Conficker are across the world. Computer analysts say its like a sleeper cell, and it may be poised to suck Sensitive Data out of millions and millions of computers. It takes time to read the manuals. Im gonna save you that time. cause i stay home on saturday nights and read them for you. You and the rest of the geeks . Theres millions of us out there. Everybody, lets hear it geek squad [cheering] welcome to 60 minutes on cnbc. Im steve kroft. In this edition, we take a look at technology. We examine how breaches in Digital Security threaten everything from Weapons Systems to bank accounts. Plus, we meet the mr. Fixits of the geek world. We begin with electronic sabotage. Nothing has ever changed the world as quickly as the internet. In less than a decade, the pentagons warning that it might be possible for a computer hacker to disable Critical Infrastructure in a major city and disrupt essential services has actually happened. Other online attacks have seen millions of dollars stolen from banks and Defense Systems infiltrated. Its why, as we first reported in november of 2009, some people are already saying that the next big war is less likely to begin with a bang than a blackout. Can you imagine your life without electric power . Until february 2009, retired admiral Mike Mcconnell was the nations top spy. As chief of national intelligence, he oversaw the Central Intelligence agency, the Defense Intelligence agency and the National Security agency. Few people know as much about cyber warfare, and our dependency on the power grid, and the Computer Networks that deliver our oil and gas, pump and purify our water, keep track of our money, and operate our transportation systems. If i were an attacker and i wanted to do strategic damage to the United States, i would either take the cold of winter or the heat of summer, i probably would sack electric power on the u. S. East cost, maybe the west coast, and attempt to cause a cascading effect. All of those things are in the art of the possible from a sophisticated attacker. Do you believe our adversaries have the capability of bringing down a power grid . I do. Is the u. S. Prepared for such an attack . No, the United States is not prepared for such an attack. Its now clear this cyber threat is one of the most serious economic and National Security challenges we face as a nation. Four months after taking office, president obama made those concerns part of our National Defense policy, declaring the countrys Digital Infrastructure a strategic asset, and confirming that cyber warfare had moved beyond theory. We know that cyber intruders have probed our electrical grid, and that in other countries Cyber Attacks have plunged entire cities into darkness. President obama didnt say which country had been plunged into darkness, but a half a dozen sources in the military, intelligence, and private security communities have told us the president was referring to brazil. Several prominent intelligence sources confirmed that there were a series of Cyber Attacks in brazil one north of Rio De Janeiro in january of 2005 that affected three cities and tens of thousands of people, and another, much larger event beginning on september 26, 2007. That one, in the state of espirito santo, affected more than 3 Million People in dozens of cities over a twoday period, causing major disruptions. In vitoria, the Worlds Largest iron ore producer had seven plants knocked offline, costing the company 7 million. It is not clear who did it or what the motive was. But the people who do these sorts of things are no longer teenagers making mischief. Theyre now likely to be highly trained soldiers with the chinese army or part of an organized crime group in russia, europe or the americas. They can disrupt Critical Infrastructure, wipe databases. We know they can rob banks. So its a much bigger and more serious threat. Jim lewis is a director at the center for strategic and international studies, and he led a group that prepared a major report on Cyber Security for president obama. What was it that made the government begin to take this seriously . In 2007 we probably had our electronic pearl harbor. It was an espionage pearl harbor. Some unknown foreign power and honestly, we dont know who it isbroke into the department of defense, to the department of state, the department of commerce, probably the department of energy, probably nasa. They broke into all of the hightech agencies, all of the military agencies, and downloaded terabytes of information. Terabytes . A terabyte is its hard to say. The library of congress, which has millions of volumes, is about 12 terabytes. So, we probably lost the equivalent of a library of Congress Worth of government information in 2007. All stolen by Foreign Countries . Yeah. This was a serious attack. And thats really what made people wake up and say, hey, weve got to get a grip on this. But since then, there has been an even more serious breach of Computer Security, which lewis called the most significant incident ever publically acknowledged by the pentagon. In november 2008, someone was able to get past the firewalls and encryption devices of one of the most sensitive u. S. Military Computer Systems and to stay inside for several days. This was the centcom network, the command thats fighting our two wars, and some foreign power was able to get into their networks and sit there and see everything they did. What do you mean, sit there . They could see what the traffic was. They could read documents. They could interfere with things. It was like they were part of the American Military command. Lewis believes it was done by foreign spies who left corrupted thumbnail drives or memory sticks lying around in places where u. S. Military personnel were likely to pick them up. As soon as someone inserted one into a centcom computer, a malicious code opened a backdoor for the foreign power to get into the system. So presumably, nobody at the pentagon is plugging in theyve banned them. My impression is most people understand that there is a threat out there. I dont think most people understand that there are incidents that are happening. You know, ive been trying to figure out why that is, and some of it is the Previous Administration didnt want to admit that they had been rolled in 2007. Theres a disincentive to tell people, hey, things are going badly. but it doesnt seem to be sinking in. And some of us call it the death of a thousand cuts. every day, a little bit more of our intellectual property, our innovative skills, our military technology is stolen by somebody, and its like little drops. Eventually well drown. Even the countrys most powerful weapons are targets, so technicians at the Sandia National laboratories make their own microchips for Nuclear Weapons and other sophisticated systems. Jim gosler, one of the fathers of cyber war, says most commercial chips are now made abroad and there are concerns that someone overseas could tamper with them. So youre worried about somebody being able to get in and reprogram a nuclear weapon, or get inside and put something in there that would make it well, certainly alter its functionality. What do you mean by alter its functionality . Such that when the weapon needed to be to go operational, it wouldnt work. Have you found microchips that have been altered . We have found microelectronics and electronics embedded in applications that they shouldnt be there. And its very clear that a Foreign Intelligence Service put them there. Coming up how to take out an oil refinery from cyber space. The first thing we had to do was actually gain access to the network. And thatsweve just got that as launch attack, and then we turn up the btus. And then were turning off the recirculator pump. There we go. Thats ahead, when 60 minutes on cnbc returns. [ticking] every day were working to be an Even Better Company and to keep our commitments. And weve made a big commitment to america. Bp supports nearly 250,000 jobs here. Through all of our energy operations, we invest more in the u. S. Than any other place in the world. In fact, weve invested over 55 billion here in the last five years making bp americas Largest Energy investor. Our commitment has never been stronger. For over 60,000 california foster children, having Necessary School supplies can mean the difference between success and failure. The day i start, im already behind. I never know what im gonna need. New school, new classes, new kids. Its hard starting over. To help, sleep train is collecting School Supplies for local foster children. Bring your gift to any sleep train, and help a foster child start the school year right. Not everyone can be a foster parent, but anyone can help a foster child. Sean henrys job is to police potential targets all over the United States. He is an assistant director of the fbi in charge of the bureaus cyber division. He told us that criminals have used the internet to steal more than 100 million from u. S. Banks so far in 2009, and they did it without ever having to draw a gun or pass a note to a teller. The fbi became famous stopping Bank Robberies. Are there more Bank Robberies in terms of the amount of money stolen on the internet than there are guys walking into branches with guns . Absolutely. Really . Yes. Ive seen attacks where theres been 10 million lost in one 24hour period. If that had happened in a bank robbery where people walked in with guns blazing, that wouldve been Headline News all over the world. And the bank probably didnt want it known. Certainly when theres a network breach, the owners of the network are not keen to have it known that their network was breached because of their concern that it might impact their business. The case henry mentioned didnt involve just one bank, it involved 130, all of them victimized through an International Network of atms, an international caper that required dozens of participants on three different continents. How did they do it . It was a sophisticated operation, clearly organized, where adversaries accessed a computer network, were able to gain information from multiple accounts. They were able to decrypt pin numbers and then taking that data, able to manufacture white plastic that enabled them access to get into atm accounts. Whats white plastic . Take a piece of plastic thats similar in size and shape and weight to an atm card. Theyve got the card, theyve got the pin number, and they just drained the accounts . Almost 10 million in 24hour period. What cities . 49 cities around the world, in europe, in north america, south america, asia. All over the world. Do you have any idea what country these people were from . Yes. You care to share that with me . I would not. You would not care to share it . No. Have you caught any of them . Working on it. One top u. S. Intelligence official is on record saying that the chinese have already aggressively infiltrated the Computer Networks of some u. S. Banks and are operating inside u. S. Electrical grids, mapping out our networks and presumably leaving behind Malicious Software that could be used to sabotage the system. Can a penetrator or a perpetrator leave behind yes. Little things that will allow them to be there and watch and look and listen . Any successful penetration has the potential for leaving behind a capability. Do we believe that there arethat governments have planted code in the power grid . Steve, i would be shocked if we were in a situation where tools and capabilities and techniques have not been left in u. S. Computer and information systems. Of all the critical components in the u. S. Infrastructure, the power grid is one of the most vulnerable to cyber attack. Thats because the power grid is run and regulated by private utilities, which are unbeholden to Government Security decrees. Ill walk through the steps an attacker might take. Here at the Sandia National laboratories, department of Energy Security specialists like john mulder try to hack into the Computer Systems of power and Water Companies and other sensitive targets in order to figure out the best way to sabotage them. Its all done with the companies permission in order to identify their vulnerabilities, and this is a graphic demonstration of how they could have destroyed an oil refinery by sending out code that caused a crucial component to overheat. The first thing you would do is turn it to manual controls so that your automatic controls arent protecting you. What would be your main target here . The heating element and the recirculator pump. If we could malfunction both of those, we could cause an explosion. How would you do that . The first thing we had to do was actually gain access to the network, and thatswe just got that as launch attack. And then we turn up the btus, and then were turning off the recirculator pump. There we go. How realistic is this . Its very realistic. But the companies are under no obligation to fix the vulnerabilities, which was graphically demonstrated in a much more realistic fashion at the Idaho National labs in 2007 in a project called aurora. A group of scientists and engineers at the department of Energy Facility wanted to see if they could physically blow up and permanently disable a 27ton Power Generator using the internet. If you can hack into that control system, you can instruct the machine to tear itself apart, and thats what the aurora test was. And if youve seen the video, its kind of interesting, cause the machine starts to shudder, you know, its clearly shaking, and smoke starts to come out. It destroys itself. And what would be the realworld consequences of this . The big generators that we depend on for electrical power are, one, expensive, two, no longer made in the u. S. , and, three, require a lead time of three or four months to order them. So its not like if we break one, we can go down to the Hardware Store and get a replacement. If somebody really thought about this, they could knock a generator out, they could knock a power plant out for months. And thats the real consequence. This was the leap from theory to reality. When congressman jim langevin, who chaired a subcommittee on Cyber Security heard about it, he called representatives of the nations electric utilities to washington to find out what they were doing to fix the vulnerability. The committee was told that the problem was being addressed, but that turned out not to be the case. At a subsequent hearing seven months later, langevins Committee Members discovered that almost nothing had been done. What do you think we are, a bunch of jerks . Theybasically, they lied to congress, and i was outraged. And they admitted lying to congress . Thats right. They admit that they misled congress, that they did not give accurate testimony, and they subsequently had to retract the testimony. Have they made any progress since you caught them out in this lie . No, not sufficiently. The private sector has different priorities than we do in providing security. Their, in a sense, bottom line is about profits, and we need to change that. We need to change their motivation so that when we see a vulnerability like this, we can require them to fix it. Langevin and others have introduced legislation that would do just that. I look at this as, like, a pre9 11 moment where we identify a problem, we identify a threat, we know it exists, we know its real, and we dont move quickly enough to fix the problem. And what im worried about is, because of so many competing priorities, and so many issues that we have to deal with, we wont get we will not get focused on this problem until we have some catastrophic event. If the power grid was taken offline in the middle of winter, and it caused people to suffer and die, that would galvanize the nation. I hope we dont get there. But its possible that we will. Cyber war defense remains a top priority for president obama. In october of 2010, the newly formed u. S. Cyber command, led by general keith alexander, became fully operational. Its mission is to safeguard u. S. Military networks. It has no jurisdiction over Computer Networks in the civilian sector such as power grids or electronic banking systems. Their security continues to be the responsibility of the companies and the industries that operate them. [ticking] coming up a very secret agent. Imagine a network of spies that has infiltrated a country, and every day, all of the spies are calling in for their instructions on what to do next. A serious case of worms, next on 60 minutes on cnbc. [ticking] [ kitchen counselor ] introducing cascade platinum. Its triple cleaning formula delivers brilliant shine that finish gel cant beat. It even helps keep your dishwasher sparkling. New cascade platinum is cascades best. A frie