tv Andy Greenberg Sandworm CSPAN December 21, 2019 8:00am-9:01am EST
8:00 am
...country so you can make up your own mind. Created by cable in 1979, C-SPAN is brought to you by your local cable or satellite provider. C-SPAN, your unfiltered view of government.

>> ...and career through a collection of her essays and notable quotes. You can find a full schedule online at booktv.org or by consulting your program guide. Now we kick off the weekend with "Wired" magazine's Andy Greenberg on Sandworm, a group of hackers working for Russia's
8:01 am
military intelligence agency that was responsible for the world's largest cyber attack.

>> Hi, everybody. Thank you for coming. My name's Allison Bainbridge, and I'm the host for this evening. I want to welcome you all tonight, as well as C-SPAN. In case you're wondering who that is, it is C-SPAN recording this event. It's my honor to host this incredible, crucial and terrifying conversation that we're going to bear witness to tonight. We're so fortunate to have Book Passage. We consider it more than a bookstore. For 43 years we have served as a community center where we host nationally acclaimed authors like we have tonight, local authors; we've had panel discussions recently about race and immigration. We do lots of classes and so much more, conferences. So if you haven't received our latest newsletter to see what's
8:02 am
coming up for the next month and a half, please make sure you grab one when you go up to purchase the book at the end of the night. It'll tell you what's coming up for the next six weeks. And a quick reminder to please put your cell phones on silent in consideration of the audience and our speakers. We really appreciate that. Thank you. So the L.A. Times says our featured book for the evening, "Sandworm," is much more than a thrill. It's both invisible and critical to the daily lives of every person alive in the 21st century. In addition to taking us on a journey of understanding of the events around multiple attacks, the award-winning author and journalist Andy Greenberg takes a stab at answering these bigger questions: what motivates the Sandworm hackers, why is the response from those in charge so tepid? When you realize the subtitle, "A New Era of Cyber War and the Hunt for the Kremlin's
8:03 am
Most Dangerous Hackers," you may think you're picking up the latest Tom Clancy novel. However, the most frightening aspect of the story, I think, is that it really happened. Andy Greenberg spent three years researching and reporting the story and traveled on multiple occasions to Ukraine, Denmark and Russia. I happened to look up "sandworm" out of curiosity on the internet, and what came up is -- I'm not a science fiction aficionado -- it's a fictional creature that appears in the "Dune" novels written by Frank Herbert, so I'm curious about where this title came from. Andy's a senior writer for "Wired" magazine, where he covers security, privacy and culture. He's the author of "This Machine Kills Secrets," and in 2017 his cover story on Ukraine's cyber war won an award from the New York Society of Professional Journalists. He lives in New York with his wife, who's a documentary
8:04 am
filmmaker. And we're also so honored tonight to have Robert McMillan in conversation with Andy. He writes about security, hackers and privacy; previously he wrote about cloud computing, business technology, bitcoin and artificial intelligence. He writes for "The Wall Street Journal" and lives in San Francisco. Please give a warm Book Passage welcome to Andy. [applause]

>> Thanks so much for having us here. And thanks for having us in this great bookstore. It's really wonderful to be in a full-service bookstore with a great room like this to talk in. I'm going to get to your question about Sandworm, but I wanted to start by -- it's almost like I feel like I should apologize to Andy, because when his first book came out, I wrote about it. I just wrote a little blurb about it, and I was kind of like, you know, that story's about Julian Assange and cryptography, and it's a really
8:05 am
fascinating book about kind of the quest for anonymous conversation on the internet and the enabling technologies that kind of allowed WikiLeaks to happen and the philosophy behind it. And I was like, this leaking thing, I don't know if it's going to catch on. WikiLeaks was kind of at a lull, and I remember writing, I'm not sure, I think it might be overblown.

>> I think it was kind of like both after and before its time. This very low point in the story of leaking. Then, of course, the next year Edward Snowden appeared, and I think everybody had forgotten that I had written a book about secrets at that point. And then came the Panama Papers; they just kept coming.

>> And now it's part of the culture. It's almost like a generational thing. It's like we've raised this generation of millennials and post-millennials who almost have it in their DNA to do leaking.
8:06 am
This is a wonderful time to be a journalist. One of the big stories in the news right now is about an anonymous whistleblower. I mean, it's just, it really took off. And I just wondered if you, sort of a few years later, if you kind of thought, connected that, if that something about -- if technology really did kind of build a new sort of sentiment around leaking, if we have sort of created a leakers' generation or something like that.

>> Well, that book -- I did not expect to be talking about this book tonight. [laughter] But it's, it was about megaleaks. It was about the ability to leak vast amounts of data digitally and anonymously. And, yeah, that has happened. And like the Panama Papers and then the Paradise Papers that followed have dwarfed all of the leaks that I wrote about in that book. And it did kind of continue this
8:07 am
exponential trend line that I was trying to show in "This Machine Kills Secrets," that we are in this new era of very liquid information that can be leaked anonymously using cryptography tools. And I talked to these German reporters who obtained the Panama Papers, and they used cryptographic tools. Now every newspaper has the same kind of protected anonymous inbox for leaks that WikiLeaks really invented or kind of popularized. Now "The Wall Street Journal" has one of those, right? "Wired" has one, the New York Times; it's sort of table stakes in serious investigative journalism. So that seemed to pass. I don't know if that book was too early because it came after WikiLeaks and sort of when WikiLeaks was on the wane. But then, of course, WikiLeaks became very much news again in 2016. I don't know, I hope this book has better timing.

>> I hope you're wrong about
8:08 am
that, Andy, because this book is terrifying. [laughter] I mean, the things that, I mean, the book really puts the risks of cyber warfare in a context, in a perspective that if you had asked me if these kinds of things could come to pass ten years ago, I would have probably laughed at you. At that time I thought of cyber warfare as really just a fancy term for espionage. This was pre-Stuxnet, which was this, you know, software created to infect the nuclear enrichment facilities. This was something that it really did seem like science fiction. But the book really captures the whole context of this. And so I wanted to start -- actually, I think the first question I should start with is the name Sandworm. Tell us about how, how your book came to be called "Sandworm."
8:09 am
>> Right. Well, in late 2016, after all of the 2016 election hacking by Russians, my editors were obsessed, and they asked me to find the big story of cyber war. And I, like you, was like, that is not -- actually, I didn't say this out loud, because I do what editors ask for. I didn't consider those attacks that stole information from the Democratic National Committee and the Clinton campaign and leaked all that online. That seemed to me digital dirty politics, not cyber war. But I went looking for what could be a, like, cyber war story. I wasn't sure that such a thing existed, but my colleague who had left "Wired," Kim Zetter, had written about the first-ever blackout induced by hackers, and
8:10 am
it happened in Ukraine. So I started talking to sources there and who were familiar with what was happening in Ukraine, what Russia was doing, and I saw this bigger context, which was that in 2014 Ukraine had had this pro-Western revolution, very much sort of breaking free of the Putin influence. And Russia had responded by invading. And that physical invasion had been accompanied by wave after wave of cyber attacks. Not just one blackout but, in fact, a whole series of them. They actually tried to spoof the results of Ukrainian elections in 2014 before they tried to mess with our election. They had attacked every strata of Ukrainian society, the media and government agencies and private industry, destroying, you know, hundreds of computers in some cases inside of these targeted networks. And then finally, that first blackout had been the kind of climax of that first attack. And hackers had turned out the
8:11 am
power to Ukrainian civilians, the first time that had ever happened anywhere in the world. And as I was looking into this, it happened again. There was a second blackout in Ukraine, this time in the capital of Kiev. So I could see that this was actually -- I wasn't too late to the story, it was still unfolding. It was a real cyber war. It had all those criteria of: this is an actual nation-state hacker group that seems to be launching disruptive attacks designed to actually break things, critical infrastructure in an adversary's country, and in the midst of a physical war. So I became kind of, I decided to figure out who was responsible for this, who were these Russian hackers. And I traced their story back to this little company outside of D.C. called iSight Partners. And iSight Partners had discovered these hackers, who
8:12 am
seemed to be Russian, in 2014. And the group, they appeared to be Russian because they had actually left one of their servers open and unprotected. And the iSight analysts had found on that server a Russian-language how-to file for controlling the malware that they were planting on targets in Eastern Europe and NATO. And it seemed like they were doing pretty typical espionage stuff, but iSight Partners then began to notice targets that were more like critical infrastructure, electric grids, and some of them were even in the United States. And those American grid targets had the same malware planted on them as, in fact, this group would use in 2015 and 2016 as a first step of their blackout attacks. But the reason that this group would come to be called Sandworm is because each of those victims
8:13 am
of that first round of attacks was identified in a little snippet of the code of the malware that the hackers were installing. And each of those references was a little name from the science fiction novel "Dune," which features these monsters called sandworms. So iSight Partners named the group Sandworm. And to me, looking back, it was this incredibly appropriate name because it's like this monster that sort of hides beneath the surface and only occasionally surfaces to do terrible, disruptive things. Which, it turns out, was a very appropriate name for this one group of hackers focused on what I think would become the first real cyber war.

>> Is "Dune" big in Russia?

>> I -- it's hard to imagine -- [laughter] but it seemed clear that the same hackers who had this Russian-language file were using that same server to control infections of this malware
8:14 am
called BlackEnergy that contained snippets from "Dune."

>> Interesting to pursue that "Dune" clue.

>> In fact, that was what tied all these facts together and showed who Sandworm's victims were in that first campaign in 2014.

>> The thing that was so remarkable about the stories you're talking about is we had heard about cyber attacks on the grid for years, and they were always wrong. It was always -- I think you talk about this in your book. It's always a squirrel or soot on transistors or something like that. So when this first happened, I don't know, were you kind of skeptical when people were suggesting that it might be a cyber event? How did you approach the story from the start?

>> Well, I got into this in late 2016, and by then it had been pretty well confirmed. In fact, the mechanics had been laid out by sort of some cybersecurity analysts and
8:15 am
researchers who had, who eventually became some of the central characters in my book. And the mechanism of that first blackout attack was so interesting. It wasn't, you know, it started with the typical Word document in a phishing e-mail that has like a kind of malicious part of it that takes over your computer, and then they would use that to steal your passwords and get access to a VPN they could use to move into the other part of the electric grid network. And that's the part that actually controls physical equipment like circuit breakers. But the way that they then took control of those circuit breakers was really insidious. They hijacked the remote desktop software, the same kind that like your I.T. administrators might use in your work to remote into your machine and fix something. But that meant that these poor grid operators in this western
8:16 am
Ukraine control room watched as their mouse just started moving of its own accord, and they were locked out of the computer. And they just watched this mouse that they could not control click through all the circuit breakers on their screen. And each time it clicked, they would turn off the power to thousands more Ukrainian civilians, and there was nothing they could do about it. It was so cinematic that I was, you know, very drawn to this hacker group that had that kind of flair.

>> There's actually a video of that, right?

>> Right. I got this video by eventually going to that utility in western Ukraine, and, you know, the guy who filmed this with his iPhone AirDropped it to my iPhone, and we published it on "Wired." Yeah, it is -- it was something that I'd heard about, but we were actually able to see it.

>> But you write lots of interesting stories about cyber events. I mean, this was an interesting story, let's -- that's for sure. But at what point did you feel
8:17 am
that this was a meaty enough topic for a book? What made you decide this was going to be a book?

>> Right. So I eventually delivered what my editors wanted for "Wired," which was a story about the Ukrainian cyber wars. So in, by, you know, early 2017 I had gone to Ukraine, I'd talked with everyone there about what, about how they saw what was happening as this one group of hackers which would come to be known as Sandworm carried out these escalating attacks against them. And the kind of thesis of that story was we need to pay attention to Ukraine, because it's where Russia is showing their capabilities. Because they're already at war with Ukraine, they are using Ukraine as a test lab for cyber war innovation. And if we look at Ukraine, we can see the future of cyber war. In fact, we can predict likely what happened to Ukraine will
8:18 am
soon happen to the rest of us in some sense. And bizarrely, the day that issue of the magazine hit newsstands was the day that this piece of malware was released by the same hackers in Ukraine that spread to the rest of the world.

>> This is --

>> And became the worst cyber attack in history, caused $10 billion of damage and took down the networks of companies like the world's largest shipping firm and Merck, the pharmaceutical company, and FedEx and on and on. This prediction, you don't really want the prediction you make to come true on the very day that you print it. You don't really get credit when it happens. But that is, essentially, what happened. We were, you know, in the magazine making this argument that Ukraine was this canary in the coal mine, that what was happening there would soon spill out to the West. And it did.

>> So when that happened, you
8:19 am
were like, okay, this is a book.

>> Well, it took a little while to recognize it for what it was.

>> Right.

>> Initially the name -- I'm sorry, I said to define Sandworm, and now I have to define -- [inaudible]. It was this piece of malware, a worm, that spreads from computer to computer automatically, which is an amazingly dangerous thing because it can very quickly just, you know, go bananas and spread to the entire internet, which is kind of what happened. But it looks like a ransomware worm. I'm sure you guys have all heard of ransomware, where a piece of malware encrypts your computer and then demands a certain ransom to unlock it. In this case every computer demanded $300 in bitcoin for you to unlock your computer and gain access to it again. And initially, this malware looks like a familiar piece of ransomware called
8:20 am
Petya, but people realized even when you paid the $300, it wouldn't decrypt. It was, in fact, not Petya; it was a destructive worm pretending to be ransomware.

>> Masquerading.

>> Right. It was a cover story for a terribly disruptive and virulent attack that hit Ukraine very quickly, destroyed the networks of 300 companies, pretty much every government agency, many hospitals, multiple airports and transportation, ATMs. It was, in Ukraine, truly like a kind of carpet bombing of the country's internet. But it also immediately spread to the rest of the world. And when -- it wasn't initially clear how serious it was, but these companies like Maersk reported to their shareholders $300 million in damage. If you put that in context, the ransomware attack that shut
8:21 am
down the government of Atlanta cost, I think, $20 million ultimately. $300 million for one company. Merck lost $870 million. So I could see that this was quickly turning out to have been the worst attack in history, but none of these companies would talk about -- [inaudible] their experience, how in hell did they manage to lose that much money through this attack. So it was becoming clear that it was, you know, something, something unusual. It took a couple of months to see the full scale of it. It ultimately cost $10 billion. And when I saw that, I was -- and we could also very quickly see the forensic links between it and those earlier Sandworm attacks that turned off the lights twice to civilians in Ukraine, those first blackout attacks. So this was the work of one group. And I could see that there was an arc to the story, a kind of
8:22 am
building and then a climax. And it was that bigger story, and that's when I began to work on it as a book.

>> Right. It was crazy because it, as you point out, it spread quickly. It was designed to spread like a worm, so it was out of control when it was moving around the world, and it spread in Russia. So we have these two attacks that are linked, that in your book you link to Russian intelligence, the GRU, and one of them is causing widespread damage around the world, including taking out companies in Russia.

>> That's right.

>> Why?

>> Well, it does, you know, we tried to puzzle out, like, what's -- in the security community, to figure out what it was intended to do. It worked by hijacking this piece of Ukrainian accounting software and sort of piggybacking on this software's updates. And pretty much anyone in Ukraine who wanted to file taxes
8:23 am
or do business in the country had to have this piece of accounting software. It's kind of like the Quicken or TurboTax of Ukraine. So it was definitely, that was a method that was used to target Ukraine, but then it also hit everyone else who did business in Ukraine. And it seems that Sandworm, in this kind of way that I have come to associate with this Russian military intelligence agency that I now believe Sandworm to be a part of, was just an insanely reckless and brazen attack that was sort of a shoot-first-and-ask-questions-later attempt to destroy Ukraine's internet without really considering the collateral damage that would result. And that hit Russia. But I spend, I spent six or nine months of this reporting of this book really delving into the experience of these multinational companies to try to capture what it looks like
8:24 am
when an entire, you know, global conglomerate --

>> Offline like that, yeah.

>> Yeah.

>> It's incredible. There's, one of my favorite parts of the book is you write about Maersk, the shipping giant, where there are basically 18-wheelers being turned around at ports around the world and vegetables rotting and, you know, just materially the global transit system is basically frozen by this ransomware. And at Maersk they almost lost everything. They almost lost all of their, their domain controllers, except they got lucky.

>> Yeah. The beginning of the story really starts in their headquarters in Copenhagen. And Maersk, by the way, never officially -- their PR people never returned my calls. This was the frustrating thing, that none of these massive companies that were just decimated would talk officially about the fact of what had happened to them, the fact that it was Russia that did it. It took actual back-channel,
8:25 am
like, investigative reporting to tell these stories. But eventually, I was able to piece together the story for Maersk in particular, and it starts with an I.T. staffer who told me that, hell, his screen went black, and, you know, in the afternoon in this, in the Copenhagen headquarters of this massive shipping conglomerate. And then he looks up and he sees, in fact, there is a wave of black screens going across the room in the office, and it's just black, black, black, black, and every screen in the headquarters turns black and then shows this ransom message. And soon people are running down hallways and yelling at people to turn off their computers before they could be infected, unplugging computers, jumping over turnstiles to get to other parts of the building because even the physical security systems had already been locked and paralyzed by this malware. But as Bob was saying, like,
8:26 am
Maersk is not just an I.T. company. They control a fifth of the world's global shipping capacity. They have 76 terminals and ports around the world where these shipping containers the size of the Empire State Building arrive carrying another Empire State Building's worth of cargo on top of them. And suddenly Maersk was just brain dead and couldn't figure out what was on these ships. They didn't have inventory software. The gates, as you said, outside these terminals -- 17, ultimately, out of the 76 -- 17 terminals around the world, the gates were paralyzed so that trucks are lining up by the thousands and lines going miles long. And the trucks can't get in, nobody's telling them where to go, Maersk can't even send them an e-mail to tell them what's happening --

>> Through even Gmail, right?

>> One enterprising guy went on his Gmail account from his phone, I guess. But all of the Windows machines, their entire network was down.
8:27 am
Tens of thousands of trucks ultimately had to figure out where to send their containers, paying massive premiums; their, as you said, perishable things are rotting because they can't figure out where to keep it, or it's part of some just-in-time supply chain. So this is how you lose $300 million in a cyber attack. And that is just one company. What I just described is multiplied by 17 ports around the world. And then there's also Merck and, you know, this massive pharmaceutical giant that faced a cost that was more than twice as much. There's FedEx, and each one of these companies has that disaster story.

>> Was that linked to the translation problems that they were having with the voice translation software?

>> Well, you're getting at something else. That was not Maersk or Merck; that was hit by this speech-to-
8:28 am
text --

>> Right.

>> What you're getting at is this part that can't even be quantified in that $10 billion. It hit hospitals across the United States too. And the way it did that, for the most part, it actually directly infected a few hospitals and shut down all their computers, but much more common was this experience where hospitals use this one speech-to-text recognition software called Nuance. And Nuance allows doctors and nurses to read changes into a medical record and has them automatically updated from a, you know, an audio file. And Nuance was taken down and lost $92 million, which is, you know, not that big in the scheme of things, but the bigger cost is that Nuance failed in this silent way so that all of these hospitals -- and one executive at one hospital told me that she was on a conference call at one point where hundreds of people were trying to get answers from Nuance.
8:29 am
So it was likely dozens or hundreds of hospitals. Hundreds of hospitals had doctors who were reading changes into Nuance's software, and they were being lost.

>> So these are, like, procedures that are to be followed before surgery --

>> These are all kinds of updates to records, medical records. They can include drug changes or, you know, any kind of like minutiae of a change in someone's treatment. But, yes, they can include like a test that's necessary before surgery. And I spoke to one I.T. administrator at a major American hospital who told me that she, about a week after -- because these hospitals had, I should say, that had in some cases millions of changes to -- I would say in total they had many millions of changes to medical records that were lost. This I.T. administrator was approached by this panicked nurse who was saying, we need to transfer this child patient for surgery, and we don't know if the child's had the tests
8:30 am
necessary to clear them for that procedure. So they had to hunt down that raw audio file. They only had a few hours before this procedure was scheduled to happen. They had to find the lost audio file and make the change manually to the medical records, and they did it just in time. But then this happened three more times over the course of the week just in this one person's experience. So again, you kind of take that experience, you multiply it by just how many patients were affected here, hundreds or thousands in each of dozens or hundreds of hospitals, and you start to question, you know -- I didn't actually confirm that anyone was killed by it, thank God, but you do start to question --

>> Right.

>> -- how did this happen without anyone dying or having their health seriously harmed by this, just such a massive scale of outage.

>> By the way, if anyone has a question, I'm going to come back for questions in just a few minutes, so just think about it if you want to ask Andy anything. But I want to pivot a little bit
8:31 am
because it was built on a couple of pieces of software, one which was allegedly created by the NSA and another which was created by a Frenchman that you interview. So there are two pieces of software that basically were not created to do this type of activity, right? Like, not be part of a global worm.

>> Yeah. So it had basically three main ingredients, the story that I tell in, you know, the run-up to this kind of Armageddon moment. There was that hijacking of the Ukrainian accounting software. But then once it had a foothold, it would spread with these two kind of intertwined tools that Bob just mentioned, one of which was a stolen NSA hacking tool that had been stolen and leaked
8:32 am
by this very mysterious group called the Shadow Brokers, who have still not been identified. We don't know how they managed to steal these tools from the NSA. But this was kind of like a skeleton-key hacking tool that hackers can use to break into any Windows machine around the world that was missing the patch for this, you know, break-in technique. Of which there were many hundreds of thousands. And that was paired with this other kind of, really like a demonstration hacking tool, an open-source hacking tool developed by this French researcher, called Mimikatz, which he had intended to mean -- [inaudible]. But it's a very dangerous component because it was capable of, it ran on a computer, it could take all of the passwords that were in the computer's memory, lingering in memory, and then a hacker can use those passwords to gain access to another computer on
8:33 am
the same network, anyone that that password had access to. So with these tools intertwined and that kind of initial seeding out from the Ukrainian accounting software, they would get an initial foothold on a network of one of these companies or any of these Ukrainian institutions and just spread in an instant. In seconds it would saturate thousands of, essentially every computer on the network.

>> You've got, in part, you've got $10 billion in damage, potentially lives threatened, in part because of an NSA hacking tool. I mean, how much of that is on the NSA?

>> This is a big question. This tool called EternalBlue, you know, it was leaked by these rogue hackers who somehow stole it from the NSA. But the NSA did actually do their best to try to respond to this. They told Microsoft when the
8:34 am
tool was stolen, before it was actually leaked publicly. They tried to help Microsoft put out a patch to help protect people. But it turns out patching is this kind of epidemiological problem where you have to convince, you know, millions of people to install the patch. And a lot of people don't. So then do you blame the NSA for the fact that their tool was taken and misused? The NSA, it seemed, uses this tool almost exclusively for spying, which is what the NSA does. They just spy on this global, vast scale. Occasionally, their partners in this other -- their partners will use the same kind of hacking tools to disrupt something the way that Sandworm does, but only in the most targeted fashion. The NSA is, you know, pretty responsible with their use of this. But what you can kind of criticize them for is the fact
8:35 am
that they kept this hacking tool secret for years before it was stolen and leaked. And that gets to a kind of theme of this book, which is that the U.S. government had for this entire story been so much more interested in maintaining its hacking capabilities than they are in trying to control Russia's or restrain these incredibly dangerous hackers like Sandworm. The arc of the book in some ways is how the U.S. watched this cyber war build and escalate for years in Ukraine and didn't say anything as Sandworm turned out the power to hundreds of thousands of Ukrainian civilians. This act of cyber war that should have from the very beginning been called out as crossing a red line. You don't -- even though Ukraine is not NATO, they're not us, we should have in the U.S. said that's not okay. You don't do that to anyone.
8:36 am
That's, essentially, a cyber war crime.

>> So targeting civilian, critical -- what do you think the red line should be, targeting critical civilian systems with cyber weapons, or what would it be?

>> Well, I would say that targeting critical infrastructure for civilians is probably never okay. Targeting critical infrastructure at that kind of indiscriminate, mass scale where you're turning off the power to, in the first of these blackouts, a quarter million Ukrainians, is certainly not okay. But when I put this to both Obama and Trump administration officials, kind of did these exit interviews with both administrations, they both made this argument that, well, you know, we kind of want to be able to do that ourselves. Like, we don't really want to call out Russia. We don't really want the Geneva Convention for cyber war because we also want to be able to turn
8:37 am
out the power in the midst of war, destroy entire networks. but it's so shortsighted, because when we do that, we do tend to do it in a pretty restrained and targeted way. so when you, but when you fail to call out russia or try to set the rule that nobody should do it, russia seems to do it, sandworm seems to do it in this way that is entirely indiscriminate. they don't even seem to care that much if their own people are hit by a worm. >> right. so it's still, i mean, from your perspective, it's still the wild west. there's -- i don't know if you have a read on how our discussion of cyber norms has evolved since the obama administration, but if you do, i'd be interested in hearing that. >> well, you know, the obama administration tried to set some cyber norms. they did, you know, indict iranian hackers for hitting u.s. banks with disruptive attacks, and they also called out --
8:38 am
president obama gave a speech where he, you know, talked about the fact that north korea had hacked sony. those are the kinds of things that the obama administration failed to do for ukraine. the obama administration watched the ukrainian cyber war from a distance and said nothing as these kind of terrible and unprecedented acts of disruptive attacks, cyber attacks on civilians, just continued until they built into this thing that, you know, did blow up and hit us as well, fulfilling every warning of all of the kind of cassandras, in ukraine and out, who were watching that ukrainian cyber war and trying to warn that this was a dangerous, unfolding phenomenon. the trump administration has their own blind spots about russian hackers, as you can imagine. so when the attack hit american
8:39 am
soil, did billions of dollars of damage to american companies, shut down the medical record systems of american hospitals, it nonetheless took eight months for the trump administration to even say anything about it. which i, you know, i still kind of scratch my head about. but i think that may in part be you don't go into the oval office of president trump and talk about russian hackers. it's not a subject that he -- >> just for context, the sony attribution, so after sony was hacked, there was a statement from the department of justice, i think, within, was it weeks or -- >> days. >> yeah. >> it was very, very quick. and not only did it take the government years, it took until, it took this calamitous global cyber attack for us, for our government to start talking about the cyber war in ukraine. but even after that cyber attack took place, it took eight months
8:40 am
for the trump white house to talk about it, to say this was russia, this was the worst cyber attack in history, we're going to do something about this. and it actually was a coordinated statement with four other countries' governments. i think you have to give credit to some adults in the trump white house who knew this happened. this was, in fact, the first moment sandworm was called out at all, and that counts for something. but i do believe it was too little and too late. and, in fact, the lesser told part of that story is five or six days before the trump administration even made that statement, the same agency, likely, in fact, sandworm itself, had carried out another destructive cyber attack on the winter olympics in korea -- >> right. >> -- for which they hadn't, still have not been held accountable, for which the government still has said nothing at all. i find that to be bizarre. >> that's also a great story,
8:41 am
but before we go further, i just want to -- does anybody have a question? you have a question? >> [inaudible] >> why don't you start with one, and i'll repeat it so we can get it. oh, you have a mic there. great. >> i can -- >> go for it. >> so my first exposure to working with security -- [inaudible] from people -- back then we were getting constant attacks on doe, department of energy, all over the place, all these -- russia, china, eastern europe, etc. but you can think that why people wouldn't want to talk about this, it exposes their weakness, and it is an ongoing war. i would love to hear more about where we are now. and not our particular administration, but where our u.s. defense, private and public
8:42 am
partnerships are in staying current, and where are we? are we falling behind? >> right. okay, got it. i'll just repeat it in case you couldn't hear. the question is how is it, in the context of these terrible weapons that andy's been describing, how do things look for the u.s.? are we falling behind, are we ready for this? >> well, it's interesting you started out by saying that when you worked at doe, you saw attacks constantly. >> i didn't work there, other friends -- [inaudible] >> i see. we used to talk about cyber attacks as, like, somebody trying to hack your network. but usually when they're doing that, they're -- i would say the most common version of that is some sort of espionage. they were trying to break in to steal information. now, like, the cyber attacks, what i would call cyber attacks now is an attempt to do something disruptive or destructive, to destroy computers, to take down
8:43 am
whole networks, to mess with infrastructure. i think that's the kind of new world in the kind of escalation we've seen. so the question is now are we protected against that new era? and in many ways cybersecurity has not really improved. we've learned a lot of lessons from friendly hackers in the u.s. over time and kind of embracing the hacker community. but the big failing that i'm focused on is not really in technical cybersecurity, which is a terribly kind of, like, endless uphill battle. it's always easier for the attacker. kind of setting norms in the kind of geopolitical sense of drawing red lines and -- >> we haven't done that. >> we haven't done that at all. as i was saying, the obama administration kind of started to do that by calling out certain actions by foreign governments against, you know,
8:44 am
u.s. targets and saying that one's not okay. we're going to indict your hackers for that one. that one's not okay, we're going to impose new sanctions, like they did for the russian meddling in the election. but when you watch blackouts against hundreds of thousands of people and you say nothing -- >> what do you make of the fact that the first nation to create a self-replicating piece of software that infected critical systems was the united states? >> that is another way in which the u.s. has pushed forward the vanguard of cyber war and attracted this power. i mean, i sometimes think of it like lord of the rings where everyone is just attracted to the power of this new weapon, and they all think that they can use it for something good because they're, you know, what they think is their important agenda, and none of these
8:45 am
players on the global stage want to constrain that power or destroy it. but, so the u.s. did, you were getting at stuxnet, that destroyed iranian nuclear centrifuges in this underground facility. that was a new kind of demonstration to the world that with just a piece of code, you can destroy physical equipment. and that was incredibly powerful. >> but it was also, it was interesting, because it was also spread amongst 30,000 computers that it wasn't targeting. >> right. >> software that's not supposed to be there is -- >> it did spread. and that was in some ways, that was definitely a mistake, in part because it allowed stuxnet to be discovered. >> right. >> it may have never been identified by the global cybersecurity community if it hadn't spread. but the important thing to point
8:46 am
out is it didn't start spreading around the world and blowing up equipment the way it did those nuclear, those iranian nuclear centrifuges. it would sometimes crash your computer if you were this. for the most part, it just spread in this inert way. really, the opposite. it wasn't designed to spread indiscriminately. that was a big mistake. it was designed to just spread inside the iranian facilities, and it kind of got out of hand. >> i want to keep moving to questions. you had a question in the corner there. >> just wondering why russia specifically targeted the ukraine as opposed to other places in europe. >> right. well, why did russia target ukraine. >> russia has this very special, very abusive relationship with ukraine. ukraine was part of the soviet union. in fact, ukraine -- many russians consider ukrainians to be an offshoot of their culture,
8:47 am
not a real country for its entire 1,000-year history. and also ukraine has things that russia wants like warm water ports and, you know, and in previous generations it was the kind of breadbasket of russia. but i think that it was just part of russia's sphere of influence. and when it kind of turned to the west, when it embraced the west instead of putin, that starts to erode this buffer zone that russia wants to create. so russia invaded, and people talk about this as a kind of frozen conflict. like putin did not want to conquer ukraine. putin wanted to place a war in ukraine that never ends to weaken the country, to make it a permanent war zone to drive out investment. and that's where cyber attacks come in. that's why cyber war is so effective, because you can project that uncertainty and that loss of confidence well
8:48 am
beyond the military fronts and start to demoralize civilians in the west of the country, in the capital of kiev. >> you have great descriptions of people trying to make atm machines work and finding them all offline, going to gas stations, lining up at gas stations because gas stations aren't working in these types of environments, not being able to buy groceries. people really -- your -- [inaudible] oh, my boss is annoying at work to am i going to get food for my family tonight. >> right. and i think, you know, ultimately it is that kind of disruption and that kind of mass societal creation of fear and uncertainty and doubt, it is a kind of terrorism where you're not, you know, you don't tactically gain that much in
8:49 am
your war against ukraine by just, you know, preventing people from taking the metro because they can't pay with their credit card or buying groceries or, you know, just by destroying all of the government agencies' networks. it wasn't like russia then accompanied that with a physical advance from the military. but it's absolutely a psychological blow. it makes ukraine look like a failed state. it makes the populace wonder if they should be supporting this government and maybe they should feel nostalgic for the previous regime when things were a little more stable. >> wow. i have a couple more questions. first to you, sir. >> i'm interested in the corporate response. multi-national corporations, when faced with a potentially existential crisis, can focus enormous financial resources and political capital on preventing this stuff from happening again. are you seeing corporations start to respond in ways that
8:50 am
could be effective in preventing a future attack? or are these things just inevitable? >> just to repeat it, what's been the corporate response to this, what are corporations doing. >> yeah. >> and talk about microsoft, because you mentioned -- [inaudible] that microsoft flaw, and there's a lot of these attacks were on their systems. i'd be curious about that as well. >> yeah. i think you're asking about the victims, right? like maersk, for instance. and, i mean, the reason that none of these companies wanted to tell the story of how they got hit and what that felt like internally is because of victim shaming. and i did my best to not make this a story of victim shaming and why were these companies vulnerable. because i do believe that a lot of this could have happened to, you know, not quite any multi-national company, but many of them. this was a very insidious and sophisticated attack that, you know, used essentially a secret vulnerability in this ukrainian
8:51 am
accounting software, among other things. but nonetheless, i'm going to now shame maersk and talk about their vulnerabilities, which is they had actually developed a new security plan, i learned, that would have involved upgrades to all of their computers, operating systems, would have segmented the network better, which is exactly what would have protected them. and they had a budget for this, and they green-lit it, but the i.t. team never carried it forward because their bonus incentive program just didn't actually motivate them to do it. they wouldn't have gotten bonuses for doing it. so it never happened. and they paid this massive price. afterwards, of course, they did have to rebuild everything, had to rebuild 45,000 pcs and 7,000 servers. so they built them in a more secure way. but that was after the fact. >> did they back up their domain controllers? >> i think bob really wants to -- i really want to tell the story about the domain -- >> it's a little geeky, but why
8:52 am
don't they back up their domain controllers? >> i don't know how they do now, actually. domain controllers are these servers that are the kind of backbone of a, a big i.t. network. they sort of govern who has access to what. and that's a really big deal. you can't really have a massive network without those rules. and when it just devastated maersk's global network, they created this really desperate recovery operations center out of london, and they just sent all of their i.t. staff to this one building where people were sleeping under desks and in hallways for just days on end, 24/7. and one of the first things that they, one of the first hurdles that they encountered was that they did not have a copy of their domain controllers. they didn't have a backup, a single backup of their domain controllers. and maersk had more than a hundred domain controllers all around the world. but they were designed to back
8:53 am
up to each other. so you could have one go down or 25 go down, but you would have dozens and dozens and dozens of others that had the same copy of the data. what they hadn't planned for, and it's maybe rational, but they hadn't planned for a situation where all of the domain controllers go down at the same time, which is exactly what happened. so when they realized it, there was this kind of panic, and they had to call all of their data centers around the world looking for one backup of a domain controller. and they finally found it in ghana. because in ghana, this one data center had had a blackout, a normal blackout, not a hacker-induced blackout. and the result was that the one domain controller in that data center had been offline at the moment that the attack hit, and so its backup was preserved. so they had their data that was the kind of lifeline for their entire network. it was in ghana. they tried to send it to their
8:54 am
recovery operations center outside of london, but they couldn't get enough bandwidth to do a secure connection. so they tried to fly the ghanaians to london on the plane, but they didn't have the right visas, so they had to fly to nigeria and send somebody from london to nigeria and do this kind of relay race handoff in the nigerian airport and then fly back, drive this hard drive from london to this town outside of london where they were doing the recovery operation. and only then begin to rebuild their entire global network. and so the lesson is, you know, just keep the domain controller offline to begin with. [laughter] >> okay. that's a good story. you don't have to go into why microsoft never -- [laughter] you were going to say more. >> yeah. i eventually heard a little bit about merck's story as well. they had a backup of all of
8:55 am
their data, but it was a hot backup rather than a cold one, meaning that it was connected so they could more easily update their backup, and that meant that it was infected and destroyed as well. so companies are making efforts to do this, but it's just an extra bit of expense to prepare for an actual cyber armageddon that you never actually expect to arrive that they didn't do. >> [inaudible] >> merck, i think, is doing it now. i would say that, i would guess that, you know, it's hard to know for the majority of the companies. but i think the most of them still are not actually learning these lessons until they learn the hard way. because it's just hard to convince the ceo that this is what we should be spending money on. >> yeah. we have, i think we're out of time right now, so i'm just going to -- we'll have to talk to you about your question after this is over. >> the black hat definitely needs to get to ask a question.
8:56 am
>> i have a quick question. >> okay, great. well, i just want to thank andy for chatting with me. i could go on and on about this, but we are out of time now, and it was just -- i can't stress enough just the way this book puts the context of physical cyber threats in the proper place. it's a really remarkable and disturbing read. [laughter] so thanks for sharing a little bit of it with us tonight, andy. >> thanks, bob. [applause] >> guys so much. we so appreciate this. if you'd like to purchase a book, i encourage you to do so -- [inaudible] it will make a fabulous gift for the holidays. we have them available at the register, and we're going to reset the stage for signing, and you can chat with andy a little more if you'd like to and -- [inaudible] [inaudible conversations]
8:57 am
>> here's a look at some of the most notable books of 2019 according to "the new york times." midnight in chernobyl, the world's worst nuclear power plant disaster. journalist rachel louise snyder in no visible bruises. in the club, the regular gatherings of british philosophers, artists and economists in london in the late 18th century. and sarah broom, she was this year's winner of the national book award for nonfiction. >> in this room tonight my mother, ivory may, poet in her own right -- [cheers and applause]
8:58 am
how as a child i watched her every move, seeing her eyes fall upon every word anywhere encountered in the grocery store, on the bus, pamphlets, the package label, my high school textbooks. she was always wolfing down words, insatiable, which is how i learned the ways in which words were a kind of sustenance, could be a beautiful relief or a greatest assault. how i learned that words were the best map made me know my mother was always saying in between raising 12 humans. i am in this room, semicolon, and so is my mother. [cheers and applause] in this room my big sister lynette who left the yellow house, went back to school in
8:59 am
new york city when she was only 19, which then felt like a lurching mission to planet unknown. in this room tonight, my love, dee rees, a fellow artist, the most inspired accompaniment of my life. and the chorus, my siblings, not here, but whose voices exist in mine. carl, michael, karen, darren, byron, troy, eddie, deborah, valeria, thank you for telling me the stories in the first place and for trusting me to make something of them, for allowing me to call your names because it is no small thing to recover the names. these, there are other names in my family who told me the history of myself, some of whom died before this book was finished and in the world, these absent presences, my auntie elaine, my mother's only sister, my uncle joe in january of this
9:00 am
year and in the swiftest blow, my oldest brother simon jr., who died the day after this book appeared in the world. >> most of these authors have appeared on booktv, and you can find their programs in their entirety at booktv.org. type the author's name in the search bar at the top of the page. .. >> ready? all right. good evening and welcome to the rare book room. i help coordinate events. a special shout out to c-span for filming the event, thank you very much. a little history of the strand.