(mysterious music) - [Johnny] It's November 10, 2008. Barack Obama just won an election, and he travels to the White House to meet with the outgoing president, George Bush. In that meeting, Bush told
Obama about a top-secret weapon that the U.S. military had been developing with Israel since 2005, code
named Project Olympic Games. This weapon was intended to hit one of Iran's most fortified
nuclear facilities, buried deep underground, where centrifuges spin
uranium to enrich it for use as energy or,
with enough spinning, to be used in a nuclear weapon. (dramatic music continues) But this secret weapon wasn't a missile. They weren't planning an air strike. Instead, it was a computer file, less than a megabyte in size, 150,000 lines of pristine code. This is the weapon that the president had
to tell Obama about. This little file had been planted in Iran, where it spread throughout
the whole country. But it didn't do anything. It laid dormant until it found its way onto a flash drive that
was then plugged in at this underground nuclear facility. (air whooshing) And then it spread, finding its way to its final
target: this one machine. And then, the weapon started working, quietly reprogramming the software to very subtly sabotage these
delicate spinning centrifuges, opening a valve to change the pressure, telling the centrifuge to spin
a bit faster or a bit slower, all while telling the technicians that everything was working properly. (mysterious music) Over time, these subtle manipulations destroyed these centrifuges. This was one of several weapons
that the U.S. had planted in Iran using sophisticated computer code. Now, if a war broke out with Iran, the U.S. could turn off their power, could turn off their
military defense systems, making it so they couldn't
shoot down planes. They could turn off their
command and control systems so they couldn't talk to
each other during the fight. This was a real war plan
executed by thousands of American military personnel, hundreds of millions of dollars, and a cyber operation that would, quote, "Prepare the battlefield
by weakening Iran's ability to fight," all of it using code. The code that sabotaged
the nuclear facility was eventually discovered and named after some of the
elements that were inside of these many lines of
code: .stub or MRxNet. They called it Stuxnet. Now, this weapon did slow
down Iran's progress at first, but it didn't stop them. But what this did do was
showcase a new style of war: the use of quiet weapons in
the form of a tiny text file that could self-replicate and wreak actual physical
damage on an enemy. We call this cyber warfare, and it has become a
fixture of modern conflict. Let me show you how it works. (mysterious music continues) - [Speaker] We're moving
into a new era here. - [Speaker] People are
actually getting killed. - [Speaker] Dismantle our
communications systems. - [Speaker] At the click of a button, you can bring down nations to their knees. (mysterious music continues) - Before Stuxnet, most cyber
warfare was pretty basic. Like in the '80s, you had this situation where an East German hacker broke into some military
computers in the US looking for secrets for the FSB, which was like the Soviet spy agency. Or more recently, like in 2007, where Russian hackers attacked
a bunch of Estonian websites in the financial, government,
and media sectors, shutting them down, as retaliation
against Estonia deciding to relocate a Soviet monument. These were cyber attacks, but they were pretty
weak and unsophisticated, especially compared to
what was soon to come. With that, let's dive into this deep, complicated, intense, wild story of cyber warfare. (dramatic music)
- The true power of the internet. - [Speaker] Empowering
the internet generation. - [Speaker] I got on the internet. - We have to remember
that, in the early 2000s, most of the world wasn't
built off of the internet yet. Internet speeds were getting good, software was getting sophisticated, and computers and their
software were becoming the foundation to many
big invisible industries, like shipping, finance, and energy. And crucially, hackers, who
had grown up on the internet, were getting really good
at finding vulnerabilities in these systems, breaking into them, learning to exploit them. Now, how those hackers ended
up selling their secrets to the U.S. government in the
name of making cyber weapons is the next part of the story. (mysterious music) But first, a quick word on software, this thing that runs our modern life that is mostly invisible but
that is endlessly important. That ensures that you have electricity and that you can access your
bank account and do your job. All of this is made possible
because of something that looks very simple: lines and lines of code. They're just basically
lists of instructions on how a system should run, what it should do in every circumstance, and who has access to what. But because more and more of
the world is run on software and software contains
sensitive information, like your Social Security
number or bank account number, whatever, developers build
their software like a castle. (mysterious music) So this is our software castle. It has walls and locked doors that only authorized users
are allowed to get into. But inevitably, because
it's a big, complex castle, the builders of this castle, on accident, left little holes, little vulnerabilities, weak spots, secret doors, that if an intruder could
find would allow them to get in, where they can steal things or even take control
of parts of the castle. They can lock the owner out
and only give them access in exchange for money. Or they could just leave little time bombs that will blow up later. Almost all software has
some kind of vulnerability that would allow a hacker to
get in and control things. But the worst kind, arguably,
and the nightmare scenario for software developers is the zero-day. (mysterious music) It's called a zero-day exploit because, by the time the intruder gets into the software castle, the developers had known
about this for zero days, meaning they didn't
know, they were unaware. They were blindsided by this attack. It was a hole in their
castle that somebody found, and now they're screwed. Now, once a hacker gets in, developers often know that
there was a vulnerability. They can work on patching it, but that takes time, and then, of course, they have to get the users
to update their software in order for that patch to actually work. And we all know how kind
of annoying that is. A zero-day exploit is a
software developer's nightmare, which, in turn, makes it a hacker's dream. Some hackers will spend their time looking for zero-day exploits in
really powerful software, like the software that runs your iPhone or Google Chrome or
Windows operating systems or a million other pieces of
software that run our world. Some are interested in doing this so that they can get money or passwords. That's the criminals. Or others are interested
in gaining control of underground nuclear
facilities and electricity grids. That would be the government. (mysterious music) Okay, so let's say that you're
a really sophisticated hacker and you have somehow
found a zero-day exploit for an Apple iPhone iOS. You can get into someone's
iPhone and control it. That's a really valuable thing. You now have a few choices on what to do with that information. Number one, you could go right to Apple and you could give it to them. And they will pay you handsomely. Right now, they will pay you $1 million in exchange for a zero-day exploit that allows you to hack into their iPhone. Every big software company does this. Like Google will give you $150,000 if you can find a way to take
over one of their Chromebooks via a website. Software companies
offer these bug bounties because they want to know where the holes in their castle are. They want to patch them. They want to avoid the
nightmare of being hacked into and compromising the security
and privacy of their users. So yeah, that's one of your
options, sell it to Apple, get a million bucks, totally aboveboard. We'll call this the white market. But you could also sell
it on the black market to criminals who want
to use these exploits to make money, which happens. Like in 2016, there was
this case where hackers that may or may not have
been linked to North Korea were able to hack into the central bank of the country of Bangladesh. They were able to make all
these fraudulent requests and like hijack the Swift system that transfers all the money. And in the end, they were able to get
$81 million transferred to their bank account in the Philippines. Their end goal was to
get closer to $1 billion, but because of a typo in one
of their fraudulent requests, they got caught and it got shut down. But the point is that
there's a black market for zero-days because there's
a lotta money to be made if you can hack into a financial system. But you also have a third option here. If you have a zero-day exploit, you can sell it to a
government or a military. They tend to have pretty big budgets. And more and more, they're interested in developing cyber weapons,
hacking tools that they can use against their enemies. We'll call this the gray market, and the money here is pretty big. (mysterious music continues) So there's all these middlemen
brokers for zero-days. They're like dealers. There's one Russian zero-day dealer who, a few months ago, tweeted out that, "Due to high demand," their
clients are now willing to pay $20 million, a hundred times more, for a hacking tool that
uses zero-day exploits that allows them to fully hack
an iPhone or Android device. And then, they specified that their client is a non-NATO country, which experts basically
say is them saying like, "This is Russia. Like our client is Russia." (mysterious music continues) These three markets for zero-days show us just how valuable
these little bits of code have become, because they
aren't just little bits of code. They are now weapons. They are access to very
valuable castles of software. Criminals want them. Software companies want them. But more and more, governments want them. And this is how the U.S.
and Israel built Stuxnet, their big weapon against
Iran, using zero-days. Not just one zero-day exploit, but four. - [Journalist] And what
Iranian officials describe as an act of nuclear terrorism. - And this is the reason why experts and the ex-director of
the CIA call Stuxnet a game-changer for warfare. Because whenever a country
uses a big new weapon, all of the other countries, especially the rivals, realize
that they have to match that capability and ideally one-up it. That's how arms race works. That's how nuclear weapons have worked. And that explains the concern
of the ex-director of the CIA. - This has the whiff of August 1945. - 1945 being the year that a
nuclear weapon was used in war, thus changing the world
and the balance of power between countries forever. - Somebody just used a new weapon. And this weapon will not
be put back into the box. (dramatic music) - So by the end of the
early 2000s, after Stuxnet, it truly was the beginning of a new era, a new era of cyber warfare. (mysterious music) In 2012, Chinese-backed hackers broke into the computer systems of over a dozen oil and gas companies. There was an investigation, and the FBI and Homeland
Security concluded that the attack wasn't to steal anything or even to sabotage the infrastructure, but rather, to quote,
"Gain strategic access for future operations," meaning to gain leverage
over the United States. Investigators said that
this was the first time that they had seen anything like this. That same year, an Iranian hacker group attacked
Saudi Arabia, Iran's enemy, using a cyber weapon that is
kind of like a digital bomb. It was a virus called Shamoon, and it got into the computers of Saudi Arabia's state oil company, wiping their hard drives clean. This thing spread across
the company's networks, ultimately wiping data from
tens of thousands of computers and rendering them totally inoperable, a huge blow to the company. In 2015, a huge cyber attack occurred when the Russian hacking group
Sandworm shut off the power to a quarter million
Ukrainians by gaining control of the computers that
ran the power stations. This is actual footage of
them remotely controlling these stations' computers. - They used a piece of
automated malware to do that, which is a sign that they will probably
wanna use that again. That looked like a kinda practice rounds to develop the capability
that they wanna have to use globally. - This set a new precedent. People theoretically knew that
cyber weapons could be used against electricity grids, which is like the lifeblood
of our economy and society, but it hadn't actually happened
until this 2015 attack. (mysterious music continues) These are just a few examples, but they're examples that
show how cyber weapons became employed in a war
context between countries. It wasn't just hackers
trying to steal money. It was countries trying
to hurt their enemy, trying to demonstrate their capabilities to deter their enemy, to let them know that they have power over them, a tool of war, of national power. And indeed, in 2010, the U.S.
acknowledged this very overtly by adding the U.S. Cyber
Command as a new department to the military. Cyber war was here and
it was here to stay. - Today we face threats
that have increased in sophistication, magnitude, intensity, volume, and velocity. - But here's what's crazy is
that these aren't weapons. These aren't like missiles, where a country has a monopoly
over buying and using them. Cyber weapons are just bits of code. They're text files that are really small and easy to transfer around. So what happens when a
cyber weapon developed by a military gets into
the hands of everyone and they can use it however they want? Well, that's exactly
what happened in 2016. - [Speaker] The DNC has called the FBI after detecting an attempt to
hack into voter databases. - [Johnny] During the 2016
presidential election, the U.S. was hit with a
barrage of cyber attacks. This included the hacking of emails of the Democratic Party, a misinformation campaign on social media, and even an attempted hack of
voter registration databases in several states. American intelligence
agencies came together, they investigated, and they
concluded that this was Russia. It was Russian hackers that were supported and directed by the
Russian government itself. And the goal was to sabotage
the American electoral system. - The Russians were responsible
for hacking the DNC. - This was like a frenzy
here in the United States. Like everyone was talking about it. It was a huge deal. But in the middle of all of this, a post quietly appears on GitHub from a user by the name
of theshadowbrokers. This was a few months before the election. It was a tense time for a lotta reasons. They claimed that they had
super powerful cyber weapons from the American government's
most elite cyber war group, the ones who created Stuxnet, and that they would sell
these hacking weapons to the highest bidder. They would take their bids in Bitcoin. They released a few
pretty impressive samples that actually looked pretty legitimate. They released an encrypted file that they said contained more hacking weapons, but you needed the password for it. But they held onto it, posting every once in
a while with a trickle of more information, and honestly, a lot of like bizarre
rants on American hypocrisy and broken English that felt kind of intentional and caricatured. They didn't end up
getting very much money, and it all looked fairly ridiculous. But then, out of nowhere came this post. (mysterious music)
- [Computer Voice] "Last week theshadowbrokers be
trying to help peoples. This week theshadowbrokers
be thinking (beep) peoples." - They were getting
pretty spicy, and indeed, they released this password, this weird, weird password that they said was the password to that encrypted file that they had posted earlier. And when you put that password
in the encrypted file, you discover that it is exactly what theshadowbrokers said it was. (intense music)
67 files that comprised some of
the most sophisticated and dangerous cyber weapons
that the NSA had ever created. (intense music continues) And among them, the most
powerful of the bunch, a tool called EternalBlue, which allowed hackers to break into and control the Windows operating system, which is what most
computers in this world use. EternalBlue was like an open door. Back to our castle analogy. This was like a door
into millions of castles and the power to spy inside of the castle, to unlock any door, to steal
the contents of the castle, to disrupt and break and
destroy whatever you wanted inside of the castle, to lock people out of their own castle. Yeah, I mean, this was like a
sophisticated military weapon that had just been
duplicated and sent to anyone who had an internet connection. And what it meant was
that theshadowbrokers, in all of their like
caricatured broken English, were actually legit. They had hacked into our
National Security Agency, our secret spy agency, and
stolen the cyber weapons and sent them out to the entire world. Not just to other
governments, but to anyone. So who are these shadowbrokers, and how did they do this? The answer and the kind of
scary thing about cyber war is that we don't totally know. Experts think that Russia did this to send a very clear signal to the NSA and to the United States at large that, "Hey, we can do this. We have the power to break
into your biggest secrets, and we will release them if we want to." So now, after 2016, we enter a new era of cyber warfare. Stuxnet was a big turning point. Theshadowbrokers and EternalBlue
is our next turning point. From here on, you see a new
genre of more sophisticated, more powerful cyber attacks. (mysterious music) Barely a month after the
NSA's secret weapons leak out by theshadowbrokers, a North
Korean-linked hacking group uses them to deploy a virus that spreads to nearly every country
on Earth within hours, locking up hundreds of
thousands of computers, making them unusable, which
halted hospital equipment, police departments,
governments, and railways in over 150 countries. (mysterious music) You're sitting there on your
computer and this pops up, saying that your files are locked and that you can get
them back, but, quote, - [Computer Voice] "You
have not so enough time." - [Johnny] Close quote, and that, quote, - [Computer Voice] "You need to pay $300 worth of Bitcoin to do so." - [Speaker] Malicious software
(intense music) has been taking computers hostage in an unprecedented worldwide outbreak. - This is called ransomware. Basically, you ransom the computer files and you have to pay. This happened in a matter of hours. It was only stopped because
a 22-year-old researcher accidentally activated a kill
switch baked into the code. So the bigger crisis was kind of diverted, but even still, in just that few hours, as WannaCry was spreading
to 150 countries, it caused hundreds of millions of dollars, maybe even billions of dollars, of damage and economic loss. This showed us how powerful
these NSA weapons could be in the hands of bad actors. And we learned this lesson once again when these same weapons were used by the masters of cyber warfare: Russia. (mysterious music) - [Speaker] The single
biggest attack on record. - [Johnny] It was June of 2017, the night before Ukraine's
Constitution Day, when the Russian hacking group
Sandworm deployed an attack that was similar to their
2015 electrical grid attack. But this time, they had the
NSA weapons in their hands, so it was a whole new level. This one was called NotPetya. This thing was potent. It spread very quickly, and soon, Ukrainians were seeing this scary screen on their computer that
literally started with, quote, - [Computer Voice] "Ooops, your important files are encrypted. Perhaps you are busy looking
for ways to recover your files, but don't waste your time. Nobody can recover your files without our decryption service." - It looked like another
ransomware attack, saying that you have to
pay $300 worth of Bitcoin in order to get your files released. But meanwhile, it was spreading super fast and wiping everything out in its path. It took down Kyiv's mass transit system, airports, hospitals, and it rapidly spread through government agencies. Gas stations and power grids went down, credit cards stopped working, and it shut down almost every
ATM machine in the capital. One person who was caught in the middle of this cyber attack described it as, "Life went very fast from,
'What's new on Facebook?' to, 'Do I have enough money
to buy food for tomorrow?'" And it's a moment like this
that we can really grasp just how fundamental this
infrastructure is to our lives. And in this case, there
was no kill switch. It was so viral that it spread
beyond its target of Ukraine into other parts of the region, hitting the systems of
a bunch of companies, like FedEx or the shipping company Maersk, and soon tens of thousands
of trucks were stuck for days with no computers to guide them. I mean, that's a lotta trucks. And many, many others. It affected tons of companies
and agencies and systems, all because of this one virus. Unlike a missile or an invasion, cyber can hide behind this
hackery-looking screen. This doesn't look like a state entity. This looks like a hacker
doing a ransomware attack so they can make some money in Bitcoin. But that's not what this was. This was a coordinated,
sophisticated attack by the Russian government
using an American cyber weapon to make it more viral that
caused an estimated $10 billion in economic loss and damages. And in the process,
really blurring the lines of the rules of war, where usually like, you know what a country did to you and you know how you're
supposed to respond. And all of that creates this nice balance of like deterrence. That's kind of the lifeblood of stability in our global order. When you've got these like shadowy, like deniable attacks,
it makes it way harder to know how to respond, to whom to respond, and like what's proportional. It just changes our view of conflict. Which is why regimes like
North Korea or Russia have leaned very heavily
on this type of engagement, because as they become more isolated and as their military
becomes less effective, this is a way for them to stay relevant, for their enemies to
continue to fear them, because cyber is an
actual weapon of war now. (mysterious music continues) But let me just say something
that is probably not obvious and might be surprising to you
here at the end of the video. Which is that the biggest
threat in the future, the thing that's gonna be the
biggest part of cyber warfare isn't gonna be these big, splashy, like shut down the electrical grid, doomsday scenario situations. Those might happen.
Those are real threats. We need to prepare for them. But like any weapon of war, cyber is turning into a weapon that is being deployed subtly, that countries will use
to get into the minds of their enemies. Like right now, we could be pretty certain that Russia and China have
quietly infiltrated parts of our infrastructure systems. They haven't done anything with that. But they're probably there, at least that's what a lot of
analysts and experts think. And that we have probably
done the same to them. And that we're all just sitting there with our little time bombs
put into our enemy's castle in case we need to use them. And we want our enemy to kind
of know that we're there. There's this list that
I've been looking at of all of the cyber attacks. CSIS, the think tank that I used to work at, documents these. And I was surprised that I hadn't heard of almost any of them
because they're small, but they're frequent. To me, this is the
future of cyber warfare. It's not Stuxnet and WannaCry. It's these death by 1,000 pokes, psychological warfare,
revealing to your enemy that you have capabilities
to infiltrate their systems. And in that sense, cyber warfare starts to look
a lot like nuclear deterrence, like a shadowy, hidden
submarine with nuclear weapons floating through the ocean somewhere, capable of hitting your enemy. And your enemy knows that. They don't know where it is, but they know that it's there. And any calculation that
they make on conflict takes into account that
that weapon is there and could be used at any point. This is the weird paradox of
war and peace and deterrence. That one of the forces that
has kept our world stable and rid of great powers
conflict since 1945 has been the fact that we
have very powerful weapons all pointed at each other. And therefore, we don't use them. Cyber weapons are going the
way of that kind of deterrence. Hopefully, they'll
never be used in the way that we fear, that the
sort of doomsday scenario of like they shut down the electrical grid and they do a full-scale attack. Yes, there will continue
to be these moments where viruses spread, and to avoid those, just update your damn software. I hate it as much as you do, but like, two-factor authentication, we gotta do it. All that stuff, it's there for a reason, because we live in a new world, and we should be prepared for that world. As for the war and the
geopolitics of it all, I'm gonna keep an eye on it, because one thing in
all of this is certain: cyber is here to stay. It is something we have to
think about and understand if we're going to understand
the future of war. (mysterious music continues) Did you guys notice
that this thing is here? Nick, the studio manager,
who's right over there, brought this in and made it amazing. And every time I talk, it moves. And that is just freakin' cool. Good job, Nick. Also, Alex,
(hands clapping) good job to Alex as well, who is the visual producer. And oh, I don't know if you know this, Tom Fox, who composes all of our music, is now offering all of his music for free for you to use in your videos. Thank you all for being here. Thanks for watching. We've got a lot more videos coming up, and I will see you in the next one. (mysterious music continues) Bye. (screen hissing and whooshing)