WEBVTT

1
00:00:00.120 --> 00:00:05.599
<v Speaker 1>Imagine a weapon, right, but one so quiet, so sneaky.

2
00:00:05.960 --> 00:00:08.839
<v Speaker 1>It worked for months, maybe even years, before anyone really

3
00:00:08.880 --> 00:00:11.720
<v Speaker 1>got what it was. A weapon that could just take

4
00:00:11.720 --> 00:00:14.679
<v Speaker 1>apart critical systems without a single bullet being fired. It

5
00:00:14.759 --> 00:00:16.760
<v Speaker 1>sort of opened up a whole new kind of conflict.

6
00:00:17.039 --> 00:00:19.480
<v Speaker 1>Today we're diving into the story of the world's first

7
00:00:19.640 --> 00:00:22.920
<v Speaker 1>really destructive digital weapon. Okay, let's unpack this.

8
00:00:23.079 --> 00:00:26.399
<v Speaker 2>Yeah, and what's fascinating here is this isn't just about code, yeah,

9
00:00:26.519 --> 00:00:29.879
<v Speaker 2>or like clever hackers in dark rooms. This story is

10
00:00:29.920 --> 00:00:35.560
<v Speaker 2>really about geopolitics, the weaknesses built into our industrial systems,

11
00:00:35.799 --> 00:00:38.039
<v Speaker 2>and how the digital world can suddenly smash into the

12
00:00:38.039 --> 00:00:41.520
<v Speaker 2>physical one affecting you. So our mission today is to

13
00:00:41.520 --> 00:00:43.679
<v Speaker 2>get our heads around Stuxnet, not just as this

14
00:00:43.719 --> 00:00:45.840
<v Speaker 2>piece of amazing tech, but as a moment that really

15
00:00:45.920 --> 00:00:48.679
<v Speaker 2>opened a kind of digital Pandora's box. We'll be looking

16
00:00:48.679 --> 00:00:52.600
<v Speaker 2>at some deep investigations, stuff on cyber attacks, industrial security,

17
00:00:52.679 --> 00:00:54.439
<v Speaker 2>national defense, the whole picture.

18
00:00:54.520 --> 00:00:56.240
<v Speaker 1>Okay, so where did this all begin? I mean, who

19
00:00:56.320 --> 00:00:58.560
<v Speaker 1>first noticed something was wrong? What did they even see?

20
00:00:58.640 --> 00:01:00.840
<v Speaker 2>Well, a story really gets going into one. There was

21
00:01:00.880 --> 00:01:05.280
<v Speaker 2>this pretty small security firm in Belarus, VirusBlokAda, and

22
00:01:05.519 --> 00:01:08.959
<v Speaker 2>these researchers there, Sergey Ulasen and Oleg Kupreev, they

23
00:01:09.000 --> 00:01:12.760
<v Speaker 2>stumbled onto something well, really weird. They found malware spreading

24
00:01:12.760 --> 00:01:15.439
<v Speaker 2>through USB drives. Now that happens, right, But how it

25
00:01:15.480 --> 00:01:18.200
<v Speaker 2>was spreading it was totally new. See, usually malware used

26
00:01:18.200 --> 00:01:21.280
<v Speaker 2>this Autorun feature which you could disable. But this thing,

27
00:01:21.319 --> 00:01:23.480
<v Speaker 2>it used a really clever trick with Windows LNK

28
00:01:23.680 --> 00:01:27.680
<v Speaker 2>files, shortcut files, much harder to stop, a new way in.

29
00:01:28.319 --> 00:01:31.040
<v Speaker 1>So what was so scary about this LNK thing?

30
00:01:31.239 --> 00:01:34.159
<v Speaker 2>Yeah, exactly, a new way in. Ulasen, he immediately

31
00:01:34.200 --> 00:01:36.879
<v Speaker 2>thought this could be a zero day, you know, a

32
00:01:36.959 --> 00:01:40.040
<v Speaker 2>vulnerability that the software maker Microsoft in this case doesn't

33
00:01:40.040 --> 00:01:42.640
<v Speaker 2>even know exists. And he got really worried when he

34
00:01:42.719 --> 00:01:44.840
<v Speaker 2>tested it. He tried it on a Windows seven machine,

35
00:01:44.879 --> 00:01:47.599
<v Speaker 2>the latest version, totally up to date with patches, and

36
00:01:47.640 --> 00:01:52.959
<v Speaker 2>the malicious files just appeared seamlessly. Nothing blocked it. And

37
00:01:53.000 --> 00:01:56.840
<v Speaker 2>here's where it gets really interesting. The malicious drivers, the

38
00:01:56.920 --> 00:02:00.799
<v Speaker 2>bad code. It was signed with a real digital certificate

39
00:02:00.840 --> 00:02:04.079
<v Speaker 2>from Realtek Semiconductor, a legitimate hardware company that was

40
00:02:04.159 --> 00:02:06.840
<v Speaker 2>just yeah, unheard of. It basically told Windows, hey, this

41
00:02:06.879 --> 00:02:10.080
<v Speaker 2>code's legit. Let it run. It bypassed security warnings. How

42
00:02:10.080 --> 00:02:13.120
<v Speaker 2>they got that key, stole it, coerced someone, big questions.

43
00:02:13.319 --> 00:02:15.919
<v Speaker 2>This whole thing showed something chilling. Even if your system

44
00:02:15.960 --> 00:02:18.199
<v Speaker 2>is fully patched, totally up to date, you could still

45
00:02:18.199 --> 00:02:20.479
<v Speaker 2>be hit by these unknown flaws. A total shift in

46
00:02:20.520 --> 00:02:23.520
<v Speaker 2>how we had to think about security. These tactics, the stealth,

47
00:02:23.960 --> 00:02:26.400
<v Speaker 2>It was all designed so that you, or any normal

48
00:02:26.479 --> 00:02:28.840
<v Speaker 2>user, or any system admin even, would have almost no

49
00:02:28.879 --> 00:02:30.520
<v Speaker 2>way of knowing your system was compromised.

50
00:02:30.599 --> 00:02:35.680
<v Speaker 1>Wow, so the whole world was sort of exposed without

51
00:02:35.719 --> 00:02:38.719
<v Speaker 1>knowing it. And then I guess bigger companies started looking

52
00:02:38.719 --> 00:02:40.680
<v Speaker 1>into it, like Symantec.

53
00:02:40.280 --> 00:02:43.639
<v Speaker 2>Right, yeah. Soon after, researchers like Liam O Murchu and Nicolas

54
00:02:43.680 --> 00:02:47.159
<v Speaker 2>Falliere at Symantec really started digging deep into the code.

55
00:02:47.520 --> 00:02:50.280
<v Speaker 2>O Murchu apparently was always taking things apart as a kid,

56
00:02:50.520 --> 00:02:53.520
<v Speaker 2>and Falliere was a master at reverse engineering, turning that

57
00:02:53.560 --> 00:02:56.800
<v Speaker 2>messy computer code back into something a human could understand,

58
00:02:57.599 --> 00:03:00.400
<v Speaker 2>skills he apparently picked up working on like puzzle files

59
00:03:00.400 --> 00:03:01.240
<v Speaker 2>called crackmes.

60
00:03:01.599 --> 00:03:04.879
<v Speaker 1>Okay, so these experts start digging and it became clear

61
00:03:04.919 --> 00:03:07.080
<v Speaker 1>pretty fast this wasn't your typical virus, right. It wasn't

62
00:03:07.080 --> 00:03:08.759
<v Speaker 1>trying to steal credit cards or anything.

63
00:03:08.960 --> 00:03:12.159
<v Speaker 2>No, definitely not. Its target was much much more critical.

64
00:03:12.240 --> 00:03:14.960
<v Speaker 2>It was going after industrial control systems. We're talking about

65
00:03:14.960 --> 00:03:19.960
<v Speaker 2>PLCs, programmable logic controllers. Think of them as the automated

66
00:03:20.000 --> 00:03:23.639
<v Speaker 2>brains in factories, power plants, water treatment facilities, all that

67
00:03:23.800 --> 00:03:26.719
<v Speaker 2>critical infrastructure. They tell the machines what to do. Now,

68
00:03:26.719 --> 00:03:29.159
<v Speaker 2>these things were mostly designed back in the sixties and seventies,

69
00:03:29.520 --> 00:03:33.719
<v Speaker 2>built for reliability in like physically isolated environments. Security against

70
00:03:33.759 --> 00:03:36.759
<v Speaker 2>hackers not really on the radar back then, so stick

71
00:03:36.800 --> 00:03:39.400
<v Speaker 2>them on a network they become well, pretty soft targets.

72
00:03:39.639 --> 00:03:42.719
<v Speaker 2>It exposed this dangerous legacy, systems built for one world

73
00:03:42.800 --> 00:03:45.360
<v Speaker 2>suddenly living in a very different, connected one, and with

74
00:03:45.439 --> 00:03:46.080
<v Speaker 2>that level

75
00:03:45.840 --> 00:03:48.879
<v Speaker 1>of sophistication going after PLCs, it must have had a

76
00:03:49.000 --> 00:03:51.639
<v Speaker 1>very specific, very high value target in mind.

77
00:03:51.919 --> 00:03:56.599
<v Speaker 2>Absolutely. The ultimate target: the Natanz uranium enrichment facility in Iran.

78
00:03:57.479 --> 00:04:02.280
<v Speaker 2>And interestingly, even before Stuxnet became public knowledge, inspectors

79
00:04:02.280 --> 00:04:06.159
<v Speaker 2>from the International Atomic Energy Agency the IAEA had seen

80
00:04:06.240 --> 00:04:09.240
<v Speaker 2>weird things. Centrifuges weren't working right. They were running at

81
00:04:09.280 --> 00:04:12.599
<v Speaker 2>lower capacities like forty five to sixty six percent, even

82
00:04:12.639 --> 00:04:14.719
<v Speaker 2>when they weren't being fed as much uranium gas. It

83
00:04:14.800 --> 00:04:17.519
<v Speaker 2>just didn't add up. Nobody could figure out why. And remember,

84
00:04:17.800 --> 00:04:20.319
<v Speaker 2>Natanz itself had been under the microscope since about two

85
00:04:20.319 --> 00:04:23.800
<v Speaker 2>thousand and two when satellite photos first really identified it.

86
00:04:23.920 --> 00:04:26.360
<v Speaker 1>Right, a very sensitive site. So how did Stuxnet actually

87
00:04:26.360 --> 00:04:28.319
<v Speaker 1>do it? How did it mess with these centrifuges in

88
00:04:28.360 --> 00:04:29.199
<v Speaker 1>such a secure place?

89
00:04:29.240 --> 00:04:31.240
<v Speaker 2>What was the attack like? Okay, here's where it gets

90
00:04:31.439 --> 00:04:35.360
<v Speaker 2>really interesting. The attack on the Siemens PLCs at Natanz.

91
00:04:35.439 --> 00:04:39.319
<v Speaker 2>It was incredibly clever, multi-stage. First, it pulled off

92
00:04:39.319 --> 00:04:41.439
<v Speaker 2>what's called a man in the middle trick. For about

93
00:04:41.439 --> 00:04:44.639
<v Speaker 2>thirteen days, Stuxnet would just sit there and secretly record

94
00:04:44.639 --> 00:04:47.759
<v Speaker 2>what normal operations looked like, the data coming from the centrifuges.

95
00:04:48.639 --> 00:04:52.199
<v Speaker 2>Then when it decided to actually attack to sabotage, it

96
00:04:52.240 --> 00:04:55.079
<v Speaker 2>would play back that recorded normal data to the control

97
00:04:55.160 --> 00:04:58.279
<v Speaker 2>room operators. So the operators are looking at their screens thinking, yep,

98
00:04:58.319 --> 00:05:01.160
<v Speaker 2>everything's running fine, while behind the scenes, Stuxnet is actually

99
00:05:01.199 --> 00:05:05.959
<v Speaker 2>damaging the centrifuges. Someone described it as the digital equivalent

100
00:05:05.959 --> 00:05:09.199
<v Speaker 2>of a six ton circus elephant performing a one legged handstand.

101
00:05:09.639 --> 00:05:12.519
<v Speaker 2>Just complete hidden deception, and it wasn't like one big

102
00:05:12.560 --> 00:05:15.279
<v Speaker 2>explosion. It was subtle. It would sabotage things for maybe

103
00:05:15.319 --> 00:05:18.000
<v Speaker 2>fifteen minutes, then wait, then sabotage for fifteen minutes, then

104
00:05:18.040 --> 00:05:20.439
<v Speaker 2>lie low for like twenty six days just watching. This

105
00:05:20.480 --> 00:05:23.519
<v Speaker 2>went on for weeks, months, designed to cause damage slowly,

106
00:05:23.720 --> 00:05:24.959
<v Speaker 2>avoid setting off alarms.

107
00:05:25.199 --> 00:05:30.000
<v Speaker 1>That is incredibly patient and sneaky. How did this digital

108
00:05:30.040 --> 00:05:33.560
<v Speaker 1>trickery actually break the machines? What was the physical damage?

109
00:05:33.639 --> 00:05:38.639
<v Speaker 2>The physical impact was severe. Stuxnet specifically targeted the frequency converters.

110
00:05:38.959 --> 00:05:41.560
<v Speaker 2>These are devices that control the speed of motors, like

111
00:05:41.600 --> 00:05:45.759
<v Speaker 2>the ones spinning the centrifuges. It targeted models made by Vacon,

112
00:05:46.000 --> 00:05:50.519
<v Speaker 2>a Finnish company, and also Fararo Paya, which was thought to

113
00:05:50.519 --> 00:05:54.439
<v Speaker 2>be an Iranian company, possibly making copies. Stuxnet would

114
00:05:54.759 --> 00:05:57.759
<v Speaker 2>mess with the speeds, make the centrifuges spin too fast,

115
00:05:57.879 --> 00:06:02.000
<v Speaker 2>then too slow, creating vibrations. These vibrations would literally destroy

116
00:06:02.040 --> 00:06:05.680
<v Speaker 2>the rotors. Iran's own Atomic Energy organization later talked about

117
00:06:05.680 --> 00:06:09.360
<v Speaker 2>centrifuge rotors turning into powder. That's what Stuxnet was doing.

118
00:06:09.600 --> 00:06:12.240
<v Speaker 2>And think about this. To pull that off, you don't

119
00:06:12.279 --> 00:06:15.079
<v Speaker 2>just need amazing coders, the sources say, you needed like

120
00:06:15.399 --> 00:06:18.920
<v Speaker 2>a team of material scientists and centrifuge experts, people who

121
00:06:18.959 --> 00:06:22.079
<v Speaker 2>knew exactly how changing the speed would physically wreck those

122
00:06:22.120 --> 00:06:26.240
<v Speaker 2>specific machines. That's the key thing here, digital code causing direct,

123
00:06:26.439 --> 00:06:29.720
<v Speaker 2>calculated physical destruction, a totally new kind of warfare.

124
00:06:29.759 --> 00:06:32.279
<v Speaker 1>Wow, so Stuxnet wasn't just about Natanz, then. It kind

125
00:06:32.319 --> 00:06:35.160
<v Speaker 1>of blew the lid off how vulnerable these industrial systems

126
00:06:35.160 --> 00:06:35.720
<v Speaker 1>are everywhere?

127
00:06:35.800 --> 00:06:39.439
<v Speaker 2>Right. Oh, absolutely. It showed these weren't just isolated problems

128
00:06:39.480 --> 00:06:43.959
<v Speaker 2>at one facility. These were systemic flaws. Experts like Joe Weiss,

129
00:06:44.160 --> 00:06:47.040
<v Speaker 2>they'd been warning about this for years, especially after the

130
00:06:47.040 --> 00:06:49.360
<v Speaker 2>whole Y2K thing. He pointed out that these

131
00:06:49.360 --> 00:06:53.079
<v Speaker 2>control systems often didn't even have basic stuff like firewalls

132
00:06:53.160 --> 00:06:56.680
<v Speaker 2>or ways to log network activity. They were built assuming

133
00:06:56.680 --> 00:06:59.680
<v Speaker 2>they'd never be connected or attacked. And guys like Dillon

134
00:06:59.680 --> 00:07:03.000
<v Speaker 2>Beresford in twenty ten, he was just this twenty five

135
00:07:03.079 --> 00:07:08.040
<v Speaker 2>year old researcher. He literally went online, bought some Siemens PLCs,

136
00:07:08.199 --> 00:07:11.399
<v Speaker 2>the same kind used in Natanz, and working from his apartment,

137
00:07:11.480 --> 00:07:14.120
<v Speaker 2>in just a few weeks, he found tons of security holes,

138
00:07:14.160 --> 00:07:17.920
<v Speaker 2>like communications weren't encrypted. The PLCs would happily talk to

139
00:07:17.959 --> 00:07:20.879
<v Speaker 2>any machine that knew their language. And get this: some

140
00:07:20.959 --> 00:07:24.240
<v Speaker 2>had hard-coded passwords like basisk built right in that

141
00:07:24.319 --> 00:07:26.600
<v Speaker 2>could be changed. It was like leaving the front door

142
00:07:26.639 --> 00:07:28.079
<v Speaker 2>wide open with a key taped to it.

143
00:07:28.160 --> 00:07:30.639
<v Speaker 1>That's unbelievable. Hard-coded passwords you can't change.

144
00:07:30.839 --> 00:07:34.120
<v Speaker 2>Yeah, it just showed they weren't designed with network security

145
00:07:34.120 --> 00:07:37.399
<v Speaker 2>in mind at all. It really highlights how vulnerable these

146
00:07:37.399 --> 00:07:39.879
<v Speaker 2>systems were. And we'd seen hints of this before, like

147
00:07:39.920 --> 00:07:43.120
<v Speaker 2>that incident in Maroochy Shire, Australia, back in two thousand,

148
00:07:43.439 --> 00:07:46.279
<v Speaker 2>an ex-employee got mad, used stolen software and a

149
00:07:46.360 --> 00:07:49.399
<v Speaker 2>radio link to hack into the sewage treatment system and

150
00:07:49.480 --> 00:07:53.360
<v Speaker 2>deliberately caused massive spills. Hundreds of thousands of gallons of

151
00:07:53.439 --> 00:07:56.519
<v Speaker 2>raw sewage flooded into parks and rivers, a real world

152
00:07:56.600 --> 00:07:58.079
<v Speaker 2>impact from a digital intrusion.

153
00:07:58.480 --> 00:08:02.519
<v Speaker 1>Grim reminder. We always hear about critical systems being air gapped,

154
00:08:02.519 --> 00:08:05.360
<v Speaker 1>you know, disconnected from the Internet for safety. Did Stuxnet

155
00:08:05.399 --> 00:08:06.560
<v Speaker 1>basically kill that idea?

156
00:08:06.800 --> 00:08:08.240
<v Speaker 2>It certainly punched a huge hole in it.

157
00:08:08.399 --> 00:08:08.800
<v Speaker 1>Yeah.

158
00:08:09.000 --> 00:08:11.759
<v Speaker 2>Yeah, many of these control systems had similar design flaws.

159
00:08:11.839 --> 00:08:14.439
<v Speaker 2>This legacy from before the Internet was everywhere. The whole

160
00:08:14.480 --> 00:08:17.160
<v Speaker 2>air gap idea that these systems were safe because they

161
00:08:17.199 --> 00:08:19.680
<v Speaker 2>were isolated, well, it turned out to be largely a myth.

162
00:08:21.959 --> 00:08:24.879
<v Speaker 2>In twenty twelve, one researcher in the UK used this

163
00:08:24.920 --> 00:08:29.279
<v Speaker 2>search engine called Shodan, which specifically looks for Internet connected devices,

164
00:08:29.519 --> 00:08:33.039
<v Speaker 2>and he found over ten thousand industrial control systems online,

165
00:08:33.240 --> 00:08:37.039
<v Speaker 2>water plants, power grids, dams, train systems just sitting there

166
00:08:37.080 --> 00:08:40.519
<v Speaker 2>connected to the Internet. Then there was that actor, pr0f,

167
00:08:40.720 --> 00:08:42.600
<v Speaker 2>in twenty eleven. He got into the controls of a

168
00:08:42.639 --> 00:08:45.559
<v Speaker 2>water plant in South Houston. How? With a password that was literally

169
00:08:45.600 --> 00:08:48.639
<v Speaker 2>just three characters long. Kasprusio himself said most hacks he saw

170
00:08:48.679 --> 00:08:51.720
<v Speaker 2>weren't because of amazing skill, but just gross stupidity in

171
00:08:51.799 --> 00:08:52.639
<v Speaker 2>security practices.

172
00:08:52.960 --> 00:08:53.200
<v Speaker 1>Wow.

173
00:08:53.279 --> 00:08:56.039
<v Speaker 2>Three. Yeah. And maybe the most dramatic demonstration was the

174
00:08:56.080 --> 00:08:59.159
<v Speaker 2>Aurora generator test. This is back in two thousand and seven.

175
00:08:59.399 --> 00:09:03.000
<v Speaker 2>The Idaho National Lab researchers wanted to prove a point.

176
00:09:03.120 --> 00:09:06.840
<v Speaker 2>They digitally hacked into a huge diesel generator, a Wärtsilä model,

177
00:09:07.320 --> 00:09:10.840
<v Speaker 2>and they manipulated its protective relays, the safety systems designed

178
00:09:10.840 --> 00:09:13.720
<v Speaker 2>to stop damage from happening. They basically tricked the relays

179
00:09:13.720 --> 00:09:16.960
<v Speaker 2>into rapidly opening and closing breakers out of sync. The

180
00:09:17.000 --> 00:09:20.720
<v Speaker 2>physical forces were so violent the generator literally tore itself apart.

181
00:09:21.120 --> 00:09:25.440
<v Speaker 2>Smoke, flying debris. It was physically destroyed by a digital

182
00:09:25.480 --> 00:09:27.519
<v Speaker 2>command and the thing that was supposed to prevent an

183
00:09:27.519 --> 00:09:29.879
<v Speaker 2>attack like this was the very thing they used to

184
00:09:29.919 --> 00:09:30.720
<v Speaker 2>conduct the attack.

185
00:09:30.879 --> 00:09:32.200
<v Speaker 1>That's deeply unsettling.

186
00:09:32.279 --> 00:09:34.720
<v Speaker 2>It is. And here's something crucial for you to consider.

187
00:09:35.039 --> 00:09:37.879
<v Speaker 2>In the US, something like eighty five percent of critical

188
00:09:37.919 --> 00:09:42.039
<v Speaker 2>infrastructure is owned and operated privately. That makes it incredibly

189
00:09:42.080 --> 00:09:45.080
<v Speaker 2>hard to enforce consistent high level security across the board.

190
00:09:45.480 --> 00:09:48.559
<v Speaker 2>Back in twenty thirteen, General Keith Alexander, who was head

191
00:09:48.559 --> 00:09:50.960
<v Speaker 2>of the NSA then was asked how prepared the nation

192
00:09:51.200 --> 00:09:54.120
<v Speaker 2>was for cyber attacks. He bluntly said a three on

193
00:09:54.159 --> 00:09:55.200
<v Speaker 2>a scale of one to ten.

194
00:09:55.480 --> 00:09:56.279
<v Speaker 1>A three out of ten.

195
00:09:56.320 --> 00:09:57.200
<v Speaker 2>That's not comforting.

196
00:09:57.840 --> 00:10:01.159
<v Speaker 1>So Stuxnet wasn't just about finding holes. It really unleashed

197
00:10:01.200 --> 00:10:04.080
<v Speaker 1>something new, didn't it? It changed the whole game of geopolitics

198
00:10:04.080 --> 00:10:07.759
<v Speaker 1>and warfare. What was the thinking before Stuxnet hit

199
00:10:07.679 --> 00:10:10.399
<v Speaker 2>The scene, Well, people were thinking about it way back

200
00:10:10.440 --> 00:10:13.879
<v Speaker 2>in nineteen ninety three. Analysts at RAND Corporation actually coined

201
00:10:13.879 --> 00:10:16.759
<v Speaker 2>the term cyber war. They predicted it could be the

202
00:10:16.759 --> 00:10:19.840
<v Speaker 2>Blitzkrieg of the twenty first century. And there were early

203
00:10:19.879 --> 00:10:23.080
<v Speaker 2>hacks that raised eyebrows, like Markus Hess in the eighties,

204
00:10:23.120 --> 00:10:26.960
<v Speaker 2>apparently spying for the KGB through computer networks, or those

205
00:10:27.039 --> 00:10:30.200
<v Speaker 2>Dutch teenagers who broke into US military systems right before

206
00:10:30.240 --> 00:10:33.240
<v Speaker 2>the First Gulf War. Then the US military ran its

207
00:10:33.240 --> 00:10:36.600
<v Speaker 2>own exercises in the late nineties like Eligible Receiver and

208
00:10:36.639 --> 00:10:39.480
<v Speaker 2>Solar Sunrise, and the results were pretty shocking. They found

209
00:10:39.480 --> 00:10:42.360
<v Speaker 2>their own networks were wide open to attack, and maybe

210
00:10:42.360 --> 00:10:44.960
<v Speaker 2>even more worrying, they realized that basically no one was

211
00:10:45.000 --> 00:10:48.279
<v Speaker 2>in charge of defending military networks effectively. So, yeah, the

212
00:10:48.320 --> 00:10:51.840
<v Speaker 2>potential was recognized, but the actual defenses and strategy they

213
00:10:51.840 --> 00:10:52.799
<v Speaker 2>were lagging way behind.

214
00:10:53.080 --> 00:10:55.559
<v Speaker 1>Chilling to look back on those warnings now. Okay, so

215
00:10:55.639 --> 00:10:58.399
<v Speaker 1>after those wake up calls, the US set up things

216
00:10:58.440 --> 00:11:01.559
<v Speaker 1>like the Joint Task Force for Computer and Network Defense.

217
00:11:02.120 --> 00:11:04.799
<v Speaker 1>But developing these kinds of weapons, like Stuxnet, there's a

218
00:11:04.879 --> 00:11:07.440
<v Speaker 1>hidden danger, isn't there? A paradox.

219
00:11:07.200 --> 00:11:10.159
<v Speaker 2>Huge paradox. Yeah. Andy Pennington used to be an Air

220
00:11:10.240 --> 00:11:12.879
<v Speaker 2>Force weapons officer. He put it really well. He warned, the

221
00:11:13.000 --> 00:11:18.279
<v Speaker 2>cyber weapon it doesn't die, it's just code. Somebody can

222
00:11:18.320 --> 00:11:19.960
<v Speaker 2>pick it up and fire it right back at you. Yeah,

223
00:11:20.159 --> 00:11:24.600
<v Speaker 2>unlike a bomb that explodes once, code can be copied, analyzed, repurposed,

224
00:11:25.200 --> 00:11:28.960
<v Speaker 2>and we saw that happen frighteningly with Stuxnet itself. There

225
00:11:29.000 --> 00:11:31.440
<v Speaker 2>was a version in twenty ten that somehow lost its

226
00:11:31.480 --> 00:11:36.000
<v Speaker 2>precision targeting. It just started spreading like crazy, uncontrollably, infecting

227
00:11:36.080 --> 00:11:39.360
<v Speaker 2>thousands and thousands of computers that weren't its intended target

228
00:11:39.360 --> 00:11:42.279
<v Speaker 2>in Iran. It showed just how easily even a supposedly

229
00:11:42.320 --> 00:11:45.559
<v Speaker 2>surgical weapon could escape control. And this also fueled the

230
00:11:45.639 --> 00:11:49.080
<v Speaker 2>rise of this sort of gray market for exploits. Companies

231
00:11:49.120 --> 00:11:51.919
<v Speaker 2>like VUPEN Security in France were openly finding zero

232
00:11:52.000 --> 00:11:54.519
<v Speaker 2>day flaws and then selling them to governments, sometimes for

233
00:11:54.559 --> 00:11:56.840
<v Speaker 2>like one hundred thousand dollars a pop or more. The

234
00:11:56.879 --> 00:11:59.480
<v Speaker 2>big takeaway: once you let these digital weapons out, they're

235
00:11:59.519 --> 00:12:02.919
<v Speaker 2>incredibly hard to control. They spread, they proliferate, and the consequences

236
00:12:02.919 --> 00:12:04.159
<v Speaker 2>become totally unpredictable.

237
00:12:04.240 --> 00:12:06.960
<v Speaker 1>Right, So, looking back, President Obama gave this big speech

238
00:12:06.960 --> 00:12:09.840
<v Speaker 1>about cybersecurity in two thousand and nine, really sounding the

239
00:12:09.879 --> 00:12:13.720
<v Speaker 1>alarm right before Stuxnet was deployed. The irony is pretty stark.

240
00:12:13.759 --> 00:12:16.799
<v Speaker 1>Michael Hayden, the former CIA and NSA director, he famously

241
00:12:16.799 --> 00:12:20.600
<v Speaker 1>said Stuxnet meant somebody had crossed the Rubicon, there was

242
00:12:20.639 --> 00:12:23.080
<v Speaker 1>no going back. So what are the global consequences now

243
00:12:23.120 --> 00:12:25.759
<v Speaker 1>this new frontier is open? But how do you even

244
00:12:25.799 --> 00:12:27.519
<v Speaker 1>fight a war when you might not know who fired

245
00:12:27.559 --> 00:12:28.240
<v Speaker 1>the first shot.

246
00:12:28.320 --> 00:12:30.679
<v Speaker 2>Well, if we connect this to the bigger picture, that

247
00:12:30.799 --> 00:12:34.200
<v Speaker 2>Rubicon analogy is spot on. The immediate consequence was a

248
00:12:34.279 --> 00:12:37.960
<v Speaker 2>kind of global cyber arms race. Suddenly everyone realized this

249
00:12:38.080 --> 00:12:43.279
<v Speaker 2>was real. Nations like China, Russia, the UK, Israel, France, Germany,

250
00:12:43.360 --> 00:12:47.320
<v Speaker 2>North Korea, even Iran itself. They all started pouring resources

251
00:12:47.320 --> 00:12:52.039
<v Speaker 2>into developing their own cyber warfare capabilities, offensive and defensive.

252
00:12:52.759 --> 00:12:55.879
<v Speaker 2>But maybe the trickiest part is what you just said, attribution,

253
00:12:56.679 --> 00:12:59.360
<v Speaker 2>knowing who actually launched an attack. There was this simulation

254
00:12:59.440 --> 00:13:02.559
<v Speaker 2>run at Tel Aviv University in twenty thirteen. It showed just

255
00:13:02.600 --> 00:13:05.360
<v Speaker 2>how easily a cyber incident could spiral out of control

256
00:13:05.399 --> 00:13:07.799
<v Speaker 2>into a real-world conflict, especially if the leaders aren't sure

257
00:13:07.799 --> 00:13:10.519
<v Speaker 2>who's attacking them. Imagine Country A attacks Country B but

258
00:13:10.600 --> 00:13:12.720
<v Speaker 2>makes it look like Country C did it. Things would

259
00:13:12.720 --> 00:13:17.039
<v Speaker 2>get kinetic fast based on bad information. Stuxnet technically

260
00:13:17.159 --> 00:13:19.240
<v Speaker 2>is still the only known case of cyber warfare on

261
00:13:19.279 --> 00:13:21.200
<v Speaker 2>record where code was used by one nation to cause

262
00:13:21.200 --> 00:13:24.919
<v Speaker 2>physical damage in another during peacetime, but that digital Pandora's box,

263
00:13:25.000 --> 00:13:26.799
<v Speaker 2>it's wide open now. We live in a world where

264
00:13:26.919 --> 00:13:30.080
<v Speaker 2>civilian infrastructure, power grids, water systems, hospitals, is potentially

265
00:13:30.159 --> 00:13:33.279
<v Speaker 2>on the front line, and maybe, just maybe defense is

266
00:13:33.320 --> 00:13:34.960
<v Speaker 2>the only viable offense anymore.

267
00:13:35.039 --> 00:13:37.279
<v Speaker 1>It's been quite a journey, hasn't it, From that small

268
00:13:37.279 --> 00:13:40.799
<v Speaker 1>firm in Belarus finding something odd all the way to

269
00:13:40.879 --> 00:13:45.000
<v Speaker 1>this global shift in security and warfare. Stuxnet really

270
00:13:45.039 --> 00:13:48.639
<v Speaker 1>left us with two big things. Its sheer technical brilliance

271
00:13:48.679 --> 00:13:51.200
<v Speaker 1>as a weapon, yes, but also how it ripped the

272
00:13:51.279 --> 00:13:54.440
<v Speaker 1>veil off these deep, deep vulnerabilities in the systems we

273
00:13:54.480 --> 00:13:56.080
<v Speaker 1>all rely on every single day.

274
00:13:56.480 --> 00:13:59.840
<v Speaker 2>Absolutely, and this raises an important question for you, as

275
00:14:00.679 --> 00:14:03.480
<v Speaker 2>we're now in this world where digital attacks can cause

276
00:14:03.519 --> 00:14:06.559
<v Speaker 2>real physical harm, but figuring out who did it is

277
00:14:06.639 --> 00:14:09.960
<v Speaker 2>incredibly difficult. So how do you think nations can even

278
00:14:09.960 --> 00:14:12.919
<v Speaker 2>begin to set rules for this, clear rules of engagement

279
00:14:13.000 --> 00:14:16.679
<v Speaker 2>for cyber conflict, And maybe closer to home, what responsibility

280
00:14:16.679 --> 00:14:19.240
<v Speaker 2>do we all have to push for better security in

281
00:14:19.279 --> 00:14:20.840
<v Speaker 2>this super connected world we've built?

282
00:14:20.960 --> 00:14:22.679
<v Speaker 1>Definitely a lot to mull over there. Thank you for

283
00:14:22.759 --> 00:14:24.639
<v Speaker 1>joining us on this deep dive. We really hope you'll

284
00:14:24.679 --> 00:14:27.720
<v Speaker 1>keep exploring this stuff. Until next time, stay curious.
