Transcript for:
Cyber Warfare: Stuxnet's Global Impact

Through the darkness of the pathways that we march, evil and good live side by side, and this is the nature of life. In an unbalanced and unequivalent confrontation between democracies who are obliged to play by the rules and entities who think democracy is a joke. You can't convince fanatics by saying, hey, hatred paralyzes you, love releases you.

There are different rules that we have to play by. Scientists were targeted by hit squads. There's a form of attack in the capital of Tehran. The latest in a string.

Today's attack has all the hallmarks of major strategic sabotage. Iran has immediately accused the US and Israel of trying to damage its nuclear program. The terror that has happened, unfortunately, without any delay, is in the hands of the Western governments and the secularist regime. I want to categorically deny any United States involvement in any kind of act of violence inside Iran.

Covert actions can help, can assist. They are needed, they are not all the time essentials. They in no way can replace their political wisdom. Were the assassinations in Iran related to the Stuxnet computer attacks? Next question, please.

Iran's infrastructure is being targeted by a new and dangerously powerful cyber worm. The so-called Stuxnet worm is specifically designed, it seems, to infiltrate and sabotage real-world power plants and factories. It's not trying to steal information or grab your credit card. It's trying to get into some sort of industrial plant and wreak havoc, trying to blow up an engine. A supercomputer puts on alert the secret services of various countries.

There is information that they are already in the power of terror. No one knows who's behind the worm and the exact nature of its mission. But there are fears Iran will hold Israel or America responsible and seek retaliation. It's not impossible that some group of hackers did it, but the security experts that are studying this really think this required the resources of a nation state.

Okay, good. Here we go. What impact, ultimately, did the Stuxnet attack have, can you say?

I don't want to get into the details. Since the event has already happened, why can't we... talk more openly and publicly about Stuxnet?

Yeah, I mean my answer is because it's classified. I won't, you know, knowingly offer up anything I consider classified. I know that you can't talk much about Stuxnet because Stuxnet is...

officially classified. You're right on both those counts. But there has been a lot reported about it in the press. I don't want to comment on this. I read it in the newspapers, in the media like you, but I'm unable to elaborate upon it.

People might find it frustrating not to be able to talk about it when it's in the public domain, but I find it frustrating. Yeah, I'm sure you do. I don't answer that question. Unfortunately, I can't comment. I do not know how to answer that.

Two answers before we even get started. I don't know, and if I did, we wouldn't talk about it anyway. But how can you have a debate if everything's secret? I think right now that's just where we are. No one wants to...

Countries aren't happy about confessing or owning up to what they did because they're not quite sure where they want the system to go. And so whoever was behind Stuxnet hasn't admitted they were behind it. Asking officials about Stuxnet was frustrating and surreal, like asking the Emperor about his new clothes.

Even after the cyberweapon had penetrated computers all over the world, no one was willing to admit that it was loose, or to talk about the dangers it posed. What was it about the Stuxnet operation that was hiding in plain sight? Maybe there was a way the computer code could speak for itself. Stuxnet first surfaced in Belarus. I started with a call to the man who discovered it when his clients in Iran began to panic over an epidemic of computer shutdowns.

Had you ever seen anything quite so sophisticated before? I have seen very sophisticated viruses before, but they didn't have... This kind of zero-day, it was the first in my practice.

It led to the fact that, as soon as possible, we had to inform the security companies that there is such a problem. On a day-to-day basis, basically, we are sifting through a massive haystack looking for that proverbial needle. We get millions of pieces of new malicious threats and there are millions of attacks going on every single day. And the only way we're going to be able to... We're trying to protect people and their computers and their systems and the country's infrastructure from being taken down by those attacks.

But more importantly, we have to find the attacks that matter. When you're talking about that many, impact is extremely important. 20 years ago, the antivirus companies, they were hunting for computer viruses because there were not so many. So we had like tens of dozens a month, and there were just little numbers. Now we collect millions of unique attacks every month. This room we call a woodpeckers' room, or virus lab.

And this is where virus analysts sit. We call them woodpeckers because they are pecking the worms, network worms and viruses. And we see like three different groups.

of actors behind cyber attacks. They are traditional cyber criminals. Those guys are interested only in illegal profit and quick and dirty money. Activists or hacktivists, they are hacking for fun or hacking to push some political message. And the third group is nation states.

They are interested in high-quality intelligence or sabotage activity. Security companies not only share information, but we also share binary samples. So when this threat was found by a Belarusian security company on one of their customers' machines in Iran, the sample was shared amongst the security community. When we try to name threats, we just try to pick some sort of string, some sort of words that are inside of the binary. In this case, there were a couple of words in there.

We took pieces of each, and that formed Stuxnet. I got the news about Stuxnet from one of my engineers. He came to my office, opened the door and he said, so Eugene, of course you know, but we are waiting for something really bad. It happened.

Give me some sense of what it was like in the lab at that time. Was there a palpable sense of amazement that you had something really different there? Well, I wouldn't call it amazement.

It was kind of a shock. It went beyond our worst fears, our worst nightmares. And this continued.

The more we analyzed, the more we researched, the more bizarre the whole story got. We look at so much malware every day that we can just look at the code and straight away you can say, OK, there's something bad going on here and I need to investigate that. And that's the way it was when we looked at Stuxnet for the first time. We opened it up and there was just bad things everywhere.

Just like, OK, this is bad and that's bad and, you know, we need to investigate this. And just suddenly we had like a hundred questions straight away. The most interesting thing that we do is the detective work, where we try to track down who's behind a threat, what are they doing, what's their motivation, and try to really stop it at the root.

And it is kind of all-consuming. You get this new puzzle and it's very difficult to put it down. You know, work until like 4 a.m.

in the morning and figure these things out. And I was in that zone where I was very consumed by this, very excited about it, very interested to know what was happening. And Eric was also in that same sort of zone. So the two of us were like back and forth all the time. Liam and I continued to grind at the code, sharing pieces, comparing notes, bouncing ideas off of each other.

We realized that we needed to do what we call deep analysis. Pick apart the threat, every single byte, every single zero and one, and understand every single bit that was inside of it. Just to give you some context, we can go through and understand every line of code for the average threat in minutes.

And here we are one month into this threat, and we are just starting to discover what we call the payload, or its whole purpose. When looking at the Stuxnet code, it's 20 times the size of the average piece of code, but contains almost no bugs inside of it. And it's extremely rare, because code always has bugs inside of it. This wasn't the case with Stuxnet. It's dense, and every piece of code does something, and does something right, in order to conduct its attack.

One of the things that surprised us was that Stuxnet utilized what's called a zero-day exploit. Or basically a piece of code that allows it to spread without you having to do anything. You don't have to, for example, download a file and run it. A zero-day exploit is an exploit that nobody knows about except the attacker.

So there's no protection against it, there's been no patch released. There's been zero days protection, you know, against it. That's what attackers value because they know 100% if they have this zero-day exploit, they can get in wherever they want. They're actually very valuable.

You can sell these in the underground for hundreds of thousands of dollars. Then we became more worried because immediately we discovered more zero-days. And again, these zero-days are extremely rare.

Inside Stuxnet, we had four zero-days, and for the entire rest of the year, we only saw 12 zero-days used. It blows everything else out of the water. We've never seen this before. Actually, we've never seen it since either.

Seeing one in a malware you could understand, because the malware authors are making money, they're stealing people's credit cards, they're making money, so it's worth their while to use it. But seeing four zero-days, could be worth half a million dollars right there, used in one piece of malware, this is not your ordinary criminal gang who's doing this. This is someone bigger.

It's definitely not traditional crime, not hacktivists. Who else? It was evident at a very early stage that, just given the sophistication of this malware, there must have been a nation state involved, at least one nation state involved in the development.

When we look at code that's coming from what appears to be a state attacker or state-sponsored attacker, usually they're scrubbed clean. They don't leave little bits behind. They don't leave little hints behind.

But in Stuxnet, there were actually a few hints left behind. One was that in order to get low-level access to Microsoft Windows, Stuxnet needed to use a digital certificate, which certifies that this piece of code came from a particular company. Now, those attackers obviously couldn't go to Microsoft and say, hey, test our code out for us and give us a digital certificate.

So they essentially stole them. From two companies in Taiwan. And these two companies have nothing to do with each other except for their close proximity in the exact same business park.

Digital certificates are guarded very, very closely behind multiple doors and they require multiple people to unlock. And they need to provide both biometrics and as well, passphrases. It wasn't like those certificates were just sitting on some machine connected to the internet. Some human assets had to be involved.

Spies, like a cleaner who comes in at night and has stolen these certificates from these companies. It did feel like walking onto the set of this James Bond movie, and you've been embroiled in this thing that you know you'd never expected. We continued to search and we continued to search in the code, and eventually we found some other breadcrumbs left that we were able to follow. It was doing something with Siemens, Siemens software, possibly Siemens hardware.

We'd never ever seen that in any malware before, something targeting Siemens. We didn't even know why they would be doing that. But after googling very quickly, we understood it was targeting Siemens PLCs.

Stuxnet was targeting a very specific hardware device, something called a PLC, or a programmable logic controller. The PLC is kind of a very small computer attached to physical equipment like pumps, like valves, like motors. So this little box is running a digital program, and the actions of this program turn that motor on or off or set a specific speed. Those programmable controllers control things like power plants, power grids.

This is used in factories, it's used in critical infrastructure. Critical infrastructure is everywhere around us. Transportation, telecommunication, financial services, healthcare.

So the payload of Stuxnet was designed to attack some very important part of our world. The payload is going to be important. What happens there could be very dangerous.

The next very big surprise came when we infected our lab system. We figured out that the malware was probing the controllers. It was quite picky on its target.

It didn't try to manipulate any given controller in a network that it would see. It went through several checks and when those checks failed, it would not implement the attack. It was obviously probing for a specific target.

You got to put this in context that at the time we already knew, well, this is the most sophisticated piece of malware that we have ever seen. So it's kind of strange. Somebody takes that huge effort to hit one specific target. Well, that must be quite a significant target. So at Symantec we have probes on networks all over the world watching for malicious activity.

We'd actually seen infections of Stuxnet all over the world: in the US, in Australia, in the UK, in France, Germany, all over Europe. It spread to any Windows... in the entire world.

You know, we had these organizations inside the United States, who were in charge of industrial control facilities, saying, we're infected. What's going to happen?

We didn't know if there was a deadline coming up where this threat would trigger and suddenly... It would turn off all electricity plants around the world, or it would start shutting things down or launching some attack. We knew that Stuxnet could have very dire consequences, and we were very worried about what the payload contained, and there was an imperative speed that we had to race and try and beat this ticking bomb. Eventually, we were able to refine the statistics a little bit, and we saw that Iran was the number one infected country in the world.

That immediately raised our eyebrows. We had never seen a threat before where it was predominantly in Iran. And so we began to follow what was going on in the geopolitical world, what was happening in the general news.

And at that time, there were actually multiple explosions of gas pipelines going in and out of Iran. Unexplained explosions. And of course, we did notice that at the time, there had been assassinations of nuclear scientists. So that was worrying.

We knew there was something bad happening. Did you get concerned for yourself? Did you begin to start looking over your shoulder from time to time?

Yeah, definitely looking over my shoulder and being careful about what I spoke about on the phone. Pretty confident my conversations on the phone were being listened to. We were only half joking when we would look at each other and tell each other things like, look, I'm not suicidal if I show up dead on Monday.

You know, it wasn't me. We'd been publishing information about Stuxnet all through that summer. And then in November, an industrial control system sort of expert in Holland contacted us. And he said, all of these devices that would be inside an industrial control system hold a unique identifier number that identifies the make and model of that device.

And we actually had a couple of these numbers in the code that we didn't know what they were. And so we realized maybe what he was referring to was the magic numbers we had. And then when we searched for those magic numbers in that context, we saw that what had to be connected to this industrial control system that was being targeted was something called frequency converters, from two specific manufacturers, one of which was in Iran. And so at this time, we absolutely knew that the facility that was being targeted had to be in Iran and had equipment made by Iranian manufacturers. When we looked up those frequency converters, we immediately found out that they were actually export controlled by the Nuclear Regulatory Commission.

And that immediately led us then to some nuclear facility. This was more than a computer story, so I left the world of the antivirus detectives and sought out journalist David Sanger, who specialized in the strange intersection of cyber, nuclear weapons, and espionage. The emergence of the code is what put me on alert that an attack was underway.

And because of the covert nature of the operation, not only were official government spokesmen unable to talk about it, they didn't even know about it. Eventually, the more I dug into it, the more I began to find individuals who had been involved in some piece of it or who had witnessed some piece of it. And that meant talking to Americans, talking to Israelis, talking to Europeans, because this was obviously the first, biggest, and most sophisticated example of a state or two states using a cyber weapon for offensive purposes. I came to this with a fair bit of history, understanding the Iranian nuclear program.

How did Iran get its first nuclear reactor? We gave it to them, under the Shah, because the Shah was considered an American ally. Thank you again for your warm welcome, Mr. President. During the Nixon administration, the U.S. was very enthusiastic about supporting the Shah's nuclear power program. And at one point, the Nixon administration was pushing the idea that Pakistan and Iran should build a joint plant together in Iran.

There's at least some evidence that the Shah was thinking about acquisition of nuclear weapons because he saw, and we were encouraging him to see Iran as the so-called policeman of the Persian Gulf. And the Iranians have always viewed themselves as naturally the dominant power in the Middle East. Why would it be normal for you, for the Federal Republic of Germany, for England, even to have atomic or hydrogen weapons?

And for Iran, the simple principle of defending one's interests becomes a problem, and for the others it's quite normal. But the revolution which overthrew the Shah in '79 really curtailed the program before it ever got any head of steam going. Part of our policy against Iran after the revolution was to deny them nuclear technology.

So most of the period when I was involved in the 80s and the 90s was the U.S. running around the world and persuading potential nuclear suppliers not to provide even peaceful nuclear technology to Iran. And what we missed was the clandestine transfer in the mid-1980s from Pakistan to Iran. Abdul Qadir Khan is what we would call the father of the Pakistan nuclear program. He had the full authority and confidence of the Pakistan government from its inception to the production of nuclear weapons.

I was a CIA officer for over two decades, operations officer, worked overseas most of my career. The AQ Khan network is so notable because, aside from building the Pakistani program for decades, it also was the means by which other countries were able to develop nuclear weapons, including Iran. AQ Khan, acting on behalf of the Pakistani government, negotiated with officials in Iran, and then there was a transfer which took place through Dubai of blueprints for nuclear weapons design as well as some hardware. Throughout the mid-1980s, the Iranian program was not very well resourced.

It was more of an R&D program. It wasn't really until the mid-'90s that it started to take off when they made the decision to build a nuclear weapons program. You know, we can speculate what, in their mind, motivated them.

I think it was the U.S. invasion of Iraq after Kuwait. There was an eight-year war between Iraq and Iran. We had wiped out Saddam's forces in a matter of weeks. I think that was enough to convince the rulers in Tehran that they needed to pursue nuclear weapons more seriously.

States like these and their terrorist allies constitute an axis of evil, arming to threaten the peace of the world. From 2003 to 2005, when they feared that the U.S. would invade them, they accepted limits on their nuclear program. But by 2006, the Iranians had come to the conclusion that the U.S. was bogged down in Afghanistan and Iraq and no longer had the capacity to threaten them, and so they felt it was safe to resume their enrichment program. They started producing low-enriched uranium, producing more centrifuges, installing them at the large-scale underground enrichment facility at Natanz. The entry of these underground tunnels and the opening of the heart of the Iranian nuclear facilities is something similar to an incident. Today, the president's opening of this place made this incident possible for us. They say, well, you have to negotiate with us for 10 years, and then we will allow you to have 20 of these or not.

Of course, the people of Iran will not accept it. And today, about 7,000 of those machines are working underground. How many times have you been to Natanz?

Not that many, because I left a few years ago already, but I was there quite a few times. Natanz is just in the middle of the desert. When they were building it in secret, they were calling it a desert irrigation facility.

For the local people, you want to say, why are you building a big complex? There is a lot of artillery and air force. It's better protected against attack from air than any other nuclear installation or FC. So this is deeply underground. Then inside, Natanz is like any other centrifuge facility.

I have been all over the world, from Brazil to Russia, Japan. So they are all alike with their own features, their own centrifuges, their own culture. But basically the process is the same.

And so are the monitoring activities of the IAEA. It's a basic principle. You want to see what goes in, what goes out.

And then on top of that, you make sure that it produces low-enriched uranium instead of anything to do with the higher-end, nuclear-weapons-grade uranium. Iran's nuclear facilities are under 24-hour watch of the United Nations nuclear watchdog, the IAEA, the International Atomic Energy Agency. Every single gram of Iranian fissile material is accounted for.

They have like basically seals that they put on fissile materials. There are IAEA seals. You can't break anything without getting noticed. When you look at the uranium which was there in Natanz, it was a very special uranium.

This is called isotope 236. And that was a puzzle to us, because you only see this sort of uranium in states which have had nuclear weapons. We realized that they had cheated.

This sort of equipment has been bought from what they call a black market. They never pointed it out to AQ Khan at that point of time. What I was surprised by was the sophistication and the quality control and the way they have the manufacturing. It was really professional.

It was not something, you know, you just create in a few months' time. This was a result of a long process. The centrifuge, you feed uranium gas in and you have a cascade, thousands of centrifuges, and from the other end you get enriched uranium out.

It separates uranium based on spinning the rotor. It spins so fast, 300 meters per second, the same as the velocity of sound. These are tremendous forces, and as a result, the rotor, it twists. It looks like a banana at one point in time. So it has to be in balance because any small vibration, it will blow up.

And here comes another trouble. You have to raise the temperature, but these very thin rotor walls, they are made from carbon fiber, and the other pieces, they are made from metal. When you heat carbon fiber, it shrinks.

When you heat metal, it expands. So you need to balance not only that they spin, they twist, but this temperature behavior in such a way that it doesn't break. So this has to be very precise. This is what makes them very difficult to manufacture. You can model it, you can calculate it, but at the very end, it's actually based on practice and experience.

So it's a piece of art, so to say. Iranians are very proud of their centrifuges. There were a lot of public relations videos given up, always in April when they had what they call a national nuclear day.

Today, dear country of Iran, in the midst of the countries of production... If they want us to sign more inspections and more additional protocols and other measures, no, we will not. We will fight for our rights. Iran is a signatory to the Nuclear Non-Proliferation Treaty, and under that treaty, Iran has a right to a nuclear program.

We can have enrichment. Who are you, world powers, to come and tell us that we cannot have enrichment? This was his mantra.

And it's galvanized the public. By 2007, 2008, the U.S. government was in a very bad place with the Iranian program. President Bush recognized that he could not even come out in public and declare that the Iranians were building a nuclear weapon, because by this time, he had gone through the entire WMD fiasco in Iraq. He could not really take military action.

Condoleezza Rice said to him at one point, You know, Mr. President, I think you've invaded your last Muslim country, even for the best of reasons. He didn't want to let the Israelis conduct a military operation. It's 1938, and Iran is Germany, and it's racing to arm itself with atomic bombs. Iran's nuclear ambitions must be stopped.

They have to be stopped. We all have to stop it. Now, that's the one message I have for you today.

Thank you. Israel was saying they were going to bomb Iran, and the government here in Washington did all sorts of scenarios about what would happen if that Israeli attack occurred. They were all very ugly scenarios. Our belief was that if they went on their own, knowing the limitations, look, they're a very good air force, all right, but it's small and the distances are great and the target's dispersed and hard. If they would have attempted a raid on a military plane, we would have been assuming that they were assuming we would finish that which they started.

In other words, there would be many of us in government thinking that the purpose of the raid wasn't to destroy the Iranian nuclear system, but the purpose of the raid was to put us at war with Iran. Israel is very much concerned about Iran's nuclear program more than the United States. It's only natural because of the size of the country, because we live in this neighborhood.

America lives thousands and thousands of miles away from Iran. The two countries agreed on the goal. There is no gap between us that Iran should not have a nuclear military capability.

There are some differences on how to achieve it and when action is needed. And this corruption will be removed from the agenda. We are taking very seriously leaders of countries who call for the destruction and annihilation of our people. If Iran will get nuclear weapons, now or in the future, it means that for the first time in human history, Islamic zealots, religious zealots, will get their hands on the most dangerous, devastating weapons. And the world should prevent this. The Israelis believe that the Iranian leadership has already made the decision to build nuclear weapons when they think they can get away with it.


The view in the U.S. is that the Iranians haven't made that final decision yet. To me, that doesn't make any difference. I mean, it really doesn't make any difference, and it's probably unknowable unless you can put Supreme Leader Khamenei on the couch and interview him.

I think, you know, from our standpoint, stopping Iran from getting the threshold capacity is, you know, the primary policy objective. Once they have the fissile material, once they have the capacity to produce nuclear weapons, then the game is lost.

President Bush once said to me, he says, Mike, I don't want any president ever to be faced with only two options, bombing or the bomb. He wanted options that made it far less likely he or his successor or successors would ever get to that point where that's all you've got. We wanted to be energetic enough in pursuing this problem that the Israelis would certainly believe, yeah, we get it. The intelligence cooperation between Israel and the United States is very, very good, and therefore the Israelis went to the Americans and said, okay guys, you don't want us to bomb Iran, okay, let's do it differently. And then the American intelligence community started rolling and joined forces with the Israeli intelligence community.

One day, a group of intelligence and military officials showed up in President Bush's office and said, Sir, we have an idea. It's a big risk. It might not work, but here it is. Moving forward in my analysis of the code, I took a closer look at the photographs that had been published by the Iranians themselves in a press tour from 2008, Ahmadinejad and the Chinese centrifuges. The photographs of Ahmadinejad going through the centrifuges at Natanz provided some very important clues.

There was a huge amount to be learned. First of all, those photographs showed many of the individuals who were guiding Ahmadinejad through the program. And there's one very famous photograph that shows Ahmadinejad being shown something.

You see his face, you can't see what's on the computer. And one of the scientists who was behind him was assassinated a few months later. In one of those photographs, you could see parts of a computer screen. We refer to that as a SCADA screen.

The SCADA system is basically a piece of software running on a computer. It enables the operators to monitor the process. What you could see, when you look close enough, was a more detailed view of the configuration.

There were these six groups of centrifuges and each group had 164 entries. And guess what? That was a perfect match to what we saw in the attack code.

It was absolutely clear that this piece of code was attacking an array with six different groups of, let's just say, thingies, physical objects, and in those six groups there were 164 elements. Were you able to do any actual physical tests, or was it all just code analysis? Yeah, so you know, we obviously couldn't set up our own sort of nuclear enrichment facility. But what we did was, we did obtain some PLCs, the exact models.

We then ordered an air pump, and that's what we used sort of as our proof of concept. We needed a visual demonstration to show people what we discovered. So we thought of different things that we could do, and we settled on blowing up a balloon. We were able to write a program that would inflate a balloon, and it was set to stop after five seconds. So we inflate the balloon to a certain size, but it wouldn't burst the balloon, and it was all safe. And we showed everybody: this is the code that's on the PLC, and the timer says stop after five seconds, we know that's what's going to happen. And then we would infect the computer with Stuxnet and we would run the test again. Here is a piece of software that should only exist in the cyber realm, and it is able to affect physical equipment in a plant or factory and cause physical damage.

Real-world physical destruction. At that time, things became very scary to us. Here you had malware potentially killing people, and that was something that was always Hollywood-esque to us, that we'd always laugh at when people made that kind of assertion.

At this point, you had to have started developing theories as to who had built Stuxnet. It wasn't lost on us that there were probably only a few countries in the world that would want, and have the motivation, to sabotage Iran's nuclear enrichment facility. The U.S. government would be up there, Israeli government certainly would be up there, you know, maybe UK, France, Germany, those sorts of countries, but we never found any information that would tie it back 100% to those countries. There are no telltale signs. You know, the attackers don't leave a message inside saying, you know, it was me. And even if they did, all that stuff can be faked. So it's very, very difficult to do attribution when looking at computer code.

Subsequent work that's been done leads us to believe that this was the work of a collaboration between Israel and the United States. Did you have any evidence in terms of your analysis that would lead you to believe that that's correct also? Nothing that I could talk about on camera. Can I ask? No.

You can, but I won't answer. But even in the case of nation states, one of the concerns is... This was beginning to really piss me off.

Even civilians with an interest in telling the Stuxnet story were refusing to address the role of Tel Aviv and Washington. But luckily for me, while DC is a city of secrets, it is also a city of leaks. They're as regular as a heartbeat, and just as hard to stop. That's what I was counting on. Finally, after speaking

to a number of people on background, I did find a way of confirming, on the record, the American role in Stuxnet. In exchange for details of the operation, I had to agree to find a way to disguise the source of the information. We're good?

We're on. So the first question I have to ask you is about secrecy. I mean, at this point, everyone knows about Stuxnet.

Why can't we talk about it? It's a covert operation. Not anymore. I mean, we know what happened, we know who did it. Well, maybe you don't know as much as you think you know.

I'm talking to you because I want to get the story right. Well, that's the same reason I'm talking to you. Even though it's a covert operation. Look.

This is not a Snowden kind of thing, okay? I think what he did was wrong. He went too far. He gave away too much. Unlike Snowden, who was a contractor, I was in NSA.

I believe in the agency, so what I'm willing to give you will be limited, but we're talking because everyone's getting this story wrong and we have to get it right. We have to understand these new weapons. The stakes are too high.

What do you mean? We did Stuxnet. It's a fact. We came so fucking close to disaster.

And we're still on the edge. It was a huge multinational interagency operation. In the US it was CIA, NSA, and the military cyber command.

From Britain we used Iran Intel out of GCHQ. But the main partner was Israel. Over there Mossad ran the show and the technical work was done by Unit 8200. Israel is really the key to the story.

The traffic in Israel is so unpredictable. Yossi, how did you get into this whole Stuxnet story? I have been covering the Israeli intelligence in general, and the Mossad in particular, for nearly 30 years.

In 1982, I was a London-based correspondent, and I covered a trial of terrorists, and I became more familiar with this topic of terrorism, and slowly but surely, I started covering it as a beat. Israel, we live in a very rough neighborhood where the more democratic values, Western values, are very rare, but Israel pretends to be a free democratic westernized society. Posh neighborhoods, rich people, youngsters who have an almost similar mindset to their American or Western European counterparts. On the other hand, you see a lot of scenes and events which resemble the real Middle East: terror attacks, radicals, fanatics, religious zealots.

I knew that Israel is trying to slow down Iran's nuclear program, and therefore I came to the conclusion that if there was a virus affecting Iran's computers, it's one more element in this larger picture, based on past precedents. In 1981 I was an F-16 pilot. We were told that unlike our dream to do dogfights and to kill MiGs, we have to be prepared for a long-range mission to destroy a valuable target. Nobody told us what is this very valuable strategic target. It was 600 miles from Israel.

So we trained ourselves to do the job, which was very difficult. No air refueling at that time. No satellites for reconnaissance.

Fuel was on the limit. At the end of the day, we accomplished the mission. Which was? To destroy the Iraqi nuclear reactor near Baghdad, which was called Osirak.

And Iraq never was able to accomplish its ambition to have a nuclear bomb. Amos Yadlin, General Yadlin, he was the head of the military intelligence. The biggest unit within that organization is Unit 8200.

They bug telephones, they bug faxes, they break into computers. A decade ago, when Yadlin became the chief of military intelligence, there was no cyber warfare unit in 8200. So they started recruiting very talented people, hackers, either from the military or outside the military, that can contribute to the project of building a cyber warfare unit. In the 19th century there were only army and navy. In the 20th century we got air power as a third dimension of war.

In the 21st century cyber will be the fourth dimension of war. It's another kind of weapon, and it is of unlimited range, at a very high speed and with a very low signature. So this gives you a huge opportunity, and the superpowers have to change the way we think about warfare. Finally we are transforming our military for a new kind of war that we're fighting now.

And for wars of tomorrow. We have made our military better trained, better equipped, and better prepared to meet the threats facing America today, and tomorrow, and long in the future. Back in the end of the Bush administration, people within the U.S. government were just beginning to convince President Bush to pour money into offensive cyber weapons. Stuxnet started off in the Defense Department. Then Robert Gates, Secretary of Defense, reviewed this program and he said, this program shouldn't be in the Defense Department.

This should really be under the covert authorities over in the intelligence world. So the CIA was very deeply involved in this operation.

While much of the coding work was done by the National Security Agency and Unit 8200, its Israeli equivalent, working together with a newly created military position called US Cyber Command. And interestingly, the director of the National Security Agency would also have a second role as the commander of U.S. Cyber Command. And U.S. Cyber Command is located at Fort Meade in the same building as the NSA. I was deployed for a year giving advice on air operations in Iraq and Afghanistan, and when I was returning home after that, the assignment I was given was to go to US Cyber Command.

Cyber Command is the military command that's responsible for essentially conducting the nation's military affairs in cyberspace. The stated reason the United States decided it needed a cyber command was because of an event called Operation Buckshot Yankee. In the fall of 2008 we found some adversaries inside of our classified networks.

While it wasn't completely true that we always assumed that we were successful at defending things at the barrier, at the kind of perimeter that we might have between our networks and the outside world, there was a large confidence that we'd been mostly successful. But that was a moment in time when we came to the quick conclusion that it's not really ever secure. That then accelerated the Department of Defense's progress towards what ultimately became Cyber Command. Good morning, sir. Team Cyber has one item for you today.

Earlier this week, NTOC analysts detected a foreign adversary using known methods to access a U.S. military network. We identified the malicious activity via data collected through our information assurance and signals intelligence authorities and confirmed it was a cyber adversary. We provided data to our cyber partners within the DOD. If you think of NSA as an institution that essentially uses its abilities in cyberspace to help defend communications in that space, Cyber Command extends that capability by saying that they will then take responsibility to attack.

NSA has no legal authority to attack. It's never had it. I doubt that it ever will.

It might explain why U.S. Cyber Command is sitting out at Fort Meade on top of the National Security Agency. Because NSA has the abilities to do these things, Cyber Command has the authority to do these things. And these things here refer to the cyber attack.

This is a huge change for the nature of the intelligence agencies. The NSA was supposed to be a code-making and code-breaking operation to monitor the communications of foreign powers and American adversaries in the defense of the United States. But creating a cyber command meant using the same technology to do offense. Once you get inside an adversary's computer networks, you put an implant in that network.

And we have tens of thousands of foreign computers and networks that the United States has put implants in. You can use it to monitor what's going across that network, and you can use it to insert cyber weapons, malware. If you can spy on a network, you can manipulate it.

It's already included. The only thing you need is an active will. It played a role in Iraq. I can't tell you whether it was military or not, but I can tell you NSA had combat support teams in country. And for the first time, units in the field had direct access to NSA intel.

Over time we thought more about offense than defense, you know, more about attacking than intelligence. In the old days, SIGINT units would try to track radios, but through NSA and Iraq, we had access to all the networks going in and out of the country. We hoovered up every text message, email, and phone call.

The complete surveillance state. We could find the bad guys, say a gang, making IEDs, map their networks and follow them in real time. We could lock into cell phones even when they were off, send a fake text from a friend, suggest a meeting place and then capture.

Or kill. A lot of the people that came to Cyber Command, the military guys, came directly from an assignment in Afghanistan or Iraq because those are the people with experience and expertise in operations and those are the ones you want looking at this to see how cyber could facilitate traditional military operations. Fresh from the surge, I went to work at NSA in 07, in a supervisory capacity. Exactly where did you work?

Fort Meade. You know, I commuted to that massive complex every single day. I... was in TAO S321, The Rock. Okay, the TAO, The Rock?

Right, sorry. TAO is Tailored Access Operations. It's where NSA's hackers work. Of course, we didn't call them that.

What did you call them? On-net operators. They're the only people at NSA allowed to break in or attack on the Internet.

Inside TAO headquarters is The Rock, Remote Operations Center. If the US government wants to get in somewhere, it goes to the rock. I mean, we were flooded with requests. So many that we could only do about 30% of the missions that were requested of us at one time.

Through the web, but also by hijacking shipments of parts. You know, sometimes the CIA would assist in putting implants in machines. So once inside a target network, we could just watch. We could attack.

Inside NSA was a strange kind of culture, like two parts macho military and two parts cyber geek. I mean, I came from Iraq, so I was used to yes sir, no sir, but for the weapons programmers, we needed more think-outside-the-box types. And from cubicle to cubicle, you'd see lightsabers, tribbles, a dozen Naruto action figures, lots of Aqua Teen Hunger Force.

This one guy, they were mostly guys, who liked to wear a yellow hooded cape. He used a ton of gray Legos to build a massive Death Star. Are they all working on Stuxnet?

We never called it Stuxnet. That was the name invented by the antivirus guys. When it hit the papers, we're not allowed to read about classified operations, even if it's in the New York Times, we went out of our way to avoid the term. I mean, saying Stuxnet out loud was like saying Voldemort in Harry Potter, the name that shall not be spoken.

What did you call it? The Natanz attack, and this is out there already, was called Olympic Games, or OG. There was a huge operation to test the code on PLCs here at Fort Meade and in Sandia, New Mexico. Remember during the Bush era when Libya turned over all of its centrifuges?

Those were the same models the Iranians got from AQ Khan. P1s. We took them to Oak Ridge and used them to test the code.

Just demolished the insides. At Dimona, the Israelis also tested on the P1s. Then, partly by using our intel on Iran, we got the plans for the newer models.

The IR2s. We tried out different attack vectors. We ended up focusing on ways to destroy the rotor tubes. In the tests we ran, we blew them apart.

They swept up the pieces, they put it on an airplane, they flew it to Washington, they stuck it in the truck, they drove it through the gates of the White House and dumped the shards out on the conference room table in the Situation Room. And then they invited President Bush to come down and take a look.

And when he could pick up the shard of a piece of centrifuge, he was convinced this might be worth it. And he said, go ahead and try. Was there legal concern inside the Bush administration that this might be an act of undeclared war?

If there were concerns, I haven't found them. That doesn't mean that they didn't exist and that some lawyers somewhere were concerned about it, but this was an entirely new territory. At the time, there were really very few people who had expertise specifically on the law of war and cyber.

And basically what we did was looking at, okay, here's our broad direction. Now let's look technically what can we do to facilitate this broad direction. And after that, maybe I would come in or— where one of my lawyers would come in and say, okay, this is what we may do. Okay. There are many things we can do, but we are not allowed to do them.

And then after that, there's still a final level that we look at, and that's what should we do. Because there are many things that would be technically possible and technically legal, but a bad idea. For Natanz, it was a CIA-led operation.

So we had to have agency sign-off. Really? Yes. Someone from the agency stood behind the operator and the analyst and gave the order to launch every attack. Before they even started this attack, they put inside of the code a kill date.

A date at which it would stop operating. Cut-off dates, we don't normally see that in other threats. And you have to think, well, why is there a cut-off date in there? And when you realize that, well, Stuxnet was probably written by government, and that there are laws regarding how you can use this sort of software, there may have been a legal team who said, no, you need to have a cut-off date in there, and you can only do this, and you can only go that far, and we need to check if this is legal or not.

That date is a few days before Obama's inauguration. So the theory was that this was an operation that needed to be stopped at a certain time because there was going to be a handover and that more approval was needed. Are you prepared to take the oath, Senator?

I am. I, Barack Hussein Obama, do solemnly swear... I, Barack Hussein Obama, do solemnly swear... The Olympic Games was reauthorized by President Obama in his first year in office, 2009. All the best wishes. It was fascinating because it was the first year of the Obama administration and they would talk to you endlessly about cyber defense.

We count on computer networks to deliver our oil and gas, our power and our water. We rely on them for public transportation and air traffic control. But just as we failed in the past to invest in our physical infrastructure, our roads, our bridges, and rails, we failed to invest in the security of our digital infrastructure.

He was running East Room events, trying to get people to focus on the need to defend cyber networks and defend American infrastructure. But when you asked questions about the use of offensive cyber weapons, everything... No cooperation. White House wouldn't help.

Pentagon wouldn't help. NSA wouldn't help. Nobody would talk to you about it.

But when you dug into the budget for cyber spending during the Obama administration, what you discovered was much of it was being spent on offensive cyber weapons. You see phrases like Title 10 CNO. Title 10 means operations for the US military, and CNO means computer network operations. This is considerable evidence that Stuxnet was just the opening wedge of what is a much broader US government effort now to develop an entire new class of weapons. Stuxnet wasn't just an evolution, it was really a revolution in the threat landscape.

In the past, the vast majority of threats that we saw were always controlled by an operator somewhere. They would infect your machines, but they would have what's called a callback, or a command and control channel. The threats would actually contact the operator and say, what do you want me to do next?

And the operator would send down commands and say, maybe search through this directory, find these folders, find these files, upload these files to me, spread to this other machine, things of that nature. But Stuxnet couldn't have a command and control channel. Because once it got inside Natanz, it would not have been able to reach back out to the attackers. The Natanz network is completely air-gapped from the rest of the Internet. It's not connected to the Internet.

It's its own isolated network. Generally, getting across an air gap is one of the more difficult challenges that attackers will face, just because of the fact that everything is in place to prevent that. Everything, you know, the policies and procedures and the physical network that's in place, is specifically designed to prevent you crossing the air gap. But there's no truly air-gapped network in these real-world production environments.

People got to get new code into Natanz. People have to get log files off of these networks in Natanz. People have to upgrade equipment. People have to upgrade computers. This highlights one of the major security issues that we have in the field.

If you think, well, nobody can attack this power plant or this chemical plant because it's not connected to the internet, that's a bizarre illusion. The first time we introduced the code into Natanz, we used human assets. Maybe CIA, more likely Mossad, but our team was kept in the dark about the tradecraft. We heard rumors in Moscow, an Iranian laptop infected by a phony Siemens technician with a flash drive.

A double agent in Iran with access to Natanz, but I don't really know. What we had to focus on was to write the code so that once inside, the worm acted on its own. They built in all the code and all the logic into the threat to be able to operate all by itself.

It had the ability to spread by itself. It had the ability to figure out, do I have the right PLCs? Have I arrived in Natanz? Am I at the target? And when it's on target, it executes autonomously.

That also means you cannot call off the attack. It was definitely the type of attack where someone had decided that this is what they wanted to do. There was no turning back once Stuxnet was released.

When it began to actually execute its payload, you would have a whole bunch of centrifuges in a huge array of cascades sitting in a big hall. And then just off that hall you would have an operator's room. Big control panels in front of them, a big window where they could see into the hall. Computers monitor the activities of all these centrifuges. So a centrifuge, it's driven by an electrical motor.

And the speed of this electrical motor is controlled by another PLC, by another programmable logic controller. Stuxnet would wait for 13 days before doing anything. Because 13 days is about the time it takes to actually fill an entire cascade of centrifuges with uranium. They didn't want to attack when the centrifuges essentially were empty or at the beginning of the enrichment process.

What Stuxnet did was it actually would sit there during the 13 days and basically record all of the normal activities that were happening and save it. And once they saw them spinning for 13 days, then the attack occurred. Centrifuges spin at incredible speeds, about 1,000 hertz.

They have a safe operating speed, 63,000 revolutions per minute. Stuxnet caused the uranium enrichment centrifuges to spin up to 1,400 hertz. Up to 80 thousand revolutions per minute. What would happen was those centrifuges would go through what's called a resonance frequency. It would go through a frequency at which the metal would basically vibrate uncontrollably and essentially shatter.

There'd be uranium gas everywhere. And then the second attack they attempted was they actually tried to lower it to two hertz. They were slowed down to almost stand still.

And at 2 Hz, sort of an opposite effect occurs. You can imagine it to a top that you spin, and as the top begins to slow down, it begins to wobble. That's what would happen to these centrifuges. They begin to wobble and essentially chatter and fall apart. And instead of sending back to the computer what was really happening, it would send back that old data that it had recorded.

And so the computer is sitting there thinking, yep, running at a thousand hertz, everything's fine, running at a thousand hertz, everything's fine. But those centrifuges are potentially spinning up wildly. A huge noise would occur.

It'd be like, you know, a jet engine. So the operators then would know, whoa, something is going wrong here. They might look at their monitors and see, it says it's a thousand hertz, but they would hear that in the room something gravely bad was happening.

Not only are the operators fooled into thinking everything's normal, but... If your cyber weapon is good enough, if your enemy is not aware of you, it is an ideal weapon, because the enemy even doesn't understand what is happening to him. Maybe even better, the enemy begins to doubt their own capability.

Absolutely. Certainly, one must conclude that what happened at Natanz must have driven the engineers crazy. Because the worst thing that can happen to a maintenance engineer is not being able to figure out what the cause of specific trouble is. So they must have been analyzing themselves to death. You know, you see centrifuges blowing up.

You look at the computer screens. They go with the proper speed. There's a proper gas pressure. Everything looks beautiful.

Through 2009, it was going pretty smoothly. Centrifuges were blowing up. The International Atomic Energy Agency inspectors would go into Natanz and they would see that whole sections of the centrifuges had been removed. The United States knew from its intelligence channels that some Iranian scientists and engineers were being fired because the centrifuges were blowing up and the Iranians had assumed that this was because they had been making errors, they were manufacturing mistakes, clearly this was somebody's fault.

So the program was doing exactly what it was supposed to be doing, which was it was blowing up centrifuges and it was leaving no trace, and leaving the Iranians to wonder what they got hit by. This was the brilliance of Olympic Games.

You know, as a former director of a couple of big three-letter agencies, slowing down a thousand centrifuges at Natanz, an unalloyed good. There was a need for buying time. There was a need for slowing them down.

There was a need to try to push them to the negotiating table. I mean, there are a lot of variables at play here. President Obama would go down into the Situation Room and he would have laid out in front of him what they called the horse blanket, which was a giant schematic of the Natanz nuclear enrichment plant.

And the designers of Olympic Games would describe to him what kind of progress they made and look for him for the authorization to move on ahead to the next attack. And at one point during those discussions, he said to a number of his aides, you know, I have some concerns because once word of this gets out, and eventually he knew it would get out, the Chinese may use it as an excuse for their attacks on us, the Russians might, or others. So he clearly had some misgivings, but they weren't big enough to stop him from going ahead with the program.

And then in 2010, a decision was made to change the code. Our human assets... We weren't always able to get code updates into Natanz. And we weren't told exactly why. But we were told we had to have a cyber solution for delivering the code.

But the delivery systems were tricky. If they weren't aggressive enough, they wouldn't get in. If they were too aggressive, they could spread and be discovered.

When we got the first sample, there was some configuration information inside of it. And one of the pieces in there was a version number, 1.1. And that made us realize, well look, this likely isn't the only copy. We went back through our databases looking for anything that looked similar to Stuxnet.

As we began to collect more samples, we found a few earlier versions of Stuxnet. And when we analyzed that code, we saw that versions previous to 1.1 were a lot less aggressive. The earlier version of Stuxnet, it basically required humans to do a little bit of double-clicking in order for it to spread from one computer to another.

And so what we believe after looking at that code is two things. One, either they didn't get into Natanz with that earlier version, because it simply wasn't aggressive enough, wasn't able to jump over that air gap. And or two, that payload as well didn't work properly, didn't work to their satisfaction, maybe was not explosive enough.

There were slightly different versions, which were aimed at different parts of the centrifuge cascade. But the guys at Symantec figured you'd change the code because the first variations couldn't get in and didn't work, right? Bullshit. We always found a way to get across the air gap. At TAO we laughed when people thought they were protected by an air gap.

And for OG, the early versions of the payload did work. But what NSA did... It was always low-key and subtle.

The problem was that Unit 8200, the Israelis, kept pushing us to be more aggressive. The later version of Stuxnet, 1.1, that version had multiple ways of spreading. It had the four zero days inside of it, for example, that allowed it to spread all by itself without you doing anything.

It could spread via network shares, it could spread via USB keys, it was able to spread via network exploits. That's the sample that introduces the stolen digital certificates. That is the sample that all of a sudden became so noisy and caught the attention of the antivirus guys.

In the first sample we don't find that, and this is very strange, because it tells us that in the process of this development the attackers were less concerned with operational security. Stuxnet actually kept a log inside of itself of all the machines that it infected along the way, as it jumped from one machine to another to another to another. And we were able to gather up all the samples that we could acquire, tens of thousands of samples. We extracted all of those logs. You can see the exact path that Stuxnet took. Eventually, we were able to trace back this version of Stuxnet to Ground Zero, to the first five infections in the world.

The first five infections are all outside of Natanz's plant, all inside of organizations inside of Iran, all organizations that are involved in industrial control systems, in the construction of industrial control facilities. Clearly contractors who were working on the Natanz facility. And the attackers knew that. They're electrical companies, they're piping companies, they're...

you know, these sorts of companies, and they knew that technicians from those companies would visit Natanz. So they would infect these companies, and then technicians would take their computer, their laptop, or their USB. That operator then goes down to Natanz, and he plugs in his USB key, which has some code that he needs to update, into Natanz, into the Natanz network.

And now Stuxnet is able to get inside Natanz and conduct its attack. These five companies were specifically targeted to spread Stuxnet into Natanz. It wasn't that Stuxnet escaped out of Natanz and then spread all over the world, and it was this big mistake, and, oh, it wasn't meant to spread that far, but it really did. No, that's not the way we see it.

The way we see it is that they wanted it to spread far so that they could get it into Natanz. Someone decided that we're going to create something new, something evolved, that's going to be far, far, far more aggressive. And we're okay, frankly, with it spreading all over the world to innocent machines and in order to go after our target.

The Mossad had the role, had the assignment to deliver the virus, to make sure that Stuxnet would be put in place in Natanz to affect the centrifuges. Meir Dagan, the head of Mossad, was under growing pressure from the Prime Minister, Benjamin Netanyahu, to produce results.

Inside The Rock we were furious. The Israelis took our code for the delivery system and changed it. Then, on their own, without our agreement, they just fucking launched it. 2010, around the same time they started killing Iranian scientists. And they fucked up the code.

Instead of hiding, the code started shutting down computers, so naturally people noticed. Because they were in a hurry, they opened Pandora's box. They let it out, and it spread all over the world.

The worm spread quickly, but somehow it remained unseen until it was identified in Belarus. Soon after, Israeli intelligence confirmed that it had made its way into the hands of the Russian Federal Security Service, a successor to the KGB. So it happened that the formula for a secret cyber weapon designed by the U.S. and Israel fell into the hands of Russia and the very country it was meant to attack. It didn't work. They could have made some of our centrifuges difficult.

Of course, with the soft materials that were installed in the electronic parts, it would have been easier. They did a bad thing, they did a bad thing, but fortunately our experts discovered it and today they are not capable of it. In international law, when some country or a coalition of countries targets a nuclear facility, it's an act of war.

Please, let's be frank here. If it wasn't Iran... Let's say a nuclear facility in the United States was targeted in the same way.

The American government would not sit by and let this go. Stuxnet is an attack in peacetime on critical infrastructure. Yes, it is. Look, when I read about it, I go, whoa, this is a big deal.

The people who were running this program, including Leon Panetta, the director of the CIA at the time, had to go down into the Situation Room and face President Obama, Vice President Biden, and explain that this program was suddenly on the loose. Vice President Biden, at one point during this discussion, sort of exploded in Biden-esque fashion and blamed the Israelis. He said, it must have been the Israelis who made a change in the code that enabled it to get out.

President Obama said to the senior leadership, you told me it wouldn't get out of the network. It did. You told me the Iranians would never figure out it was the United States.

They did. You told me it would have a huge effect on their nuclear program, and it didn't. The Natanz plant is inspected every couple of weeks by the International Atomic Energy Agency inspectors.

And if you line up what you know about the attacks with the inspection reports, you can see the effects. If you go to the IAEA reports, we really saw that a lot of centrifuges were switched off and they were removed, as much as almost a couple of thousand got compromised. When you put it all together, I wouldn't be surprised if the program got delayed by one year.

But go then to year 2012-13 and look, you know, how the centrifuges started to come up again. Iran's number of centrifuges... went up exponentially to 20,000 with a stockpile of low-enriched uranium. These are high numbers. Iran's nuclear facilities expanded with the construction of Fordow and other highly protected facilities.

So ironically, cyber warfare, assassination of its nuclear scientists, economic sanctions, political isolation. Iran has gone through A to Z of every coercive policy that the US, Israel and those who ally with them have placed on Iran, and they have actually made Iran's nuclear program more advanced today than it was ever before. This is a very, very dangerous minefield that we are walking, and the nations who decide to take these covert actions should be taking into consideration all...

the effects, including the moral effects. I would say that this is the price that we have to pay in this war, and our blade of righteousness shouldn't be so sharp. In Israel and in the United States, the blade of righteousness cut both ways, wounding the targets and the attackers.

When Stuxnet infected American computers, the Department of Homeland Security, unaware of the cyber weapons launched by the NSA, devoted enormous resources trying to protect Americans from their own government. We had met the enemy, and it was us. The purpose of the watch stations that you see in front of you is to aggregate the data coming in from multiple feeds of what the cyber threats could be.

So if we see threats, we can provide real-time recommendations for both private companies as well as federal agencies. Can we just read out on this Stuxnet virus? Absolutely. We'd be more than happy to discuss that.

Early July of 2010, we received a call that said that this piece of malware was discovered, and could we take a look at it? When we first started the analysis, there was that, oh, crap moment, you know, where we sat there and said, this is something that's significant. It's impacting industrial control. It can disrupt it to the point where it could cause harm and not only damage to the equipment, but potentially harm or loss of life.

We were very concerned because Stuxnet was something that we had not seen before. So there wasn't a lot of sleep that night. Basically, light up the phones, call everybody we know, inform the secretary, inform the White House, inform the other departments and agencies, wake up the world, and figure out what's going on with this particular malware. Good morning Chairman Lieberman, Ranking Member Collins. Something as simple and innocuous as this becomes a challenge for all of us to maintain accountability and control of our critical infrastructure systems.

This actually contains the Stuxnet virus. I've been asked on a number of occasions, did you ever think this was us? And at no point did that ever really cross our mind, because we were looking at it from the standpoint of, is this something that's coming after the homeland? You know, what's going to potentially impact, you know, our industrial control base here in the United States? You know, I liken it to, you know, field battle. You don't think the sniper that's behind you is going to be shooting at you, because you expect him to be on your side. We really don't know who the attacker was in the Stuxnet case. So help us understand a little more what this thing is, whose origin and destination we don't understand.

Did anybody ever give you any indication that... something that they already knew about? No. At no time did I get the impression from someone that that's okay, you know, get the little pat on the head and scoot it out the door. I never received a stand-down order.

I never... No one ever asked to stop looking at this. Do we think that this was a nation-state actor and that there are a limited number of nation-states that have such advanced capacity? Sean McGurk, the Director of Cyber for the Department of Homeland Security, testified before the Senate about how he thought Stuxnet was a terrifying threat to the United States.

Is that not a problem? I don't know. And how do you mean? Is that a distraction, that that thing was a bad idea?

No, no, no, just that before he knew what it was and what it attacks. Oh, I get it. Yeah, that he was responding to something that we thought was a threat to critical infrastructure in the United States. The worm is loose.

The worm is loose. I understand, but there's a further theory having to do with whether or not, following upon David Sanger... I got the subplot, and who did that, was it the Israelis?

Yeah, I truly don't know, and even though I don't know, I still can't talk about it, all right? Stuxnet was somebody's covert action, all right? And the definition of covert action is an activity in which you want to have the hand of the actor forever hidden.

So by definition, it's going to end up in this "we don't talk about these things" box. To this day, the United States government has never acknowledged conducting any offensive cyber attack anywhere in the world. But thanks to Mr. Snowden, we know that in 2012, President Obama issued an executive order that laid out some of the conditions under which cyber weapons can be used.

And interestingly, every use of a cyber weapon requires presidential sign-off. That is only true in the physical world for nuclear weapons. Nuclear war and nuclear weapons are vastly different from cyber war and cyber weapons. Having said that, there are some similarities.

And in the early 1960s, the United States government suddenly realized it had thousands of nuclear weapons, big ones and little ones, weapons on jeeps, weapons on submarines. And it really didn't have a doctrine. It really didn't have a strategy. It really didn't have an understanding at the policy level about how it was going to use all of these things. And so academics started publishing unclassified documents about nuclear war and nuclear weapons.

And the result was more than 20 years in the United States of very vigorous national debates about how we want to go use nuclear weapons. And not only did that cause the Congress and people in the executive branch in Washington to think about these things, it caused the Russians to think about these things. And out of that grew nuclear doctrine, mutual assured destruction, all of that complicated set of nuclear dynamics.

Today, on this vital issue, at least we have seen what can be accomplished when we pull together. We can't have that discussion in a sensible way right now about cyber war and cyber weapons, because everything is secret. And when you get into a discussion with people in the government, people still in the government, people who have security clearances, you run into a brick wall. Trying to stop Iran is really my number one job.

Can I ask you in that context about the Stuxnet computer virus potentially? You can ask, but I won't comment. Can you tell us anything? No. has had the most impact on their nuclear decision making, the Stuxnet virus. I can't talk about Stuxnet.

I can't even talk about the operation of Iran centrifuges. Was the US involved in any way in the development of Stuxnet? It's hard to get into any kind of comment on that until we've finished any of our examination.

But sir, I'm not asking you if you think another country was involved. I'm asking you if the US was involved. And this is not something that we're going to be able to answer at this point. Look, for the longest time, I was in fear that I couldn't actually say the phrase computer network attack.

This stuff is hideously overclassified, and it gets in the way of a mature public discussion as to what it is we as a democracy want our nation to be doing up here in the cyber domain. Now this is a former director of NSA and CIA saying this stuff is overclassified. One of the reasons it's as highly classified as it is, this is a peculiar weapon system. This is the weapon system that's come out of the espionage community, and so those people have a habit of secrecy. Secrecy is still justifiable in certain cases, to protect sources or to protect national security. But when we deal with secrecy, don't hide behind it, to use it as an excuse to not disclose something properly that you know should be, or that the American people need ultimately to see. While most government officials refused to acknowledge the operation, at least one key insider did leak parts of the story to the press.

In 2012, David Sanger wrote a detailed account of Olympic Games that unmasked the extensive joint operation between the U.S. and Israel to launch cyberattacks on Natanz. The publication of this story, coming at a time when it turned out that there were a number of other unrelated national security stories being published, led to the announcement of investigations by the Attorney General. Into the press and into the leaks. Soon after the article, the Obama administration targeted General James Cartwright in a criminal investigation for allegedly leaking classified details about Stuxnet. There are reports of cyber attacks on the Iranian nuclear program.

What's your reaction to this information getting out? Well, first of all, I'm not going to comment on the details of what are supposed to be classified items. Since I've been in office, my attitude has been zero tolerance for these kinds of leaks. We have mechanisms in place where if we can root out folks who have leaked, they will suffer consequences.

It became a significant issue and a very wide-ranging investigation in which I think most of the people who were cleared for Olympic Games at some point had been, you know, interviewed and so forth. When Stuxnet hit the media, they polygraphed every... including people who didn't know shit. You know, they pollied the interns, for God's sake.

These are criminal acts when they release information like this. And we will conduct thorough investigations as we have in the past. The administration never filed charges, possibly afraid that a prosecution would reveal classified details about Stuxnet. To this day, no one in the U.S. or Israeli governments has officially acknowledged the existence of the joint operation. I would never compromise ongoing operations in the field, but we should be able to talk about capability.

We can talk about our bunker busters. Why not our cyber weapons? I mean, the secrecy of the operation has been blown.

Our friends in Israel took a weapon that we jointly developed in part to keep Israel from doing something crazy and then used it on their own in a way that blew the cover of the operation and could have led to war. And we can't talk about that? There's a way to talk about Stuxnet.

It happened. To deny that it happened is foolish. So the fact that it happened is really what we're talking about here. What are the implications of the fact that we now are in a post-Stuxnet world?

What I said to David Sanger was, I understand the difference in destruction is dramatic, but this has the whiff of August 1945. Somebody just used a new weapon. And this weapon will not be put back into the box. I know no operational details and don't know what anyone did or didn't do before someone decided to use the weapon.

I do know this. If we go out and do something, most of the rest of the world now thinks that's a new standard. And it's something that they now feel legitimated to do as well.

But the rules of engagement, international norms, treaty standards, they don't exist right now. The law of war, because it began to develop so long ago, is really dependent on thinking of things kinetically, in the physical realm. So, for example, we think in terms of attacks.

You know an attack when it happens in the kinetic world. It's not really much of a mystery. But in cyberspace it is sort of confusing to think how far do we have to go before something is considered an attack.

So we have to take all the vocabulary and the terms that we use in strategy and military operation and adapt them into the cyber realm. For nuclear, we have these extensive inspection regimes.

The Russians come and look at our silos. We go and look at their silos. Bad as things get between the two countries, those inspection regimes have held up.

But working that out for cyber would be virtually impossible. Where do you send your inspector? Inside the laptop of, you know, how many laptops are there in the United States and Russia? It's much more difficult in the cyber area to construct an international regime based on treaty commitments and rules of the road and so forth. Although we've tried to have discussions with the Chinese and Russians and so forth about that, it's very difficult.

Right now, the norm in cyberspace is, do whatever you can get away with. That's not a good norm, but it's the norm that we have. That's the norm that's preferred by states that are engaging in lots of different kinds of activities that they feel are benefiting their national security.

Those who excel in cyber are trying to slow down the process of creating regulation. Those who are victims will like the regulation to be in the open as soon as possible. International law in this area is written by custom, and customary law requires a nation to say, this is what we did and this is why we did it. And the U.S. doesn't want to push the law in that direction, and so it chooses not to disclose its involvement. And one of the reasons that I thought it was important...

To tell the story of Olympic Games was not simply because it's a cool spy story. It is, but it's because as a nation, we need to have a debate about how we want to use cyber weapons because we are the most vulnerable nation on Earth to cyber attack ourselves. If you get up in the morning and turn off your alarm and make coffee and pump gas and use the ATM, you've touched industrial control systems. It's what powers our lives.

And unfortunately, these systems are connected and interconnected in some ways that make them vulnerable. Critical infrastructure systems generally were built years and years ago without security in mind. They didn't realize how things were going to change; maybe they weren't even meant to be connected to the internet.

And we've seen through a lot of experimentation and through also, unfortunately, a lot of attacks, that most of these systems are relatively easy for a sophisticated hacker to get into. Let's say you took over the control system of a railway. You could switch tracks.

You could cause derailments of trains carrying explosive materials. What if you were in the control system of gas pipelines? And when a valve is supposed to be open, it was closed, and from the pressure that built up the pipeline exploded. There are companies that run electric power generation or electric power distribution that we know have been hacked by foreign entities to have the ability to shut down the power grid. Imagine for a moment that not only all the power went off on the East Coast, but the entire Internet came down.

Imagine what the economic impact of that is, even if it only lasted for 24 hours. According to the officials, Iran is the first country ever in the Middle East to actually be engaged in a cyber war with the United States and Israel. If anything, they said the recent cyber attacks were what encouraged them to plan to set up the cyber army, which will gather computer scientists, programmers, software engineers... If you are a youth and you see assassination of nuclear scientists, your nuclear facilities are getting attacked.

Wouldn't you join your national cyber army? Well, many did. And that's why today Iran has one of the largest cyber armies in the world.

So whoever initiated this and was very proud of themselves to see that little dip in Iran's centrifuge numbers should look back now and acknowledge that it was a major mistake. Very quickly, Iran sent a... a message to the United States, very sophisticated message.

And they did that with two attacks. First, they attacked Saudi Aramco, the biggest oil company in the world, and wiped out every piece of software, every line of code on 30,000 computer devices. Then Iran did a surge attack on the American banks.

The most extensive attack on American banks ever, launched from the Middle East, happening right now. Millions of customers trying to bank online this week blocked. Among the targets, Bank of America, PNC, and Wells Fargo.

The U.S. suspects hackers in Iran may be involved. When Iran hit our banks, we could have shut down their botnet. But the State Department got nervous because the servers weren't actually in Iran. So until there was a diplomatic solution, Obama let the private sector deal with the problem. I imagine that in the White House Situation Room, people sat around and said, Let me be clear.

I don't imagine, I know, people sat around in the White House Situation Room and said, the Iranians have sent us a message which is essentially, stop attacking us in cyberspace the way you did at Natanz with Stuxnet. We can do it too. There are unintended consequences of the Stuxnet attack. You wanted to cause confusion and damage to the other side, but then the other side can do the same to you. The monster turned against its creator.

And now everyone is in this game. They did a good job in showing the world, including the bad guys, what you would need to do in order to cause serious trouble that could lead to injuries and death. It's inevitable that more countries will acquire the capacity to use cyber both for espionage and for destructive activities. And we've seen this in some of the recent conflicts that Russia's been involved in. If there's a war, then somebody will try to knock out our communications system or the radar.

State-sponsored cyber sleeper cells, they're out there everywhere today. It could be for communications purposes, it could be for data exfiltration, it could be to, you know, shepherd in the next Stuxnet. I mean, you've been focusing on Stuxnet, but that was just a small part of a much larger Iranian mission. It was a larger Iranian mission.

Nitro Zeus, NZ. We spent hundreds of millions, maybe billions on it. In the event the Israelis did attack Iran, we assumed we would be drawn into the conflict.

We built in attacks on Iran's command and control systems so the Iranians couldn't talk to each other in a fight. We infiltrated their IADS, military air defense systems, so they couldn't shoot down our planes if we flew over. We also went after their civilian systems, power grids, transportation, communications, financial systems. We were inside waiting, watching, ready to disrupt, degrade, and destroy those systems with cyber attacks. In comparison, Stuxnet was a back alley operation. NZ was the plan for a full-scale cyber war with no attribution.

The question is, is that the kind of world we want to live in? And if we don't, as citizens, how do we go about a process where we have a more sane discussion? We need an entirely new way of thinking about how we're going to solve this problem.

You're not going to get an entirely new way of solving this problem until you begin to have an open acknowledgement that we have cyber weapons as well. and that we may have to agree to some limits on their use if we're going to get other nations to limit their use. It's not going to be a one-way street. I'm old enough to have worked on nuclear arms control and biological weapons arms control and chemical weapons arms control.

And I was told in each of those types of arms control when we were beginning, it's too hard, there are all these problems, it's technical, there's engineering, there's science involved, there are real verification difficulties. you'll never get there. Well, it took 20, 30 years in some cases. But we have a biological weapons treaty that's pretty damn good.

We have a chemical weapons treaty that's pretty damn good. We've got three or four nuclear weapons treaties. Yes, it may be hard, and it may take 20 or 30 years, but it'll never happen unless you get serious about it, and it'll never happen unless you start it.

Today, after two years of negotiations, the United States, together with our international partners, has achieved something that decades of animosity has not. A comprehensive, long-term deal with Iran that will prevent... from obtaining a nuclear weapon. It was reached in Lausanne, Switzerland, by Iran, the US, Britain, France, Germany, Russia, and China. It is a deal in which Iran will cut its installed centrifuges by...

by more than two-thirds. Iran will not enrich uranium with its advanced centrifuges for at least the next 10 years. It will make our country, our allies, and our world safer.

70 years after the murder of 6 million Jews, Iran's rulers promised to destroy my country and the response from nearly every one of the governments represented here has been utter silence, deafening silence. Perhaps you cannot understand why Israel is not joining you in celebrating this deal. History shows that America must lead not just with our might, but with our principles.

It shows we are stronger not when we are alone, but when we bring the world together. Today's announcement marks one more chapter in this pursuit of a safer and more helpful, more hopeful world. Thank you. God bless you.

And God bless the United States of America. Everyone I know is basically thrilled with the Iran deal. Sanctions and diplomacy worked. But behind that deal was a lot of... A lot of confidence in our cyber capability.

People are everywhere inside Iran, still are. I'm not going to tell you the operational details of what we can do going forward or where. But the science fiction cyber war scenario is here. That's Nitro Zeus.

But my concern, and the reason I'm talking, is because when you shut down a country's power grid, It doesn't just pop back up. You know, it's more like Humpty Dumpty. And if all the King's men can't turn the lights back on or filter the water for weeks, then lots of people die.

And something we can do to others, they can do to us too. Is that something that we should keep quiet? Or should we talk about it?

I've gone to many people on this film, even friends of mine, who won't talk to me about the NSA or Stuxnet, even off the record, for fear of going to jail. Is that fear protecting us? No. But it protects me.

Or should I say, we. I'm an actor playing a role written from the testimony of a small number of people from NSA and CIA. All of whom are angry about the secrecy, but too scared to come forward. Now we're forward. Well, forward leaning.

The