me on alert that an attack was under way. 440 00:21:20,110 --> 00:21:23,279 And because of the covert nature of the operation, 441 00:21:23,281 --> 00:21:26,282 not only were official government spokesmen 442 00:21:26,284 --> 00:21:29,185 unable to talk about it, they didn't even know about it. 443 00:21:30,387 --> 00:21:32,455 Eventually, the more I dug into it, 444 00:21:32,457 --> 00:21:37,059 the more I began to find individuals 445 00:21:37,294 --> 00:21:39,495 who had been involved in some piece of it 446 00:21:39,663 --> 00:21:41,731 or who had witnessed some piece of it. 447 00:21:42,332 --> 00:21:44,734 And that meant talking to Americans, 448 00:21:44,736 --> 00:21:47,637 talking to Israelis, talking to Europeans, 449 00:21:47,639 --> 00:21:50,740 because this was obviously the first, biggest, 450 00:21:50,742 --> 00:21:55,311 and most sophisticated example of a state 451 00:21:55,313 --> 00:21:57,947 or two states using a cyber weapon 452 00:21:57,949 --> 00:21:59,482 for offensive purposes. 453 00:22:02,920 --> 00:22:05,822 I came to this with a fair bit of history, 454 00:22:05,824 --> 00:22:08,591 understanding the Iranian nuclear program. 455 00:22:09,626 --> 00:22:13,029 How did Iran get its first nuclear reactor? 456 00:22:13,597 --> 00:22:16,732 We gave it to them... 
under the Shah, 457 00:22:17,034 --> 00:22:20,469 because the Shah was considered an American ally. 458 00:22:21,973 --> 00:22:25,608 Thank you again for your warm welcome, Mr. President. 459 00:22:25,943 --> 00:22:27,543 Gary Samore: During the Nixon administration, 460 00:22:27,545 --> 00:22:30,813 the U.S. was very enthusiastic about supporting 461 00:22:30,815 --> 00:22:32,915 the Shah's nuclear power program. 462 00:22:33,817 --> 00:22:36,152 And at one point, the Nixon administration 463 00:22:36,154 --> 00:22:38,988 was pushing the idea that Pakistan and Iran 464 00:22:38,990 --> 00:22:43,593 should build a joint plant together in Iran. 465 00:22:44,962 --> 00:22:46,662 There's at least some evidence that 466 00:22:46,664 --> 00:22:50,166 the Shah was thinking about acquisition of nuclear weapons, 467 00:22:50,168 --> 00:22:53,703 because he saw, and we were encouraging him to see Iran 468 00:22:53,705 --> 00:22:56,005 as the so-called policemen of the Persian Gulf. 469 00:22:56,007 --> 00:22:58,174 And the Iranians have always viewed themselves 470 00:22:58,176 --> 00:23:01,410 as naturally the dominant power in the Middle East. 471 00:23:02,214 --> 00:23:07,594 Why is it normal for you, the Germans and the British, 472 00:23:07,845 --> 00:23:09,435 to have... 473 00:23:10,764 --> 00:23:14,484 atomic and hydrogen weapons, and for Iran, 474 00:23:15,102 --> 00:23:17,102 the simple principle of self-defense 475 00:23:17,396 --> 00:23:20,106 the defense of its interests, a problem, 476 00:23:20,357 --> 00:23:22,357 while for others it is totally normal? 477 00:23:24,001 --> 00:23:25,568 Samore: But the revolution, 478 00:23:25,570 --> 00:23:27,270 which overthrew the Shah in '79, 479 00:23:27,272 --> 00:23:29,071 really curtailed the program 480 00:23:29,073 --> 00:23:31,440 before it ever got any head of steam going. 
481 00:23:32,542 --> 00:23:37,113 Part of our policy against Iran after the revolution 482 00:23:37,115 --> 00:23:39,415 was to deny them nuclear technology. 483 00:23:39,417 --> 00:23:42,718 So most of the period when I was involved 484 00:23:42,720 --> 00:23:44,720 in the '80s and the '90s 485 00:23:44,722 --> 00:23:47,123 was the U.S. running around the world 486 00:23:47,125 --> 00:23:50,393 and persuading potential nuclear suppliers 487 00:23:50,395 --> 00:23:53,796 not to provide even peaceful nuclear technology to Iran. 488 00:23:54,031 --> 00:23:57,466 And what we missed was the clandestine transfer 489 00:23:57,468 --> 00:24:00,369 in the mid-1980s from Pakistan to Iran. 490 00:24:04,375 --> 00:24:05,608 Rolf Mowatt-Larssen: Abdul Qadeer Khan 491 00:24:05,610 --> 00:24:06,943 is what we would call 492 00:24:06,945 --> 00:24:08,945 the father of the Pakistan nuclear program. 493 00:24:10,380 --> 00:24:12,949 He had the full authority and confidence 494 00:24:12,951 --> 00:24:15,251 of the Pakistan government from its inception 495 00:24:15,253 --> 00:24:17,320 to the production of nuclear weapons. 496 00:24:19,056 --> 00:24:21,390 I was a CIA officer for... for... 497 00:24:21,392 --> 00:24:24,060 For over two decades, operations officer, 498 00:24:24,062 --> 00:24:25,861 worked overseas most of my career. 499 00:24:26,430 --> 00:24:28,497 The A.Q. Khan network is so notable 500 00:24:28,499 --> 00:24:31,500 because aside from building 501 00:24:31,502 --> 00:24:34,537 the Pakistani program for decades... 502 00:24:35,772 --> 00:24:38,941 It also was the means by which other countries 503 00:24:38,943 --> 00:24:41,577 were able to develop nuclear weapons, 504 00:24:41,579 --> 00:24:42,878 including Iran. 505 00:24:43,480 --> 00:24:45,114 Samore: A.Q. 
Khan acting on behalf 506 00:24:45,116 --> 00:24:46,182 of the Pakistani government 507 00:24:46,184 --> 00:24:49,285 negotiated with officials in Iran 508 00:24:49,287 --> 00:24:52,321 and then there was a transfer which took place 509 00:24:52,323 --> 00:24:53,389 through Dubai 510 00:24:53,391 --> 00:24:56,625 of blueprints for nuclear weapons design 511 00:24:56,627 --> 00:24:58,227 as well as some hardware. 512 00:24:59,363 --> 00:25:01,364 Throughout the mid-1980s, 513 00:25:01,366 --> 00:25:04,433 the Iranian program was not very well-resourced. 514 00:25:04,435 --> 00:25:06,268 It was more of an R & D program. 515 00:25:07,304 --> 00:25:10,506 It wasn't really until the mid-'90s 516 00:25:10,508 --> 00:25:12,775 that it started to take off when they made the decision 517 00:25:12,777 --> 00:25:14,844 to build the nuclear weapons program. 518 00:25:21,518 --> 00:25:23,019 You know, we can speculate what, 519 00:25:23,021 --> 00:25:24,453 in their mind, motivated them. 520 00:25:24,455 --> 00:25:27,623 I think it was the U.S. invasion of Iraq 521 00:25:27,625 --> 00:25:29,225 after Kuwait. 522 00:25:30,527 --> 00:25:31,994 You know, there was an eight-year war 523 00:25:31,996 --> 00:25:33,562 between Iraq and Iran, 524 00:25:33,830 --> 00:25:37,233 we had wiped out Saddam's forces in a matter of weeks. 525 00:25:40,138 --> 00:25:42,872 And I think that was enough to convince the rulers 526 00:25:42,874 --> 00:25:45,041 in Tehran that they needed to pursue 527 00:25:45,043 --> 00:25:46,609 nuclear weapons more seriously. 528 00:25:48,645 --> 00:25:51,547 George Bush: States like these and their terrorist allies 529 00:25:51,549 --> 00:25:54,383 constitute an axis of evil, 530 00:25:54,385 --> 00:25:57,153 arming to threaten the peace of the world. 531 00:25:58,555 --> 00:26:01,190 Samore: From 2003 to 2005 532 00:26:01,192 --> 00:26:04,493 when they feared that the U.S. 
would invade them, 533 00:26:04,495 --> 00:26:06,829 they accepted limits on their nuclear program. 534 00:26:07,264 --> 00:26:10,900 But by 2006, the Iranians had come to the conclusion 535 00:26:10,902 --> 00:26:13,769 that the U.S. was bogged down in Afghanistan and Iraq 536 00:26:13,771 --> 00:26:16,972 and no longer had the capacity to threaten them, 537 00:26:17,340 --> 00:26:21,077 and so they felt it was safe to resume their enrichment program 538 00:26:21,845 --> 00:26:24,513 they started producing low enriched uranium, 539 00:26:24,781 --> 00:26:26,782 producing more centrifuges, installing them 540 00:26:26,784 --> 00:26:30,619 at the large-scale underground enrichment facility at Natanz. 541 00:26:41,965 --> 00:26:44,414 Journalist: 542 00:26:44,414 --> 00:26:46,809 For a journalist, passing through these underground tunnels 543 00:26:47,022 --> 00:26:50,982 and visiting the beating heart of Iran's nuclear plant is quite an event. 544 00:26:51,193 --> 00:26:56,873 The president's visit to the plant today had made this event possible for us. 545 00:26:57,825 --> 00:27:00,017 The West tells us that we have to negotiate with them for like ten years 546 00:27:00,017 --> 00:27:02,051 Ahmadinejad: 547 00:27:02,371 --> 00:27:06,461 and then they will decide whether Iran may have 20 centrifuges or not. 548 00:27:06,709 --> 00:27:08,669 Of course the Iranian nation says no to them. 549 00:27:09,253 --> 00:27:11,003 Today, about 7,000 of these machines 550 00:27:11,296 --> 00:27:14,756 are working under the ground right over there. 551 00:27:35,085 --> 00:27:37,019 Gibney: How many times have you been to Natanz? 552 00:27:37,354 --> 00:27:40,756 Not that many, because I left few years ago, the CIA, 553 00:27:40,758 --> 00:27:43,092 but I was there quite... quite a few times. 554 00:27:46,630 --> 00:27:49,198 Natanz is just in the middle of the desert. 
555 00:27:51,134 --> 00:27:53,102 When they were building it in secret, 556 00:27:53,336 --> 00:27:57,373 they were calling it desert irrigation facility. 557 00:27:57,874 --> 00:27:59,441 For the local people, 558 00:27:59,443 --> 00:28:02,011 you want to sell why you are building a big complex. 559 00:28:04,814 --> 00:28:07,516 There is a lot of artillery and air force. 560 00:28:07,518 --> 00:28:11,921 It's better protected against attack from air 561 00:28:12,455 --> 00:28:14,957 than any other nuclear installation I have seen. 562 00:28:17,727 --> 00:28:20,196 So this is deeply underground. 563 00:28:24,801 --> 00:28:28,704 But then inside, Natanz is like any other centrifuge facility. 564 00:28:28,706 --> 00:28:33,042 I have been all over the world, from Brazil to Russia, Japan, 565 00:28:33,044 --> 00:28:37,580 so they are all alike with their own features, 566 00:28:37,582 --> 00:28:39,982 their own centrifuges, their own culture, 567 00:28:39,984 --> 00:28:42,585 but basically, the process is the same. 568 00:28:43,653 --> 00:28:46,722 And so are the monitoring activities of the IAEA. 569 00:28:46,724 --> 00:28:48,390 There are basic principles. 570 00:28:48,392 --> 00:28:51,126 You want to see what goes in, what goes out, 571 00:28:51,394 --> 00:28:53,562 and then on top of that you make sure that 572 00:28:53,564 --> 00:28:56,031 it produces low enriched uranium 573 00:28:56,033 --> 00:28:58,434 instead of anything to do with the higher enrichments 574 00:28:58,436 --> 00:29:00,603 and nuclear weapon grade uranium. 575 00:29:06,576 --> 00:29:07,943 Emad Kiyaei: Iran's nuclear facilities 576 00:29:07,945 --> 00:29:10,179 are under 24-hour watch. 577 00:29:10,880 --> 00:29:13,215 Of the United Nations nuclear watchdog, 578 00:29:13,217 --> 00:29:16,518 the IAEA, the International Atomic Energy Agency. 579 00:29:17,887 --> 00:29:22,091 Every single gram of Iranian fissile material... 580 00:29:23,293 --> 00:29:24,660 Is accounted for. 
581 00:29:27,464 --> 00:29:29,932 They have, like, basically seals they put 582 00:29:29,934 --> 00:29:33,502 on fissile materials. There are IAEA seals. 583 00:29:33,737 --> 00:29:36,038 You can't break it 584 00:29:36,040 --> 00:29:37,873 without getting noticed. 585 00:29:39,876 --> 00:29:42,111 Heinonen: When you look at the uranium 586 00:29:42,113 --> 00:29:45,981 which was there in Natanz, it was a very special uranium. 587 00:29:46,149 --> 00:29:51,553 This is called Isotope 236, and that was a puzzle to us, 588 00:29:51,555 --> 00:29:53,989 because you only see this sort of uranium 589 00:29:53,991 --> 00:29:57,126 in states which have had nuclear weapons. 590 00:29:58,995 --> 00:30:01,697 We realized that they had cheated us. 591 00:30:02,399 --> 00:30:05,668 This sort of equipment has been bought 592 00:30:05,670 --> 00:30:07,469 from what they call a black market. 593 00:30:07,471 --> 00:30:10,706 They never pointed out it to A.Q. Khan 594 00:30:11,141 --> 00:30:12,941 at that point of time. 595 00:30:17,814 --> 00:30:21,150 What I was surprised was the sophistication 596 00:30:21,152 --> 00:30:22,985 and the quality control 597 00:30:23,286 --> 00:30:25,287 and the way they have the manufacturing 598 00:30:25,289 --> 00:30:26,689 was really professional. 599 00:30:27,824 --> 00:30:30,426 It was not something, you know, you just create 600 00:30:30,428 --> 00:30:31,960 in a few months' time. 601 00:30:31,962 --> 00:30:34,697 This was a result of a long process. 602 00:30:41,805 --> 00:30:44,606 A centrifuge, you feed uranium gas 603 00:30:44,608 --> 00:30:47,710 in and you have a cascade, thousands of centrifuges, 604 00:30:47,712 --> 00:30:50,713 and from the other end you get enriched uranium out. 605 00:30:51,448 --> 00:30:55,451 It separates uranium based on spinning the rotors. 606 00:30:55,453 --> 00:30:59,221 It spins so fast, 300 meters per second, 607 00:30:59,223 --> 00:31:02,257 the same as the velocity of sound. 
608 00:31:03,626 --> 00:31:05,294 These are tremendous forces 609 00:31:05,296 --> 00:31:08,230 and as a result, the rotor, it twists, 610 00:31:08,232 --> 00:31:10,399 looks like a banana at one point of time. 611 00:31:11,801 --> 00:31:13,369 So it has to be balanced 612 00:31:13,371 --> 00:31:16,739 because any small vibration it will blow up. 613 00:31:18,141 --> 00:31:20,075 And here comes another trouble. 614 00:31:20,377 --> 00:31:22,544 You have to raise the temperature 615 00:31:22,546 --> 00:31:25,647 but this very thin rotor was... 616 00:31:25,649 --> 00:31:27,683 They are made from carbon fiber, 617 00:31:27,685 --> 00:31:30,319 and the other pieces, they are made from metal. 618 00:31:31,221 --> 00:31:34,723 When you heat carbon fiber, it shrinks. 619 00:31:35,825 --> 00:31:38,127 When you heat metal, it expands. 620 00:31:38,495 --> 00:31:41,530 So you need to balance not only that they spin, 621 00:31:41,532 --> 00:31:44,666 they twist, but this temperature behavior 622 00:31:44,668 --> 00:31:46,902 in such a way that it doesn't break. 623 00:31:46,904 --> 00:31:49,104 So this has to be very precise. 624 00:31:49,606 --> 00:31:52,074 This is what makes them very difficult to manufacture. 625 00:31:52,076 --> 00:31:54,743 You can model it, you can calculate it, 626 00:31:54,745 --> 00:31:57,212 but at the very end, it's actually based 627 00:31:57,214 --> 00:31:59,848 on practice and experience. 628 00:31:59,850 --> 00:32:03,152 So it's a... it's a piece of art, so to say. 
629 00:32:13,631 --> 00:32:16,454 Man: 630 00:32:16,454 --> 00:32:19,690 Because of the strength of our nation, our army and our revolutionary guard 631 00:32:20,939 --> 00:32:26,569 Our dawn became eternal by the glow of success 632 00:32:28,113 --> 00:32:31,993 Morning of dreams rises from the shores 633 00:32:32,242 --> 00:32:36,162 The branches of life have sprouted 634 00:32:36,497 --> 00:32:42,127 May this victory be Blessed 635 00:32:44,093 --> 00:32:46,428 Heinonen: Iranians are very proud of their centrifuges. 636 00:32:46,430 --> 00:32:49,398 They have a lot of public relations videos 637 00:32:49,400 --> 00:32:53,135 given up always in April when they have what they call 638 00:32:53,137 --> 00:32:54,636 a national nuclear day. 639 00:32:55,057 --> 00:32:57,347 Blessed be this holy spring 640 00:32:57,347 --> 00:32:59,141 Man: 641 00:32:59,311 --> 00:33:02,151 Blessed be the gardener 642 00:33:02,439 --> 00:33:05,069 I proudly announce that from today on, 643 00:33:05,442 --> 00:33:08,952 Iran is among the countries that can produce nuclear fuel. 644 00:33:08,953 --> 00:33:12,321 Kiyaei: Ahmadinejad came into his presidency saying 645 00:33:12,323 --> 00:33:14,923 if the international community wants to derail us 646 00:33:14,925 --> 00:33:16,592 we will stand up to it. 647 00:33:17,660 --> 00:33:20,362 If they want us to sign more inspections 648 00:33:20,364 --> 00:33:23,632 and more additional protocols and other measures, 649 00:33:23,634 --> 00:33:26,368 no, we will not. We will fight for our rights. 650 00:33:27,605 --> 00:33:30,672 Iran is a signature to nuclear non-proliferation treaty, 651 00:33:30,674 --> 00:33:34,276 and under that treaty, Iran has a right to a nuclear program. 652 00:33:34,844 --> 00:33:38,313 We can have enrichment. Who are you, world powers, 653 00:33:38,315 --> 00:33:40,782 to come and tell us that we cannot have enrichment? 
654 00:33:41,150 --> 00:33:42,885 This was his mantra, 655 00:33:43,620 --> 00:33:46,989 and it galvanized the public. 656 00:33:50,560 --> 00:33:52,961 Sanger: By 2007, 2008, 657 00:33:52,963 --> 00:33:55,464 the U.S. government was in a very bad place with 658 00:33:55,466 --> 00:33:56,765 the Iranian program. 659 00:33:57,734 --> 00:33:59,835 President Bush recognized 660 00:33:59,837 --> 00:34:02,471 that he could not even come out in public 661 00:34:02,473 --> 00:34:04,973 and declare that the Iranians were building a nuclear weapon, 662 00:34:04,975 --> 00:34:06,808 because by this time, he had gone through 663 00:34:06,810 --> 00:34:10,112 the entire WMD fiasco in Iraq. 664 00:34:10,813 --> 00:34:13,081 He could not really take military action. 665 00:34:13,083 --> 00:34:15,484 Condoleezza Rice said to him at one point, 666 00:34:15,486 --> 00:34:18,887 "you know, Mr. President, I think you've invaded 667 00:34:18,889 --> 00:34:22,558 your last Muslim country, even for the best of reasons." 668 00:34:24,394 --> 00:34:26,595 He didn't want to let the Israelis 669 00:34:26,597 --> 00:34:28,430 conduct a military operation. 670 00:34:28,765 --> 00:34:34,503 It's 1938, and Iran is Germany and it's racing... 671 00:34:35,338 --> 00:34:37,940 To arm itself with atomic bombs. 672 00:34:38,541 --> 00:34:42,110 Iran's nuclear ambitions must be stopped. 673 00:34:42,779 --> 00:34:47,516 They have to be stopped. We all have to stop it, now. 674 00:34:47,518 --> 00:34:50,118 That's the one message I have for you today. 675 00:34:50,120 --> 00:34:52,020 - Thank you. 676 00:34:52,022 --> 00:34:54,890 Israel was saying they were gonna bomb Iran. 677 00:34:54,892 --> 00:34:58,093 And the government here in Washington 678 00:34:58,095 --> 00:35:00,462 did all sorts of scenarios about what would happen 679 00:35:00,464 --> 00:35:03,031 if that Israeli attack occurred. 680 00:35:03,433 --> 00:35:05,601 They were all very ugly scenarios. 
681 00:35:05,603 --> 00:35:08,604 Our belief was that if they went on their own 682 00:35:08,606 --> 00:35:10,405 knowing the limitations... 683 00:35:10,407 --> 00:35:12,307 No, they're a very good air force, all right? 684 00:35:12,642 --> 00:35:14,710 But it's small and the distances are great 685 00:35:14,712 --> 00:35:17,112 and the target's dispersed and hardened, all right? 686 00:35:18,114 --> 00:35:20,682 If they would have attempted a raid 687 00:35:21,384 --> 00:35:23,118 on a military plane, 688 00:35:23,419 --> 00:35:26,221 we would have been assuming that they were assuming 689 00:35:26,223 --> 00:35:28,790 we would finish that which they started. 690 00:35:28,792 --> 00:35:31,426 In other words, there would be many of us 691 00:35:31,428 --> 00:35:33,462 in government thinking that the purpose of the raid 692 00:35:33,464 --> 00:35:35,998 wasn't to destroy the Iranian nuclear system, 693 00:35:36,000 --> 00:35:39,668 but the purpose of the raid was to put us at war with Iran. 694 00:35:40,603 --> 00:35:42,638 Israel is very much concerned about 695 00:35:42,640 --> 00:35:45,307 Iran's nuclear program, more than the United States. 696 00:35:45,309 --> 00:35:48,076 It's only natural because of the size of the country, 697 00:35:48,078 --> 00:35:50,479 because we live in this neighborhood, 698 00:35:50,481 --> 00:35:54,116 America lives thousands and thousands miles away from Iran. 699 00:35:54,118 --> 00:35:57,753 The two countries agreed on the goal. 700 00:35:58,021 --> 00:36:00,789 There is no page between us 701 00:36:00,791 --> 00:36:06,128 that Iran should not have a nuclear military capability. 702 00:36:06,130 --> 00:36:08,130 There are some differences 703 00:36:08,132 --> 00:36:10,499 on how to... how to achieve it 704 00:36:10,501 --> 00:36:12,801 and when action is needed. 705 00:36:15,424 --> 00:36:21,054 The origin of corruption (Israel) will be wiped off the face of the Earth. 
706 00:36:22,311 --> 00:36:24,713 Yadlin: We are taking very seriously 707 00:36:24,715 --> 00:36:27,449 leaders of countries who call to the destruction 708 00:36:27,451 --> 00:36:30,085 and annihilation of our people. 709 00:36:30,286 --> 00:36:32,788 If Iran will get nuclear weapons, 710 00:36:32,790 --> 00:36:34,256 now or in the future... 711 00:36:35,224 --> 00:36:38,060 It means that for the first time in human history 712 00:36:38,861 --> 00:36:41,563 Islamic zealots, religious zealots, 713 00:36:42,231 --> 00:36:44,566 will get their hand on 714 00:36:44,568 --> 00:36:47,536 the most dangerous, devastating weapons, 715 00:36:47,538 --> 00:36:50,305 and the world should prevent this. 716 00:36:52,475 --> 00:36:56,244 Samore: The Israelis believe that the Iranian leadership 717 00:36:56,246 --> 00:36:59,181 has already made the decision to build nuclear weapons 718 00:36:59,183 --> 00:37:01,083 when they think they can get away with it. 719 00:37:01,484 --> 00:37:04,252 The view in the U.S. is that the Iranians 720 00:37:04,254 --> 00:37:06,421 haven't made that final decision yet. 721 00:37:07,390 --> 00:37:09,324 To me, that doesn't make any difference. 722 00:37:09,326 --> 00:37:11,059 I mean, it really doesn't make any difference, 723 00:37:11,061 --> 00:37:14,229 and it's probably unknowable, unless you can put, you know, 724 00:37:14,231 --> 00:37:17,599 Supreme Leader Khamenei on the couch and interview him. 725 00:37:17,601 --> 00:37:20,535 I think, you know, from our standpoint, 726 00:37:20,537 --> 00:37:23,171 stopping Iran from getting the threshold capacity 727 00:37:23,173 --> 00:37:26,308 is, you know, the primary policy objective. 728 00:37:27,610 --> 00:37:29,711 Once they have the fissile material, 729 00:37:29,713 --> 00:37:32,114 once they have the capacity to produce nuclear weapons, 730 00:37:32,116 --> 00:37:33,482 then the game is lost. 
731 00:37:39,288 --> 00:37:41,089 Hayden: President Bush once said to me, he said, 732 00:37:41,091 --> 00:37:44,192 "Mike, I don't want any president ever to be faced 733 00:37:44,194 --> 00:37:48,230 with only two options, bombing or the bomb." 734 00:37:48,232 --> 00:37:49,464 Right? 735 00:37:49,466 --> 00:37:53,034 He... he wanted options that... that made it... 736 00:37:53,236 --> 00:37:56,204 Made it far less likely he or his successor 737 00:37:56,206 --> 00:37:58,740 or successors would ever get to that point 738 00:37:58,742 --> 00:38:00,375 where that's... that's all you've got. 739 00:38:00,710 --> 00:38:04,346 We wanted to be energetic enough in pursuing this problem 740 00:38:04,714 --> 00:38:07,716 that... that the Israelis would certainly believe, 741 00:38:07,718 --> 00:38:08,917 "yeah, we get it." 742 00:38:08,919 --> 00:38:11,052 The intelligence cooperation between Israel 743 00:38:11,054 --> 00:38:14,489 and the United States is very, very good. 744 00:38:15,258 --> 00:38:17,559 And therefore, the Israelis went to the Americans 745 00:38:17,561 --> 00:38:21,163 and said, "okay, guys, you don't want us to bomb Iran. 746 00:38:21,165 --> 00:38:24,332 Okay, let's do it differently." 747 00:38:24,834 --> 00:38:28,403 And then the American intelligence community started 748 00:38:28,405 --> 00:38:30,105 rolling in joint forces 749 00:38:30,107 --> 00:38:32,073 with the Israeli intelligence community. 750 00:38:32,742 --> 00:38:36,745 One day a group of intelligence and military officials showed up 751 00:38:37,446 --> 00:38:39,381 in President Bush's office 752 00:38:39,982 --> 00:38:41,516 and said, "sir, we have an idea. 753 00:38:42,652 --> 00:38:43,985 It's a big risk. 754 00:38:44,520 --> 00:38:46,321 It might not work, but here it is." 
755 00:38:53,863 --> 00:38:57,499 Langner: Moving forward in my analysis of the codes, 756 00:38:57,501 --> 00:39:01,536 I took a closer look at the photographs 757 00:39:01,538 --> 00:39:03,371 that had been published 758 00:39:03,373 --> 00:39:08,143 by the Iranians themselves in a press tour from 2008 759 00:39:08,145 --> 00:39:11,279 of Ahmadinejad and the shiny centrifuges. 760 00:39:13,683 --> 00:39:15,550 Sanger: Well, photographs of Ahmadinejad 761 00:39:15,552 --> 00:39:18,353 going through the centrifuges at Natanz 762 00:39:18,355 --> 00:39:21,790 had provided some very important clues. 763 00:39:22,491 --> 00:39:24,693 There was a huge amount to be learned. 764 00:39:33,002 --> 00:39:35,804 First of all, those photographs showed 765 00:39:35,806 --> 00:39:39,140 many of the individuals who were guiding Ahmadinejad 766 00:39:39,142 --> 00:39:40,308 through the program. 767 00:39:40,310 --> 00:39:42,911 And there's one very famous photograph that shows 768 00:39:42,913 --> 00:39:44,913 Ahmadinejad being shown something. 769 00:39:44,915 --> 00:39:47,482 You see his face, you can't see what's on the computer. 770 00:39:47,484 --> 00:39:50,919 And one of the scientists who was behind him 771 00:39:50,921 --> 00:39:53,321 was assassinated a few months later. 772 00:39:57,693 --> 00:39:59,427 Langner: In one of those photographs, 773 00:39:59,695 --> 00:40:03,031 you could see parts of a computer screen. 774 00:40:03,033 --> 00:40:05,600 We... we refer to that as a SCADA screen. 775 00:40:05,602 --> 00:40:08,570 The SCADA system is basically a piece of software 776 00:40:08,572 --> 00:40:10,171 running on a computer. 777 00:40:10,173 --> 00:40:13,775 It enables the operators to monitor the processes. 
778 00:40:14,777 --> 00:40:18,914 What you could see when you look close enough 779 00:40:19,448 --> 00:40:23,785 was a more detailed view of the configuration 780 00:40:24,587 --> 00:40:27,889 there were these six groups of centrifuges 781 00:40:27,891 --> 00:40:31,326 and each group had 164 entries. 782 00:40:31,894 --> 00:40:33,461 And guess what? 783 00:40:33,763 --> 00:40:36,097 That was a perfect match to what we saw 784 00:40:36,099 --> 00:40:37,465 in the attack code. 785 00:40:38,801 --> 00:40:42,203 It was absolutely clear that this piece of code 786 00:40:42,205 --> 00:40:45,774 was attacking an array of six different groups 787 00:40:45,776 --> 00:40:49,611 of, let's just say, thingies, physical objects, 788 00:40:49,613 --> 00:40:55,517 and in those six groups, there were 164 elements. 789 00:40:59,221 --> 00:41:01,556 Gibney: Were you able to do any actual physical tests? 790 00:41:01,558 --> 00:41:03,792 Or it was all just code analysis? 791 00:41:03,794 --> 00:41:05,727 Yeah, so, you know, we obviously 792 00:41:05,729 --> 00:41:08,797 couldn't set up our own sort of nuclear enrichment facility. 793 00:41:08,965 --> 00:41:11,266 So... but what we did was we did obtain some PLCs, 794 00:41:11,268 --> 00:41:12,500 the exact models. 795 00:41:19,675 --> 00:41:22,077 We then ordered an air pump, and that's what we used 796 00:41:22,079 --> 00:41:23,745 sort of as our sort of proof of concept. 797 00:41:24,580 --> 00:41:26,314 O'Murchu: We needed a visual demonstration 798 00:41:26,316 --> 00:41:28,516 to show people what we discovered. 799 00:41:28,818 --> 00:41:30,852 So we thought of different things that we could do, 800 00:41:30,854 --> 00:41:32,988 and we... we settled on blowing up a balloon. 801 00:41:37,326 --> 00:41:39,294 We were able to write a program that would inflate a balloon, 802 00:41:39,296 --> 00:41:42,197 and it was set to stop after five seconds. 
803 00:41:52,174 --> 00:41:53,942 So it would inflate the balloon to a certain size 804 00:41:53,944 --> 00:41:55,443 but it wouldn't burst the balloon 805 00:41:55,445 --> 00:41:56,878 and it was all safe. 806 00:41:56,880 --> 00:41:58,980 And we showed everybody, this is the code 807 00:41:58,982 --> 00:42:00,215 that's on the PLC. 808 00:42:00,649 --> 00:42:02,617 And the timer says, "stop after five seconds." 809 00:42:02,852 --> 00:42:04,412 We know that's what's going to happen. 810 00:42:04,987 --> 00:42:07,255 And then we would infect the computer with STUXnet, 811 00:42:07,790 --> 00:42:10,058 and we would run the test again. 812 00:42:41,257 --> 00:42:42,857 Here is a piece of software 813 00:42:42,859 --> 00:42:45,827 that should only exist in a cyber realm 814 00:42:45,829 --> 00:42:48,930 and it is able to affect physical equipment 815 00:42:48,932 --> 00:42:52,667 in a plant or factory and cause physical damage. 816 00:42:52,669 --> 00:42:54,736 Real-world physical destruction. 817 00:42:59,241 --> 00:43:01,910 At that time, things became very scary to us. 818 00:43:01,912 --> 00:43:04,412 Here you had malware potentially killing people 819 00:43:04,414 --> 00:43:06,714 and that was something that was always Hollywood-esque to us 820 00:43:06,716 --> 00:43:07,882 that we'd always laugh at 821 00:43:07,884 --> 00:43:09,918 when people made that kind of assertion. 822 00:43:15,524 --> 00:43:18,026 Gibney: At this point, you had to have started developing 823 00:43:18,028 --> 00:43:20,795 theories as to who had built STUXnet. 824 00:43:21,730 --> 00:43:23,298 It wasn't lost on us that 825 00:43:23,300 --> 00:43:26,534 there were probably only a few countries 826 00:43:26,536 --> 00:43:28,870 in the world that would want 827 00:43:28,872 --> 00:43:31,739 and have the motivation to sabotage 828 00:43:31,741 --> 00:43:33,875 Iran's nuclear enrichment facility. 829 00:43:33,877 --> 00:43:35,777 The U.S. government would be up there. 
830 00:43:35,779 --> 00:43:37,946 Israeli government certainly would be... would be up there. 831 00:43:37,948 --> 00:43:40,048 You know, maybe U.K., France, Germany, 832 00:43:40,050 --> 00:43:41,483 those sorts of countries, 833 00:43:41,485 --> 00:43:43,785 but we never found any information that 834 00:43:43,787 --> 00:43:46,821 would tie it back 100 percent to... to those countries. 835 00:43:46,823 --> 00:43:48,756 There are no telltale signs. 836 00:43:48,758 --> 00:43:51,326 You know, the attackers don't leave a message inside 837 00:43:51,328 --> 00:43:53,495 saying, you know, "it was me." 838 00:43:54,396 --> 00:43:57,665 And even if they did, all of that stuff can be faked. 839 00:43:58,000 --> 00:44:00,668 So it's very, very difficult to do attribution 840 00:44:00,670 --> 00:44:02,403 when looking at computer code. 841 00:44:03,272 --> 00:44:04,806 Gibney: Subsequent work that's been done 842 00:44:04,808 --> 00:44:07,242 leads us to believe that this was the work of 843 00:44:07,244 --> 00:44:08,776 a collaboration between Israel and the United States. 844 00:44:08,778 --> 00:44:09,844 Yeah, yeah. 845 00:44:09,846 --> 00:44:10,979 Gibney: Did you have any evidence 846 00:44:10,981 --> 00:44:12,247 in terms of your analysis 847 00:44:12,249 --> 00:44:14,249 that would lead you to believe that 848 00:44:14,251 --> 00:44:15,583 that's correct also? 849 00:44:15,585 --> 00:44:17,685 Nothing that I could talk about on camera. 850 00:44:19,188 --> 00:44:21,990 Gibney: Well, can I ask why? 851 00:44:21,992 --> 00:44:23,825 No. 852 00:44:23,827 --> 00:44:25,527 Well, you can, but I won't answer. 853 00:44:27,964 --> 00:44:30,265 Gibney: But even in the case of nation-states, 854 00:44:30,267 --> 00:44:31,766 I mean, one of the concerns is... 855 00:44:31,768 --> 00:44:33,902 Gibney: This was beginning to really piss me off. 
856 00:44:34,336 --> 00:44:37,672 Even civilians with an interest in telling the STUXnet story 857 00:44:37,674 --> 00:44:40,608 were refusing to address the role of Tel Aviv 858 00:44:40,610 --> 00:44:43,845 and Washington. But luckily for me, 859 00:44:44,113 --> 00:44:45,947 while D.C. is a city of secrets, 860 00:44:46,282 --> 00:44:48,049 it is also a city of leaks. 861 00:44:48,517 --> 00:44:50,218 They're as regular as a heartbeat 862 00:44:50,220 --> 00:44:51,953 and just as hard to stop. 863 00:44:52,955 --> 00:44:54,522 That's what I was counting on. 864 00:44:59,696 --> 00:45:03,231 Finally, after speaking to a number of people on background, 865 00:45:03,233 --> 00:45:05,833 I did find a way of confirming, on the record, 866 00:45:05,835 --> 00:45:07,702 the American role in STUXnet. 867 00:45:08,671 --> 00:45:10,805 In exchange for details of the operation, 868 00:45:10,807 --> 00:45:12,874 I had to agree to find a way 869 00:45:12,876 --> 00:45:15,176 to disguise the source of the information. 870 00:45:15,178 --> 00:45:16,945 - Gibney: We're good? - Man: We're on. 871 00:45:18,514 --> 00:45:20,181 Gibney: So the first question I have to ask you 872 00:45:20,183 --> 00:45:21,583 is about secrecy. 873 00:45:22,084 --> 00:45:25,153 I mean, at this point, everyone knows about STUXnet. 874 00:45:25,155 --> 00:45:26,821 Why can't we talk about it? 875 00:45:27,323 --> 00:45:28,690 It's a covert operation. 876 00:45:28,692 --> 00:45:30,491 Gibney: Not anymore. 877 00:45:30,493 --> 00:45:32,794 I mean, we know what happened, we know who did it. 878 00:45:33,028 --> 00:45:35,730 Well, maybe you don't know as much as you think you know. 879 00:45:36,532 --> 00:45:39,100 Gibney: Well, I'm talking to you because I want to 880 00:45:39,102 --> 00:45:40,501 get the story right. 881 00:45:40,503 --> 00:45:42,463 Well, that's the same reason I'm talking to you. 882 00:45:44,707 --> 00:45:46,507 Gibney: Even though it's a covert operation? 
883 00:45:47,543 --> 00:45:51,379 Look, this is not a Snowden kind of thing, okay? 884 00:45:51,381 --> 00:45:52,714 I think what he did was wrong. 885 00:45:52,716 --> 00:45:55,850 He went too far. He gave away too much. 886 00:45:56,352 --> 00:45:58,353 Unlike Snowden, who was a contractor, 887 00:45:58,355 --> 00:46:00,121 I was in NSA. 888 00:46:00,756 --> 00:46:02,957 I believe in the agency, so what I'm willing to give you 889 00:46:02,959 --> 00:46:04,592 will be limited, but we're talking 890 00:46:04,594 --> 00:46:06,427 because everyone's getting the story wrong 891 00:46:06,429 --> 00:46:08,029 and we have to get it right. 892 00:46:08,031 --> 00:46:09,797 We have to understand these new weapons. 893 00:46:09,799 --> 00:46:11,065 The stakes are too high. 894 00:46:11,067 --> 00:46:12,367 Gibney: What do you mean? 895 00:46:14,470 --> 00:46:16,437 We did STUXnet. 896 00:46:17,640 --> 00:46:18,806 It's a fact. 897 00:46:18,808 --> 00:46:22,543 You know, we came so fucking close to disaster, 898 00:46:22,545 --> 00:46:24,212 and we're still on the edge. 899 00:46:25,748 --> 00:46:30,818 It was a huge multinational, interagency operation. 900 00:46:32,087 --> 00:46:34,789 In the U.S. it was CIA, 901 00:46:35,257 --> 00:46:38,726 NSA, and the military Cyber Command. 902 00:46:39,228 --> 00:46:42,897 From Britain, we used Iran intel out of GCHQ, 903 00:46:43,499 --> 00:46:45,333 but the main partner was Israel. 904 00:46:45,335 --> 00:46:46,834 Over there, Mossad ran the show, 905 00:46:46,836 --> 00:46:49,570 and the technical work was done by Unit 8200. 906 00:46:50,506 --> 00:46:53,508 Israel is really the key to the story. 907 00:46:57,946 --> 00:47:01,015 Melman: Oh, traffic in Israel is so unpredictable. 908 00:47:03,118 --> 00:47:06,187 Gibney: Yossi, how did you get into this whole STUXnet story? 
909 00:47:07,356 --> 00:47:10,358 I have been covering the Israeli intelligence 910 00:47:10,360 --> 00:47:12,660 in general, in the Mossad in particular 911 00:47:12,662 --> 00:47:16,064 for nearly 30 years. 912 00:47:16,465 --> 00:47:19,534 In '82, I was a London-based correspondent 913 00:47:19,536 --> 00:47:22,970 and I covered a trial of terrorists, 914 00:47:22,972 --> 00:47:27,275 and I became more familiar with this topic of terrorism, 915 00:47:27,277 --> 00:47:31,446 and slowly but surely, I started covering it as a beat. 916 00:47:34,316 --> 00:47:37,352 Israel, we live in a very rough neighborhood 917 00:47:37,354 --> 00:47:39,721 where the... the democratic values, 918 00:47:39,723 --> 00:47:43,024 western values, are very rare. 919 00:47:43,459 --> 00:47:47,362 But Israel pretends to be a free, democratic, 920 00:47:47,364 --> 00:47:49,430 westernized society, 921 00:47:49,898 --> 00:47:53,201 posh neighborhoods, rich people, 922 00:47:53,369 --> 00:47:56,371 youngsters who are having 923 00:47:56,373 --> 00:47:59,407 almost similar mind-set to their American 924 00:47:59,409 --> 00:48:01,642 or western European counterparts. 925 00:48:01,644 --> 00:48:04,379 On the other hand, you see a lot of scenes 926 00:48:04,381 --> 00:48:08,583 and events which resemble the real Middle East, 927 00:48:08,585 --> 00:48:14,355 terror attacks, radicals, fanatics, religious zealots. 928 00:48:18,728 --> 00:48:21,829 I knew that Israel is trying to slow down 929 00:48:21,831 --> 00:48:23,498 Iran's nuclear program, 930 00:48:23,500 --> 00:48:26,267 and therefore, I came to the conclusion that 931 00:48:26,269 --> 00:48:29,437 if there was a virus infecting Iran's computers, 932 00:48:29,439 --> 00:48:35,243 it's... it's one more element in... in this larger picture 933 00:48:35,944 --> 00:48:38,379 based on past precedents. 
934 00:48:42,952 --> 00:48:46,621 Yadlin: 1981 I was an F-16 pilot, 935 00:48:47,055 --> 00:48:50,558 and we were told that, unlike our dream 936 00:48:50,560 --> 00:48:53,995 to do dogfights and to kill MIGs, 937 00:48:54,563 --> 00:48:58,199 we have to be prepared for a long-range mission 938 00:48:58,867 --> 00:49:01,502 to destroy a valuable target. 939 00:49:02,271 --> 00:49:03,971 Nobody told us what is 940 00:49:03,973 --> 00:49:06,374 this very valuable strategic target. 941 00:49:07,376 --> 00:49:10,545 It was 600 miles from Israel. 942 00:49:11,914 --> 00:49:15,383 So we train our self to do the job, 943 00:49:15,385 --> 00:49:19,220 which was very difficult. No air refueling at that time. 944 00:49:19,621 --> 00:49:21,689 No satellites for reconnaissance. 945 00:49:23,625 --> 00:49:26,027 Fuel was on the limit. 946 00:49:26,595 --> 00:49:28,896 Pilot: What? Whoa! Whoa! 947 00:49:31,834 --> 00:49:33,234 Yadlin: At the end of the day, 948 00:49:33,969 --> 00:49:35,703 we accomplished the mission. 949 00:49:36,171 --> 00:49:37,472 Gibney: Which was? 950 00:49:37,940 --> 00:49:40,842 Yadlin: To destroy the Iraqi nuclear reactor 951 00:49:40,844 --> 00:49:44,679 near Baghdad, which was called Osirak. 952 00:49:44,913 --> 00:49:50,952 And Iraq never was able to accomplish 953 00:49:50,954 --> 00:49:53,521 its ambition to have a nuclear bomb. 954 00:49:55,524 --> 00:49:58,125 Melman: Amos Yadlin, General Yadlin, 955 00:49:58,127 --> 00:50:00,928 he was the head of the military intelligence. 956 00:50:01,330 --> 00:50:04,799 The biggest unit within that organization 957 00:50:04,801 --> 00:50:06,601 was Unit 8200. 958 00:50:07,302 --> 00:50:09,704 They'd block telephones, they'd block faxes, 959 00:50:09,706 --> 00:50:11,873 they're breaking into computers. 
960 00:50:14,209 --> 00:50:16,511 A decade ago, when Yadlin became 961 00:50:16,513 --> 00:50:18,446 the chief of military intelligence, 962 00:50:18,947 --> 00:50:23,451 there was no cyber warfare unit in 8200. 963 00:50:26,388 --> 00:50:30,157 So they started recruiting very talented people, 964 00:50:30,159 --> 00:50:32,727 hackers either from the military 965 00:50:32,729 --> 00:50:35,296 or outside the military that can contribute 966 00:50:35,298 --> 00:50:38,466 to the project of building a cyber warfare unit. 967 00:50:41,203 --> 00:50:45,706 Yadlin: In the 19th century, there were only Army and Navy. 968 00:50:45,708 --> 00:50:49,510 In the 20th century, we got air power 969 00:50:49,512 --> 00:50:51,245 as a third dimension of war. 970 00:50:51,880 --> 00:50:53,848 In the 21st century, 971 00:50:53,850 --> 00:50:57,385 cyber will be the fourth dimension of war. 972 00:50:58,353 --> 00:50:59,887 It's another kind of weapon 973 00:50:59,889 --> 00:51:04,492 and it is for unlimited range in a very high speed 974 00:51:04,893 --> 00:51:07,028 and in a very low signature. 975 00:51:07,030 --> 00:51:09,564 So this give you a huge opportunity... 976 00:51:10,666 --> 00:51:13,935 And the superpowers have to change 977 00:51:13,937 --> 00:51:16,003 the way we think about warfare. 978 00:51:18,241 --> 00:51:20,274 Finally we are transforming our military 979 00:51:20,276 --> 00:51:22,944 for a new kind of war that we're fighting now... 980 00:51:24,413 --> 00:51:25,846 And for wars of tomorrow. 981 00:51:27,182 --> 00:51:29,283 We have made our military better trained, 982 00:51:29,285 --> 00:51:32,186 better equipped, and better prepared 983 00:51:32,188 --> 00:51:34,956 to meet the threats facing America today 984 00:51:34,958 --> 00:51:37,191 and tomorrow and long in the future. 985 00:51:40,963 --> 00:51:43,598 Sanger: Back in the end of the Bush Administration, 986 00:51:43,600 --> 00:51:45,533 people within the U.S. 
government 987 00:51:45,535 --> 00:51:48,736 were just beginning to convince President Bush 988 00:51:48,738 --> 00:51:51,639 to pour money into offensive cyber weapons. 989 00:51:52,608 --> 00:51:55,643 STUXnet started off in the defense department. 990 00:51:56,311 --> 00:51:58,613 Then Robert Gates, Secretary of Defense, 991 00:51:59,081 --> 00:52:01,248 reviewed this program and he said, 992 00:52:01,250 --> 00:52:03,451 "this program shouldn't be in the defense department. 993 00:52:03,453 --> 00:52:05,953 This should really be under the covert authorities 994 00:52:05,955 --> 00:52:07,788 over in the intelligence world." 995 00:52:08,757 --> 00:52:11,892 So the CIA was very deeply involved 996 00:52:11,894 --> 00:52:13,361 in this operation, 997 00:52:13,662 --> 00:52:16,297 while much of the coding work was done 998 00:52:16,299 --> 00:52:18,699 by The National Security Agency 999 00:52:18,900 --> 00:52:21,969 and Unit 8200, its Israeli equivalent, 1000 00:52:21,971 --> 00:52:25,806 working together with a newly created military position 1001 00:52:25,808 --> 00:52:28,142 called U.S. Cyber Command. 1002 00:52:28,944 --> 00:52:33,147 And interestingly, the director of The National Security Agency 1003 00:52:33,149 --> 00:52:35,750 would also have a second role 1004 00:52:35,752 --> 00:52:39,487 as the commander of U.S. Cyber Command. 1005 00:52:39,955 --> 00:52:43,624 And U.S. Cyber Command is located 1006 00:52:43,626 --> 00:52:47,495 at Fort Meade in the same building as the NSA. 1007 00:52:51,700 --> 00:52:53,734 Col. Gary D. Brown: I was deployed for a year 1008 00:52:54,002 --> 00:52:57,171 giving advice on air operations in Iraq and Afghanistan, 1009 00:52:57,173 --> 00:53:00,007 and when I was returning home after that, 1010 00:53:00,009 --> 00:53:02,009 the assignment I was given was to go 1011 00:53:02,011 --> 00:53:03,444 to U.S. Cyber Command. 1012 00:53:04,613 --> 00:53:06,180 Cyber Command is a... 
1013 00:53:06,481 --> 00:53:09,850 Is the military command that's responsible for 1014 00:53:09,852 --> 00:53:12,887 essentially the conducting of the nation's military affairs 1015 00:53:12,889 --> 00:53:14,288 in cyberspace. 1016 00:53:14,790 --> 00:53:17,191 The stated reason the United States 1017 00:53:17,193 --> 00:53:19,360 decided it needed a Cyber Command 1018 00:53:19,362 --> 00:53:22,563 was because of an event called Operation Buckshot Yankee. 1019 00:53:23,031 --> 00:53:24,632 Chris Inglis: In the fall of 2008, 1020 00:53:24,634 --> 00:53:27,468 we found some adversaries inside 1021 00:53:27,470 --> 00:53:29,070 of our classified networks. 1022 00:53:30,005 --> 00:53:31,572 While it wasn't completely true 1023 00:53:31,574 --> 00:53:34,175 that we always assumed that we were successful 1024 00:53:34,177 --> 00:53:35,910 at defending things at the barrier, 1025 00:53:35,912 --> 00:53:38,079 at the... at the kind of perimeter that we might have 1026 00:53:38,081 --> 00:53:40,081 between our networks and the outside world, 1027 00:53:40,083 --> 00:53:42,149 there was a large confidence 1028 00:53:42,151 --> 00:53:44,318 that we'd been mostly successful. 1029 00:53:44,653 --> 00:53:46,220 But that was a moment in time when we came to 1030 00:53:46,222 --> 00:53:49,790 the quick conclusion that it... it's not really ever secure. 1031 00:53:50,659 --> 00:53:53,360 That then accelerated The Department of Defense's 1032 00:53:53,362 --> 00:53:54,929 progress towards what ultimately 1033 00:53:54,931 --> 00:53:56,063 became Cyber Command. 1034 00:53:59,367 --> 00:54:00,568 Good morning. 1035 00:54:01,870 --> 00:54:03,070 Good morning. 1036 00:54:03,238 --> 00:54:05,318 Good morning, sir. Cyber has one item for you today. 1037 00:54:05,774 --> 00:54:07,441 Earlier this week, Antok analysts 1038 00:54:07,443 --> 00:54:09,777 detected a foreign adversary using known methods 1039 00:54:09,779 --> 00:54:11,612 to access the U.S. military network. 
1040 00:54:12,080 --> 00:54:13,681 We identified the malicious activity 1041 00:54:13,683 --> 00:54:15,616 via data collected through our information assurance 1042 00:54:15,618 --> 00:54:17,118 and signals from intelligence authorities 1043 00:54:17,120 --> 00:54:19,286 and confirmed it was a cyber adversary. 1044 00:54:19,288 --> 00:54:21,956 We provided data to our cyber partners within the DOD... 1045 00:54:21,958 --> 00:54:24,225 You think of NSA as an institution 1046 00:54:24,227 --> 00:54:27,094 that essentially uses its abilities in cyberspace 1047 00:54:27,462 --> 00:54:29,864 to help defend communications in that space. 1048 00:54:30,198 --> 00:54:32,133 Cyber Command extends that capability 1049 00:54:32,135 --> 00:54:35,503 by saying that they will then take responsibility to attack. 1050 00:54:36,972 --> 00:54:39,974 Hayden: NSA has no legal authority to attack. 1051 00:54:39,976 --> 00:54:42,209 It's never had it, I doubt that it ever will. 1052 00:54:42,711 --> 00:54:44,779 It might explain why U.S. Cyber Command 1053 00:54:44,781 --> 00:54:46,480 is sitting out at Fort Meade on top of 1054 00:54:46,482 --> 00:54:48,215 The National Security Agency, 1055 00:54:48,217 --> 00:54:50,985 because NSA has the abilities to do these things. 1056 00:54:51,286 --> 00:54:54,088 Cyber Command has the authority to do these things. 1057 00:54:54,090 --> 00:54:57,324 And "these things" here refer to the cyber-attack. 1058 00:54:57,326 --> 00:54:59,360 This is a huge change 1059 00:54:59,995 --> 00:55:03,664 for the nature of the intelligence agencies. 1060 00:55:04,099 --> 00:55:06,901 The NSA was supposed to be a code-making 1061 00:55:06,903 --> 00:55:09,270 and code-breaking operation 1062 00:55:09,272 --> 00:55:13,440 to monitor the communications of foreign powers 1063 00:55:13,442 --> 00:55:14,842 and American adversaries 1064 00:55:14,844 --> 00:55:17,178 in the defense of the United States. 
1065 00:55:17,679 --> 00:55:21,182 But creating a Cyber Command meant using 1066 00:55:21,184 --> 00:55:24,218 the same technology to do offense. 1067 00:55:26,354 --> 00:55:30,357 Once you get inside an adversary's computer networks, 1068 00:55:30,359 --> 00:55:33,194 you put an implant in that network. 1069 00:55:33,428 --> 00:55:36,030 And we have tens of thousands of foreign computers 1070 00:55:36,032 --> 00:55:38,766 and networks that the United States put implants in. 1071 00:55:39,534 --> 00:55:42,536 You can use it to monitor what's going across 1072 00:55:42,538 --> 00:55:44,538 that network and you can use it 1073 00:55:44,540 --> 00:55:47,775 to insert cyber weapons, malware. 1074 00:55:48,877 --> 00:55:52,079 If you can spy on a network, you can manipulate it. 1075 00:55:52,781 --> 00:55:54,515 It's already included. 1076 00:55:54,716 --> 00:55:57,051 The only thing you need is an act of will. 1077 00:56:01,057 --> 00:56:02,857 NSA source: I played a role in Iraq. 1078 00:56:02,859 --> 00:56:05,226 I can't tell you whether it was military or not, 1079 00:56:05,228 --> 00:56:06,827 but I can tell you 1080 00:56:06,829 --> 00:56:09,163 NSA had combat support teams in country. 1081 00:56:10,700 --> 00:56:13,367 And for the first time, units in the field 1082 00:56:13,369 --> 00:56:15,769 had direct access to NSA intel. 1083 00:56:18,341 --> 00:56:20,207 Over time, we thought more about offense 1084 00:56:20,209 --> 00:56:21,675 than defense, you know, 1085 00:56:21,677 --> 00:56:23,410 more about attacking than intelligence. 1086 00:56:24,713 --> 00:56:27,748 In the old days, sigint units would try to track radios, 1087 00:56:27,750 --> 00:56:30,017 but through NSA in Iraq, 1088 00:56:30,019 --> 00:56:32,052 we had access to all the networks 1089 00:56:32,054 --> 00:56:33,587 going in and out of the country. 1090 00:56:33,589 --> 00:56:35,656 And we hoovered up every text message, 1091 00:56:35,658 --> 00:56:37,157 email, and phone call. 
1092 00:56:37,692 --> 00:56:40,094 A complete surveillance state. 1093 00:56:40,996 --> 00:56:45,065 We could find the bad guys, say, a gang making IEDs, 1094 00:56:45,067 --> 00:56:48,602 map their networks, and follow them in real time. 1095 00:56:48,604 --> 00:56:49,904 Soldier: Roger. 1096 00:56:49,906 --> 00:56:51,705 NSA source: And we could lock into cell phones 1097 00:56:51,707 --> 00:56:53,774 even when they were off and send a fake text 1098 00:56:53,776 --> 00:56:56,210 from a friend, suggest a meeting place, 1099 00:56:56,212 --> 00:56:58,078 and then capture... 1100 00:56:58,080 --> 00:56:59,446 Soldier: 1A, clear to fire. 1101 00:56:59,915 --> 00:57:01,215 ...or kill. 1102 00:57:01,217 --> 00:57:02,316 Soldier: Good shot. 1103 00:57:05,353 --> 00:57:07,621 Brown: A lot of the people that came to Cyber Command, 1104 00:57:07,623 --> 00:57:09,456 the military guys, came directly from 1105 00:57:09,458 --> 00:57:11,458 an assignment in Afghanistan or Iraq, 1106 00:57:11,460 --> 00:57:14,028 'cause those are the people with experience 1107 00:57:14,030 --> 00:57:15,963 and expertise in operations, 1108 00:57:15,965 --> 00:57:17,898 and those are the ones you want looking at this 1109 00:57:17,900 --> 00:57:19,934 to see how cyber could facilitate 1110 00:57:19,936 --> 00:57:22,169 traditional military operations. 1111 00:57:33,882 --> 00:57:35,716 NSA source: Fresh from the surge, 1112 00:57:35,718 --> 00:57:40,220 I went to work at NSA in '07 in a supervisory capacity. 1113 00:57:40,222 --> 00:57:42,389 Gibney: Exactly where did you work? 1114 00:57:42,391 --> 00:57:43,724 NSA source: Fort Meade. 1115 00:57:43,726 --> 00:57:45,459 You know, I commuted to that massive complex 1116 00:57:45,461 --> 00:57:46,894 every single day. 1117 00:57:48,229 --> 00:57:52,533 I was in TAO-S321, "The Roc." 1118 00:57:53,101 --> 00:57:55,169 Gibney: Okay, the TAO, The Roc? 1119 00:57:55,337 --> 00:57:58,572 Right, sorry. TAO is tailored access operations. 
1120 00:57:58,574 --> 00:58:00,607 It's where NSA's hackers work. 1121 00:58:00,609 --> 00:58:02,376 Of course, we didn't call them that. 1122 00:58:02,644 --> 00:58:03,978 Gibney: What did you call them? 1123 00:58:04,145 --> 00:58:05,512 NSA source: On net operators. 1124 00:58:05,814 --> 00:58:08,349 They're the only people at NSA allowed to break in 1125 00:58:08,351 --> 00:58:09,850 or attack on the Internet. 1126 00:58:10,852 --> 00:58:12,953 Inside TAO headquarters is The Roc, 1127 00:58:12,955 --> 00:58:14,555 remote operations center. 1128 00:58:15,357 --> 00:58:18,559 If the U.S. government wants to get in somewhere, 1129 00:58:19,627 --> 00:58:21,028 it goes to The Roc. 1130 00:58:21,196 --> 00:58:24,064 I mean, we were flooded with requests. 1131 00:58:24,799 --> 00:58:27,334 So many that we could only do about, mm, 1132 00:58:27,336 --> 00:58:30,504 30% of the missions that were requested of us at one time, 1133 00:58:30,506 --> 00:58:32,139 through the web 1134 00:58:32,141 --> 00:58:35,009 but also by hijacking shipments of parts. 1135 00:58:35,877 --> 00:58:37,878 You know, sometimes the CIA would assist 1136 00:58:37,880 --> 00:58:40,514 in putting implants in machines, 1137 00:58:41,716 --> 00:58:44,451 so once inside a target network, 1138 00:58:45,320 --> 00:58:46,587 we could just... 1139 00:58:47,555 --> 00:58:48,756 Watch... 1140 00:58:50,492 --> 00:58:52,059 Or we could attack. 1141 00:58:55,864 --> 00:58:59,400 Inside NSA was a strange kind of culture, 1142 00:58:59,402 --> 00:59:01,802 like, two parts macho military 1143 00:59:01,804 --> 00:59:05,906 and two parts cyber geek. I mean, I came from Iraq, 1144 00:59:05,908 --> 00:59:07,808 so I was used to, "Yes, sir. No, sir." 1145 00:59:07,810 --> 00:59:09,910 But for the weapons programmers 1146 00:59:09,912 --> 00:59:12,479 we needed more "think outside the box" types. 
1147 00:59:13,314 --> 00:59:15,049 From cubicle to cubicle, 1148 00:59:15,051 --> 00:59:18,318 you'd see lightsabers, Tribbles, 1149 00:59:18,320 --> 00:59:20,487 those Naruto action figures, 1150 00:59:20,489 --> 00:59:22,790 lots of Aqua Teen Hunger Force. 1151 00:59:25,527 --> 00:59:29,129 This one guy, they were mostly guys, 1152 00:59:30,098 --> 00:59:32,232 who liked to wear a yellow hooded cape, 1153 00:59:32,700 --> 00:59:36,303 he used a ton of gray Legos to build a massive Death Star. 1154 00:59:39,340 --> 00:59:41,508 Gibney: Were they all working on STUXnet? 1155 00:59:42,077 --> 00:59:44,111 NSA source: We never called it STUXnet. 1156 00:59:44,113 --> 00:59:46,880 That was the name invented by the antivirus guys. 1157 00:59:46,882 --> 00:59:48,882 When it hit the papers, 1158 00:59:48,884 --> 00:59:50,884 we're not allowed to read about classified operations, 1159 00:59:50,886 --> 00:59:52,386 even if it's in The New York Times. 1160 00:59:52,388 --> 00:59:54,088 We went out of our way to avoid the term. 1161 00:59:54,090 --> 00:59:56,023 I mean, saying "STUXnet" out loud 1162 00:59:56,025 --> 00:59:58,192 was like saying "Voldemort" in Harry Potter. 1163 00:59:58,194 --> 00:59:59,827 The name that shall not be spoken. 1164 01:00:00,128 --> 01:00:01,628 Gibney: What did you call it then? 1165 01:00:10,105 --> 01:00:13,640 The Natanz attack, and this is out there already, 1166 01:00:14,542 --> 01:00:18,512 was called Olympic Games or OG. 1167 01:00:22,050 --> 01:00:24,485 There was a huge operation to test the code 1168 01:00:24,487 --> 01:00:26,854 on PLCs here at Fort Meade 1169 01:00:27,422 --> 01:00:29,857 and in Sandia, New Mexico. 1170 01:00:31,626 --> 01:00:33,060 Remember during the Bush era 1171 01:00:33,062 --> 01:00:35,496 when Libya turned over all the centrifuges? 1172 01:00:35,930 --> 01:00:38,098 Those were the same models the Iranians got 1173 01:00:38,100 --> 01:00:40,400 from A.Q. Khan. P1s. 
1174 01:00:41,803 --> 01:00:44,271 We took them to Oak Ridge and used them 1175 01:00:44,273 --> 01:00:47,808 to test the code which demolished the insides. 1176 01:00:48,843 --> 01:00:52,713 At Dimona, the Israelis also tested on the P1s. 1177 01:00:54,149 --> 01:00:56,750 Then, partly by using our intel on Iran, 1178 01:00:56,752 --> 01:00:59,987 we got the plans for the newer models, the IR-2s. 1179 01:01:00,855 --> 01:01:03,090 We tried out different attack vectors. 1180 01:01:03,092 --> 01:01:07,394 We ended up focusing on ways to destroy the rotor tubes. 1181 01:01:08,296 --> 01:01:11,732 In the tests we ran, we blew them apart. 1182 01:01:13,201 --> 01:01:15,135 They swept up the pieces, 1183 01:01:15,137 --> 01:01:17,838 they put it on an airplane, they flew it to Washington, 1184 01:01:17,840 --> 01:01:19,540 they stuck it in the truck, 1185 01:01:19,542 --> 01:01:21,508 they drove it through the gates of the White House, 1186 01:01:21,510 --> 01:01:25,646 and dumped the shards out on the conference room table 1187 01:01:25,648 --> 01:01:27,347 in the Situation Room. 1188 01:01:27,349 --> 01:01:28,882 And then they invited President Bush 1189 01:01:28,884 --> 01:01:30,450 to come down and take a look. 1190 01:01:30,452 --> 01:01:32,286 And when he could pick up the shard 1191 01:01:32,288 --> 01:01:34,054 of a piece of centrifuge... 1192 01:01:35,023 --> 01:01:37,257 He was convinced this might be worth it, 1193 01:01:37,559 --> 01:01:39,359 and he said, "go ahead and try." 1194 01:01:40,195 --> 01:01:43,130 Gibney: Was there legal concern inside the Bush Administration 1195 01:01:43,132 --> 01:01:45,532 that this might be an act of undeclared war? 1196 01:01:46,467 --> 01:01:50,237 If there were concerns, I haven't found them. 
1197 01:01:51,506 --> 01:01:54,174 That doesn't mean that they didn't exist 1198 01:01:54,176 --> 01:01:56,176 and that some lawyers somewhere 1199 01:01:56,178 --> 01:01:57,744 weren't concerned about it, 1200 01:01:57,746 --> 01:02:01,081 but this was an entirely new territory. 1201 01:02:01,683 --> 01:02:04,184 At the time, there were really very few people 1202 01:02:04,186 --> 01:02:08,322 who had expertise specifically on the law of war and cyber. 1203 01:02:08,723 --> 01:02:10,991 And basically what we did was looking at, okay, 1204 01:02:10,993 --> 01:02:12,459 here's our broad direction. 1205 01:02:13,027 --> 01:02:15,629 Now, let's look... technically what can we do 1206 01:02:16,030 --> 01:02:17,898 to facilitate this broad direction? 1207 01:02:18,166 --> 01:02:21,034 After that, maybe the... I would come in 1208 01:02:21,036 --> 01:02:23,604 or one of my lawyers would come in and say, 1209 01:02:23,606 --> 01:02:27,574 "okay, this is what we may do." Okay. 1210 01:02:28,677 --> 01:02:29,776 There are many things we can do, 1211 01:02:29,778 --> 01:02:31,778 but we are not allowed to do them. 1212 01:02:31,780 --> 01:02:33,914 And then after that, there's still a final level 1213 01:02:33,916 --> 01:02:35,816 that we look at and that's, what should we do? 1214 01:02:36,217 --> 01:02:38,185 Because there are many things that would be 1215 01:02:38,187 --> 01:02:41,455 technically possible and technically legal 1216 01:02:41,457 --> 01:02:42,990 but a bad idea. 1217 01:02:43,524 --> 01:02:47,227 For Natanz, it was a CIA-led operation, 1218 01:02:47,229 --> 01:02:49,663 so we had to have agency sign-off. 1219 01:02:49,964 --> 01:02:51,131 Gibney: Really? 1220 01:02:51,299 --> 01:02:54,134 Someone from the agency 1221 01:02:54,969 --> 01:02:57,104 stood behind the operator and the analyst 1222 01:02:57,106 --> 01:03:00,040 and gave the order to launch every attack. 
1223 01:03:07,649 --> 01:03:09,483 Chien: Before they had even started this attack, 1224 01:03:09,485 --> 01:03:11,718 they put inside of the code the kill date, 1225 01:03:12,053 --> 01:03:13,820 a date at which it would stop operating. 1226 01:03:14,389 --> 01:03:16,490 O'Murchu: Cutoff dates, we don't normally see that 1227 01:03:16,492 --> 01:03:18,158 in other threats, and you have to think, 1228 01:03:18,160 --> 01:03:20,060 "well, why is there a cutoff date in there?" 1229 01:03:20,495 --> 01:03:22,929 And when you realize that, well, STUXnet was probably 1230 01:03:22,931 --> 01:03:26,133 written by government and that there are laws 1231 01:03:26,135 --> 01:03:29,002 regarding how you can use this sort of software, 1232 01:03:29,004 --> 01:03:31,638 that there may have been a legal team who said, "no, you... 1233 01:03:31,640 --> 01:03:33,840 You need to have a cutoff date in there, 1234 01:03:33,842 --> 01:03:35,942 and you can only do this and you can only go that far 1235 01:03:35,944 --> 01:03:37,744 and we need to check if this is legal or not." 1236 01:03:39,614 --> 01:03:42,883 That date is a few days before Obama's inauguration. 1237 01:03:43,918 --> 01:03:46,787 So the theory was that this was an operation 1238 01:03:46,789 --> 01:03:49,189 that needed to be stopped at a certain time 1239 01:03:49,191 --> 01:03:51,591 because there was gonna be a handover 1240 01:03:51,593 --> 01:03:53,927 and that more approval was needed. 1241 01:03:57,166 --> 01:03:59,032 Are you prepared to take the oath, senator? 1242 01:03:59,034 --> 01:04:00,267 I am. 1243 01:04:00,635 --> 01:04:02,602 I, Barack Hussein Obama... 1244 01:04:02,604 --> 01:04:04,137 - I, Barack... - Do solemnly swear... 1245 01:04:04,139 --> 01:04:06,740 I, Barack Hussein Obama, do solemnly swear... 1246 01:04:06,941 --> 01:04:10,477 Sanger: Olympic Games was reauthorized by President Obama 1247 01:04:10,479 --> 01:04:12,279 in his first year in office, 2009. 
1248 01:04:16,784 --> 01:04:18,885 It was fascinating because it was the first year of 1249 01:04:18,887 --> 01:04:20,887 the Obama administration and they would talk to you 1250 01:04:20,889 --> 01:04:23,690 endlessly about cyber defense. 1251 01:04:24,459 --> 01:04:25,625 Obama: We count on computer networks 1252 01:04:25,627 --> 01:04:28,762 to deliver our oil and gas, our power, and our water. 1253 01:04:29,063 --> 01:04:32,299 We rely on them for public transportation 1254 01:04:32,301 --> 01:04:33,867 and air traffic control. 1255 01:04:34,235 --> 01:04:36,336 But just as we failed in the past 1256 01:04:36,338 --> 01:04:38,372 to invest in our physical infrastructure, 1257 01:04:38,673 --> 01:04:41,041 our roads, our Bridges, and rails, 1258 01:04:41,376 --> 01:04:43,076 we failed to invest in the security 1259 01:04:43,078 --> 01:04:44,945 of our digital infrastructure. 1260 01:04:45,146 --> 01:04:47,547 Sanger: He was running East Room events 1261 01:04:47,749 --> 01:04:50,484 trying to get people to focus on the need to 1262 01:04:50,486 --> 01:04:52,419 defend cyber networks 1263 01:04:52,421 --> 01:04:54,154 and defend American infrastructure. 1264 01:04:54,522 --> 01:04:58,058 But when you asked questions about the use of 1265 01:04:58,060 --> 01:05:01,661 offensive cyber weapons, everything went dead. 1266 01:05:01,663 --> 01:05:03,397 No cooperation. 1267 01:05:03,399 --> 01:05:05,499 White House wouldn't help, Pentagon wouldn't help, 1268 01:05:05,501 --> 01:05:06,666 NSA wouldn't help. 1269 01:05:06,901 --> 01:05:08,335 Nobody would talk to you about it. 1270 01:05:09,237 --> 01:05:10,871 But when you dug into the budget 1271 01:05:10,873 --> 01:05:14,107 for cyber spending during the Obama administration, 1272 01:05:14,109 --> 01:05:16,042 what you discovered was 1273 01:05:16,044 --> 01:05:19,446 much of it was being spent on offensive cyber weapons. 
1274 01:05:21,249 --> 01:05:25,752 You see phrases like "Title 10 CNO." 1275 01:05:26,187 --> 01:05:29,456 Title 10 means operations for the U.S. military, 1276 01:05:29,724 --> 01:05:33,994 and CNO means computer network operations. 1277 01:05:34,695 --> 01:05:36,263 This is considerable evidence 1278 01:05:36,265 --> 01:05:38,865 that STUXnet was just the opening wedge 1279 01:05:39,534 --> 01:05:43,336 of what is a much broader U.S. government effort now 1280 01:05:43,771 --> 01:05:46,807 to develop an entire new class of weapons. 1281 01:05:52,380 --> 01:05:55,115 Chien: STUXnet wasn't just an evolution. 1282 01:05:55,117 --> 01:05:57,784 It was really a revolution in the threat landscape. 1283 01:05:59,587 --> 01:06:02,556 In the past, the vast majority of threats that we saw 1284 01:06:02,558 --> 01:06:04,558 were always controlled by an operator somewhere. 1285 01:06:04,560 --> 01:06:06,259 They would infect your machines, 1286 01:06:06,261 --> 01:06:08,094 but they would have what's called a callback 1287 01:06:08,096 --> 01:06:09,629 or a command-and-control channel. 1288 01:06:09,797 --> 01:06:11,932 The threats would actually contact the operator 1289 01:06:11,934 --> 01:06:13,333 and say, what do you want me to do next? 1290 01:06:13,335 --> 01:06:14,901 And the operator would send down commands 1291 01:06:14,903 --> 01:06:16,837 and say, maybe, search through this directory, 1292 01:06:16,839 --> 01:06:18,772 find these folders, find these files, 1293 01:06:18,774 --> 01:06:20,607 upload these files to me, spread to this other machine, 1294 01:06:20,609 --> 01:06:22,075 things of that nature. 1295 01:06:22,610 --> 01:06:25,679 But STUXnet couldn't have a command-and-control channel 1296 01:06:26,147 --> 01:06:28,915 because once it got inside in Natanz 1297 01:06:28,917 --> 01:06:31,651 it would not have been able to reach back out to the attackers. 
1298 01:06:31,653 --> 01:06:33,954 The Natanz network is completely air gapped 1299 01:06:33,956 --> 01:06:35,155 from the rest of the Internet. 1300 01:06:35,157 --> 01:06:36,523 It's not connected to the Internet. 1301 01:06:36,525 --> 01:06:37,991 It's its own isolated network. 1302 01:06:37,993 --> 01:06:39,759 Generally, getting across an air gap is... 1303 01:06:39,761 --> 01:06:41,361 Is one of the more difficult challenges 1304 01:06:41,363 --> 01:06:43,630 that attackers will face just because of the fact that 1305 01:06:43,632 --> 01:06:46,533 there... everything is in place to prevent that. 1306 01:06:46,535 --> 01:06:49,102 You know, everything, you know, the policies and procedures 1307 01:06:49,104 --> 01:06:51,004 and the physical network that's in place is 1308 01:06:51,006 --> 01:06:54,474 specifically designed to prevent you crossing the air gap. 1309 01:06:54,476 --> 01:06:56,943 But there's no truly air-gapped network 1310 01:06:56,945 --> 01:06:59,212 in these real-world production environments. 1311 01:06:59,214 --> 01:07:01,281 People gotta get new code into Natanz. 1312 01:07:01,283 --> 01:07:04,184 People have to get log files off of this network in Natanz. 1313 01:07:04,186 --> 01:07:05,652 People have to upgrade equipment. 1314 01:07:05,654 --> 01:07:07,354 People have to upgrade computers. 1315 01:07:07,555 --> 01:07:10,690 This highlights one of the major 1316 01:07:11,192 --> 01:07:14,127 security issues that we have in the field. 1317 01:07:14,129 --> 01:07:17,030 If you think, "well, nobody can attack 1318 01:07:17,032 --> 01:07:19,299 this power plant or this chemical plant 1319 01:07:19,301 --> 01:07:21,034 because it's not connected to the Internet," 1320 01:07:21,036 --> 01:07:22,903 that's a bizarre illusion. 
1321 01:07:26,541 --> 01:07:29,876 NSA source: The first time we introduced the code into Natanz 1322 01:07:30,411 --> 01:07:32,212 we used human assets, 1323 01:07:33,080 --> 01:07:36,650 maybe CIA, more likely Mossad, 1324 01:07:36,652 --> 01:07:40,053 but our team was kept in the dark about the trade craft. 1325 01:07:40,988 --> 01:07:43,490 We heard rumors in Moscow, 1326 01:07:43,492 --> 01:07:47,327 an Iranian laptop infected by a phony Siemens technician 1327 01:07:47,329 --> 01:07:48,628 with a flash drive... 1328 01:07:50,164 --> 01:07:53,300 A double agent in Iran with access to Natanz, 1329 01:07:53,868 --> 01:07:55,602 but I don't really know. 1330 01:07:55,604 --> 01:07:58,305 What we had to focus on was to write the code 1331 01:07:58,906 --> 01:08:02,342 so that, once inside, the worm acted on its own. 1332 01:08:02,543 --> 01:08:04,911 They built in all the code and all the logic 1333 01:08:04,913 --> 01:08:07,714 into the threat to be able to operate all by itself. 1334 01:08:07,716 --> 01:08:09,950 It had the ability to spread by itself. 1335 01:08:09,952 --> 01:08:13,019 It had the ability to figure out, do I have the right PLCs? 1336 01:08:13,021 --> 01:08:15,956 Have I arrived in Natanz? Am I at the target? 1337 01:08:15,958 --> 01:08:17,524 Langner: And when it's on target, 1338 01:08:17,526 --> 01:08:19,693 it executes autonomously. 1339 01:08:20,061 --> 01:08:23,363 That also means you... you cannot call off the attack. 1340 01:08:24,031 --> 01:08:25,765 It was definitely the type of attack 1341 01:08:26,367 --> 01:08:27,867 where someone had decided 1342 01:08:28,569 --> 01:08:30,370 that this is what they wanted to do. 1343 01:08:30,905 --> 01:08:33,707 There was no turning back once STUXnet was released. 
1344 01:08:38,913 --> 01:08:41,047 When it began to actually execute its payload, 1345 01:08:41,049 --> 01:08:43,316 you would have a whole bunch of centrifuges 1346 01:08:43,318 --> 01:08:46,419 in a huge array of cascades sitting in a big hall. 1347 01:08:46,421 --> 01:08:48,622 And then just off that hall 1348 01:08:48,624 --> 01:08:50,423 you would have an operators room, 1349 01:08:50,425 --> 01:08:52,292 the control panels in front of them, a big window 1350 01:08:52,294 --> 01:08:53,734 where they could see into the hall. 1351 01:08:54,295 --> 01:08:56,496 Computers monitor the activities 1352 01:08:56,498 --> 01:08:57,864 of all these centrifuges. 1353 01:08:58,733 --> 01:09:02,802 So a centrifuge, it's driven by an electrical motor. 1354 01:09:03,404 --> 01:09:06,306 And the speed of this electrical motor 1355 01:09:06,308 --> 01:09:09,509 is controlled by another PLC, 1356 01:09:09,511 --> 01:09:11,211 by another programmable logic controller. 1357 01:09:13,414 --> 01:09:17,117 Chien: STUXnet would wait for 13 days 1358 01:09:17,119 --> 01:09:18,418 before doing anything, 1359 01:09:18,420 --> 01:09:20,520 because 13 days is about the time it takes 1360 01:09:20,522 --> 01:09:23,490 to actually fill an entire cascade of centrifuges 1361 01:09:23,492 --> 01:09:25,025 with uranium. 1362 01:09:25,326 --> 01:09:28,161 They didn't want to attack when the centrifuges essentially 1363 01:09:28,163 --> 01:09:30,530 were empty or at the beginning of the enrichment process. 1364 01:09:31,799 --> 01:09:34,167 What STUXnet did was it actually would sit there 1365 01:09:34,169 --> 01:09:36,870 during the 13 days and basically record 1366 01:09:36,872 --> 01:09:38,872 all of the normal activities 1367 01:09:38,874 --> 01:09:40,407 that were happening and save it. 1368 01:09:41,208 --> 01:09:43,543 And once they saw them spinning for 13 days, 1369 01:09:43,545 --> 01:09:45,178 then the attack occurred. 
1370 01:09:45,946 --> 01:09:48,214 Centrifuges spin at incredible speeds, 1371 01:09:48,216 --> 01:09:50,150 about 1,000 hertz. 1372 01:09:50,152 --> 01:09:52,519 Langner: They have a safe operating speed, 1373 01:09:52,521 --> 01:09:55,355 63,000 revolutions per minute. 1374 01:09:55,656 --> 01:09:58,224 Chien: STUXnet caused the uranium enrichment centrifuges 1375 01:09:58,226 --> 01:10:00,527 to spin up to 1,400 hertz. 1376 01:10:00,529 --> 01:10:03,263 Langner: Up to 80,000 revolutions per minute. 1377 01:10:06,734 --> 01:10:09,169 What would happen was those centrifuges 1378 01:10:09,171 --> 01:10:11,438 would go through what's called a resonance frequency. 1379 01:10:11,972 --> 01:10:14,207 It would go through a frequency at which the metal would 1380 01:10:14,209 --> 01:10:16,076 basically vibrate uncontrollably 1381 01:10:16,078 --> 01:10:17,377 and essentially shatter. 1382 01:10:17,545 --> 01:10:19,746 There'd be uranium gas everywhere. 1383 01:10:20,881 --> 01:10:22,749 And then the second attack they attempted 1384 01:10:22,751 --> 01:10:25,051 was they actually tried to lower it to two hertz. 1385 01:10:25,053 --> 01:10:28,755 They were slowed down to almost standstill. 1386 01:10:29,523 --> 01:10:32,058 Chien: And at two hertz, sort of an opposite effect occurs. 1387 01:10:32,060 --> 01:10:34,327 You can imagine a toy top that you spin 1388 01:10:34,329 --> 01:10:37,230 and as the top begins to slow down, it begins to wobble. 1389 01:10:37,232 --> 01:10:39,232 That's what would happen to these centrifuges. 1390 01:10:39,234 --> 01:10:41,267 They'd begin to wobble and essentially shatter 1391 01:10:41,269 --> 01:10:42,502 and fall apart. 1392 01:10:46,274 --> 01:10:49,109 And instead of sending back to the computer 1393 01:10:49,111 --> 01:10:50,744 what was really happening, it would send back 1394 01:10:50,746 --> 01:10:52,712 that old data that it had recorded. 
1395 01:10:52,714 --> 01:10:54,514 So the computer's sitting there thinking, 1396 01:10:54,516 --> 01:10:56,216 "yep, running at 1,000 hertz, everything is fine. 1397 01:10:56,218 --> 01:10:58,118 Running at 1,000 hertz, everything is fine." 1398 01:10:58,120 --> 01:11:00,954 But those centrifuges are potentially spinning up wildly, 1399 01:11:00,956 --> 01:11:02,756 a huge noise would occur. 1400 01:11:02,758 --> 01:11:04,758 It'd be like, you know, a jet engine. 1401 01:11:08,296 --> 01:11:09,896 So the operators then would know, "whoa, 1402 01:11:09,898 --> 01:11:11,531 something is going wrong here." 1403 01:11:11,533 --> 01:11:13,466 They might look at their monitors and say, "hmm, 1404 01:11:13,468 --> 01:11:15,935 it says it's 1,000 hertz," but they would hear that in the room 1405 01:11:15,937 --> 01:11:17,737 something gravely bad was happening. 1406 01:11:17,739 --> 01:11:21,107 Not only are the operators fooled into thinking 1407 01:11:21,109 --> 01:11:22,909 everything's normal, 1408 01:11:22,911 --> 01:11:27,247 but also any kind of automated protective logic 1409 01:11:27,249 --> 01:11:29,015 is fooled. 1410 01:11:29,884 --> 01:11:31,844 Chien: You can't just turn these centrifuges off. 1411 01:11:32,086 --> 01:11:34,721 They have to be brought down in a very controlled manner. 1412 01:11:34,723 --> 01:11:36,890 And so they would hit, literally, the big red button 1413 01:11:36,892 --> 01:11:38,491 to initiate a graceful shutdown, 1414 01:11:38,826 --> 01:11:40,927 and STUXnet intercepts that code. 1415 01:11:40,929 --> 01:11:42,495 So you would have these operators 1416 01:11:42,497 --> 01:11:44,631 slamming on that button over and over again 1417 01:11:44,633 --> 01:11:45,799 and nothing would happen. 
1418 01:11:47,101 --> 01:11:50,670 Yadlin: If your cyber weapon is good enough, 1419 01:11:50,672 --> 01:11:53,406 if your enemy is not aware of it, 1420 01:11:53,674 --> 01:11:57,310 it is an ideal weapon, because the enemy 1421 01:11:57,312 --> 01:11:59,379 even don't understand what is happening to it. 1422 01:11:59,947 --> 01:12:01,915 Gibney: Maybe even better if the enemy begins to doubt 1423 01:12:01,917 --> 01:12:04,217 - their own capability. - Absolutely. 1424 01:12:04,919 --> 01:12:07,787 Certainly one must conclude 1425 01:12:07,789 --> 01:12:10,590 that what happened at Natanz 1426 01:12:10,592 --> 01:12:12,992 must have driven the engineers crazy, 1427 01:12:12,994 --> 01:12:15,461 because the worst thing that can happen 1428 01:12:15,463 --> 01:12:19,365 to a maintenance engineer is not being able to figure out 1429 01:12:19,367 --> 01:12:22,168 what the cause of specific trouble is. 1430 01:12:22,170 --> 01:12:25,538 So they must have been analyzing themselves to death. 1431 01:12:28,275 --> 01:12:31,077 Heinonen: You know, you see centrifuges blowing up. 1432 01:12:31,445 --> 01:12:35,248 You look the computer screens, they go with the proper speed. 1433 01:12:35,616 --> 01:12:39,285 There's a proper gas pressure. Everything looks beautiful. 1434 01:12:41,889 --> 01:12:45,024 Sanger: Through 2009 it was going pretty smoothly. 1435 01:12:45,026 --> 01:12:46,860 Centrifuges were blowing up. 1436 01:12:46,862 --> 01:12:49,529 The International Atomic Energy Agency inspectors 1437 01:12:49,531 --> 01:12:52,031 would go in to Natanz and they would see that 1438 01:12:52,033 --> 01:12:54,934 whole sections of the centrifuges had been removed. 
1439 01:12:56,170 --> 01:12:59,239 The United States knew from its intelligence channels 1440 01:12:59,241 --> 01:13:02,742 that some Iranian scientists and engineers 1441 01:13:02,744 --> 01:13:06,512 were being fired because the centrifuges were blowing up 1442 01:13:06,514 --> 01:13:09,649 and the Iranians had assumed that this was because 1443 01:13:09,651 --> 01:13:13,152 they had been making errors or manufacturing mistakes. 1444 01:13:13,154 --> 01:13:14,787 Clearly this was somebody's fault. 1445 01:13:15,890 --> 01:13:17,924 So the program was doing 1446 01:13:17,926 --> 01:13:19,759 exactly what it was supposed to be doing, 1447 01:13:20,060 --> 01:13:22,829 which was it was blowing up centrifuges 1448 01:13:23,063 --> 01:13:24,898 and it was leaving no trace 1449 01:13:25,566 --> 01:13:27,667 and leaving the Iranians to wonder 1450 01:13:28,102 --> 01:13:29,469 what they got hit by. 1451 01:13:29,937 --> 01:13:32,572 This was the brilliance of Olympic Games. 1452 01:13:32,873 --> 01:13:34,574 You know, as a former director of a couple of big 1453 01:13:34,576 --> 01:13:35,842 3-letter agencies, 1454 01:13:36,210 --> 01:13:38,645 slowing down 1,000 centrifuges in Natanz... 1455 01:13:39,513 --> 01:13:40,847 Abnormally good. 1456 01:13:40,849 --> 01:13:43,449 There was a need for... for... for buying time. 1457 01:13:43,451 --> 01:13:46,085 There was a need for slowing them down. 1458 01:13:46,087 --> 01:13:48,021 There was the need to try to push them 1459 01:13:48,023 --> 01:13:49,389 to the negotiating table. 1460 01:13:49,391 --> 01:13:51,691 I mean, there are a lot of variables at play here. 
1461 01:13:56,030 --> 01:13:59,666 Sanger: President Obama would go down into the Situation Room, 1462 01:14:00,100 --> 01:14:03,369 and he would have laid out in front of him 1463 01:14:03,371 --> 01:14:05,038 what they called the horse blanket, 1464 01:14:05,040 --> 01:14:07,240 which was a giant schematic 1465 01:14:07,242 --> 01:14:10,710 of the Natanz nuclear enrichment plan. 1466 01:14:11,278 --> 01:14:14,380 And the designers of Olympic Games 1467 01:14:14,382 --> 01:14:17,550 would describe to him what kind of progress they made 1468 01:14:17,552 --> 01:14:19,819 and look for him for the authorization 1469 01:14:19,821 --> 01:14:22,055 to move on ahead to the next attack. 1470 01:14:23,891 --> 01:14:25,925 And at one point during those discussions, 1471 01:14:25,927 --> 01:14:27,660 he said to a number of his aides, 1472 01:14:27,662 --> 01:14:29,262 "you know, I have some concerns 1473 01:14:29,264 --> 01:14:31,731 because once word of this gets out," 1474 01:14:31,733 --> 01:14:33,399 and eventually he knew it would get out, 1475 01:14:33,401 --> 01:14:35,401 "the Chinese may use it as an excuse 1476 01:14:35,403 --> 01:14:38,738 for their attacks on us. The Russians might or others." 1477 01:14:39,273 --> 01:14:42,308 So he clearly had some misgivings, 1478 01:14:42,943 --> 01:14:44,744 but they weren't big enough to stop him 1479 01:14:44,746 --> 01:14:46,145 from going ahead with the program. 1480 01:14:47,348 --> 01:14:50,516 And then in 2010, 1481 01:14:50,851 --> 01:14:54,087 a decision was made to change the code. 1482 01:14:59,927 --> 01:15:01,361 Our human assets 1483 01:15:01,996 --> 01:15:05,465 weren't always able to get code updates into Natanz 1484 01:15:05,467 --> 01:15:07,600 and we weren't told exactly why, 1485 01:15:08,168 --> 01:15:12,205 but we were told we had to have a cyber solution 1486 01:15:12,207 --> 01:15:13,706 for delivering the code. 1487 01:15:14,141 --> 01:15:16,709 But the delivery systems were tricky. 
1488 01:15:17,011 --> 01:15:19,679 If they weren't aggressive enough, they wouldn't get in. 1489 01:15:19,980 --> 01:15:22,348 If they were too aggressive, they could spread 1490 01:15:22,783 --> 01:15:24,017 and be discovered. 1491 01:15:26,020 --> 01:15:27,787 Chien: When we got the first sample, 1492 01:15:27,789 --> 01:15:30,123 there was some configuration information inside of it. 1493 01:15:30,125 --> 01:15:33,359 And one of the pieces in there was a version number, 1.1 1494 01:15:34,361 --> 01:15:35,661 and that made us realize, 1495 01:15:35,663 --> 01:15:37,897 well, look, this likely isn't the only copy. 1496 01:15:37,899 --> 01:15:40,133 We went back through our databases looking for 1497 01:15:40,135 --> 01:15:42,602 anything that looks similar to STUXnet. 1498 01:15:44,338 --> 01:15:46,039 Chien: As we began to collect more samples, 1499 01:15:46,041 --> 01:15:47,940 we found a few earlier versions of STUXnet. 1500 01:15:49,009 --> 01:15:50,710 O'Murchu: And when we analyzed that code, 1501 01:15:50,712 --> 01:15:53,379 we saw that versions previous to 1.1 1502 01:15:53,381 --> 01:15:55,048 were a lot less aggressive. 1503 01:15:55,516 --> 01:15:57,350 The earlier version of STUXnet, 1504 01:15:57,352 --> 01:15:59,519 it basically required humans to do a little bit 1505 01:15:59,521 --> 01:16:01,854 of double clicking in order for it to spread 1506 01:16:01,856 --> 01:16:03,389 from one computer to another. 
1507 01:16:03,391 --> 01:16:05,658 And, so, what we believe after looking at that code 1508 01:16:05,660 --> 01:16:06,793 is two things, 1509 01:16:07,194 --> 01:16:09,495 one, either they didn't get in to Natanz 1510 01:16:09,497 --> 01:16:10,730 with that earlier version, 1511 01:16:10,732 --> 01:16:12,331 because it simply wasn't aggressive enough, 1512 01:16:12,333 --> 01:16:14,067 wasn't able to jump over that air gap, 1513 01:16:15,035 --> 01:16:17,870 and/or two, that payload as well 1514 01:16:17,872 --> 01:16:21,174 didn't work properly, didn't work to their satisfaction, 1515 01:16:21,442 --> 01:16:23,276 maybe was not explosive enough. 1516 01:16:23,844 --> 01:16:26,079 There were slightly different versions 1517 01:16:26,081 --> 01:16:28,414 which were aimed at different parts 1518 01:16:28,416 --> 01:16:30,049 of the centrifuge cascade. 1519 01:16:30,051 --> 01:16:33,052 Gibney: But the guys at Symantec figured you changed the code 1520 01:16:33,054 --> 01:16:34,854 because the first variations couldn't get in 1521 01:16:34,856 --> 01:16:36,022 and didn't work right. 1522 01:16:36,290 --> 01:16:37,290 Bullshit. 1523 01:16:38,092 --> 01:16:40,359 We always found a way to get across the air gap. 1524 01:16:40,361 --> 01:16:42,628 At TAO, we laughed when people thought they were 1525 01:16:42,630 --> 01:16:44,297 protected by an air gap. 1526 01:16:44,965 --> 01:16:48,000 And for OG, the early versions of the payload did work. 1527 01:16:48,469 --> 01:16:50,269 But what NSA did... 1528 01:16:51,872 --> 01:16:54,674 Was always low-key and subtle. 1529 01:16:55,776 --> 01:16:59,045 The problem was that Unit 8200, the Israelis, 1530 01:16:59,047 --> 01:17:01,180 kept pushing us to be more aggressive. 1531 01:17:02,816 --> 01:17:05,451 Chien: The later version of STUXnet 1.1, 1532 01:17:05,453 --> 01:17:07,587 that version had multiple ways of spreading. 
1533 01:17:07,589 --> 01:17:09,789 Had the four zero days inside of it, for example, 1534 01:17:09,791 --> 01:17:11,591 that allowed it to spread all by itself 1535 01:17:11,593 --> 01:17:12,725 without you doing anything. 1536 01:17:12,727 --> 01:17:14,327 It could spread via network shares. 1537 01:17:14,329 --> 01:17:16,229 It could spread via USB keys. 1538 01:17:16,231 --> 01:17:18,631 It was able to spread via network exploits. 1539 01:17:18,633 --> 01:17:20,166 That's the sample that introduced us 1540 01:17:20,168 --> 01:17:22,168 to stolen digital certificates. 1541 01:17:22,170 --> 01:17:24,604 That is the sample that, all of a sudden, 1542 01:17:24,606 --> 01:17:26,772 became so noisy 1543 01:17:26,774 --> 01:17:29,876 and caught the attention of the antivirus guys. 1544 01:17:30,777 --> 01:17:33,412 In the first sample we don't find that. 1545 01:17:34,748 --> 01:17:40,820 And this is very strange, because it tells us that 1546 01:17:40,822 --> 01:17:43,089 in the process of this development 1547 01:17:43,624 --> 01:17:46,192 the attackers were less concerned 1548 01:17:46,194 --> 01:17:48,027 with operational security. 1549 01:17:53,500 --> 01:17:56,068 Chien: STUXnet actually kept a log inside of itself 1550 01:17:56,770 --> 01:17:59,205 of all the machines that it infected along the way 1551 01:17:59,207 --> 01:18:01,274 as it jumped from one machine to another 1552 01:18:01,276 --> 01:18:02,441 to another to another. 1553 01:18:02,876 --> 01:18:04,844 And we were able to gather up 1554 01:18:04,846 --> 01:18:06,879 all the samples that we could acquire, 1555 01:18:07,047 --> 01:18:10,316 tens of thousands of samples. We extracted all of those logs. 1556 01:18:10,318 --> 01:18:13,019 O'Murchu: We could see the exact path that STUXnet took. 
1557 01:18:15,155 --> 01:18:17,190 Chien: Eventually, we were able to trace back 1558 01:18:17,192 --> 01:18:19,358 this version of STUXnet to ground zero, 1559 01:18:19,660 --> 01:18:22,195 to the first five infections in the world. 1560 01:18:23,030 --> 01:18:25,865 The first five infections are all outside a Natanz plant, 1561 01:18:26,033 --> 01:18:28,868 all inside of organizations inside of Iran, 1562 01:18:29,636 --> 01:18:31,904 all organizations that are involved in 1563 01:18:31,906 --> 01:18:34,340 industrial control systems and construction 1564 01:18:34,342 --> 01:18:35,975 of industrial control facilities, 1565 01:18:36,243 --> 01:18:39,812 clearly contractors who were working on the Natanz facility. 1566 01:18:39,814 --> 01:18:41,547 And the attackers knew that. 1567 01:18:42,149 --> 01:18:44,884 They were electrical companies. They were piping companies. 1568 01:18:44,886 --> 01:18:46,485 They were, you know, these sorts of companies. 1569 01:18:46,687 --> 01:18:48,321 And they knew... they knew the technicians 1570 01:18:48,323 --> 01:18:50,056 from those companies would visit Natanz. 1571 01:18:50,058 --> 01:18:51,624 So they would infect these companies 1572 01:18:51,825 --> 01:18:54,860 and then technicians would take their computer 1573 01:18:54,862 --> 01:18:56,162 or their laptop or their USB... 1574 01:18:56,164 --> 01:18:57,930 That operator then goes down to Natanz 1575 01:18:57,932 --> 01:19:00,099 and he plugs in his USB key, which has some code 1576 01:19:00,101 --> 01:19:02,001 that he needs to update into Natanz, 1577 01:19:02,003 --> 01:19:03,569 into the Natanz network, 1578 01:19:03,571 --> 01:19:05,238 and now STUXnet is able to get inside Natanz 1579 01:19:05,240 --> 01:19:06,606 and conduct its attack. 1580 01:19:07,841 --> 01:19:10,209 These five companies were specifically targeted 1581 01:19:10,211 --> 01:19:12,078 to spread STUXnet into Natanz 1582 01:19:12,279 --> 01:19:15,514 and that it wasn't that... 
that STUXnet escaped out of Natanz 1583 01:19:15,516 --> 01:19:17,016 and then spread all over the world 1584 01:19:17,018 --> 01:19:19,452 and it was this big mistake and "oh, it wasn't meant 1585 01:19:19,454 --> 01:19:21,187 to spread that far but it really did." 1586 01:19:21,189 --> 01:19:22,922 No, that's not the way we see it. 1587 01:19:22,924 --> 01:19:25,858 The way we see it is that they wanted it to spread far 1588 01:19:25,860 --> 01:19:27,526 so that they could get it into Natanz. 1589 01:19:27,728 --> 01:19:31,631 Someone decided that we're gonna create something new, 1590 01:19:31,865 --> 01:19:32,932 something evolved, 1591 01:19:33,567 --> 01:19:35,701 that's gonna be far, far, far more aggressive. 1592 01:19:36,370 --> 01:19:39,805 And we're okay, frankly, 1593 01:19:39,807 --> 01:19:42,508 with it spreading all over the world to innocent machines 1594 01:19:42,743 --> 01:19:44,310 in order to go after our target. 1595 01:19:50,051 --> 01:19:55,221 The Mossad had the role, had the... the assignment 1596 01:19:55,922 --> 01:20:01,827 to deliver the virus to make sure that STUXnet 1597 01:20:01,829 --> 01:20:06,699 would be put in place in Natanz to affect the centrifuges. 1598 01:20:08,568 --> 01:20:10,770 Meir Dagan, the head of Mossad, 1599 01:20:10,772 --> 01:20:14,073 was under growing pressure from the prime minister, 1600 01:20:14,075 --> 01:20:16,942 Benjamin Netanyahu, to produce results. 1601 01:20:18,846 --> 01:20:20,012 Inside The Roc, 1602 01:20:20,014 --> 01:20:22,081 we were furious. 1603 01:20:23,817 --> 01:20:26,652 The Israelis took our code for the delivery system 1604 01:20:27,254 --> 01:20:28,554 and changed it. 1605 01:20:29,956 --> 01:20:32,458 Then, on their own, without our agreement, 1606 01:20:32,460 --> 01:20:34,260 they just fucking launched it. 1607 01:20:34,928 --> 01:20:36,829 2010 around the same time 1608 01:20:36,831 --> 01:20:38,631 they started killing Iranian scientists... 
1609 01:20:38,633 --> 01:20:40,366 And they fucked up the code! 1610 01:20:40,801 --> 01:20:42,335 Instead of hiding, 1611 01:20:42,337 --> 01:20:44,804 the code started shutting down computers, 1612 01:20:44,806 --> 01:20:46,572 so naturally, people noticed. 1613 01:20:48,508 --> 01:20:51,510 Because they were in a hurry, they opened Pandora's Box. 1614 01:20:52,546 --> 01:20:53,646 They let it out 1615 01:20:53,648 --> 01:20:56,949 and it spread all over the world. 1616 01:21:02,122 --> 01:21:03,923 Gibney: The worm spread quickly 1617 01:21:04,191 --> 01:21:06,025 but somehow it remained unseen 1618 01:21:06,027 --> 01:21:08,060 until it was identified in Belarus. 1619 01:21:09,062 --> 01:21:11,630 Soon after, Israeli intelligence confirmed 1620 01:21:11,632 --> 01:21:13,632 that it had made its way into the hands 1621 01:21:13,634 --> 01:21:15,634 of the Russian federal security service, 1622 01:21:15,636 --> 01:21:17,603 a successor to the KGB. 1623 01:21:19,172 --> 01:21:22,575 So it happened that the formula for a secret cyber weapon 1624 01:21:22,577 --> 01:21:24,243 designed by the U.S. and Israel 1625 01:21:24,245 --> 01:21:25,778 fell into the hands of Russia 1626 01:21:26,313 --> 01:21:28,314 and the very country it was meant to attack. 1627 01:21:31,056 --> 01:21:35,266 They managed to create minor problems for a few of our centrifuges 1628 01:21:35,644 --> 01:21:39,774 through the software that they had installed on electronic parts. 1629 01:21:40,733 --> 01:21:43,113 It was a naughty and immoral move by them 1630 01:21:43,318 --> 01:21:45,988 but fortunately our experts discovered it 1631 01:21:46,280 --> 01:21:48,910 and today they are not capable of ever doing it again. 1632 01:21:50,872 --> 01:21:52,405 Kiyaei: In international law, 1633 01:21:52,407 --> 01:21:55,941 when some country or a coalition of countries 1634 01:21:56,176 --> 01:22:00,646 targets a nuclear facility, it's a act of war. 
1635 01:22:01,548 --> 01:22:04,450 Please, let's be frank here. 1636 01:22:05,118 --> 01:22:07,820 If it wasn't Iran, 1637 01:22:08,455 --> 01:22:11,157 let's say a nuclear facility in United States... 1638 01:22:12,426 --> 01:22:14,160 Was targeted in the same way... 1639 01:22:16,363 --> 01:22:17,997 The American government 1640 01:22:18,398 --> 01:22:21,133 would not sit by and let this go. 1641 01:22:21,968 --> 01:22:24,537 Gibney: STUXnet is an attack in peacetime 1642 01:22:24,539 --> 01:22:25,659 on critical infrastructures. 1643 01:22:25,806 --> 01:22:28,908 Yes, it is. I'm... look, when I read about it, 1644 01:22:28,910 --> 01:22:31,610 I read it, I go, "whoa, this is a big deal." 1645 01:22:31,612 --> 01:22:33,345 Yeah. 1646 01:22:35,048 --> 01:22:37,583 Sanger: The people who were running this program, 1647 01:22:37,585 --> 01:22:39,051 including Leon Panetta, 1648 01:22:39,053 --> 01:22:41,053 the Director of the CIA at the time, 1649 01:22:41,655 --> 01:22:44,290 had to go down into the Situation Room 1650 01:22:44,292 --> 01:22:46,492 and face President Obama, 1651 01:22:46,494 --> 01:22:50,029 Vice President Biden and explain that this program 1652 01:22:50,297 --> 01:22:52,865 was suddenly on the loose. 1653 01:22:54,167 --> 01:22:55,668 Vice President Biden, 1654 01:22:55,670 --> 01:22:58,237 at one point during this discussion, 1655 01:22:59,072 --> 01:23:01,774 sort of exploded in Biden-esque fashion 1656 01:23:01,776 --> 01:23:03,342 and blamed the Israelis. 1657 01:23:03,344 --> 01:23:05,744 He said, "it must have been the Israelis 1658 01:23:05,746 --> 01:23:07,813 who made a change in the code 1659 01:23:07,815 --> 01:23:09,915 that enabled it to get out." 1660 01:23:11,785 --> 01:23:13,986 Richard Clarke: President Obama said to the senior leadership, 1661 01:23:13,988 --> 01:23:17,022 "you told me it wouldn't get out of the network. It did. 
1662 01:23:17,024 --> 01:23:19,191 You told me the Iranians would never figure out 1663 01:23:19,193 --> 01:23:21,160 it was the United States. They did. 1664 01:23:21,461 --> 01:23:23,162 You told me it would have a huge effect 1665 01:23:23,164 --> 01:23:26,832 on their nuclear program, and it didn't." 1666 01:23:28,535 --> 01:23:32,037 Sanger: The Natanz plant is inspected every couple of weeks 1667 01:23:32,339 --> 01:23:35,541 by the International Atomic Energy Agency inspectors. 1668 01:23:35,976 --> 01:23:38,677 And if you line up what you know about the attacks 1669 01:23:38,945 --> 01:23:41,847 with the inspection reports, you can see the effects. 1670 01:23:43,183 --> 01:23:45,384 Heinonen: If you go to the IAEA reports, 1671 01:23:45,386 --> 01:23:47,653 they really show that all of those centrifuges 1672 01:23:47,655 --> 01:23:50,556 were switched off and they were removed. 1673 01:23:51,157 --> 01:23:54,527 As much as almost couple of thousand got compromised. 1674 01:23:55,695 --> 01:23:57,162 When you put this altogether, 1675 01:23:57,164 --> 01:23:59,965 I wouldn't be surprised if their program got delayed 1676 01:23:59,967 --> 01:24:01,133 by the one year. 1677 01:24:01,501 --> 01:24:05,304 But go then to year 2012-13 1678 01:24:05,306 --> 01:24:08,607 and looking how the centrifuges started to come up again. 1679 01:24:08,875 --> 01:24:10,476 Kiyaei: Iran's number of centrifuges 1680 01:24:10,478 --> 01:24:12,344 went up exponentially, 1681 01:24:12,346 --> 01:24:16,415 to 20,000, with a stockpile of low enriched uranium. 1682 01:24:16,417 --> 01:24:18,717 This isn't... these are high numbers. 1683 01:24:19,586 --> 01:24:22,054 Iran's nuclear facilities expanded 1684 01:24:22,056 --> 01:24:24,657 with the construction of Fordow 1685 01:24:24,659 --> 01:24:27,259 and other highly protected facilities. 1686 01:24:29,329 --> 01:24:32,097 So ironically, cyber warfare...
1687 01:24:32,899 --> 01:24:35,501 Assassination of its nuclear scientists, 1688 01:24:35,936 --> 01:24:39,204 economic sanctions, political isolation... 1689 01:24:41,075 --> 01:24:43,576 Iran has gone through "a" to "x" 1690 01:24:43,578 --> 01:24:48,180 of every chorus of policy that the U.S., Israel, 1691 01:24:48,182 --> 01:24:52,318 and those who ally with them have placed on Iran, 1692 01:24:52,852 --> 01:24:55,788 and they have actually made Iran's nuclear program 1693 01:24:55,790 --> 01:24:58,524 more advanced today than it was ever before. 1694 01:25:02,697 --> 01:25:04,430 Mossad Operative: This is a very 1695 01:25:04,432 --> 01:25:07,566 very dangerous minefield that we are walking, 1696 01:25:07,568 --> 01:25:10,469 and nations who decide 1697 01:25:10,471 --> 01:25:12,671 to take these covert actions 1698 01:25:13,807 --> 01:25:16,842 should be taking into consideration 1699 01:25:17,477 --> 01:25:22,281 all the effects, including the moral effects. 1700 01:25:22,916 --> 01:25:26,952 I would say that this is the price 1701 01:25:26,954 --> 01:25:31,290 that we have to pay in this... in this war, 1702 01:25:31,625 --> 01:25:34,159 and our blade of righteousness 1703 01:25:34,161 --> 01:25:35,561 shouldn't be so sharp. 1704 01:25:41,401 --> 01:25:43,802 Gibney: In Israel and in the United States, 1705 01:25:43,804 --> 01:25:46,138 the blade of righteousness cut both ways, 1706 01:25:46,673 --> 01:25:49,208 wounding the targets and the attackers. 1707 01:25:50,276 --> 01:25:52,678 When STUXnet infected American computers, 1708 01:25:52,680 --> 01:25:54,747 the Department of Homeland Security, 1709 01:25:55,081 --> 01:25:58,017 unaware of the cyber weapons launch by the NSA, 1710 01:25:58,284 --> 01:26:01,453 devoted enormous resources trying to protect Americans 1711 01:26:01,455 --> 01:26:02,755 from their own government. 1712 01:26:03,256 --> 01:26:05,691 We had met the enemy and it was us. 
1713 01:26:11,464 --> 01:26:13,132 Seán Paul McGurk: The purpose of the watch stations that 1714 01:26:13,134 --> 01:26:15,300 you see in front of you is to aggregate the data 1715 01:26:15,302 --> 01:26:16,769 coming in from multiple feeds 1716 01:26:16,771 --> 01:26:18,504 of what the cyber threats could be, 1717 01:26:18,506 --> 01:26:19,938 so if we see threats 1718 01:26:19,940 --> 01:26:22,508 we can provide real-time recommendations 1719 01:26:22,510 --> 01:26:25,744 for both private companies, as well as federal agencies. 1720 01:26:26,479 --> 01:26:28,233 Male journalist: 1721 01:26:28,233 --> 01:26:30,108 Can you give us a readout on this Stuxnet virus? 1722 01:26:30,350 --> 01:26:32,785 Yep, absolutely. We'd be more than happy to discuss that. 1723 01:26:32,787 --> 01:26:33,852 Female journalist: Seán, is it... 1724 01:26:33,854 --> 01:26:36,455 McGurk: Early July of 2010 we received a call 1725 01:26:36,457 --> 01:26:39,058 that said that this piece of malware was discovered 1726 01:26:39,060 --> 01:26:40,459 and could we take a look at it. 1727 01:26:42,063 --> 01:26:43,562 When we first started the analysis, 1728 01:26:43,564 --> 01:26:45,898 there was that "oh, crap" moment, you know, 1729 01:26:45,900 --> 01:26:47,733 where we sat there and said, this is something 1730 01:26:47,735 --> 01:26:48,867 that's significant. 1731 01:26:48,869 --> 01:26:50,602 It's impacting industrial control. 1732 01:26:50,837 --> 01:26:53,305 It can disrupt it to the point where it could cause harm 1733 01:26:53,307 --> 01:26:55,374 and not only damage to the equipment, 1734 01:26:55,376 --> 01:26:57,443 but potentially harm or loss of life. 1735 01:26:58,211 --> 01:27:00,412 We were very concerned because STUXnet 1736 01:27:00,414 --> 01:27:02,181 was something that we had not seen before. 1737 01:27:02,183 --> 01:27:04,316 So there wasn't a lot of sleep that night.
1738 01:27:04,318 --> 01:27:07,219 Basically, light up the phones, call everybody we know, 1739 01:27:07,221 --> 01:27:10,456 inform the secretary, inform the White House, 1740 01:27:10,657 --> 01:27:12,725 inform the other departments and agencies, 1741 01:27:12,892 --> 01:27:15,594 wake up the world, and figure out what's going on 1742 01:27:15,596 --> 01:27:17,796 with this particular malware. 1743 01:27:19,599 --> 01:27:20,866 Good morning, Chairman Lieberman, 1744 01:27:20,868 --> 01:27:22,134 ranking member Collins. 1745 01:27:22,702 --> 01:27:24,503 Something as simple and innocuous as this 1746 01:27:24,505 --> 01:27:26,672 becomes a challenge for all of us to maintain 1747 01:27:26,674 --> 01:27:29,641 accountability control of our critical infrastructure systems. 1748 01:27:30,110 --> 01:27:32,244 This actually contains the STUXnet virus. 1749 01:27:32,445 --> 01:27:33,912 I've been asked on a number of occasions, 1750 01:27:33,914 --> 01:27:35,748 "did you ever think this was us?" 1751 01:27:35,750 --> 01:27:39,451 And at... at no point did that ever really cross our mind, 1752 01:27:39,453 --> 01:27:42,254 because we were looking at it from the standpoint of, 1753 01:27:42,589 --> 01:27:44,556 is this something that's coming after the homeland? 1754 01:27:44,558 --> 01:27:47,126 You know, what... what's going to potentially impact, 1755 01:27:47,128 --> 01:27:49,928 you know, our industrial control based here in the United States? 1756 01:27:50,363 --> 01:27:53,298 You know, I liken it to, you know, field of battle. 1757 01:27:53,466 --> 01:27:55,434 You don't think the sniper that's behind you 1758 01:27:55,436 --> 01:27:56,935 is gonna be shooting at you, 1759 01:27:57,103 --> 01:27:58,743 'cause you expect him to be on your side. 1760 01:27:59,239 --> 01:28:02,941 We really don't know who the attacker was 1761 01:28:02,943 --> 01:28:04,343 in the STUXnet case. 
1762 01:28:04,544 --> 01:28:06,779 So help us understand a little more 1763 01:28:07,046 --> 01:28:09,214 what this thing is 1764 01:28:09,916 --> 01:28:15,320 whose origin and destination we don't understand. 1765 01:28:16,556 --> 01:28:18,657 Gibney: Did anybody ever give you any indication 1766 01:28:18,659 --> 01:28:20,826 that it was something that they already knew about? 1767 01:28:20,828 --> 01:28:23,562 No, at no time did I get the impression from someone 1768 01:28:23,564 --> 01:28:26,431 that that's okay, you know, get the little pat on the head, 1769 01:28:26,433 --> 01:28:27,900 and... and scooted out the door. 1770 01:28:27,902 --> 01:28:29,768 I never received a stand-down order. 1771 01:28:29,770 --> 01:28:33,405 I never... no one ever asked, "stop looking at this." 1772 01:28:34,007 --> 01:28:37,810 Do we think that this was a nation-state actor 1773 01:28:37,812 --> 01:28:40,245 and that there are a limited number of nation-states 1774 01:28:40,247 --> 01:28:43,649 that have such advanced capacity? 1775 01:28:45,485 --> 01:28:47,753 Gibney: Seán McGurk, the Director of Cyber 1776 01:28:47,755 --> 01:28:49,488 for the Department of Homeland Security, 1777 01:28:49,490 --> 01:28:52,324 testified before the Senate about how he thought 1778 01:28:52,326 --> 01:28:55,427 STUXnet was a terrifying threat to the United States. 1779 01:28:55,695 --> 01:28:56,962 Is that not a problem? 1780 01:28:56,964 --> 01:28:58,864 I don't... and... and how... how do you mean? 1781 01:28:59,132 --> 01:29:01,533 That STUXnet was a bad idea? 1782 01:29:01,935 --> 01:29:04,603 Gibney: No, no, no, just that before he knew what it was 1783 01:29:04,605 --> 01:29:06,438 - and what it attacks... - Oh, I... I get it. 1784 01:29:06,440 --> 01:29:07,840 - Gibney: Yeah... - Yeah, 1785 01:29:07,842 --> 01:29:09,441 he was responding to something that we...
1786 01:29:09,443 --> 01:29:09,943 Gibney: He thought it was a threat 1787 01:29:10,777 --> 01:29:12,644 to critical infrastructure in the United States. 1788 01:29:12,646 --> 01:29:14,346 Yeah. The worm is loose! 1789 01:29:14,348 --> 01:29:16,215 Gibney: The worm is loose. I understand. 1790 01:29:16,217 --> 01:29:19,218 But there's... there's a further theory 1791 01:29:19,220 --> 01:29:20,819 having to do with whether or not, 1792 01:29:20,821 --> 01:29:23,055 following upon David Sanger... 1793 01:29:23,057 --> 01:29:24,957 I got the subplot, and who did that? 1794 01:29:24,959 --> 01:29:26,859 Was it the Israelis? And, yeah, I... 1795 01:29:27,460 --> 01:29:30,362 I truly don't know, and even though I don't know, 1796 01:29:30,364 --> 01:29:32,064 I still can't talk about it, all right? 1797 01:29:32,365 --> 01:29:35,901 STUXnet was somebody's covert action, all right? 1798 01:29:36,135 --> 01:29:37,803 And the definition of covert action 1799 01:29:37,805 --> 01:29:40,706 is an activity in which you want to have the hand 1800 01:29:40,708 --> 01:29:42,708 of the actor forever hidden. 1801 01:29:43,076 --> 01:29:46,245 So by definition, it's gonna end up in this 1802 01:29:46,247 --> 01:29:48,146 "we don't talk about these things" box. 1803 01:29:53,820 --> 01:29:56,688 Sanger: To this day, the United States government 1804 01:29:56,690 --> 01:29:58,824 has never acknowledged 1805 01:29:58,826 --> 01:30:03,295 conducting any offensive cyber attack anywhere in the world. 1806 01:30:05,331 --> 01:30:10,235 But thanks to Mr. Snowden, we know that in 2012 1807 01:30:10,237 --> 01:30:12,638 President Obama issued an Executive Order 1808 01:30:12,839 --> 01:30:15,574 that laid out some of the conditions 1809 01:30:15,576 --> 01:30:18,043 under which cyber weapons can be used. 1810 01:30:18,045 --> 01:30:21,613 And interestingly, every use of a cyber weapon 1811 01:30:21,615 --> 01:30:24,650 requires presidential sign-off. 
1812 01:30:25,885 --> 01:30:29,721 That is only true in the physical world 1813 01:30:29,723 --> 01:30:31,590 for nuclear weapons. 1814 01:30:42,902 --> 01:30:45,203 Clarke: Nuclear war and nuclear weapons are vastly different 1815 01:30:45,205 --> 01:30:47,072 from cyber war and cyber weapons. 1816 01:30:47,074 --> 01:30:50,042 Having said that, there are some similarities. 1817 01:30:50,044 --> 01:30:52,444 And in the early 1960s, 1818 01:30:52,879 --> 01:30:54,780 the United States government suddenly realized 1819 01:30:54,782 --> 01:30:56,848 it had thousands of nuclear weapons, 1820 01:30:57,050 --> 01:30:58,717 big ones and little ones, 1821 01:30:58,719 --> 01:31:01,053 weapons on jeeps, weapons on submarines, 1822 01:31:01,921 --> 01:31:04,056 and it really didn't have a doctrine. 1823 01:31:04,058 --> 01:31:05,891 It really didn't have a strategy. 1824 01:31:05,893 --> 01:31:07,659 It really didn't have an understanding 1825 01:31:07,927 --> 01:31:10,062 at the policy level about how he was going to use 1826 01:31:10,064 --> 01:31:11,229 all of these things. 1827 01:31:11,798 --> 01:31:13,799 And so academics 1828 01:31:13,801 --> 01:31:16,635 started publishing unclassified documents 1829 01:31:16,637 --> 01:31:20,505 about nuclear war and nuclear weapons. 1830 01:31:22,977 --> 01:31:24,242 Sanger: And the result was 1831 01:31:24,610 --> 01:31:26,945 more than 20 years, in the United States, 1832 01:31:26,947 --> 01:31:29,648 of very vigorous national debates 1833 01:31:30,183 --> 01:31:33,719 about how we want to go use nuclear weapons. 1834 01:31:37,091 --> 01:31:39,358 And not only did that cause the Congress 1835 01:31:39,360 --> 01:31:41,760 and people in the executive branch in Washington 1836 01:31:41,762 --> 01:31:43,495 to think about these things, 1837 01:31:43,497 --> 01:31:46,765 it caused the Russians to think about these things. 
1838 01:31:47,700 --> 01:31:50,936 And out of that grew nuclear doctrine, 1839 01:31:50,938 --> 01:31:52,604 mutual assured destruction, 1840 01:31:52,606 --> 01:31:57,743 all of that complicated set of nuclear dynamics. 1841 01:31:58,344 --> 01:32:01,313 Today, on this vital issue at least, 1842 01:32:01,315 --> 01:32:03,382 we have seen what can be accomplished 1843 01:32:03,384 --> 01:32:05,050 when we pull together. 1844 01:32:05,052 --> 01:32:09,221 We can't have that discussion in a sensible way right now 1845 01:32:09,489 --> 01:32:11,556 about cyber war and cyber weapons 1846 01:32:11,558 --> 01:32:12,924 because everything is secret. 1847 01:32:13,860 --> 01:32:17,062 And when you get into a discussion 1848 01:32:17,064 --> 01:32:20,165 with people in the government, people still in the government, 1849 01:32:20,167 --> 01:32:21,700 people who have security clearances, 1850 01:32:21,968 --> 01:32:23,201 you run into a brick wall. 1851 01:32:23,469 --> 01:32:24,803 Trying to stop Iran 1852 01:32:24,805 --> 01:32:28,140 is really the... my number one job, and I think... 1853 01:32:28,142 --> 01:32:29,541 Host: And let me ask you, in that context, 1854 01:32:29,543 --> 01:32:31,576 about the STUXnet computer virus potentially... 1855 01:32:31,578 --> 01:32:33,145 You can ask, but I won't comment. 1856 01:32:34,214 --> 01:32:35,313 Host: Can you tell us anything? 1857 01:32:35,315 --> 01:32:36,481 No. 1858 01:32:36,483 --> 01:32:38,917 What do you think has had the most impact 1859 01:32:38,919 --> 01:32:41,053 on their nuclear decision-making, 1860 01:32:41,055 --> 01:32:42,754 the STUXnet virus? 1861 01:32:42,756 --> 01:32:45,023 I can't talk about STUXnet. 1862 01:32:45,025 --> 01:32:49,428 I can't even talk about the operation of Iran centrifuges. 1863 01:32:49,595 --> 01:32:51,830 Was the U.S. involved in any way 1864 01:32:51,832 --> 01:32:53,432 in the development of STUXnet? 
1865 01:32:53,900 --> 01:32:56,601 It's hard to get into any kind of comment on that 1866 01:32:56,603 --> 01:32:58,737 till we've finished any... our examination. 1867 01:32:59,572 --> 01:33:00,906 But, sir, I'm not asking you 1868 01:33:00,908 --> 01:33:02,874 if you think another country was involved. 1869 01:33:02,876 --> 01:33:04,876 I'm asking you if the U.S. was involved. 1870 01:33:04,878 --> 01:33:07,245 And we're... this is not something 1871 01:33:07,247 --> 01:33:09,207 that we're gonna be able to answer at this point. 1872 01:33:09,549 --> 01:33:11,883 Look, for the longest time, I was in fear that 1873 01:33:11,885 --> 01:33:13,385 I couldn't actually say the phrase 1874 01:33:13,387 --> 01:33:15,053 "computer network attack." 1875 01:33:15,055 --> 01:33:17,923 This stuff is hideously overclassified, 1876 01:33:17,925 --> 01:33:20,058 and it gets into the way of a... 1877 01:33:20,060 --> 01:33:22,861 Of a mature public discussion 1878 01:33:22,863 --> 01:33:25,397 as to what it is we as a democracy 1879 01:33:25,399 --> 01:33:29,568 want our nation to be doing up here in the cyber domain. 1880 01:33:29,570 --> 01:33:32,404 Now, this is a former director of NSA and CIA 1881 01:33:32,406 --> 01:33:34,372 saying this stuff is overclassified. 1882 01:33:34,607 --> 01:33:38,110 One of the reasons this is highly classified as it is 1883 01:33:38,112 --> 01:33:39,711 this is a peculiar weapons system. 1884 01:33:39,713 --> 01:33:41,713 This is a weapons system that's come out of 1885 01:33:41,715 --> 01:33:43,048 the espionage community, 1886 01:33:43,050 --> 01:33:46,318 and... and so those people have a habit of secrecy. 
1887 01:33:46,320 --> 01:33:48,620 Secrecy is still justifiable in certain cases 1888 01:33:48,622 --> 01:33:51,823 to protect sources or to protect national security 1889 01:33:51,825 --> 01:33:54,993 but when we deal with secrecy, don't hide behind it 1890 01:33:54,995 --> 01:33:58,930 to use as an excuse to not disclose something properly 1891 01:33:58,932 --> 01:34:00,966 that you know should be 1892 01:34:00,968 --> 01:34:02,234 or that the American people 1893 01:34:02,236 --> 01:34:03,502 need ultimately to see. 1894 01:34:06,172 --> 01:34:08,240 Gibney: While most government officials refused 1895 01:34:08,242 --> 01:34:09,708 to acknowledge the operation, 1896 01:34:10,309 --> 01:34:13,078 at least one key insider did leak parts of the story 1897 01:34:13,080 --> 01:34:14,179 to the press. 1898 01:34:14,181 --> 01:34:18,083 In 2012, David Sanger wrote a detailed account 1899 01:34:18,085 --> 01:34:21,419 of Olympic Games that unmasked the extensive joint operation 1900 01:34:21,421 --> 01:34:23,355 between the U.S. and Israel 1901 01:34:23,357 --> 01:34:25,590 to launch cyber attacks on Natanz. 1902 01:34:26,459 --> 01:34:28,326 Sanger: The publication of this story 1903 01:34:28,328 --> 01:34:30,362 coming at a time that turned out that there were 1904 01:34:30,364 --> 01:34:33,165 a number of other unrelated national security stories 1905 01:34:33,167 --> 01:34:35,834 being published, led to the announcement 1906 01:34:35,836 --> 01:34:39,204 of investigations by the Attorney General. 1907 01:34:39,672 --> 01:34:41,973 Gibney: In... into the press and into the leaks? 1908 01:34:41,975 --> 01:34:43,508 Into the press and into the leaks. 
1909 01:34:45,978 --> 01:34:47,145 Gibney: Soon after the article, 1910 01:34:47,147 --> 01:34:49,314 the Obama administration targeted 1911 01:34:49,316 --> 01:34:52,350 General James Cartwright in a criminal investigation 1912 01:34:52,352 --> 01:34:53,618 for allegedly leaking 1913 01:34:53,620 --> 01:34:55,954 classified details about STUXnet. 1914 01:34:57,323 --> 01:34:58,823 Journalist: There are reports of cyber attacks 1915 01:34:58,825 --> 01:35:01,626 on the Iranian nuclear program that you ordered. 1916 01:35:01,628 --> 01:35:03,128 What's your reaction to this information getting out? 1917 01:35:03,130 --> 01:35:04,729 Well, first of all, I'm not gonna comment on the... 1918 01:35:04,731 --> 01:35:08,099 The details of... what are... 1919 01:35:10,469 --> 01:35:14,773 Supposed to be classified items. 1920 01:35:15,575 --> 01:35:17,943 Since I've been in office, my attitude has been 1921 01:35:18,177 --> 01:35:21,446 zero tolerance for these kinds of leaks. 1922 01:35:22,048 --> 01:35:23,715 We have mechanisms in place 1923 01:35:24,016 --> 01:35:27,552 where, if we can root out folks who have leaked, 1924 01:35:28,354 --> 01:35:29,788 they will suffer consequences. 1925 01:35:30,156 --> 01:35:32,557 It became a significant issue 1926 01:35:32,559 --> 01:35:34,826 and a very wide-ranging investigation 1927 01:35:34,828 --> 01:35:37,262 in which I think most of the people who were cleared 1928 01:35:37,264 --> 01:35:38,830 for Olympic Games at some point 1929 01:35:38,832 --> 01:35:40,699 had been, you know, interviewed and so forth. 1930 01:35:40,701 --> 01:35:42,400 When STUXnet hit the media, 1931 01:35:42,402 --> 01:35:44,603 they polygraphed everyone in our office, 1932 01:35:44,605 --> 01:35:46,204 including people who didn't know shit. 1933 01:35:46,206 --> 01:35:48,340 You know, they polyed the interns, for God's sake. 
1934 01:35:48,874 --> 01:35:50,275 These are criminal acts 1935 01:35:50,277 --> 01:35:51,910 when they release information like this, 1936 01:35:52,445 --> 01:35:56,281 and we will conduct thorough investigations 1937 01:35:56,882 --> 01:35:58,650 as we have in the past. 1938 01:36:00,686 --> 01:36:02,921 Gibney: The administration never filed charges, 1939 01:36:03,256 --> 01:36:05,056 possibly afraid that a prosecution 1940 01:36:05,058 --> 01:36:07,926 would reveal classified details about STUXnet. 1941 01:36:08,861 --> 01:36:12,297 To this day, no one in the U.S. or Israeli governments 1942 01:36:12,299 --> 01:36:14,366 has officially acknowledged the existence 1943 01:36:14,368 --> 01:36:15,834 of the joint operation. 1944 01:36:17,803 --> 01:36:19,271 I would never compromise 1945 01:36:19,273 --> 01:36:21,039 ongoing operations in the field, 1946 01:36:21,041 --> 01:36:25,110 but we should be able to talk about capability. 1947 01:36:26,479 --> 01:36:27,979 We can talk about our... 1948 01:36:29,115 --> 01:36:31,883 Bunker busters, why not our cyber weapons? 1949 01:36:32,251 --> 01:36:33,318 I mean, the secrecy 1950 01:36:33,320 --> 01:36:35,020 of the operation has been blown. 1951 01:36:36,555 --> 01:36:38,590 Our friends in Israel took a weapon 1952 01:36:38,592 --> 01:36:40,058 that we jointly developed, 1953 01:36:40,060 --> 01:36:42,193 in part to keep Israel from doing something crazy, 1954 01:36:42,628 --> 01:36:44,429 and then used it on their own in a way 1955 01:36:44,431 --> 01:36:45,797 that blew the cover of the operation 1956 01:36:45,799 --> 01:36:46,965 and could have led to war. 1957 01:36:46,967 --> 01:36:48,400 And we can't talk about that? 1958 01:36:52,938 --> 01:36:55,018 Mowatt-Larssen: There's a way to talk about STUXnet. 1959 01:36:55,408 --> 01:36:56,775 It happened. 1960 01:36:56,777 --> 01:36:59,644 That... to deny that it happened is... is foolish. 
1961 01:36:59,646 --> 01:37:01,579 So the fact it happened 1962 01:37:01,581 --> 01:37:03,081 is really what we're talking about here. 1963 01:37:03,083 --> 01:37:04,916 What does... what are the implications 1964 01:37:04,918 --> 01:37:07,752 of the fact that we now are in a post-STUXnet world? 1965 01:37:08,254 --> 01:37:10,689 What I said to David Sanger was, 1966 01:37:10,691 --> 01:37:13,391 "I understand the difference in destruction is dramatic, 1967 01:37:13,626 --> 01:37:16,094 but this has the whiff of August 1945." 1968 01:37:16,929 --> 01:37:18,496 Somebody just used a new weapon, 1969 01:37:18,864 --> 01:37:21,599 and this weapon will not be put back into the box. 1970 01:37:22,034 --> 01:37:24,703 I... I know no operational details 1971 01:37:24,705 --> 01:37:27,639 and don't know what anyone did or didn't do 1972 01:37:27,641 --> 01:37:30,275 before someone decided to use the weapon, all right. 1973 01:37:30,609 --> 01:37:31,843 I do know this. 1974 01:37:31,845 --> 01:37:33,745 If we go out and do something, 1975 01:37:34,513 --> 01:37:36,614 most of the rest of the world now thinks 1976 01:37:36,816 --> 01:37:38,196 that's the new standard 1977 01:37:38,384 --> 01:37:41,252 and it's something that they now feel legitimated to do as well. 1978 01:37:42,655 --> 01:37:44,122 But the rules of engagement, 1979 01:37:44,124 --> 01:37:46,691 international norms, treaty standards, 1980 01:37:46,693 --> 01:37:48,526 they don't exist right now. 1981 01:37:52,365 --> 01:37:55,533 Brown: The law of war, because it began to develop so long ago 1982 01:37:55,535 --> 01:37:59,104 is really dependent on thinking of things kinetically 1983 01:37:59,472 --> 01:38:00,972 and the physical realm. 1984 01:38:01,240 --> 01:38:04,642 So for example, we think in terms of attacks. 1985 01:38:05,578 --> 01:38:07,812 You know an attack when it happens in the kinetic world. 1986 01:38:07,814 --> 01:38:09,547 It's not really much of a mystery. 
1987 01:38:09,549 --> 01:38:12,484 But in cyberspace it is sort of confusing to think, 1988 01:38:13,052 --> 01:38:14,519 how far do we have to go 1989 01:38:14,521 --> 01:38:16,721 before something is considered an attack? 1990 01:38:16,889 --> 01:38:20,658 So we have to take all the vocabulary 1991 01:38:21,160 --> 01:38:23,995 and the terms that we use in strategy 1992 01:38:23,997 --> 01:38:25,630 and military operations 1993 01:38:25,865 --> 01:38:28,933 and adapt them into the cyber realm. 1994 01:38:30,269 --> 01:38:31,703 Sanger: For nuclear we have these 1995 01:38:31,705 --> 01:38:33,638 extensive inspection regimes. 1996 01:38:33,939 --> 01:38:36,007 The Russians come and look at our silos. 1997 01:38:36,342 --> 01:38:37,942 We go and look at their silos. 1998 01:38:38,411 --> 01:38:40,412 Bad as things get between the two countries, 1999 01:38:40,613 --> 01:38:42,514 those inspection regimes have held up. 2000 01:38:42,516 --> 01:38:45,417 But working that out for... for cyber 2001 01:38:45,419 --> 01:38:46,985 would be virtually impossible. 2002 01:38:47,286 --> 01:38:48,653 Where do you send your inspector? 2003 01:38:49,021 --> 01:38:51,089 Inside the laptop of, you know... 2004 01:38:51,424 --> 01:38:53,784 How many laptops are there in the United States and Russia? 2005 01:38:54,059 --> 01:38:56,261 It's much more difficult in the cyber area 2006 01:38:56,263 --> 01:38:58,596 to construct an international regime 2007 01:38:58,598 --> 01:39:01,633 based on treaty commitments and rules of the road 2008 01:39:01,635 --> 01:39:02,801 and so forth. 2009 01:39:02,803 --> 01:39:06,104 Although, we've tried to have discussions with the Chinese 2010 01:39:06,106 --> 01:39:08,139 and Russians and so forth about that, 2011 01:39:08,141 --> 01:39:09,507 but it's very difficult. 2012 01:39:10,609 --> 01:39:14,112 Brown: Right now, the norm in cyberspace is 2013 01:39:14,114 --> 01:39:15,474 do whatever you can get away with. 
2014 01:39:16,449 --> 01:39:18,850 That's not a good norm, but it's the norm that we have. 2015 01:39:19,418 --> 01:39:21,486 That's the norm that's preferred by states 2016 01:39:21,488 --> 01:39:24,122 that are engaging in lots of different kinds of activities 2017 01:39:24,124 --> 01:39:26,364 that they feel are benefitting their national security. 2018 01:39:27,393 --> 01:39:29,994 Yadlin: Those who excel in cyber 2019 01:39:29,996 --> 01:39:32,797 are trying to slow down the process 2020 01:39:32,799 --> 01:39:34,466 of creating regulation. 2021 01:39:34,934 --> 01:39:38,770 Those who are victims we like the regulation 2022 01:39:38,772 --> 01:39:42,507 to be in the open as... as soon as possible. 2023 01:39:44,677 --> 01:39:47,512 Brown: International law in this area is written by custom, 2024 01:39:47,514 --> 01:39:50,615 and customary law requires a nation to say, 2025 01:39:50,617 --> 01:39:52,497 this is what we did and this is why we did it. 2026 01:39:53,152 --> 01:39:56,087 And the U.S. doesn't want to push the law in that direction 2027 01:39:56,089 --> 01:39:58,523 and so it chooses not to disclose its involvement. 2028 01:39:59,091 --> 01:40:01,292 And one of the reasons that I thought it was important 2029 01:40:01,294 --> 01:40:04,162 to tell the story of Olympic Games 2030 01:40:04,164 --> 01:40:06,965 was not simply because it's a cool spy story, 2031 01:40:06,967 --> 01:40:10,201 it is, but it's because as a nation... 2032 01:40:11,370 --> 01:40:14,939 We need to have a debate about how we want to use cyber weapons 2033 01:40:15,174 --> 01:40:18,676 because we are the most vulnerable nation on earth 2034 01:40:18,844 --> 01:40:20,678 to cyber-attack ourselves. 2035 01:40:24,650 --> 01:40:27,151 McGurk: If you get up in the morning and turn off your alarm 2036 01:40:27,153 --> 01:40:31,523 and make coffee and pump gas and use the ATM, 2037 01:40:32,057 --> 01:40:33,858 you've touched industrial control systems. 
2038 01:40:33,860 --> 01:40:35,527 It's what powers our lives. 2039 01:40:35,861 --> 01:40:38,496 And unfortunately, these systems are connected 2040 01:40:38,498 --> 01:40:42,166 and interconnected in some ways that make them vulnerable. 2041 01:40:42,168 --> 01:40:44,903 Critical infrastructure systems generally were built 2042 01:40:44,905 --> 01:40:47,539 years and years and years ago without security in mind 2043 01:40:47,541 --> 01:40:49,641 and they didn't realize how things were gonna change, 2044 01:40:49,643 --> 01:40:51,876 maybe they weren't even meant to be connected to the Internet. 2045 01:40:51,878 --> 01:40:54,979 And we've seen, through a lot of experimentation 2046 01:40:54,981 --> 01:40:57,615 and through also, unfortunately, a lot of attacks 2047 01:40:57,917 --> 01:41:00,251 that most of these systems are relatively easy 2048 01:41:00,253 --> 01:41:02,921 for a sophisticated hacker to get into. 2049 01:41:04,891 --> 01:41:06,691 Let's say you took over the control system 2050 01:41:06,693 --> 01:41:09,427 of a railway. You could switch tracks. 2051 01:41:09,895 --> 01:41:12,196 You could cause derailments of trains 2052 01:41:12,198 --> 01:41:13,998 carrying explosive materials. 2053 01:41:15,200 --> 01:41:18,436 What if you were in the control system of gas pipelines 2054 01:41:18,771 --> 01:41:21,339 and when a valve was supposed to be open, 2055 01:41:21,341 --> 01:41:24,008 it was closed and the pressure built up 2056 01:41:24,209 --> 01:41:25,743 and the pipeline exploded? 2057 01:41:26,712 --> 01:41:30,648 There are companies that run electric power generation 2058 01:41:31,050 --> 01:41:32,951 or electric power distribution 2059 01:41:33,218 --> 01:41:35,253 that we know have been hacked 2060 01:41:35,621 --> 01:41:38,056 by foreign entities that have the ability 2061 01:41:38,058 --> 01:41:39,691 to shut down the power grid. 
2062 01:41:40,259 --> 01:41:42,360 Sanger: Imagine for a moment 2063 01:41:42,362 --> 01:41:45,129 that not only all the power went off on the east coast, 2064 01:41:45,431 --> 01:41:47,465 but the entire Internet came down. 2065 01:41:48,133 --> 01:41:50,668 Imagine what the economic impact of that is 2066 01:41:51,136 --> 01:41:53,271 even if it only lasted for 24 hours. 2067 01:41:55,641 --> 01:41:57,308 Newsreader: According to the officials, 2068 01:41:57,310 --> 01:42:00,545 Iran is the first country ever in the Middle East 2069 01:42:00,547 --> 01:42:03,047 to actually be engaged in a cyber war 2070 01:42:03,049 --> 01:42:05,249 with the United States and Israel. 2071 01:42:05,251 --> 01:42:08,620 If anything they said the recent cyber attacks 2072 01:42:08,622 --> 01:42:10,788 were what encouraged them to plan to set up 2073 01:42:10,790 --> 01:42:14,125 the cyber Army, which will gather computer scientists, 2074 01:42:14,127 --> 01:42:16,961 programmers, software engineers... 2075 01:42:16,963 --> 01:42:19,897 Kiyaei: If you are a youth and you see assassination 2076 01:42:19,899 --> 01:42:21,532 of a nuclear scientist, 2077 01:42:21,934 --> 01:42:24,402 your nuclear facilities are getting attacked, 2078 01:42:25,104 --> 01:42:28,406 wouldn't you join your national cyber Army? 2079 01:42:29,108 --> 01:42:30,408 Well, many did. 2080 01:42:30,676 --> 01:42:33,845 And that's why today, Iran has one of the largest... 2081 01:42:35,014 --> 01:42:37,415 Cyber armies in the world. 2082 01:42:37,916 --> 01:42:40,318 So whoever initiated this 2083 01:42:40,320 --> 01:42:42,820 and was very proud of themselves to see that little dip 2084 01:42:43,322 --> 01:42:47,558 in Iran's centrifuge numbers, should look back now 2085 01:42:48,027 --> 01:42:51,596 and acknowledge that it was a major mistake. 
2086 01:42:52,197 --> 01:42:55,433 Very quickly, Iran sent a message 2087 01:42:55,435 --> 01:42:59,137 to the United States, very sophisticated message, 2088 01:42:59,139 --> 01:43:01,939 and they did that with two attacks. 2089 01:43:02,608 --> 01:43:05,410 First, they attacked Saudi Aramco, 2090 01:43:05,711 --> 01:43:07,679 the biggest oil company in the world, 2091 01:43:08,013 --> 01:43:10,715 and wiped out every piece of software, 2092 01:43:10,717 --> 01:43:15,119 every line of code, on 30,000 computer devices. 2093 01:43:16,488 --> 01:43:22,060 Then Iran did a surge attack on the American banks. 2094 01:43:22,062 --> 01:43:24,996 The most extensive attack on American banks ever 2095 01:43:24,998 --> 01:43:27,832 launched from the Middle East, happening right now. 2096 01:43:27,834 --> 01:43:29,154 Newsreader: Millions of customers 2097 01:43:29,368 --> 01:43:32,737 trying to bank online this week blocked, among the targets, 2098 01:43:32,971 --> 01:43:35,807 Bank of America, PNC, and Wells Fargo. 2099 01:43:36,075 --> 01:43:39,477 The U.S. suspects hackers in Iran may be involved. 2100 01:43:41,380 --> 01:43:43,414 NSA source: When Iran hit our banks, 2101 01:43:43,416 --> 01:43:45,817 we could have shut down their botnet, 2102 01:43:45,819 --> 01:43:47,985 but the state department got nervous, 2103 01:43:48,187 --> 01:43:50,888 because the servers weren't actually in Iran. 2104 01:43:51,557 --> 01:43:53,891 So until there was a diplomatic solution, 2105 01:43:54,326 --> 01:43:56,961 Obama let the private sector deal with the problem. 2106 01:43:57,563 --> 01:44:00,498 I imagine that in the White House Situation Room 2107 01:44:00,833 --> 01:44:02,900 people sat around and said... 2108 01:44:03,569 --> 01:44:06,604 Let me be clear, I don't imagine, I know. 
2109 01:44:06,939 --> 01:44:09,507 People sat around in the White House Situation Room 2110 01:44:09,509 --> 01:44:12,543 and said, "the Iranians have sent us a message 2111 01:44:12,545 --> 01:44:16,781 which is essentially, 'stop attacking us in cyberspace 2112 01:44:16,783 --> 01:44:19,317 the way you did at Natanz with STUXnet. 2113 01:44:19,752 --> 01:44:21,119 We can do it, too.'" 2114 01:44:23,021 --> 01:44:25,590 Melman: There are unintended consequences 2115 01:44:25,592 --> 01:44:27,658 of the STUXnet attack. 2116 01:44:28,093 --> 01:44:31,863 You wanted to cause confusion and damage to the other side, 2117 01:44:31,865 --> 01:44:34,632 but then the other side can do the same to you. 2118 01:44:35,400 --> 01:44:38,302 The monster turned against its creators, 2119 01:44:38,304 --> 01:44:40,705 and now everyone is in this game. 2120 01:44:41,607 --> 01:44:44,075 They did a good job in showing the world, 2121 01:44:44,077 --> 01:44:47,478 including the bad guys, what you would need to do 2122 01:44:47,480 --> 01:44:49,614 in order to cause serious trouble 2123 01:44:49,882 --> 01:44:52,383 that could lead to injuries and death. 2124 01:44:52,651 --> 01:44:55,453 It's inevitable that more countries will acquire 2125 01:44:55,455 --> 01:44:57,755 the capacity to use cyber, 2126 01:44:57,757 --> 01:45:01,225 both for espionage and for destructive activities. 2127 01:45:01,994 --> 01:45:04,328 And we've seen this in some of the recent conflicts 2128 01:45:04,330 --> 01:45:05,797 that Russia's been involved in. 2129 01:45:05,998 --> 01:45:08,666 If there's a war, then somebody will try to knock out 2130 01:45:08,668 --> 01:45:11,068 our communication system or the radar. 2131 01:45:11,070 --> 01:45:13,638 McGurk: State-sponsored cyber sleeper cells, 2132 01:45:14,072 --> 01:45:15,907 they're out there everywhere today. 2133 01:45:16,141 --> 01:45:18,476 It could be for communications purposes. 2134 01:45:18,478 --> 01:45:20,678 It could be for data exfiltration. 
2135 01:45:20,946 --> 01:45:24,549 It could be to, you know, shepherd in the next STUXnet. 2136 01:45:24,950 --> 01:45:26,818 I mean, you've been focusing on STUXnet, 2137 01:45:26,820 --> 01:45:28,352 but that was just a small part 2138 01:45:28,354 --> 01:45:30,521 of a much larger Iranian mission. 2139 01:45:31,256 --> 01:45:32,976 Gibney: There was a larger Iranian mission? 2140 01:45:36,028 --> 01:45:39,263 Nitro Zeus. NZ. 2141 01:45:40,632 --> 01:45:44,836 We spent hundreds of millions, maybe billions on it. 2142 01:45:47,439 --> 01:45:51,008 In the event the Israelis did attack Iran, 2143 01:45:51,010 --> 01:45:53,678 we assumed we would be drawn into the conflict. 2144 01:45:55,047 --> 01:45:58,516 We built in attacks on Iran's command-and-control system 2145 01:45:58,518 --> 01:46:00,885 so the Iranians couldn't talk to each other in a fight. 2146 01:46:01,386 --> 01:46:04,922 We infiltrated their IADS, military air defense systems, 2147 01:46:05,224 --> 01:46:07,464 so they couldn't shoot down our planes if we flew over. 2148 01:46:08,026 --> 01:46:11,128 We also went after their civilian support systems, 2149 01:46:11,130 --> 01:46:13,698 power grids, transportation, 2150 01:46:14,066 --> 01:46:16,868 communications, financial systems. 2151 01:46:17,469 --> 01:46:20,771 We were inside waiting, watching, 2152 01:46:21,039 --> 01:46:24,041 ready to disrupt, degrade, and destroy those systems 2153 01:46:24,043 --> 01:46:25,376 with cyber-attacks. 2154 01:46:29,014 --> 01:46:30,481 And in comparison, 2155 01:46:30,716 --> 01:46:32,950 STUXnet was a back alley operation. 2156 01:46:34,086 --> 01:46:37,588 NZ was the plan for a full-scale cyber war 2157 01:46:37,590 --> 01:46:39,457 with no attribution. 2158 01:46:40,225 --> 01:46:41,726 The question is, is that the kind of world 2159 01:46:41,728 --> 01:46:42,868 we want to live in? 
2160 01:46:43,262 --> 01:46:47,031 And if we don't, as citizens, how do we go about a process 2161 01:46:47,033 --> 01:46:49,033 where we have a more sane discussion? 2162 01:46:49,035 --> 01:46:51,435 We need an entirely new way of thinking about 2163 01:46:51,437 --> 01:46:53,004 how we're gonna solve this problem. 2164 01:46:53,939 --> 01:46:56,073 You're not going to get an entirely new way 2165 01:46:56,075 --> 01:46:57,475 of solving this problem 2166 01:46:57,776 --> 01:47:00,578 until you begin to have an open acknowledgement 2167 01:47:01,079 --> 01:47:03,414 that we have cyber weapons as well, 2168 01:47:04,283 --> 01:47:07,318 and that we may have to agree to some limits on their use 2169 01:47:07,853 --> 01:47:10,187 if we're going to get other nations to limit their use. 2170 01:47:10,189 --> 01:47:11,756 It's not gonna be a one-way street. 2171 01:47:11,957 --> 01:47:14,625 I'm old enough to have worked on nuclear arms control 2172 01:47:14,960 --> 01:47:17,461 and biological weapons arms control 2173 01:47:17,463 --> 01:47:19,630 and chemical weapons arms control. 2174 01:47:20,799 --> 01:47:25,269 And I was told in each of those types of arms control, 2175 01:47:25,271 --> 01:47:26,604 when we were beginning, 2176 01:47:26,905 --> 01:47:29,874 "it's too hard. There are all these problems. 2177 01:47:30,142 --> 01:47:32,243 It's technical. There's engineering. 2178 01:47:32,245 --> 01:47:33,911 There's science involved. 2179 01:47:33,913 --> 01:47:36,247 There are real verification difficulties. 2180 01:47:36,249 --> 01:47:37,782 You'll never get there." 2181 01:47:38,216 --> 01:47:40,618 Well, it took 20, 30 years in some cases, 2182 01:47:41,053 --> 01:47:42,820 but we have a biological weapons treaty 2183 01:47:42,822 --> 01:47:44,221 that's pretty damn good. 2184 01:47:44,223 --> 01:47:45,723 We have a chemical weapons treaty 2185 01:47:45,725 --> 01:47:47,124 that's pretty damn good. 
2186 01:47:47,292 --> 01:47:49,627 We've got three or four nuclear weapons treaties. 2187 01:47:49,928 --> 01:47:51,529 Yes, it may be hard, 2188 01:47:51,797 --> 01:47:53,898 and it may take 20 or 30 years, 2189 01:47:54,299 --> 01:47:56,867 but it'll never happen unless you get serious about it, 2190 01:47:57,336 --> 01:47:59,303 and it'll never happen unless you start it. 2191 01:48:05,110 --> 01:48:08,079 Today, after two years of negotiations, 2192 01:48:08,513 --> 01:48:11,816 the United States, together with our international partners, 2193 01:48:12,284 --> 01:48:15,686 has achieved something that decades of animosity has not, 2194 01:48:16,321 --> 01:48:18,222 a comprehensive, long-term deal 2195 01:48:18,657 --> 01:48:22,326 with Iran that will prevent it from obtaining a nuclear weapon. 2196 01:48:22,527 --> 01:48:24,996 It was reached in Lausanne, Switzerland, 2197 01:48:24,998 --> 01:48:27,498 by Iran, the U.S., Britain, France, 2198 01:48:27,500 --> 01:48:29,433 Germany, Russia, and China. 2199 01:48:29,435 --> 01:48:32,536 It is a deal in which Iran will cut 2200 01:48:32,538 --> 01:48:36,741 its installed centrifuges by more than two thirds. 2201 01:48:36,942 --> 01:48:40,177 Iran will not enrich uranium with its advanced centrifuges 2202 01:48:40,179 --> 01:48:42,179 for at least the next ten years. 2203 01:48:42,181 --> 01:48:44,815 It will make our country, our allies, 2204 01:48:44,817 --> 01:48:46,450 and our world safer. 2205 01:48:47,352 --> 01:48:51,355 Netanyahu: Seventy years after the murder of 6 million Jews 2206 01:48:51,357 --> 01:48:56,427 Iran's rulers promised to destroy my country, 2207 01:48:56,728 --> 01:49:00,464 and the response from nearly every one of the governments 2208 01:49:00,466 --> 01:49:04,535 represented here has been utter silence. 2209 01:49:05,170 --> 01:49:06,971 Deafening silence. 
2210 01:49:14,679 --> 01:49:16,747 Perhaps you can now understand 2211 01:49:17,482 --> 01:49:20,985 why Israel is not joining you in celebrating this deal. 2212 01:49:22,154 --> 01:49:24,555 History shows that America must lead, 2213 01:49:24,557 --> 01:49:27,491 not just with our might, but with our principles. 2214 01:49:28,427 --> 01:49:31,595 It shows we are stronger, not when we are alone, 2215 01:49:31,597 --> 01:49:33,764 but when we bring the world together. 2216 01:49:34,933 --> 01:49:37,201 Today's announcement marks one more chapter 2217 01:49:37,203 --> 01:49:41,472 in this pursuit of a safer and more helpful, 2218 01:49:41,840 --> 01:49:45,176 more hopeful world. Thank you. 2219 01:49:45,710 --> 01:49:48,946 God bless you, and God bless the United States of America. 2220 01:49:53,351 --> 01:49:55,119 NSA source: Everyone I know is basically 2221 01:49:55,121 --> 01:49:56,654 thrilled with the Iran deal. 2222 01:49:57,222 --> 01:49:59,090 Sanctions and diplomacy worked. 2223 01:49:59,458 --> 01:50:01,725 But behind that deal was a lot of confidence 2224 01:50:01,727 --> 01:50:03,327 in our cyber capability. 2225 01:50:04,396 --> 01:50:07,264 We were everywhere inside Iran. Still are. 2226 01:50:08,133 --> 01:50:10,367 I'm not gonna tell you the operational details 2227 01:50:10,369 --> 01:50:13,003 of what we can do going forward or where... 2228 01:50:14,539 --> 01:50:18,642 But the science fiction cyber war scenario is here. 2229 01:50:18,644 --> 01:50:20,111 That's Nitro Zeus. 2230 01:50:21,546 --> 01:50:24,215 But my concern and the reason I'm talking... 2231 01:50:25,717 --> 01:50:28,652 Is because when you shut down a country's power grid... 2232 01:50:29,955 --> 01:50:32,923 It doesn't just pop back up, you know? 2233 01:50:32,925 --> 01:50:34,725 It's more like humpty-dumpty... 
2234 01:50:36,094 --> 01:50:39,964 And if all the king's men can't turn the lights back on 2235 01:50:39,966 --> 01:50:41,866 or filter the water for weeks, 2236 01:50:42,067 --> 01:50:43,968 then lots of people die. 2237 01:50:46,238 --> 01:50:48,172 And something we can do to others, 2238 01:50:48,473 --> 01:50:50,007 they can do to us too. 2239 01:50:51,409 --> 01:50:54,078 Is that something that we should keep quiet? 2240 01:50:55,247 --> 01:50:56,914 Or should we talk about it? 2241 01:50:57,849 --> 01:50:59,750 Gibney: I've gone to many people in this film, 2242 01:50:59,752 --> 01:51:01,519 even friends of mine, who won't talk to me 2243 01:51:01,521 --> 01:51:03,687 about the NSA or STUXnet even off the record 2244 01:51:03,689 --> 01:51:04,989 for fear of going to jail. 2245 01:51:05,357 --> 01:51:07,158 Is that fear protecting us? 2246 01:51:08,326 --> 01:51:10,928 No, but it protects me. 2247 01:51:11,696 --> 01:51:13,097 Or should I say we? 2248 01:51:14,432 --> 01:51:16,167 I'm an actor playing a role 2249 01:51:16,169 --> 01:51:18,302 written from the testimony of a small number of people 2250 01:51:18,304 --> 01:51:19,837 from NSA and CIA, 2251 01:51:20,172 --> 01:51:22,540 all of whom are angry about the secrecy 2252 01:51:22,542 --> 01:51:24,275 but too scared to come forward. 2253 01:51:24,609 --> 01:51:26,043 Now, we're forward. 2254 01:51:27,312 --> 01:51:30,114 Well, forward-leaning.