Transcript

Cyber War

SARAH FERGUSON, PRESENTER: Hello and welcome to Four Corners. As you watch this program you may be multi-screening with your mobile, tablet or laptop - and if not you'll almost certainly have one of those devices within reach... Australians are famous for embracing technology, we own more than 70 million internet connected devices. And every one of them is vulnerable to being hacked. Tonight we'll take you into the world of computer hacking to show you how weak our cyber defences are against attacks from criminals on our personal information and at government level international sabotage. Linton Besser's investigation looks at the secretive operations of the government's cyber warfare fightback... but his story begins at the hackers' version of the Olympic Games...

KATIE MOUSSOURIS, CYBER SECURITY RESEARCHER: It's the hottest that it could be in the United States this week, in Vegas. It's a huge party in the desert. Literally this town, Vegas, is taken over for pretty much the entire week by hackers.

PROFESSOR DAVID BRUMLEY, DIRECTOR CYLAB SECURITY AND PRIVACY INSTITUTE: I think cyber security is a bit like, you know, what we call here in the US the Wild West. It's really a bunch of independent gun-slingers.

LINTON BESSER, REPORTER: At the height of summer ... tens of thousands of the world's top hackers have converged on Las Vegas.

GRAND CYBER CHALLENGE ANNOUNCER: What is the Cyber Grand Challenge? It is the world's first all machine hacking tournament.

LINTON BESSER: These hackers are here to learn new ways to attack computer networks ... in order to protect them.

KATIE MOUSSOURIS: Hacking is a crime in most countries um however there are- there are folks who call themselves ah, ethical hackers or white hat hackers etc and these are folks I- I like to describe as good people who know how to do bad things um, so you- you know, you wouldn't consider a ah, locksmith to be a burglar, but a locksmith knows how to pick locks um, hackers who come to these conferences and learn how to pick digital locks are essentially the same, same idea.

DEF CON VOLUNTEER: Track one on your left, track two on your right, track three all the way down to the end of the hall.

LINTON BESSER: I'm here at one of the world's biggest hacking conferences in Las Vegas. Everyone has told me to make sure my Bluetooth and Wifi are turned off ... because phones here are routinely hacked. I'm going to go and check it out.

DEF CON ANNOUNCER: The prize today is $15 per judge...

LINTON BESSER: In a world of internet-connected devices...almost everything is vulnerable to hacking ... from drones ... to fridges ... even cars.

CAR HACKING VOLUNTEER: They found you could wirelessly get into a vehicle. It took them a year and a half to be able to do that research and be able to figure out that they could get in that car...

LINTON BESSER: Despite the warnings ... a few people at the conference used wifi to go online ...their logins and passwords were plucked from mid-air and put on public display. They call it the Wall of Sheep ... because most of us have been blindly led to trust technology.

DAVID BRUMLEY: I think, I mean obviously technology is penetrating more and more of our lives. My computer is of course something I want to protect, but my car is also running a computer. So we look at cyber security from the traditional my laptop level, to the personal level - I want to protect my memories, to really the safety critical, such as cars, vehicles and airplanes. And it's just a growing domain. We should all be thinking about it.

GRAND CYBER CHALLENGE ANNOUNCER: I'd like to introduce everyone, to a special part of the Grand Cyber Challenge...

LINTON BESSER: There are so many hackers that have poured into Las Vegas for the DEF CON conference ... but there's only a few at the cutting edge.

DAVID BRUMLEY: So here in Vegas we have, you know, over 10,000 people at DEFCON. But if you really want to know who the elite are, you have to go into a backroom in DEFCON and there you're going to find, you know, about a dozen teams playing against each other, no more than a hundred people. And these are really the world's cyber elite. So many people think, you know, there's this many hackers in the world, but really there's this many who are really making a difference day to day.

LINTON BESSER: Teams of the best hackers from around the world are pitting their skills against each other.

LUKE HARRISON, AUSTRALIAN HACKER: The aim is to break into other people's services in order to capture the flag. We also get to patch ours, so to fix the vulnerabilities in ours while also trying to hack into theirs.

LINTON BESSER: They're all trying to crack the codes that drive each other's computers.

DAVID BRUMLEY: I think like in any field if you're not following the trends, if you're not looking to the future, you're going to be behind. And if in cyber you're putting your head in the sand, you're going to be a victim. People are going to come after you.

LINTON BESSER: Challenges like these draw out skills that are highly sought-after ... including by the government.

KATIE MOUSSOURIS: The US government you know, basically said we're in you know just like everyone else on the internet we're being attacked, we are- our methods of securing everything have not been adequate, we need to reach out to the- the private industry and find out what industry best practices are working for them, and actually create more programs that can rapidly bring in the best and the brightest.

ASH CARTER, UNITED STATES SECRETARY OF DEFENCE: It's great to be here this afternoon with a few of the dedicated people who defend our networks, everyday, as well as some of the technologists and hackers who have contributed to our defence mission by taking part in Hack the Pentagon.

LINTON BESSER: These are the winners of a Department of Defence competition ... their challenge was to hack the US military's headquarters at the Pentagon.

KATIE MOUSSOURIS: That was the very first time that the United States government allowed people to hack them legally and also ah, paid money to them, the Secretary of Defence congratulated these hackers, handed them challenge coins. Basically wanted to talk to them because he's- he's in a position where he's realised that we can't actually recruit through the normal methods anymore. We have to reach out to this population and we have to make it something where they are welcome in places like the Pentagon.

GENERAL MICHAEL HAYDEN, FORMER HEAD NSA / CIA: Let me be very, very candid, alright? I was a Director of the National Security Agency here in America, the American equivalent o-of ASD, right? The last 15 years have been the golden age of electronic surveillance.

LINTON BESSER: Michael Hayden has been the head of both the Central Intelligence Agency and the National Security Agency in the United States. He staffed the US Government's elite cyber unit from the ranks of the hacking community.

MICHAEL HAYDEN: The most sophisticated office at the National Security Agency is TAO, Tailored Access Operations. It's our, it's our hackers, it's our cyber espionage folks, alright? We began to rapidly expand that while I was director, about 2002, alright? We were bringing in a whole bunch of very young people and we were taking those young people because they had the talent, and we were putting on- putting them on our most sensitive operational activities.

LINTON BESSER: In his youth, Kevin Mitnick was one of the United States' most infamous hackers. He spent years hacking major corporations including Nokia and Motorola ... until the FBI caught up with him.

KEVIN MITNICK, HACKER: Eventually I pushed the envelope so far that I ended up in federal prison for five years and in fact one year was in solitary confinement because a federal prosecutor told a judge that not only do they have to hold me in prison, because I'm such a danger to national security, but they have to keep me away from the phone and the judge was like a little bit confused, like why? And the prosecutor went on to say that if we let Mr Mitnick near a phone he could, whistle into the phone and launch an ICBM.

LINTON BESSER: Today Kevin Mitnick is a cyber security adviser to top companies. We met him in Melbourne. He says we don't realise how vulnerable we all are. He's about to demonstrate just how easy it is to hack into my bank account. In this alleyway he's just set up a fake wifi network.

KEVIN MITNICK: So Linton's sitting over there, thinks he's really connecting to Telstra air C3. But what he doesn't know is that he's connecting to my fake access point. And what we're gonna do is we're going to take over his computer.

LINTON BESSER: As soon as I logged into it ... he was able to record all of my keystrokes -including my banking password.

KEVIN MITNICK: And then what I'm gonna be able to do is steal his passwords, and I'm gonna be able to inject fake updates, so when he installs them we gain full control of his computer system. And he'll never know the better. Back when I started at hacking you didn't have the tools that you have today. Basically you had to develop your own exploits, systems were not as secure, the reason being there was a much lower level of security awareness. But now we fast forward to today and you have tonnes of tools that a high school- a junior high schooler could download and use to exploit systems.

LINTON BESSER: A similar wifi scam was behind a fraud shown on this CCTV footage from inside a Westpac branch in Sydney. It was recorded in December 2014 ... and shows two men setting up a bank account. In fact, they're members of a criminal syndicate ... and the account was opened with a stolen identity.

ARTHUR KATSOGIANNIS, NSW POLICE FRAUD & CYBERCRIME COMMANDER: So that's both of them there, actually producing these false drivers license, which is pretty good high quality

LINTON BESSER: The syndicate they're working for had obtained people's personal details after they hacked their phones through a free wifi network.

ARTHUR KATSOGIANNIS: They were able to convince the bank they were the actual legitimate account holder

LINTON BESSER: NSW Police Detective Superintendent Arthur Katsogiannis oversaw the strike force that busted open the crime ring.

ARTHUR KATSOGIANNIS: That's a good shot of them, shows you how calm they are. Some of the techniques and methodology used by this particular criminal syndicate are the use of um malicious software which is ah placed on a person's computer to take their personal details and account details. They then port the individual's phone without the victim's knowing to bypass the two factor verification and then they recruit mules, most of them are international students or foreign, who go to the banks, open up fraudulent bank accounts there, take the identity of the victim, then withdraw all their money over a period of days. It's as simple as that.

LINTON BESSER: The police have arrested almost 50 people in connection with the crime ... after they stole more than $6 million.

ARTHUR KATSOGIANNIS: Cybercrime poses one of the greatest challenges to law enforcement this century. No longer do we have that individual who carries a firearm and wears a balaclava to disguise their identity. It's a lot more profitable and a lot easier for someone to pick up a laptop, sit in the comfort of their lounge room behind the anonymity of the internet and take the bank for millions of dollars.

ALASTAIR MACGIBBON, SPECIAL ADVISOR TO THE PRIME MINISTER, CYBER SECURITY: Criminals recognised cyber was a great frontier at the very early 2000s, so they've been going at this for 13 or 14 years. What they've realised with cyber is the cost of entry is very low, the likelihood of getting caught is still low and they only need to steal a small amount from lots of people to aggregate a large amount of money.

MICHAEL HAYDEN: Here's what's happened over the past 10 or 15 years. All of us, myself included, businesses, governments, we've taken things that we at least would keep in a desk drawer or a wallet, sometimes even in a safe, and we've decided to put them in our phones or to put them in something called the cloud. And I think we did it indifferent to the dangers we were creating for ourselves by putting our precious information, where it was personal or governmental, in locations that were not nearly as safe as they were when we kept them in the physical domain.

LINTON BESSER: What many computer users don't know is that any device linked to the internet is potentially vulnerable. A few weeks ago Four Corners located a website that identified thousands of private hard-drives that are connected to the web. About 400 of these are owned by businesses and individuals in Australia. But the vast majority of them are not secure and are sitting open on the internet. Here ... I'm looking at the files owned by one man in north-west Sydney ...I can see all of the files in his hard-drive ... from insurance documents ... to information about his business clients. Hullo Matthew, it's Linton Besser from Four Corners, how are you? We contacted the owner of the hard-drive, Matthew Edwards ... who is a telecommunications engineer. Ok, we'll jump in the car and see you shortly. Cheers. So this is the home office here?

MATTHEW EDWARDS, BUSINESS OWNER: Yes, absolutely.

LINTON BESSER: Matthew Edwards was disturbed by what we told him about the hard-drive he was using to store his information. So when we contacted you Matthew, what went through your mind?

MATTHEW EDWARDS: I wasn't very happy. I was unbelievable, initially I thought, I was thinking this has gotta be some sort of a scam.

LINTON BESSER: What kind of sensitive information was stored on here ...

MATTHEW EDWARDS: My personal data, as I said it's my, initially it's all the quotations, I've just been doing and I'm starting a new business, I didn't want that out

TIM WELLSMORE, FORMER MANAGER, AUSTRALIAN CYBER SECURITY CENTRE 2013 - 2016: It shows how simple it can be to enable the cyber security threat and by putting infrastructure or computers in your home without giving any thought to the cyber security threat.

LINTON BESSER: And they've been horrified when we've called them, I mean they've had no idea.

TIM WELLSMORE: Yeah unfortunately it's the power of what the internet can enable is great for business and great for enterprise, unfortunately it's equally as good for the bad guys. Ok so we've got the attacker one. He came through here. This is obviously the first campaign, came through and created an incident.

LINTON BESSER: Former Australian government cyber security official Tim Wellsmore, says it's not just individuals whose secrets are vulnerable to others. In fact governments and businesses in Australia are attacked and compromised all the time. Hacking happens so often there is a marketplace in the dark corners of the internet where access to hacked computer servers is bought and sold.

TIM WELLSMORE: We also had another victim, and the first compromise occurred on this system. You could buy one of those compromised servers for anywhere between five to ten to twenty dollars depending on on where it was and what type of system it was.

LINTON BESSER: I mean that's just staggering isn't it?

TIM WELLSMORE: It's a market driven economy unfortunately. To me it shows, it's starting to show that the threat really is everywhere. That the price of of a compromised system of five dollars probably just shows you exactly how far down the road we are of the cyber security story.

LINTON BESSER: This year security firm Kaspersky released a report which said a huge volume of computer servers around the world had been hacked ... their logins and passwords put up for sale online. Kaspersky then published a separate list identifying 170,000 computers which may also be suspect, including thousands in Australia owned by companies, local councils, law firms and schools. Computers like these can be used to launch what's called 'denial of service' attacks ... where a website is flooded by artificial traffic, much like jamming a switchboard.

TIM WELLSMORE: There's a there's a lot of computers for sale on the dark web that have actually been hacked and compromised and are sitting there waiting to be used for attacks. That marketplace exists and there's quite a strong marketplace because for these attacks to occur, they don't want to use their own computers to launch them, they want to use somebody else's that doesn't look like an attacker and unfortunately there are there are thousands of these servers or computers out there for sale um that can be used for these attacks.

DAVID KALISCH, HEAD STATISTICIAN ABS: I would like to firstly apologise again to the inconvenience that has been caused for many Australians.

LINTON BESSER: Australian institutions have shown themselves to be woefully unprepared for even basic cyber security threats. The recent Census debacle was a case in point.

DAVID KALISCH: The ABS took the early prudent precaution of taking the system down around 7:45pm last night to be assured of the integrity of the data.

LINTON BESSER: Facing a low-level denial of service attack ... by an unidentified attacker ... the ABS panicked and took the Census off-line ...

ALASTAIR MACGIBBON: That attack the denial of service attack easily predictable and certainly was not of a scale or sophistication that should have caused any significant problems. That combined with a series of events, at least as we know them at the moment, that end on end led to the ABS taking the site down, should have been predicted and prevented.

LINTON BESSER: Alastair MacGibbon is the Prime Minister's cyber security adviser. His job is to roll out an ambitious cyber security strategy designed to protect Australia from the growing threats online.

ALASTAIR MACGIBBON: The Commonwealth Government takes these matters very seriously. The launch of the Cyber Security Strategy in April is the start of what I would say is the next wave of cyber security capabilities in this country. A step change.

MALCOLM TURNBULL, AUSTRALIAN PRIME MINISTER: Well good morning and thank you very much Jennifer. My friends the internet is the most transformative piece of infrastructure ever created...

LINTON BESSER: When the Prime Minister launched the strategy in April... he made an extraordinary admission.

MALCOLM TURNBULL: The Bureau of Meteorology suffered a significant cyber intrusion which was first discovered early last year ...

LINTON BESSER: It was the first time there was official acknowledgement that a critical Australian Government agency had been penetrated by a sophisticated cyber attack. The government didn't say it publicly, but intelligence sources have confirmed to Four Corners that China was behind the attack ... something Beijing continues to deny. Four Corners has been told that China's true targets may have been the Australian Geospatial Intelligence Organisation ... which provides satellite imagery for sensitive defence operations... and a high-tech radar system operated by the Air Force.

ALASTAIR MACGIBBON: I would say to you that people who compromise systems will usually try to find a way to move laterally through it. If that means through a third party that's what they'll try to do.

LINTON BESSER: And is that the case we saw with the Bureau?

ALASTAIR MACGIBBON: I don't know. I don't know what the intention of the people that compromised the system was

TIM WELLSMORE: There is a lot of assets in the Australian government that would be of interest to China and other Nation State actors specifically why the why the Bureau of Meteorology or as you as you speculated the AGO was actually ah was a target, there's obviously some sensitive intelligence information within some of these organisations that would obviously be to give advantage to other to other nations to understand those.

MICHAEL HAYDEN: Australia and the United States and other friendly similar nations around the world ah need to protect their data, because what you just described to my mind fits the definition of legitimate state espionage. And look, we have every right to complain about espionage. We criminalise it when our own citizens do it, of course, alright? But it is what adult nation states do to one another.

ALASTAIR MACGIBBON: It would seem appropriate the nation states would be interested in the defence science area and of course the defence science area is aware of needing to keep itself secure. The Australian Government knows it needs to protect these things, it knows it can't ever be static in how it does those things and will continue to strive to stay ahead of whatever the threat environment is.

LINTON BESSER: It's here at the Australian Signals Directorate ... that the work of protecting vital national assets is done. But what really troubles people like Alastair MacGibbon ... is when other countries use their powers against individuals and businesses.

ALASTAIR MACGIBBON: We believe in a free and open internet. And that means that you don't use those types of, in a way calling it weaponised capability against other people's intellectual property or to their economic wellbeing.

LINTON BESSER: But this is something that China has been doing over and again against businesses in Australia for some time isn't it?

ALASTAIR MACGIBBON: It's not useful for us to talk about any particular nation states.

LINTON BESSER: Newsat was once Australia's biggest specialist satellite company until it was sold off last year. It carried sensitive communications for resources companies, as well as the military. But its jewel was a 5-tonne state of the art satellite called Jabiru 1 which it promised it would launch over Asia. The company's former IT manager Daryl Peter said the Lockheed Martin-designed satellite made it a target for Chinese spies.

DARYL PETER, IT Manager NewSat 2012 - 2014: Their ambitious plan to build a satellite and of course the confidential design plans for it make it a very attractive target. There are certain countries where they may not have those available so getting those confidential designs would be very beneficial for them.

LINTON BESSER: In a meeting called by the Australian Signals Directorate, Daryl Peter was told the company had been seriously infiltrated by foreign hackers.

DARYL PETER: They'd been inside our network for a long period, so maybe about two years. And the way it was described to us was they're so deep inside our network it's like we had someone sitting over our shoulder for anything we did. Newsat had been hacked. And not just by teenagers in the basement or anything like that. Whoever was hacking us was very well-funded, very professional, very serious hackers.

LINTON BESSER: Newsat's former chief financial officer Michael Hewins said the company's IT staff were told Newsat's computers had been so compromised they would not be allowed to launch the satellite until major changes were made.

MICHAEL HEWINS, CHIEF FINANCIAL OFFICER NEWSAT 2011 - 2014: They were told something of the order of, I'm not sure if it's a direct quote, but that we were a joke, that we hadn't taken seriously what we'd been told and that our network was as far as they could see the most corrupted they'd seen. Period.

DARYL PETER: They actually said to us that we were the worst. Which was, given the organisation it is, it was very scary for me of course because all the government organisations that of course sometimes do get hacked, for a small company like Newsat to be the worst they'd seen, it made me feel like fixing that would be quite an issue.

MICHAEL HEWINS: The process was pretty nerve wracking what was going on because every day was something you were finding out. It's one of those things, you know, you can't see the problem and suddenly you open the door and you go, oh my God, it's like Pandora's Box.

LINTON BESSER: As Daryl Peter investigated - with the assistance of Australia's cyber spy agency - it became clear to him who was behind the attack.

DARYL PETER: With the more specialised security tools that we had we were able to determine the location of the attacks and the majority of them were coming from China.

LINTON BESSER: And what did ASD say about all of that?

DARYL PETER: They thought that of course it was all very interesting but it wasn't too surprising.

LINTON BESSER: Why not surprising?

DARYL PETER: China tend to target more government organisations or organisations in that space there's been a number of publicised hacks by China.

MICHAEL HAYDEN: Where I'm really concerned and where I think Australians should be really concerned is the Chinese not attacking the Australian government or the American government; our governments should be able to defend themselves. Again, not shame on China, shame on us if they steal our secrets. It's a really unfair fight though if a nation state like China attacks private enterprise in Australia again not for legitimate state espionage purposes, but for industrial and commercial advantage.

DARYL PETER: Given we were up against China, state-sponsored, a lot of money behind them and resources, and we were only a very small IT team, it certainly wasn't a fair fight for us, I mean we didn't have any specialised security skills

LINTON BESSER: One of the cyber world's foremost experts, Washington-based Dmitri Alperovitch, says Australia has not done enough to warn industry about online threats.

DMITRI ALPEROVITCH, COMPUTER SECURITY INDUSTRY EXECUTIVE: The reality is that the Australian government is very well aware of these activities but they have not really come out and publicly acknowledged it, they have not done a good job in my opinion educating the public about this threat and ah, as a result there's a sense of complacency often times amongst industry because they don't appreciate that even in Australia you can be targeted and China happens to be your biggest trading partner, there's a lot of reasons why wo- they would be hacking into your industry, to try to steal intellectual property, try to get a advantage in trade negotiations and it's happening very very often and ah, very little is being done about it.

ALASTAIR MACGIBBON: You must remember it was only in April this year that the Prime Minister announced the compromises of the Bureau of Meteorology and of the Parliament House network. They are pretty remarkably big steps forward in what was otherwise a very very closed community. You have to give us some time as we work through what can be said, how it can be said to increase the level of engagement.

LINTON BESSER: In April Dmitri Alperovitch's firm got a call from the US Democratic Party ... concerned their computer networks may have been hacked. His staff found something alarming.

DMITRI ALPEROVITCH: He said basically take a look at this, this is very interesting. I started looking at the evidence and realised right away that there's complete certainty in what we're seeing. We found ah a couple of big whales here and ah, it's a, actors that we affiliate with the Russian Intelligence Services and ah, one of them specifically with the GRU, the Military Intelligence Agency of Russia.

LINTON BESSER: What they discovered was a spying campaign against a major US political party. The last time there was a major bugging operation that targeted the US Democrats was in 1972, when the Watergate building behind me was broken into. Now in 2016 the Democrats have been infiltrated again.

HILLARY CLINTON, DEMOCRATIC NOMINEE: The Russians and according to the reporting who did this hacking were, it's most likely in the employment of the Russian government

JUANITA PHILLIPS, ABC NEWSREADER: The Democrats are in disarray after a damaging email leak

LINTON BESSER: Three months after the hack was discovered ... embarrassing internal emails from within the US Democrats turned up on Wikileaks and led to the resignation of two senior party officials.

DEBBIE WASSERMAN SCHULTZ, SENIOR DEMOCRAT OFFICIAL: Good morning Florida, alright everybody now settle down.

MICHAEL HAYDEN: If this were done by the Russian security services, and I think there's a body of evidence that that's probably true, I'm not so sure that the inner workings of a powerful American political party is an illegitimate target for Russian espionage, alright? So let me just make that very clear. Now, what really makes this interesting is that it appears the Russians didn't stop at espionage. They've taken the information, and here's a phrase I would like to share with you, they've weaponised the data made it public through WikiLeaks, in order to do something with the American political process. That's really interesting. That's really new.

LINTON BESSER: It is the United States however - not Russia - that's been blamed for the most destructive cyber weapon to have ever been deployed. Stuxnet was a highly dangerous piece of code launched a decade ago against Iran's nuclear enrichment program. By secretly causing the centrifuges at the Natanz facility to spin out of control... hundreds were destroyed before their operators knew anything was wrong.

KEVIN MITNICK: Well, well Stuxnet was a piece of malicious code ah, allegedly developed by the United States in co- in cooperation with Israel. A piece of- of government malware that was targeting the Iranian centrifuges. The impact was damage, physical damage from that attack.

LINTON BESSER: Stuxnet marked the beginning of the cyber wars of the future.

JILL SLAY, DIRECTOR AUSTRALIAN CENTRE FOR CYBER SECURITY: Some of the literature claims this is the fir- first real documented evidence of cyber warfare. People will claim that was cyber warfare. So once you have an example um it can be replicated. Other people will copy it.

MICHAEL HAYDEN: A nation state, had just used a weapon comprised of ones and zeros during a time of peace to destroy what another nation could only describe as critical infrastructure. Now, even I with my background looking upon th-the destruction as an unalloyed good, even I recognise that's a really big deal. That, I've used the phrase in the past, um that's a legion crossing the Rubicon. Now th-that's a legion on the other side of the river now. That's the first time that's ever happened in human history, and our species doesn't have a history of putting such weapons back into the sheath after they've been used once.

LINTON BESSER: Just for the record General Hayden, was Stuxnet an operation of the US Government?

MICHAEL HAYDEN: What I say to those kinds of questions is, given my background, it would be irresponsible of somebody with my background to even speculate as to who may have been up to that.

LINTON BESSER: Cyber weapons like Stuxnet rely on software flaws or vulnerabilities that hackers use to get into sensitive systems. They're known, in the jargon of the hacking world, as zero day exploits.

KEVIN MITNICK: A zero day is a vulnerability that has been identified ah, that nobody knows about, right. Maybe another researcher could have stumbled across the same security flaw, but a zero day is something that hasn't been reported to the manufacturer be it, Microsoft, Apple, Cisco or any of the major manufacturers out there and then it allows the attacker to continually leverage that zero day to compromise systems.

TIM WELLSMORE: A zero-day is one of those um vulnerabilities that have been discovered but haven't been haven't been disclosed to the public or to the software developer. So therefore it can be used in a weaponised sense to actually then to be used to attack that system and and gain a foothold on that system. Zero-days um are common place in in this type of industry and and they're obviously um quite are valuable assets.

LINTON BESSER: Incredibly ... there are people who buy and sell zero-day exploits to companies and governments across the world. The trade in software vulnerabilities is actually a pretty murky marketplace with many of the transactions happening underground. Some say it's the arms race of the 21st Century but it's one where no-one really knows who's buying these exploits and what they're buying them for.

TIM WELLSMORE: I've seen some prices on the internet which are quite significant. You know you can pay sometimes in the hundreds of thousands of dollars, over a million dollars. I don't know if people actually pay those prices, but I've certainly seen them o-seen them on the internet and on the dark net, um so obviously if if it's a market demand and and that's the price they're putting on them somebody must be paying for them.

LINTON BESSER: This company Zerodium publishes its price list for zero-day exploits online ... Those which allow you to hack into an Apple iOS system - used by iPhones - are worth half-a-million dollars.

KEVIN MITNICK: Basically what a zero day broker does is when researchers find vulnerabilities in systems that haven't been reported what they do is they broker a deal between the individual that found it and a party, usually a government agency that need- that wants to purchase it.

LINTON BESSER: High-profile hacker Kevin Mitnick is one of these brokers but he doesn't want to talk about it.

LINTON BESSER: I noticed on your website you said you sell them to countries and corporations.

KEVIN MITNICK: I can't discuss it sorry.

LINTON BESSER: How can you be certain you know who you're selling them to?

KEVIN MITNICK: I can't discuss the program.

LINTON BESSER: Can you sit here today and say you're 100 per cent confident that nothing you have sold has gone into the wrong hands?

KEVIN MITNICK: I could say I'm a 100 per cent confident that I can't discuss the program with you.

MALCOLM TURNBULL: Now while cyber security measures sit at the forefront of our response to cyber threats, defensive measures may not always be adequate.

LINTON BESSER: It was only a few months ago that the public was told - for the first time - that Australia was in the business of cyber warfare.

MALCOLM TURNBULL: An offensive cyber capability, housed in the Australian Signals Directorate, provides another option for Government to respond.

LINTON BESSER: This offensive cyber capability includes developing zero day exploits to be used against overseas targets by Australia's electronic spy agency.

ALASTAIR MACGIBBON: In terms of offensive capabilities, they would be very very specific and very very tailored activities. We're not talking mass vulnerability that will infect all of us and that the Australian government sits on. That would be improper, isn't done and nor should it be done.

DMITRI ALPEROVITCH: Just like any country, um ah, any advanced country we have to assume that um, they're developing capabilities in order to both defend themselves and take offensive actions should it be needed in cyberspace. Really most modern countries now are treating cyberspace as another military domain in addition to land, air and sea.

CYBER TRAINER: OK, let's start looking at these targets, what have we got?

RED TEAM ATTACKER: Two targets, the water tower and the power station.

LINTON BESSER: To prepare for the cyber domain ... this is where Australia's 21st century soldiers train... a secure facility at the Australian Defence Force Academy in Canberra.

RED TEAM ATTACKER: Initiating scan...scan complete, chopping across the database.

CYBER TRAINER: So we've got some options on that first host, let's start there, Pete that first host on the perimeter, OK, let's try and get into that, ok so once we've got this foothold, I want you to do a scan on the DMZ for the pivot, so let's start that scan again

RED TEAM ATTACKER: Initiating scan

CYBER TRAINER: Let's get into it

LINTON BESSER: Two rival teams are competing ... one's on attack ... trying to turn off the power across this imaginary city ... The other team is trying to defend the city.

RED TEAM ATTACKER: Target one is offline

CYBER TRAINER: Good job, keep watching it ok exploit...ok, take out the power grid...Ok Red Team power is going down, what I want you to look at now, do as much damage as you can, we probably don't have very long until we get kicked out...ok we're starting to lose this one.

JILL SLAY: We're teaching them how to defend um critical infrastructure networks and we actually teach them what the bad guys might do in offensive warfare against us so that when they go to work they will be able to recognise an attack and and to do something about it.

RED TEAM ATTACKER: The tower should be overflowing.

CYBER TRAINER: Good job Pete

LINTON BESSER: The red team manages to flood the water tower ... and take out the power grid ...

CYBER TRAINER: Ok that's it, we're out. Good work guys.

LINTON BESSER: It's not as far-fetched as it might seem ... in December last year ... a major power outage in western Ukraine ... was attributed to a cyber attack launched from Russia.

MICHAEL HAYDEN: In the industrial age, okay, electrical power grids were all always considered a legitimate military target alright? So in WWII we bombed and destroyed the electrical infrastructure of our enemies. Now we have the ability through a cyber attack to just shut the grid down.

ALASTAIR MACGIBBON: We've certainly seen essential utilities targeted in other parts of the world, successfully so. So we'd be churlish to think that that couldn't happen in Australia. I would say that the Australian Government and working with our allies offshore has invested in helping educate the owners of critical infrastructure in how to secure these industrial control systems to reduce the likelihood of things going wrong. Given the size of the networks, given the scale of the networks, and the ever-changing nature of them, it's a bit like the harbour bridge, you start painting at one end and by the time you finish you start painting again.

LINTON BESSER: In Las Vegas the hacking conference came to a dramatic close with a major milestone in the evolution of cyber security.

CYBER GRAND CHALLENGE COMMENTATOR: Alright, Welcome everyone to the first ever, fully automated, cyber security, automated competition, the Cyber Grand Challenge.

LINTON BESSER: Sponsored by the US Department of Defence a major new hacking competition has redefined the landscape again.

CYBER GRAND CHALLENGE COMMENTATOR: The winning team will take home the top prize of two million dollars, we now have seven finalists who will compete here today using automated systems designed to hunt for vulnerabilities and search for weaknesses on competitors systems

LINTON BESSER: This team of developers has designed an artificial intelligence that could take cyber warfare to new levels. It's called Mayhem.

DAVID BRUMLEY: Right now a lot of the computer security mechanisms we have are really about a person on a keyboard, and that's just too slow. So they put out a Grand Challenge - can we have a fully automated attack and defence system? And that's what this week is about. That's what this challenge is about, can we build fully automatic robot computers that can hack and defend against being hacked?

CYBER GRAND CHALLENGE COMMENTATOR: Let's see what's going on here with the rest of the game.

CYBER GRAND CHALLENGE CO COMMENTATOR: It looks like again, it's still a very close game

CYBER GRAND CHALLENGE COMMENTATOR: Alright so, Mayhem and Rubeus are battling for the lead.

LINTON BESSER: These machines on stage are firing off cyber attacks against each other - and they're doing it without any humans involved.

CYBER GRAND CHALLENGE CO COMMENTATOR: Score board seven, we will actually see Mayhem overtake Rubeus to take first place.

CYBER GRAND CHALLENGE COMMENTATOR: Alright, let's see scoreboard seven!

CYBER GRAND CHALLENGE ORGANISER: And now the winner of the Cyber Grand Challenge, ForAllSecure and their Bot Mayhem!

LINTON BESSER: Technology has brought us together in new ways ... but it's exposing us to dangers we're only beginning to see.

KATIE MOUSSOURIS: Well, the internet was never designed to actually be secure right, so, we're fighting- we're fighting an almost untenable problem space. We're realising that we've created so much technology, we've created technology faster than we have the ability to secure it as human beings.

SARAH FERGUSON: The Chinese government - through its Embassy in Canberra - has denied it was behind the cyber attacks in Australia, describing the allegations as nothing but false cliché. Next week ... a special program from the BBC - inside the Battle for Britain - how the Brexit campaign was won. See you then.