Click here for transcript of the confessions of a cyber spy hunter video.
ERIC WINSBORROW: We see it every day in the news for the past decade, the battles that are being waged across the Middle East. On the YouTube and Facebook, we get instant updates through satellites to give us a front row seat into the action like never before.
But what the cameras don't capture is that there is another war going on beneath the surface-- a digital cyber world, where the battles are not being fought with bombs and bullets, but with bits and bytes. My name is not Doug Schmidt. But it could be if I wanted it to.
My real name is Eric Winsborrow. And for the past two decades, I've been involved in creating the next generation disruptive technologies at companies such as Symantec and McAfee. I currently run a cybersecurity company made up of PhDs from MIT and scientists from the national labs who were tasked by the US government to create the next generation of cyber technology. Our customers include the Office of the Secretary of Defense and the Department of Homeland Security.
If there's one thing I'm certain of, it's this-- that what's going on today in cyber espionage will profoundly impact our lives. And we may never even realize it. If you think about it, a lot of technologies that impact our lives have been coming from government-sponsored research into next generation defense technologies.
Last generation, the Cold War created technologies such as the computer, satellite communications, and navigation, and even the internet. It has so permeated our everyday lives, it's gotten to the point where we can't imagine ever having lived without it, to be able to see halfway around the world instantly or just navigate around the block.
So if yesterday's next generation technology has such a profound impact on us today, then what's today's next generation technology? I'm going to show you the future of cyber espionage with technology that's actually being created today to protect nations. There are cyber battles taking place throughout the world, and we don't even realize it. It's gotten to a point of a confluence, a merging between man and machine in a digital cyber world where we can never tell them apart. This is the age of the cyber spy.
Now, when we think of spies, we might share Hollywood's image of the dashing and daring secret agent who sneaked into some underground nuclear facility somewhere halfway around the world to protect us from a nuclear threat. Sometimes Hollywood goes a bit too far. In this case, however, they don't go far enough.
You see, governments today would never send a human operative into such a secret location. He'd never get in. Today's spies are cyber spies. You see, it used to be that James Bond used technology. Today James Bond is technology.
I want to walk you on a journey into the future. But before I can take you there, I have to take you to the past to where the first virus actually started and the beginning of this journey of convergence. The first virus was actually written into a floppy disk video game and inserted into a Macintosh. Yes, ironically, the world's first virus was aimed at a Mac. My, how the world has changed.
And we call these types of viruses sneakerware, because you literally had to walk around to install it. This is the first level of convergence where man is completely separate from machines, joined only by a pair of red sneakers. If James Bond wanted to insert a virus into a computer in a nuclear facility, he'd have to sneak it in his scuba gear and install it himself.
I love you. Well, not you. We've only just met. I'm talking about Melissa. Melissa's not my wife. She's a stripper from Miami. You see, around the year 2000, or Y2K, the Melissa virus, named after the virus writer's favorite stripper from--
ERIC WINSBORROW: --was the world's first email-borne virus. It was inserted into an email attachment and sent with the subject line, I love you. Once the attachment was opened, the process repeated itself. And within three months, the world's email systems were clogged up, inadvertently becoming the world's first spam.
But this also marks the second leg of our convergence story, because this is now the first time where man is leveraging technology to do work. This would be the time that James Bond used technology. But then in the September of 2001, the world changed. And I'm not talking about 9/11. I'm talking about one week later when the internet world changed. This was the introduction of Code Red.
Code Red wasn't an email virus. It wasn't a zombie, a Trojan. It was all of the above. It was the world's first complex blended threat. And it went around the world in three days. By September 21, it had infected 2.2 million systems worldwide. Governments took notice, because they realized they could take this technology and bring it up to a whole other level to do the work its human spies could not.
This enters the third phase, the phase where technology replaces people. This is the beginning of the era of the cyber spy. I'm going to tell you a little bit about how this cyber spy technology works. I'm going to take you on a real life mission that happened just before the end of last decade, way off in the Middle East. You might already have guessed its mission-- to sneak in to an underground nuclear facility halfway around the world to protect us from a nuclear threat.
This is the Natanz nuclear fuel enrichment facility in Iran. And so is this, from space. The allied nations were worried that this man, President Ahmadinejad, was using those very centrifuges to create more nuclear fuel than he needed for electrical energy production.
And they were right. He was also using those centrifuges to create nuclear fuel for atomic weapons. They needed to destroy those centrifuges. But how were they going to do it? They couldn't send in a human agent in his scuba gear. They're in the middle of a desert.
And they actually debated sending in fighter jets to drop bombs and blow the place apart-- a little messy, and not good PR. I mean, imagine the fallout.
Yeah, I know. I know, I know.
You just wait.
So instead of dropping a bomb, they dropped a bug, very clean. It was a-- they called it Operation Olympic Games. What a great name for such a clean operation. I was here for the Olympics in Vancouver. It was clean. It was fun. It's a great name. It's great name. If they wanted to stick with their old plan and set fire to everything and have fallout for years, they would have called it Operation Stanley Cup.
I was actually expecting some boos there a little bit. Sorry. But they had to get the agent in. And there are several ways they do it. I can't describe them all. But one that was at least publicly shared was this one. So that's what we'll go with. And it's true.
They did insert the agent program into USB sticks. And then they scattered those USB sticks around the compound. Some workers did manage to pick them up and insert them in their computers. Look, you know this story.
Before you get too judgmental, think about this. What would you do if you found a USB stick?
Think about that the next time you go to a trade show and some stranger from marketing, he says, hands you a USB and says, read my collateral. I don't know how many security trade shows I've been to where that's happened. Now, that is a different story.
But the agents did get in. And they did what all good agents do. They started doing reconnaissance. They started working their way around the network, walking the hallways so to speak, looking for its target. And its target was that Siemens box.
That Siemens box was a controller for the centrifuges. And once they found it, they inserted a rootkit and a weapons payload. That-- forgive me-- altered the programmable logical controller of the STEP 7 software in the application.
And then it phoned home in several ways. Phoned home and gave the Americans and Israelis full command and control over that Siemens controller, which then, of course, went and spun up the centrifuges to such a state of supersonic speed that they literally fell to pieces. They destroy the centrifuges for months, quite frankly, without ever stepping foot into the facility.
The program was a smashing success. Ahmadinejad was beside himself. He was firing his best scientists because he thought they were incompetent. One small problem, though-- the allies spent so much time trying to get this agent in, they didn't think about what if he actually got out. And bits of the program actually did. And it did its job. It started searching its way for other Siemens controllers, first in Iran, then the Middle East, then Europe, and all the way to the doorstep of the nuclear facilities in America.
Now, before we get a little nervous, this spy knew its programming. It was told to look for a specific signature of that controller in Natanz. So it didn't do anything. However, its cover had been blown. The security industry, chiefly a researcher from Kaspersky Labs, found it. And what was once a covert operation to protect us from a nuclear threat became known as the advanced persistent threat, Stuxnet, in case you've ever heard of it.
Now, there are battles like this going on all around the world and even in our backyards. And we don't even realize it. The Chinese are particularly good at this. That video you saw earlier, that's just marketing. You don't see what else goes on. So let me explain a bit.
Last year, the Chinese successfully hacked into the RSA security company through the HR department. And like Stuxnet, they weaved their way around to find what they were after. They found the confidential customer passwords for secure ID tokens. What do these tokens do? They get you into networks, like military contractors-- Lockheed Martin, Northrop Grumman, L3. Now, given Lockheed Martin makes stealth fighter planes, you can imagine why that's a good target.
But they also focused on business. Operation Aurora you might have heard about, because it was famous for successfully breaching Google's network. But what people don't realize is that Operation Aurora was about successfully targeting more than 20 companies, from Intel to Morgan Stanley. And here at home, companies like Nortel were not immune. The Chinese had CEO-level access to confidential information and documentation for nearly 10 years.
And if you're involved in natural resources, for example, bidding in the oil sands, especially against the Chinese-- a little bit of a wake-up call-- you might want to look up something called Operation Night Dragon. It brings whole new meaning to the term "bidding wars."
Now, these researchers at Kaspersky who discovered Stuxnet also recently released a report that said that the number of network intrusions around the world in a single year had skyrocketed from 220 million-- now, that's already a big number-- to 1.3 billion. What is going on? What's the implications for all of us nationally or even personally?
Well, nationally, you can see why governments are so concerned. It's not just about international espionage. It's about the own infrastructure that we have. After all, if you can take out a nuclear facility in Iran, what's to stop them from returning the favor? And if you're going to attack a nation, you want to take out the communications network and the infrastructure, like banking.
And while we're talking about technology replacing people in this current level of convergence, then who flies commercial airplanes these days? Is it pilots or programs? If a decade ago a number of operatives, human operatives, could storm into the cockpit of an airline, what's to stop a program from invading an autopilot or the air traffic control? Just last week, Leon Panetta, the Secretary of Defense for the United States, publicly went on record and said, there's a high probability, and I quote, "of a cyber Pearl Harbor with physical destruction and loss of life."
Now, what about us individually? There are a lot of hackers who are so intelligent they know how to reverse engineer these types of attacks and use some of those techniques for their own gain. You might have heard last year over 100 million user accounts were stolen from Sony PlayStation Network. I see some nodding heads. But what you might not have known is that those attacks actually happened over a series of several months, many different individual attacks. And Sony never realized it.
And as we get more and more dependent on internet appliances, I wonder what's next. Taking over our food supply? Maybe creating killer cookie robots? The government always warned me about cookies were bad for our children. But I just never knew.
But a little bit more seriously, if we think about those centrifuges off in Iran where we could spin them up and out of control until they fell to pieces, what other devices are we reliant on under the assumption of perfectly secure wireless internet connectivity? If this scares you just a bit, remember this-- that our parents' generation were so terrified of the technologies that were getting invented during the Cold War that they built bomb shelters. And yet they survived. And those very same technologies that terrified them are changing our lives today in a way where we can't ever imagine living without them.
Now also remember this. Those technologies I'm talking about were invented last decade. I promised you that I would take you on a vision to espionage of the future with technologies that are being invented today. So let me share that with you now.
I'm going to take you down a digital wormhole, a wormhole by the way that we plan to send those attackers. You see, if you're going to defend yourself against technology that replaces people, then the next step of convergence is to create technology that behaves like people, that in a digital world you cannot tell one from the other. We're capable of creating massive networks so real that you cannot tell them apart.
So when those attackers come in to a nuclear facility or to an HR department, instead of finding the real network, they find ours. And they walk around it, just like Stuxnet tried to do or the Chinese did, looking for systems to infect. But instead of finding real ones, they find ours, these shadow systems that look and behave just like real employees checking their emails or spending too much time on Facebook. Yeah, we know.
But here's the thing. If one of those attack programs send us an email attachment and ask us to open it, we gladly do. If they ask for confidential data, we happily hand it to them hoping they call home, because in these shadow networks we're watching and recording, I'm actually going to show you such a recording.
Now, I got to be honest here. We couldn't show you everything. We had to actually change a lot of names, scribble out some IP addresses. And we're not allowed to bring you as deep into the network as we want. It's a good thing, because if we showed you everything, we'd have to shoot you. Or even worse, even worse, make you a government employee.
So this is, like I said, a real video. Those aren't the real locations, of course. But what is real is it did attack, did start in the HR department. It actually did. May be a coincidence. Those are real, real systems doing emails, real people sending out, backing up their systems. But they're actually impacted with this spy program, and we don't know it.
So then we turn on our shadow network. These are systems that behave like real. They interlace with the actual systems, and they start communicating. In fact, it's the bad guys that communicate to us into our systems. And we let them. Come on in. Send me an attachment. Because when they do that, we have every bit of information, because we can't look into the real computers. But we can look into ours.
And we can see what processes they use and then decide to quarantine the actual system using software-defined networking. And then they can't talk out to the real world. And instead, we tunnel them down to a shadow HR department that isn't real but just behaves like real. And they can take whatever they want. And we know exactly where they're going.
Now, what would we do with this kind of information? Or more importantly, what would James Bond do? James Bond had a license to kill, or at least kick them really hard where it hurts. Now today, 007 has an ally-- agent 001.
So we've come to the end of our journey of convergence of man and machine, of confluence between two separate streams that come together to make things more powerful. We've seen technology go from completely separate from man, to leveraged, to replacing man, to behaving like man. What comes after behaving, I wonder? Well, if history is any guide, the question shouldn't be if this technology will one day profoundly impact our lives. The question should be, will we ever even realize it? Thank you very much.