comparemela.com

Authors and panel discussions about race and immigration we do lots of classes and conferences. If you have not received the latest news order please purchase a book at the end of the night it will tell you what is coming up over the next six weeks and a quex reminder. It is critical for every person alive in the 21st century in addition to taking on a journey of understanding the award-winning author and journalist takes a stab at what motivates the Sandworm hackers and how they protect the critical infrastructure and what lessons have we learned a new era of the most dangerous hackers you would think you're picking up the latest Tom Clancy novel however it really happened spending three years researching the story in the process to Ukraine Denmark and Russia looking up Sandworm on the internet I am not a science fiction aficionado it's an animal that appears in the Dune novels and for Wired magazine with privacy information and hacker culture the author of the machine killed secrets and the Wired cover story winning an award from the professional journalist and lives in New York with his dark wife a documentary filmmaker and we are honored to have in conversation with Andy about computer security and privacy he wrote about cloud business computing and a bitcoin and lives in San Francisco please give a welcome to Andy. [applause] Thank you so much for having us here it's really wonderful to be in a full service bookstore like this. I will get to your question about Sandworm but I want to start like I feel like I should apologize because his first book came out I just read a little blurb and I said that story about Julian Assange and cryptography and the quest for conversation on the internet and these technologies that allow WikiLeaks to have them but now I don't know this will catch on but I remember writing I'm not sure this wiki thing might be overblown. 
Like there's no point in the story of leaks and then I forgot everybody forgot that I wrote a book about the leaks lamented just kept coming and now it's part of the culture almost like generational of those millennia is one millennials of post millennials this is a wonderful time to be a journalist one of the big stories in the news right now is about a whistleblower. It really took off so a few years later have you connected that if technology really did build a new sentiment of the leaker generation. I didn't expect to be talking about this book but it was mega leaks and with that data digitally and anonymously yes that is happening like the Paradise Papers that followed have dwarfed all of the leaks I wrote about in that book and continue with the exponential trend line that it shows we are in this new era of liquidated information that can be leaked and talking to the German reporters who are paying the penalty now every newspaper has the same cryptographic protected anonymous inbox that WikiLeaks invented and popularized now the Wall Street Journal has those the wire has one and then the New York Times with serious investigative journalism maybe it was too early because it came after WikiLeaks and then it became very much news the 2016 I hope this book has better timing. I hope you are wrong this book is terrifying. Really the book puts the risks of cyberwarfare in a context and perspective that if you would have asked me of this would have happened ten years ago I would've laughed at you at that time I thought of cyberwarfare as a term for espionage or software related to in fact the nuclear version but it was science fiction but the book captures the whole context so the first question to start with about Sandworm tell us how your book came to be called Sandworm. 
In 2016 after the election hacking by the Russians my editors were obsessed as anyone and wanted to find the big story of cyberwar and like you I didn't say this out loud because I do what editors ask for but I was resistant to the idea that they stole the information from the DNC to me that seem to be republic but not cyberwar but I went looking for what could be a real cyberwar story but my colleague had written the story about the first ever blackout happening in Ukraine so talking with what was happening in Ukraine and with that bigger context in 2014 they had this revolution that was breaking free of the influence and Russia had responded by invading and they were accompanied by wave after wave of cyberattacks not just one blackout but were they tried to spoof the results of the Ukrainian election before they tried to mess and they had government agencies and private industry destroying hundreds of computers in the networks and then finally that first blackout had the climax from the first attack and with Ukrainian civilians the first time that has ever happened anywhere in the world and then there was a second blackout so the story was still unfolding and it wasn't real war it is an actual nation-state hacker group with critical infrastructure and in the midst of a physical war and then trying to figure out who was responsible and who were the Russian hackers and entrance raising their company outside of DC and they discovered these hackers and they seemed to be Russian in 2014 and the group they appeared to be Russian because they left one of their servers open and the United States analyst found Russian language for the malware they were planting on the targets in Eastern Europe so it seemed they were doing typical espionage stuff but then they began to notice some of the targets did not look espionage back critical infrastructure for even in the United States American grid targets had the same malware planted in fact this group use them as the first step 
but the reason and this group would be called Sandworm is each of the victims of that first round of attacks was identified in the snippet in each of those references was a little name from the science fiction novel Dune that was called sandworms so we just named it Sandworm and looking back it was incredibly appropriate because it is a monster that hides beneath the surface and only occasionally surfaces to do terribly distraught one disruptive things which was very appropriate for this one group of hackers to become the first real cyberwar. Is it big in Russia? [laughter] But they were using that same server to control this malware. Actually that's what tied the attacks together in the first victims of the 2014 campaign. But the stories that you talk about we had heard about cyberattacks on the grid for years and they were always wrong or like a squirrel or transistors so when this happened when people were suggesting it could be a cyberevent. I got in late 2016 and then it was a year since the first in fact the mechanics were laid out by a cybersecurity analyst who eventually became the central characters in my book and the mechanism of that first blackout is so interesting starting with the typical documents and a phishing email that is the malicious part of it then they would steal your passwords and then the VPN to move into the other part of the electric grid network and that is what trolls like circuit breakers but then the way they took control was insidious they hijacked the remote desktop like IT administrators would to remote into your machine and then the poorer grid operators in the control room watched as the mouse started moving of its own accord but then they could not click through all the circuit breakers and then turn off the power to thousands more there was nothing they could do about it I was very drawn to this hacker group and I got this by going to that utility and you eastern Ukraine and then it airdropped into my iPhone it is 
something that I heard about but then we could see it. You write a lot of interesting stories about cyberoffense but at what point did you feel this was a topic for a book? I eventually delivered for Wired which was the Ukrainian federal wars that by early 2017 I had gone to Ukraine and what was happening with this one group of hackers that we came to know as Sandworm carried out these escalating attacks and the thesis of that story is we have to pay attention to Ukraine that's where Russia shows the capabilities and using Ukraine as a test lab for innovation and we can see cyberwar and we can predict lightly what happened to Ukraine can happen to the rest of us. And the day it hits the newsstands and it was released by the same with the worst cyberattack in history it to take down the world's largest shipping firm and FedEx and on and on with this prediction and on the very day that you print it that is what happens and that Ukraine was a canary in the coal mine. It took a little while to recognize what it was now I have to define Sandworm but that this piece of malware that spreads from computer to computer automatically which is amazingly dangerous. And that is what happens but it looked like ransomware you have heard of that and then demands a certain ransom. And then to gain access. And then people realized even with 300 you could not get it back and a destructive form pretending to be ransomware it was a cover story that hits Ukraine very quickly and destroys the networks of 300 companies of government agencies and many hospitals and transportation, ATM it was the carpet bombing of the country's internet but it wasn't initially clear but as they reported to their shareholders 300 million in damage. With those ransomware attacks it cost 20 million ultimately. From one company and losing 750 million. 
In this is quickly turning out to be the worst attack in history but none of them would talk about their experience or how they would lose that much money to this attack so it was becoming clear it was something unusual to see the full scale it ultimately cost 10 billion but we quickly could see the forensic link and the earlier Sandworm attacks that turned off the lights. This is the work of one group and I could see there was an arc to the story and that's when I began to work on the book. It's crazy because it was designed to spread like a worm around the world. So we have the two attacks that are linked to Russian intelligence and one causes widespread damage including taking out companies in Russia. Why? When you try to figure out what it was intended to do, it worked by hijacking the Ukrainian accounting software. And then piggyback on the software updates and pretty much anyone in Ukraine who wanted to file taxes or do business had to have this accounting software it's equivalent to TurboTax. That was how it was targeted Ukraine but it seems that Sandworm in this way that I have come to associate the Russian military intelligence agency that thought Sandworm was a part of what is insanely reckless and brazen attack to shoot first to destroy the internet without considering the collateral damage. Not only Russia but I spent nine months reporting this book delving into the experience of the multinational companies to capture what it looks like when the entire global conglomerate is online. My favorite part is that shipping giants there are 18 wheelers turned around at the ports around the world and just to the global traffic is frozen by the ransomware and at minsk they almost lost everything almost all domain controllers but they got lucky. Because in the beginning of the story at their headquarters in Copenhagen they never returned my calls. 
None of these massive companies that would talk officially what happened to them or that it was Russia it took back channel investigative reporting and it starts with the IT staffer who told me his screen was black and then he looks up to see there is a wave of black screens going across the room in the office as every screen global headquarters turns black and then shows a ransom message. People are running down the hallway everybody turn off their computers before they can be infected going into middle of meetings to jumping over turnstiles even the physical security systems were already locked and paralyzed by the malware. And those terminals and then to carry another Empire State Building worth and they couldn't figure out what was on the ships they didn't have inventory software did not know how to unload them. Seventeen terminals around the world so the trucks are lining up by the thousands miles long nobody is telling them where to go they can't even send an email to tell them what's happening one staffer who was enterprising went into his own Gmail account but the entire network was down tens of thousands of trucks had to figure out where to send their containers but is part of the just in time supply chain. And that is 17 ports around the world. And with that pharmaceutical science and then FedEx and each one has that disaster story. And that cannot even be quantified and hospitals across the United States and that is speech detection software that allows doctors to read changes into a medical record to have them automatically update from an audio file. But Nuance was taken down and lost 92 million but the bigger cost is that Nuance failed so that all the hospitals and one executive told me she was on a conference call where hundreds of people were trying to get answers so there were dozens or hundreds of hospitals had doctors who were reading changes in to the software and it was lost. Like procedures to be followed for surgery. Everything. 
Talking about someone's treatment but a test that is necessary before surgery it took one IT administrator told me that one week later I should say in some cases they had many millions of changes to medical records that were lost. And an IT administrator was panicked by a nurse we have to transfer the patient and we don't know if they had the test necessary to clear them for the procedure and then it was a few hours before it was scheduled to happen and then find the lost audio file to make the change manually and they did it just in time but it happened three more times just in this one person's experience in that week. And then you multiply that by how many patients were affected it was hundreds of thousands and hundreds of hospitals I did not actually confirm anyone was killed, but you do start to question how did that not have somebody's health seriously harmed on such a massive scale. I will come back for questions in a few minutes. And built on a couple pieces of software that was created by the NSA and another by a French man. There were two pieces that were not created to do this. Basically there were three main ingredients. With this armageddon moment there was that hijacking moment. Not that you have a foothold and with the NSA hacking to all. And we still don't know how they steal those tools from the NSA that could break in with this technique that was paired with a demonstration that was intended to mean cute cats but it was a dangerous component because they could take all the passwords on the computer and then use those to gain access that the password had the access to so if they intertwine and seeding that out given the initial foothold on the network with any of these Ukrainian institutions in seconds it could saturate every computer on the network. You have 10 billion in damage in part because of the NSA hacking tool. How much of that is NSA? 
EternalBlue this tool was leaked by the rogue hackers but they did their best to respond and they pulled Microsoft before it was leaked publicly they try to help them put out a patch to protect people but it turns out patching is a problem you have to convince millions of people to install the patch and a lot of people don't. Do you blame the NSA the tool was taken and misused? To use it almost exclusively but they just spy on a global scale but they will use the same hacking tools to disrupt the same way Sandworm does. But what you can criticize them for before it was stolen and leaked. That's the theme of the book that the US government has its entire story to be so much more interested in these capabilities to push forward the arms race of cyberwar than trying to control these incredibly dangerous hackers and the arc of the book is how the US watched cyberwar. As Sandworm turns out with thousands of Ukrainian civilians even though Ukraine is not NATO to say that's not okay you don't do that to anyone especially was cyberwar crimes. So what do you think the red line should be? Where would it be? It's probably never okay but that indiscriminate mass scale of the first of these quarter million Ukrainian certainly that's not okay but when I put this both to Obama and Trump Administration officials they both made the argument we want to be able to do that ourselves we don't really want to call out Russia or have the Geneva Convention for cyberwar we want to turn that off and destroy entire networks. But it should so shortsighted because we lived in that targeted way but when you call out Russia to set the rules nobody should do it then Sandworm does it in this way that is entirely indiscriminate they don't care that much of their own people are hit. So from your perspective is still the wild west I don't know if you have a read since the Obama Administration. 
The Obama Administration tried they indicted Iranian hackers for disruptive attacks and President Obama gave a speech talking about North Korea had hacked and that's what they failed to do for Ukraine they watch the Ukrainian cyberwar from a distance and said nothing as a terrible and unprecedented act of attacks on civilians continued until it blew up in hit us as well even with all the warning of in Ukraine and out that were watching that that this was a dangerous and unfolding phenomenon. The Trump Administration has their own blind spots so on American soil billions of dollars of damage to American companies to shut down the medical record systems and took eight months for the Trump Administration to even say anything. And in part and then to talk about Russian hackers. And then there was a statement that it only takes the government years into this calamitous global cyberattack to start talking about the cyberwar in Ukraine. To say this is Russia we will do something about this. And the coordinated statements. And then to give credit to some in the White House that made this happen. And Sandworm was called out at all. And that accounts for something and that six days before the Trump Administration even made that statement the same agency had carried out another destructive cyberattack on the Winter Olympics in Korea but still were not held accountable the government still had said nothing. That is also a great story but before we go further if anybody has a question? My first exposure was through security and with constant attacks and it tended to be from the suspects then you could think why people want to talk about this I would love to hear more about where we are now not just the administration but the private and public partnerships and where they are to stay current and are we falling behind? So in the context of these terrible issues are we falling behind? Are we ready? 
Potentially you saw those attacks but we use to talk about cyberattacks like somebody trying to hack your network but when they do that with the most common version is some sort of espionage. But now what I call cyberattacks is to do something disruptive to take down whole networks to mess with infrastructure that's the new world so the question is are we protected? We have learned a lot of lessons over time embracing that community but really isn't technical cybersecurity like an endless uphill battle in any kind of setting in the geopolitical sense of drawing the redlines in like the Obama Administration started to do that calling out certain actions we will indict your hackers like they did for the Russian meddling but those rules break down when you watch a couple of blackouts. What do you make of the fact the first nation to have a self replicating piece of software to attack medical systems was the United States? That's part of cyberwar. I think of it like pout Lord of the Rings and they all think they can use it for something good what they think is important for their agenda and none of these players in the global stage want to destroy it but the US did stuck with the piece of malware to destroy the centrifuge that was a new demonstration with just a piece of code you can destroy physical equipment. And spread through 30000 computers and targeting with software that's not supposed to be there. In some ways it was definitely a mistake and may be had not been identified but the important thing to point out is it didn't start spreading around the world and blowing up like the Iranian centrifuge but for the most part it just spread and that was just the opposite and that was a big mistake in those Iranian facilities and it got out of hand. If they typically targeted Ukraine? Why did Russia target Ukraine? 
It has a very abusive relationship with Ukraine it was part of the Soviet Union in fact many Russians consider them to be an offshoot of their culture as part of their thousand year history. And also Ukraine has things that Russia wants like warm water ports in the previous generations that it was just part of the sphere of influence and when it embraced the left instead of 210 with the buffer zone that Russia wants to create so Russia invaded and this is a frozen conflict that Putin did not want to conquer Ukraine but place the war they are that never ends to weaken the country to make it a permanent war zone. That's where cyberattacks come in and why cyberwar so effective because you can project to the uncertainty and that loss of confidence well beyond the military front to demoralize civilians and the rest of the country. You have great descriptions of people trying to make ATM machines work the gas stations are not working so the fears that my boss is annoying. Ultimately that type of disruption of mass societal creation of fear is a kind of terrorism you don't have to gain that much in your war against Ukraine by preventing people from taking the metro because they cannot buy groceries but it is a psychological blow that makes the populace wonder if they really should be supporting a government or maybe they should feel nostalgic for that previous regime they overthrew when things were more stable. With the multinational corporations with the existential crisis with political capital to prevent this from happening again if you see them respond that could be effective or is this just inevitable? What are corporations doing? And talk about Microsoft. A lot of these attacks were on their system. I think you are asking about the victims? 
The reason we tell the story of what it felt like internally is because of victim shaming but I did my best not to do victim shaming and why they were vulnerable because I do believe a lot of this could happen not quite any multinational company but many of them. It was a very insidious and sophisticated attack using a secret vulnerability among other things but nonetheless now I will shame this because they had developed a new security plan I learned that was involving upgrades to all of their computers and operating systems which is exactly what would have protected them and they had a budget for this but the IT team never took it forward because the bonus incentive program did not do it so they paid a massive price afterwards of course they did have to rebuild everything with 45000 PCs and so they built them in a more secure way. But that was after the fact. I really want to tell the story of the main controller. [laughter] I don't know how they backed them up now but domain controllers are servers that are the backbone of the big IT network and have access for you can't really have a massive network without those rules. And they created a desperate recovery operation outside of London where people are sleeping under desks and in hallways days on end and one of the first things that they encountered they did not have a copy of domain controllers or have a backup and miss cad more than a hundred all over the world. 
But they were designed to back up to each other you cannot have 25 go down but have dozens of others I had a copy of the same data but what they did not plan for where all the domain controllers go down so when they realize there was panic to call all the data centers around the world and finally found in Ghana because this one data center had a normal blackout not a hacker and the result was that the one domain controller had been offline at the moment it hit so the backup was preserved so it had the data that was a lifeline for their entire network in Ghana they sent that to the recovery operation center but they couldn't get enough bandwidth. So they try to fly them to London on a plane but they didn't have the right visa so they had to fly the Canadians to Nigeria. So with this handoff in the Nigerian airport and then fly back where they were doing the recovery operation and then rebuild the entire global network so the result is. And then you have to say. I heard a little bit about Merck as well the backup of all the data it was a hot backup rather than a cold one so they could more easily update their backup and that was destroyed as well. Companies are making efforts but it is an extra bit of defense that you never actually expect to arrive. I think they are doing it now it's hard to know but that they are learning their lessons until they win the hard way because this is what we should be spending money on. We are out of time thank you for chatting. We could go on and on but we are out of time. I cannot stress enough the way the book put the context of the physical cyberthreats in the proper place is remarkable. [applause]
