tv   The Communicators  CSPAN  January 10, 2015 5:30pm-5:59pm EST

5:30 pm
>> host: the book is called "countdown to zero day: stuxnet and the launch of the world's first digital weapon". the author kim zetter. what was stuxnet? >> guest: it was used to
5:31 pm
attack iranian uranium enrichment plants. it was designed to speed them up or slow them down in order to degrade the level of uranium enrichment. >> host: what was unique about stuxnet? >> guest: it was very sophisticated. a virus designed to physically destroy something. other than that it was very sophisticated, designed to
5:32 pm
increase and slow the speed of centrifuges but it also did this remarkable trick to make the operators of the plant think that the operations were perfectly normal. so that was something remarkable about it. one more thing was that stuxnet used what is called a zero day, something unknown to the software vendor, therefore no patch exists and are time-consuming and expensive to find the vulnerability. generally we see one zero day in an attack. in this we saw five. >> host: where and how was
5:33 pm
it developed? >> guest: we believe here and israel. this was a process that took a number of years to develop. there were multiple teams working on it. we had to have several -- several teams working on it which required materials scientists to examine centrifuges and how speeding and slowing would affect them, a team looking at the computers controlling the centrifuges. you need to find vulnerabilities in that and figure out how to get your worm on to the system in a way that will hide it so no one can find it. so multiple teams over a minimum of six months, probably longer.
5:34 pm
the centrifuge research itself probably took around two years. >> host: do you mean the defense department? >> guest: multiple agencies. it is a covert operation. getting the worm onto the system requires an agency that has covert authority, in this case the cia. developing code like this requires the elite programmers, so elite teams at the nsa. the edward snowden documents have pointed to the teams designed to do deep espionage and what is called cna computer attacks. the us cyber command is an umbrella.
5:35 pm
>> host: kim zetter, where did the name come from? >> guest: it was dubbed by microsoft. they combined essentially two names of two separate files into one word. >> host: so private corporations were also participating in this, correct? >> guest: how so? >> host: you said microsoft. >> guest: yes, microsoft was working to help design the attack but multiple antivirus firms and security research labs were taking it apart. microsoft focused on zero day. it had to examine, figure out the vulnerabilities and
5:36 pm
release patches. >> host: what was the effect? >> guest: it had two different payloads. it has the carrier and then the payload. stuxnet had two payloads, one designed to close valves on centrifuges in order to trap gas. when that occurred the gas would condense and become more of a solidified mass which would throw the centrifuges off balance, possibly making them crash and also deteriorate the rotors inside the centrifuges. the result of that would be destroyed centrifuges and wasted gas.
5:37 pm
and iran did not have a lot of gas to work with. the 2nd weapon was designed to speed up the centrifuges and this would have been a more direct attack. the 2nd payload was speeding up centrifuges, reducing the speed, and you would get deteriorated uranium. the iranians would have expected a certain grade and would have had a much lower grade of enrichment than they expected. >> host: this was in 2010. has iran recovered? >> guest: remarkably, it did. a lot of the centrifuges appear to have been destroyed around the end of 2009, 2010.
5:38 pm
within six months they recovered and started to increase the number of centrifuges in a cascade. they increased the number of those and ultimately did not come out too far behind where they would have been heading anyway, but i should point out that the program was set back by multiple factors. over the years they started enriching in 2006-7. there was other sabotage going on, diplomatic efforts to halt the program.
5:39 pm
multi-pronged approaches. >> host: what was it like to try to research this? >> guest: it was a complicated book. the uranium enrichment program, iran's nuclear history, all of the politics around that, the technical details, what was significant about it, a lot of clues in the virus and worms. and the narrative story about these researchers. i wanted to tell the story of the security community and intricate and complex labor that goes into responding to attacks like these. >> host: was stuxnet considered successful?
5:40 pm
>> guest: by many because there were estimates that iran would have had enough to build the bomb by 2010 and that was the estimate. afterward there were estimates it had been pushed back about three years, the estimates of the us state department had some others. again, it depends. western intelligence agencies do not have a firm grasp. there is no hard evidence. a lot of conflicting information. in terms of knowing how long the program went there is also guessing. >> host: were you able to discover or figure out the cost of developing stuxnet? >> guest: this would have
5:41 pm
been several million dollars at the least. you are talking about testing, building a plan, testing the worm itself. they had to make sure that stuxnet would not damage any other systems. it had a very narrow configuration. it would only unload its payload on a system that matched a specific configuration. to achieve that you have to do a lot of testing. the way that stuxnet was discovered was it was crashing some systems in iran. there was something that they missed which caused it to get exposed. >> host: kim zetter, it
5:42 pm
has been a long time. is there a stuxnet 2.0? >> guest: we assume there are things we don't know about. we get hints with the edward snowden documents, the level of activity that is occurring in espionage programs and cyber offense programs. a lot of activity. what stuxnet showed us was that the rules of engagement were not completely formulated when stuxnet was released. i think that has slowed down the use of attack weapons to a certain extent.
5:43 pm
there have been people that told me stuxnet was the 1st that was released. attacks against georgia and estonia which do not reach the level of what we understand cyber warfare to be or warfare in general. stuxnet would qualify as the 1st digital weapon. >> host: we often hear from generals at the pentagon that cyber warfare is the new frontier. how threatened are we in the united states by that?
5:44 pm
>> guest: how vulnerable we are, we are very vulnerable. any country that is connected in the way the us is that relies upon computers for our critical infrastructure -- all of our infrastructure runs on computers. they had to devise a method to spread it on computers not connected to the internet. attackers will find a way to get onto the system and destroy it. it is unclear to the extent. there are a lot of estimates of a cyber pearl harbor. i don't think anyone knows the full capacity because we do not know how things are connected. when you unleash a weapon like this the damage is
5:45 pm
geographically finite because everything is connected. it is hard to determine in advance the route your weapon will take and the extent to the effect or influence on other systems you do not expect. >> host: did your book have to be vetted? >> guest: no. >> host: did you have sources inside the government? >> guest: i will not talk about my sources, but i spoke to people who had past experience in developing programs for essential operations in the us that began probably in the mid-1990s, 96, 97.
5:46 pm
it started out in the defense mode. the realization of how vulnerable the us was and then realized that if our systems are vulnerable then our enemies are as well, which opened up a realm of possibility. >> host: other cyber warfare offensive attacks that the us has committed that perhaps are not as publicized as stuxnet? >> guest: categorizing it as cyber warfare, there have been cyber offensive operations taking out a monitoring system. for example, when israel went into syria to bomb a suspected nuclear plant, there are reports the radar
5:47 pm
systems were taken out. you can do that through electromagnetic -- electronic means that are not necessarily digital. in this case there are reports that in addition to that there were computer attacks done from airplanes so we would have been from air to ground attacks digitally. >> host: kim zetter, what was israel's role in creating stuxnet? >> guest: it is unclear who did what. israel was helpful in gathering intelligence and might have had a role in spreading stuxnet. this is a point of contention. zero day got caught because it spread wildly.
5:48 pm
like i said, it would spread to any computer but only released to those with a specific configuration. >> host: what about other countries, are they conducting these types of cyber offenses? >> guest: yes. there are many countries that have developed cyber warfare programs and capabilities. russia, china, the uk, countries that have announced plans to develop them and obviously israel. a lot of countries are playing catch-up. stuxnet showed the viability
5:49 pm
of using an electronic attack as opposed to diplomacy or kinetic warfare. actors who ordinarily do not have the resources or skills or equipment to launch a physical attack against an enemy can do it for much cheaper, a digital attack. >> host: do you know how the flash drive got to the iranian computers? >> guest: there are a couple of possibilities. one, there are contractors working at the time. the belief is the contractors were infected and became unwitting accomplices in carrying the worm into the protective facility. other suggestions are that there were insiders who helped.
5:50 pm
there are versions of stuxnet, like i said, the 1st did not have zero days. there is a sense that it has a more intimate connection with the computers that were connected. maybe that 1st version was planted, and then they lost the access in subsequent versions which may be the reason they had to add zero day to spread it. >> host: are you a techie? >> guest: no, i got into tech journalism not by choice and found that i loved it. i do not particularly like gadgets in the sense of taking them apart or things
5:51 pm
like that. issues of cyber security. >> host: what was it about stuxnet that fascinated you? >> guest: it was multifaceted. it was unlike anything we had seen before. multiple ways of approaching the story that fascinated me, and finally to be able to tell the story of security researchers. they are brilliant and i have wanted to showcase the work and skill that is required. i wanted to highlight. >> host: so have offenses and defenses mechanisms to defend and attack become an
5:52 pm
industry in silicon valley? >> guest: not necessarily silicon valley. this is a burgeoning market for zero day in particular. there are boutique companies that specialize in finding zero day liabilities for the government, but we also have the defense industry, raytheon and others. they have gotten into the digital realm and have teams that are also looking for vulnerabilities and designing digital weapons. >> host: is this a case where contractors would use hackers? >> guest: the contractors are hackers. contract firms work for the nsa and design weapons on a
5:53 pm
full-time basis. >> host: what would an all-digital war look like? >> guest: a lot of people have posited scenarios about this. i don't know that we will see one. i don't think it will accomplish everything you need. it is more something to use as an adjunct to conventional warfare to get at systems you normally cannot get at, information you normally cannot get at. someone was describing me -- describing to me, in world war ii despite all the carpet bombing that occurred, you still needed troops on the ground. the same thing is true with
5:54 pm
digital warfare. ultimately you are going to need boots on the ground and to seize territory. i am not sure we will ever see wholly digital warfare. >> host: have there been efforts to develop standards or rules when it comes to cyber warfare? >> guest: we are just seeing that now. in estonia there was a group of legal experts from the us and other countries who looked into the laws of warfare in relation to digital warfare and whether or not they still apply or whether we need new laws. they have come out with a huge volume and examining that to sort of assist nato countries in defining
5:55 pm
rules of engagement. i do not think we have all the answers. the us began developing rules of engagement around 2011, 2012. there are still a lot of questions that we as a society have to answer. >> host: is there political opposition to cyber warfare by the us? >> guest: political opposition in the us? >> host: specifically in congress or, perhaps the administration. >> guest: there has been very little discussion. the white house has never fully admitted to engagement. we are just seeing a peek of this now. the government never wanted
5:56 pm
to go on record acknowledging it was developing these capabilities. as a result we have not had discussions we need to have. when you have zero day and zero day vulnerabilities that you withhold and not tell the vendor, that means everyone else is vulnerable. while stuxnet was exploited by zero day we do not know who else might have been using it. we have not fully explored the consequences and have not fully explored the issues around it. there are other issues aside from zero day. the attackers stole what is called a certificate of design.
5:57 pm
when you steal a legitimate digital certificate you create problems for the company itself. stuxnet undermined the windows update system which is used by millions of computers to obtain security patches. we have not discussed that as a society partly because the us will not admit to creating and unleashing these tools. until we examine the repercussions of that, i think we put the critical systems. the us at danger. >> host: the definition of zero day. >> guest: a vulnerability and exploit
5:58 pm
software that the vendor does not know about. code developed to attack that hole and obtain access and install a virus or trojan horse or something else. >> host: and kim zetter is the author of this book "countdown to zero day."