Here is the full transcript of Distrix Networks’ CEO Eric Winsborrow’s TEDx Talk: Confessions of a Cyber Spy Hunter at TEDxVancouver conference.
Listen to the MP3 Audio: Confessions of a Cyber Spy Hunter by Eric Winsborrow at TEDxVancouver
Eric Winsborrow – CEO, Distrix Networks’
We see it every day, in the news, for the past decade the battles that are being waged across the Middle East. On the YouTube and Facebook we get instant updates through satellites, to give us a front-row seat into the action like never before.
But what the cameras don’t capture is that there is another war going on beneath the surface — a digital cyber world where the battles are not being fought with bombs and bullets but with bits and bytes.
My name is not Doug Schmidt, but it could be if I wanted it to. My real name is Eric Winsborrow, and for the past two decades, I have been involved in creating the next-generation disruptive technologies at companies, such as Symantec and McAfee. I currently run a cyber-security company made up of PhDs from MIT and scientists from the National Labs who were tasked by the U.S. government to create the next generation of cyber technology. Our customers include the Office of the Secretary of Defense, and the Department of Homeland Security.
If there’s one thing I’m certain of, it’s this: that what’s going on today in cyber espionage will profoundly impact our lives, and we may never even realize it. If you think about it, a lot of technologies that impact our lives have been coming from government-sponsored research into next-generation defense technologies.
Last generation, the Cold War created technology such as the computer, satellite communications, and navigation and even the Internet. It is so permeated our everyday lives it’s gotten to the point where we can’t imagine ever having lived without it, to be able to see halfway around the world instantly or just navigate around the block.
So if yesterday’s next-generation technology has such a profound impact on us today, then what’s today’s next generation technology? I’m going to show you the future of cyber espionage with technology that’s actually being created today to protect nations. There are cyber battles taking place throughout the world and we don’t even realize it.
It’s gotten to a point of a confluence, emerging between man and machine in a digital cyber world where we can never tell them apart. This is the age of the cyber spy.
Now when we think of spy, we might share Hollywood’s image of a dashing and daring secret agent who sneaks into some underground nuclear facility, somewhere halfway around the world to protect us from a nuclear threat. Sometimes Hollywood goes a bit too far. In this case, however, they don’t go far enough.
You see governments today would never send a human operative into such a secret location he’d never get in. Today’s spies are cyber spies. You see it used to be that James Bond used technology. Today James Bond is technology.
I want to walk you on a journey into the future. But before I can take you there, I have to take you to the past to where the first virus actually started and the beginning of this journey of convergence.
The first virus was actually written into a floppy disk video game and inserted into a Macintosh. Yes, ironically the world’s first virus was aimed at a Mac. My, have the world has changed and we call these types of viruses ‘sneakerware’, because you literally had to walk around to install it. This is the first level of convergence where man is completely separate from machines, joined only by a pair of red sneakers. If James Bond wanted to insert a virus into a computer in a nuclear facility, he’d have to sneak in in his scuba gear and install it himself.
I love you. Well, not you, we’ve only just met. I’m talking about Melissa. Melissa is not my wife, she’s a stripper from Miami. You see around the year 2000 or Y2K, the Melissa virus named after the virus writer’s favorite stripper from — was the world’s first email born virus. It was inserted into an email attachment and sent with the subject line: I love you. Once the attachment was opened, the process repeated itself and within three months the world’s email systems were clogged up, inadvertently becoming the world’s first spam. But this also marks the second leg of our convergence story, because this is now the first time where man is leveraging technology to do work. This would be the time that James Bond used technology.
But then in the September of 2001, the world changed, and I’m not talking about 9/11. I’m talking about one week later when the Internet world changed. This was the introduction of Code Red. Code Red wasn’t an email virus; it wasn’t a zombie, a trojan; it was all of the above. It was the world’s first complex blended threat and it went around the world in three days.
By September 21st, it infected 2.2 million systems worldwide. Governments took notice, because they realized they could take this technology and bring it up to a whole other level, to do the work its human spies could not. This enters the third phase — the phase where technology replaces people. This is the beginning of the era of the cyber spy.
I’m going to tell you a little bit about how this cyber spy technology works. I’m going to take you on a real life mission that happened just before the end of last decade, way off in the Middle East. You might already have guessed its mission: to sneak in to an underground nuclear facility, halfway around the world to protect us from a nuclear threat.
This is the Natanz nuclear fuel enrichment facility in Iran and so is this from space. The Allied nations were worried that this man, President Ahmadinejad, was using those very centrifuges to create more nuclear fuel than he needed for electrical energy production. And they were right. He was also using those centrifuges to create nuclear fuel for atomic weapons. They needed to destroy those centrifuges.
But how are they going to do it? They couldn’t send in a human agent in a scuba gear, they’re in the middle of a desert. And they actually debated sending in fighter jets to drop bombs and blow the place apart. A little messy and not good PR. I mean, imagine the fallout — you know, I know, I know. You just wait.
So instead of dropping a bomb they dropped a bug. Very clean. It was — they called it Operation Olympic Games. What a great name for such a clean operation! I was here for the Olympics in Vancouver; it was clean, it was fun; it’s a great name. It’s great name.
You know, if they wanted to stick with their old plan and set fire to everything and have fallout for years they would have called it Operation Stanley Cup. I was actually expecting some booze there a little bit. But they had to get the agent in and there are several ways they do it. I can’t describe them all but one that was at least publicly shared was this one, so that’s what we’ll go with. And it’s true. They did insert the agent program into USB sticks and then they scattered those USB sticks around the compound, some workers did manage to pick them up and insert them in their computers. You know the story.
Before you get too judgmental, think about this: what would you do if you found a USB stick? Think about that the next time you go to a trade show and some stranger from marketing he says hand your USB and says read my collateral. I don’t know how many security trade shows I’ve been to where that’s happened. Now that is a different story.
But the agents did get in. Then they did what all good agents do. They started doing reconnaissance. They started working their way around the network, walking the hallways so to speak, looking for its target, and its target was that Siemens box. That Siemens box was a controller for the centrifuges and once they found it, they inserted a rootkit and a weapons payload that, forgive me, altered the programmable logical controller of the Step7 software in the application. And then it phoned home in several ways. Phoned home and gave the Americans and Israelis full command and control over that Siemens controller which then of course went and spun up the centrifuges to such a state of supersonic speed that they literally fell to pieces. They destroyed the centrifuges for months quite frankly without ever stepping foot into the facility. The program was a smashing success.
Ahmadinejad was beside himself, he was firing his best scientist because he thought they were incompetent. One small problem, though, the Allied spent so much time trying to get this agent in, they didn’t think about what if it actually got out. And bits of the program actually did and it did its job. It started searching its way for other Siemens controllers, first in Iran, then the Middle East, then Europe and all the way to the doorstep of the nuclear facilities in America.
Now before we get a little nervous, this spy knew its programming, it was told to look for a specific signature of that controller in Natanz, so it didn’t do anything. However its cover had been blown. The security industry, chiefly a researcher from Kaspersky Labs found it. And what was once a covert operation to protect us from a nuclear threat became known as the advanced persistent threat Stuxnet. In case you’ve ever heard of it.
Now there are battles like this going on all around the world and even in our backyards and we don’t even realize it. The Chinese are particularly good at this, that video you saw earlier that’s just marketing, you don’t see what else goes on. So let me explain a bit.
Last year the Chinese successfully hacked into the RSA security company through the HR department, and like Stuxnet, they weave their way around to find what they were after. They found the confidential customer passwords for secure ID tokens. What do these tokens do? They get you into networks, like military contractors Lockheed Martin, Northrop Grumman, L3. Now given Lockheed Martin makes stealth fighter planes you can imagine why that’s a good target, but they also focused on business. Operation Aurora, you might have heard about, because it was famous for successfully breaching Google’s Network.
But what people don’t realize is that Operation Aurora was about successfully targeting more than 20 companies from Intel to Morgan Stanley and here at home, companies like Nortel were not immune. The Chinese had CEO level access to confidential information and documentation for nearly ten years. And if you’re involved in natural resources, for example, bidding in the oil sands, especially against the Chinese, a little bit of a wake-up call. You might want to look up something called Operation Night Dragon. It brings whole new meaning to the term bidding wars.
Now these researchers at Kaspersky who discovered Stuxnet also recently released a report, that said that the number of network intrusions around the world in a single year had skyrocketed from 220 million, now that’s already a big number, to 1.3 billion.
What is going on? What’s the implications for all of us nationally or even personally? Well, nationally you can see why governments are so concerned. It’s not just about international espionage; it’s about the own infrastructure that we have. After all if you can take out a nuclear facility in Iran, what’s to stop them from returning the favor? And if you’re going to attack a nation you want to take out the communications network and the infrastructure like banking.
And while we’re talking about technology replacing people in this current level of convergence, then who flies commercial airplanes these days? Is it pilots or programs? If a decade ago, a number of operatives, human operatives, could storm into the cockpit of an airline, what’s to stop a program from invading an autopilot or the air traffic control?
Just last week Leon Panetta, the secretary of defense for the United States publicly went on record and said there’s a high probability, and I quote, “of a cyber Pearl Harbor with physical destruction and loss of life”.
Now what about us individually? There are a lot of hackers who are so intelligent they know how to reverse engineer these types of attacks and use some of those techniques for their own gain. You might have heard last year over a hundred million user accounts were stolen from Sony PlayStation Network. I see some nodding heads but you know what you might not have known is that those attacks actually happened over a series of several months, many different individual attacks and Sony never realized it. And as we get more and more dependent on internet appliances, you know I wonder what’s next, taking over our food supply, maybe creating killer cookie robots, you know the government always warned me about cookies were bad for our children but I just never knew.
But a little bit more seriously, if we think about those centrifuges off in Iran where we could spin them up and out of control until they fell to pieces, what other devices are we reliant on under the assumption of perfectly secure wireless internet connectivity? If this scares you just a bit, remember this that our parents generation were so terrified of the technologies that were getting invented during the Cold War that they built bomb shelters. And yet they survived and those very same technologies that terrified them are changing our lives today in a way where we can’t ever imagine living without them.
Now also remember this: those technologies I’m talking about were invented last decade. I promised you that I would take you on a vision to espionage of the future with technologies that are being invented today. So let me share that with you now.
I’m going to take you down a digital wormhole — a wormhole by the way that we plan to send those attackers. You see if you’re going to defend yourself against technology that replaces people, then the next step of convergence is to create technology that behaves like people, that in a digital world you cannot tell one from the other. We’re capable of creating massive networks so real that you cannot tell them apart. So when those attackers come in to a nuclear facility or to an HR department instead of finding the real network they find ours. And they walk around it just like Stuxnet tried to do or the Chinese did, looking for systems to infect but instead of finding real ones they find ours, these shadow systems that look and behave just like real employees checking their emails or spending too much time on Facebook.
Yeah we know, but here’s the thing, if one of those attack programs send us an email attachment and ask us to open it we gladly do. If they ask for confidential data we happily hand it to them hoping they call home, because in these shadow networks we’re watching and recording. I’m actually going to show you such a recording.
Now I got to be honest here we couldn’t show you everything. We had to actually change a lot of names, scribble out some IP addresses and we’re not allowed to bring you as deep into the network as we want; it’s a good thing because if we showed you everything we’d have to shoot you or even worse — even worse make you a government employee.
So this is like I said a real video — those aren’t the real locations, of course, but what is real is it did attack — did start in the HR department, it actually did, maybe a coincidence. Those are real real systems doing emails, real people sending out backing up their systems but they’re actually impacted with this spy program and we don’t know it. So then we turn on our shadow network, these are systems that behave like real, they interlace with the actual systems and they start communicating. In fact, it’s the bad guys that communicate to us into our systems and we let them come on in, send me an attachment, because when they do that we have every bit of information, because we can’t look into the real computers but we can look into ours and we can see what processes they use and then decide to quarantine the actual system using software-defined networking, and then they can’t talk out to the real word. And instead we tunnel them down to a shadow HR department that isn’t real, but just behaves like real and they can take whatever they want and we know exactly where they’re going.
Now what would we do with this kind of information, or more importantly what would James Bond do? James Bond had a license to kill or at least kick them really hard where it hurts. Now today 007 has an eye line, agent 001. So we’ve come to the end of our journey of convergence of man and machine, of confluence between two separate streams that come together to make things more powerful.
We’ve seen technology go from completely separate from man to leverage, to replacing man to behaving like man. What comes after behaving I wonder. Well if history is any guide, the question shouldn’t be if this technology will one day profoundly impact our lives, the question should be: will we ever even realize it?
Thank you very much.