Are 'Stuxnet' Worm Attacks Cyberwarfare?

Computer experts say a sophisticated computer worm dubbed "Stuxnet" exploits vulnerabilities in Microsoft Windows to attack industrial control systems, including one at an Iranian nuclear power plant. Computer security experts discuss the worm and its impact on security.

Eric Chien
technical director, Symantec Security Response
Santa Monica, Calif.

James Lewis
director, Technology and Public Policy Program, Center for Strategic and International Studies
Washington, D.C.

Bruce Schneier
writer and security technologist
Author, "Schneier on Security" (Wiley, 2008)


Computer experts say a sophisticated computer worm that attacks computers used in industrial controls has infected thousands of machines around the world. But unlike other malicious computer viruses and worms, this one, called Stuxnet, doesn't seem to be designed to steal your money or your credit card numbers. It seems to have been designed to interfere with the operations of industrial plants.

It targets a specific operating system that is used to control valves and pipelines and other industrial equipment.

The worm has shown up in computers in an Iranian nuclear plant, but whether that was the intended target isn't quite clear. Maybe it just showed up in that one, and maybe in a lot of other places, too.

Most experts say the worm is a sophisticated piece of coding. But who designed it? Why? Well, what's happening? That's the subject of a lot of speculation and what we'll be talking about now.

Joining me now to talk more about the worm and what security experts know about it is my first guest, Eric Chien. He is technical director for Symantec Security Response Unit. Thanks for talking with us today.

Mr. ERIC CHIEN (Technical Director, Symantec Security Response): No problem.

FLATOW: Welcome to SCIENCE FRIDAY. James Lewis is director of the Technology and Public Policy Program at the Center for Strategic and International Studies in Washington. Thank you for joining us today.

Mr. JAMES LEWIS (Director, Technology and Public Policy Program, Center for Strategic and International Studies): Thanks a lot.

FLATOW: Bruce Schneier is a writer and a chief security technology officer at British Telecom. His latest book is called "Schneier on Security." Thank you for being with us today.

Mr. BRUCE SCHNEIER (Security Technologist, Author): And thanks for having me.

FLATOW: Eric, tell us about this Stuxnet worm. And what makes it different from other worms?

Mr. CHIEN: Well, you summarized it pretty well. Basically, it's one of the first worms that we've seen that is targeting industrial control systems, and industrial control systems are things like gas pipelines or power plants.

Typically, the threats that we see today are attacking sort of individual assets or even virtual assets, like a credit card number or, you know, someone maliciously posts your Facebook wall.

What we're looking at here is someone's essentially trying to sabotage one of these plants, potentially to do things like make it explode.

FLATOW: And how many machines do you estimate that it has infected?

Mr. CHIEN: Well, you know, the number of machines is sort of a bit of a red herring, to be honest. I mean, we have about 100,000 machines that are infected, but the vast majority of those, we believe, are what we call collateral damage. Stuxnet likely was trying to target a very specific installation, and everyone else who got infected was basically just by accident.

FLATOW: Now, there are reports that it was targeted at an Iranian nuclear power plant. Tell us what you know about that.

Mr. CHIEN: Yes, we can't confirm that. But basically what we see is we see that the vast majority of initial infections, before the data starts to get very noisy, as it begins to spread, were originating in Iran. So that's sort of the basis for that speculation.

In regards to, you know, a particular industrial plant, something like a power plant, you know, a nuclear plant or a gas pipeline, what we do know is that whoever the attackers were, they were likely after a high-value target.

They weren't after, for example, a factory floor that was designed to package up boxes to ship to a retail store. There was a lot of resources invested in creating this threat, such that they were definitely after something more high-value.

FLATOW: So they weren't - in other words, they weren't going to waste their time on a robot making car parts or something like that.

Mr. CHIEN: Yeah, that's correct. The resources involved was probably at least five to 10 experts in a variety of fields over six months, and that's probably just a core team of developers. It didn't include things like the quality assurance, management, people to set up the hardware. It appears it likely may have required some insiders to steal design documents ahead of time. So this was a very big effort.

FLATOW: All right that's - wow. We're going to get into all of this. Stay with us. Our number, 1-800-989-8255 is our number. You can tweet us @scifri, @-S-C-I-F-R-I. We'll talk - bring in our other guests, not only Eric Chien, but James Lewis and Bruce Schneier.

What do you think out there about the threat from a computer worm like this that seems to take control over equipment that runs at factories, may run a power plant? So stay with us. We'll be right back after this break.

(Soundbite of music)

FLATOW: I'm Ira Flatow. This is SCIENCE FRIDAY, from NPR.

(Soundbite of music)

FLATOW: We're talking about computer worms this hour, specifically the Stuxnet worm, which has been, we understand now, it's been infecting 100,000 computers and systems, and it controls machinery. It's not controlling your credit card numbers or stealing bank accounts or things like that.

We're talking with Eric Chien, technical director for Symantec Security Response Unit. Is there - and you say this worm is so sophisticated, that it must be the work of a sophisticated group. That would seem to me that you're ruling out hackers, but maybe people who belong to a government or something like that.

Mr. CHIEN: Yeah. That definitely would not be out of the realm of possibilities. I mean, if someone told us the story of the Stuxnet worm, you know, maybe six months ago, to be honest, we probably would've laughed. We would've said oh, yeah, it's all possible in theory, but that's really a movie plotline. Well, unfortunately, now we really have it.

FLATOW: Can you tell by looking at the code who might have written it or where might it have originated?

Mr. CHIEN: No. I mean, we can't really tell by looking at the code. There are some markers, interesting markers, in the code, some specific dates and some other terms.

There's this term that's basically a plant. It's (unintelligible) is the family and guava, the fruit. Those strings are in there, and there's some speculation and theory around these terms. But what I would do is caution people that just because they think these special dates and these terms point to a particular country or a particular attacker, that doesn't really give those terms credibility.

You know, if you were an attacker, you would likely put in terms like this to basically throw the scent off yourself and implicate someone else.

FLATOW: Eric, can you stay around a while? Do you have to run?

Mr. CHIEN: Yeah, no problem.

FLATOW: Okay, let me because I want to bring out some other guests. James Lewis has been waiting. He's director of the Technology and Public Policy Program at the Center for Strategic and International Studies in Washington; and Bruce Schneier, who is author of the book "Schneier on Security."

James Lewis, do you think this is an act of cyberwarfare?

Mr. LEWIS: Well, you know, one of the nice things about this is there's so little hard data that we can speculate whatever we like. But it sure looks like one. It's a good hypothesis. Can't rule it out.

FLATOW: And Bruce Schneier, you take issue with the use of the word cyberwarfare, right?

Mr. SCHNEIER: Well, I mean, it doesn't feel like warfare, but it's certainly possible that this is something that's targeted. We're getting new news every day. My opinions early this week are changing as we're getting more. And really, Eric's summation of what we know is real good. We don't know, but this does seem to be different than a lot of other things we're seeing.

FLATOW: And I'll address all of you now, as I ask a question: The fact that it's been found in an Iranian nuclear power plant doesn't necessarily mean it was targeted for that, does it?

Mr. SCHNEIER: Well, no. It could be going around everywhere. We don't know what its intention was. The worm is spreading pretty much indiscriminately. It's found there. I'm sure it's in other nuclear power plants. So correlation doesn't mean causality. I mean, it's a nice theory, but, you know, it is just speculation.

FLATOW: And how yeah, sure.

Mr. SCHNEIER: It's been found in multiple places in Iran, and not just, you know, someone's home computer, but industrial systems in Iran.

You know, there's public information that was also found in where they do uranium enrichment, as well. It was found in places where they deal with gas pipelines, as well. So it could be any number of one of those places.

Mr. LEWIS: And just to complicate things, this isn't really a military act, for me. It's more like an intelligence exploit. And, you know, one of the questions I'm asking is maybe the guys who wrote this wanted to be found, and they're trying to signal somebody about something. And that's what we have to figure out, is they spent a lot of money, and it popped out in the open. Maybe it was found. Maybe it was intentional.

FLATOW: You mean just as a warning, saying hey, we know how to do this, beware?

Mr. LEWIS: Yeah. That's been done in the past. This could be another example.

Mr. SCHNEIER: And it's certainly possible. If you were actually targeting the Iranian nuclear power plant, I think you'd do it different than this. So we're left with trying to reverse-engineer motives from the actions of the worm, which is hard.

But Jim is certainly correct. We have seen other worms that we believe have been demonstrations of capability, either by criminal organizations or by governments. We don't actually know. I mean, maybe this message is intended for someone who has more context than we do, and we're just speculating because we don't know what's going on.

Mr. LEWIS: Yeah, now the Iranians have to feel a lot of angst and, you know, go out and replace all their PCs with Macs. So it's, you know, if there was a message, maybe they got it.

FLATOW: Well, let me ask you how it got in there, then. I mean, how are you sure it came from the outside, and how would it get in? Isn't there tight security on these systems?

Mr. LEWIS: We don't know, and certainly networks are porous. I mean, there aren't networks where worms don't get in. Even classified military networks, worms make the jump by somebody's USB stick, or somebody dials in from home or does something they shouldn't do.

You know, we know that worms cross over. And I wouldn't expect an Iranian nuclear power plant's security to be any better than all the other mediocre security systems out there.

Mr. SCHNEIER: Yeah, whenever human beings connect to a network, there's a way in.

FLATOW: How? You mentioned before that if this really were targeted at an Iranian nuclear plant, it would have been a different message. What message would it have been?

Mr. SCHNEIER: Well, I think it would be something more targeted. I mean, we have a worm that is wandering around the planet, and if you're targeting something, especially if you're a government, I think you'd want to minimize collateral damage to countries that you're friendly with. So it just feels like the wrong tool for the job.

There's been speculation that the worm was intended to be very - was tightly targeted and mistakenly got released. I mean, that's certainly possible. We've had a lot of worms, several, that have been released mistakenly.

FLATOW: Eric Chien, did you want to jump in there?

Mr. CHIEN: Yeah, there is something really interesting about the code, and, you know, he's absolutely right that when you're talking about self-replicating code, which is what this is, it gets out of control. And there's sort of no way to stop it.

And, you know, and maybe a year from now, people's home computers in the U.S. will also be infected, and it will be useless on their machines, but they'll be infected.

And what's interesting about the code is it was definitely built in stages. And they got more and more aggressive as they went along.

So right now, it uses four zero-day vulnerabilities, and what zero-day vulnerabilities are, basically, vulnerabilities that can be exploited to allow them to automatically run on your machine, unauthorized, due to a bug in that software.

And when the threat first started, it actually didn't have these vulnerabilities. It used more traditional ways of trying to jump from one machine to another, ways that were probably a little bit less effective.

And so it's possible, as they went along, they were reaching hurdles in the environment they were in, and they were trying to jump over those hurdles to get to the industrial control system.

Remember, these industrial control systems normally aren't connected to the Internet, and the way they're updated is actually, usually the USB. So eventually, they were adding vectors to get to those industrial control systems. And one of the vectors they added later was the ability to infect USB key drives in an automated fashion, using one of these exploits.

Mr. SCHNEIER: There's two interesting points there. The first is it's suggestive that there were four zero-day exploits because if it would have been criminals, they would have taken the first one and been off trying to make money. So somebody who had the patience to wait and use four might be a government.

On the USB thing, you know, again, it's a pretty standard trick. I'm kind of sorry to see it becoming so public. Now everybody knows about it. But it's a great way. You can count on it almost always working because, you know, someone will pick it up and stick it in without thinking, and there you go.

FLATOW: You mean you just sprinkle USB drives around the place, and people just pick them up and say hey, what's on this thing?

Mr. SCHNEIER: Or a trade fair, you can swap them, and you can mail it to them and say congratulations, you're the 1,000th visitor, here's your USB stick.

I gave a speech in Beijing, and the Chinese government gave me a USB stick as a speaker's gift. So, you know, it's a standard delivery mechanism.

FLATOW: Here's a question from the Web, from Deacon(ph). It says, and this is a good one: What specific machine control operating system is targeted, and what part of the machine does it go to? Eric?

Mr. CHIEN: There's two pieces. So it has a Windows component that allows it to sort of spread, let's say, within the target organization, looking essentially for a developer or someone who maintains the industrial control system.

The industrial control system itself is Siemens, in this particular case, Siemens PLCs. PLC stands for programmable logic controllers. And these PLCs basically have a small CPU inside of them, and they run an assembly code called STL, or statement lists. And it's a very rudimentary assembly code language.

And that's what they use to program in. And Stuxnet, what it does is once it finds someone who programs these industrial control systems, it hijacks their programming environment, and unbeknownst to them, will insert this STL code onto the target PLC, essentially sabotaging that industrial control.

FLATOW: Why is it called Stuxnet?

Mr. CHIEN: It's basically just some strings that were inside that were sort of - the letters were taken and reversed around to make something that sounded reasonable.

FLATOW: Let's go to the phones - Beth in Charleston, South Carolina. Hi, Beth.

BETH (Caller): Hi, there, Ira. I might be overreacting, but I'm feeling a little terrified. I wonder if this worm could even eventually lead to a nuclear meltdown in a plant somewhere.

FLATOW: James, any...

Mr. LEWIS: No, probably not. You know, it's a handy thing, but I think that it wouldn't, as far as we know, cause that kind of problem. And so...

Mr. SCHNEIER: I agree. It's unlikely. But it is - you know, there are vulnerabilities in these systems.

BETH: And that could lead to one vulnerability, that may lead to them finding some other way to get in further.

FLATOW: Beth's making a good point. Could they be saying look, we can get into the system and control the parts that aren't important? Imagine if we get in and get to the parts that are important.

Mr. LEWIS: They didn't need to say that to us because we already knew it. We already knew we were open, vulnerable, undefended. So I don't know who they were saying. They were probably saying something else. But, you know, is the electrical grid a target? Absolutely. Will people think about sabotaging it? Yes, we know they have. And is this the latest example and maybe the most sophisticated example that we've seen? That doesn't mean there aren't others. Yeah. So it's not an impossible scenario if we get into some kind of cyber conflict, whatever that would be, expect electrical grids to have problems.

Mr. SCHNEIER: Jim is correct. These are vulnerabilities we've known about in the industry, but we're now seeing it more talked about in the wider press. So the message is not we can get into these systems. The security people have known that for years.

FLATOW: Mm-hmm. So in other words the people who are in inside this box of your community know exactly that this could happen. This was a message for some other reason.

Mr. SCHNEIER: Right. And (unintelligible) something important that Eric said. This is an expensive worm. Zero-day vulnerabilities(ph) are valuable. They have enormous value because you can infect a lot of machines. To use four of them on one exploit is, you know, a very spendy proposition. So whoever did this is spending a lot more resources than the average criminal worm. It doesn't mean it's not of a criminal organization, but it's different than your normal criminal behavior.

FLATOW: The fact that this is now discovered, does that take it out of circulation? There's people watching for it and they can neutralize it.

Mr. SCHNEIER: It does to some (unintelligible) I mean the vulnerabilities are being corrected, but patching is sloppy. Some of these control systems are very hard or impossible to patch. And the worm has the ability to update itself. I mean, Eric talked about that earlier. So you could see the worm mutating again. On the other hand, you know, we now know about the control systems so we're going to be neutralizing that. You know, it mitigates its effectiveness, but it doesn't remove it. And we had worms that have...

Mr. LEWIS: The worm has a built-in peer-to-peer updating system. That's really cool.

FLATOW: What does that mean?

Mr. LEWIS: It means that it doesn't need to call home to update itself. It means that it can look for another infected machine and say, hey, do you have a more recent version? That's pretty cool.

FLATOW: Wow. Could it be doing a surveillance routine? Just going through and seeing what you have, seeing where your vulnerabilities are, and then reporting home what those things are.

Mr. LEWIS: I've been asking people that. We've been assuming it's an attack and that the attacker piggybacked a collection scheme onto it. And maybe we got it backwards. Maybe it's a collection scheme and the attackers piggybacked a potential sabotage mechanism onto that.

Mr. SCHNEIER: Well, I think that's absolutely right. In fact, there had to be collection that had to happen ahead of time. So, you know, these industrial control systems are very customized. In order to inject code into them, you have to, sort of, know how they work, that particular one works, and how it's been set up in that particular environment. So they definitely had to do collection of data system environments first and that could have definitely been done by an earlier version of Stuxnet and then to that version of Stuxnet they've then(ph) added now the code to actually inject into the TLC(ph).

Mr. LEWIS: And it's not gonna make your caller in South Carolina feel any better, but there is some evidence that other people have done that to the United States. So stand by.

FLATOW: All right. And you stand by for a second as I tell everybody this is SCIENCE FRIDAY from NPR.

I'm Ira Flatow, talking with Eric Chien of Symantec and James Lewis of the Center for Strategic and International Studies in Washington; Bruce Schneier, author of "Schneier on Security."

You know, when these things happen, we sort of get a little glimpse into the inside of your industry. And when you open that little door, it looks very scary in there. You know, when you say, oh, we know about this, and you say that, you know, we think that there's - an attack already has been attempted on United States and this security is vulnerable, how scared should we really be?

Mr. SCHNEIER: Well, to put in context, you know, I mean, look outside, we're all doing fine. I mean, there are a lot of these vulnerabilities. We in the industry spent a lot of time being paranoid and worrying about them. But, you know, for the most part, everything runs okay. I mean, there are definitely is worry. These are vulnerabilities. But, you know, within context, I think - I don't lose any sleep at night.

FLATOW: Well, there's talk, you know, in Congress. We had - after 9/11 we had the ability to tap into our phone systems. And now Congress is being asked to give us the ability to tap into our Internet and turn the Internet off.

Mr. LEWIS: That's kind of unrelated. And these people think it's related, but basically the technology - this is the fourth time in at least 20 years that DOJ and Justice and FBI have had to go back and say please update the laws so we can stay up with the technology. Prosecutors won't win their cases if they can't use wiretap evidence. But you could pass this change or you could not pass it and it won't affect cyber security at all.

FLATOW: Mm-hmm.

Mr. SCHNEIER: Yeah, I agree with that. It's a huge political debate and, you know, something Jim and I are both involved in, on different sides, but it's actually not this issue.

FLATOW: All right. Let me get a phone call or two. Let's go to George(ph) in San Jose. Hi, George.

GEORGE (Caller): Good afternoon. I'm echoing the prior caller. This worm is very concerning because it could affect the safety of nuclear power plants. And since it isn't clear how the worm is acquired or what it can do, should we simply shut down our nuclear power plants until we understand this problem better?

Mr. SCHNEIER: I think if you do that, you're shutting down all technology forever because I don't think we'll ever get to the point where we understand this problem better. We need to improve security, not just in nuclear power plants, in all industrial control systems, in all - Internet banking systems, everywhere. I mean, there are serious threats. But, you know...

FLATOW: Well, let's talk about what concrete steps we need to do then.

Mr. LEWIS: Well, that's a hard one.

(Soundbite of laughter)

FLATOW: How do we learn from it? How do we learn from it?

Mr. SCHNEIER: You know...

Mr. LEWIS: Now you've started it.

Mr. SCHNEIER: Yeah. You know, if that was easy, we'd all be doing it. You know, there are things that - they're not easily soundbite-able. They're not easily summarized. You know...

FLATOW: Are you just afraid to say them?

Mr. SCHNEIER: No, no. (Unintelligible) to say them. They're just actually really hard to say; in some of the cases we don't actually know what they are. We just (unintelligible) do more research and figure out how to make this better.

Mr. LEWIS: That's true. But we could do a couple of things in the interim. The first thing we could do is we could start making critical infrastructure, like the electrical grid, do a better job, at least as far as we know. And the second thing, and this gets much more difficult, is we need to think about how to create a national defense and we need to think about the role of the Defense Department in meeting these advanced threats. And currently we don't like to do that because that means letting NSA maybe defend some of our networks.

FLATOW: When you say do a better job with our grid, what do you mean by that?

Mr. SCHNEIER: Well, the - a couple of years ago, the North American Electrical Reliability Council, NERC, testified before Congress that they were doing a good job of securing the electrical grid. And then people went out and looked and found out, well, actually it was really uneven. Some power plants do a good job. Other power plants are completely vulnerable. And we don't want to have a system like that where it's kind of hit or miss, some are in good shape, some aren't. That's not national security. Bring them all up to a common standard. And there are bills now in Congress that might be able to do that.

FLATOW: All right. We have to take a short break. We'll come back and talk lots more about this Stuxnet worm. Talking with Eric Chien of Symantec, James Lewis of the Center for Strategic and International Studies in Washington, Bruce Schneier. Bruce Schneier is a chief security technology officer at British Telecom and his latest book is "Schneier on Security." Our number, 1-800-989-8255, @scifri, @S-C-I-F-R-I. What would you like to see happen? Stay with us. We'll be right back.

(Soundbite of music)

FLATOW: You're listening to SCIENCE FRIDAY from NPR. I'm Ira Flatow. We're talking this hour about worms and cyber warfare with Eric Chien of Symantec, James Lewis of the Center for Strategic and International Studies in Washington, Bruce Schneier, author of "Schneier on Security." Our number 1-800-989-8255. Just a few minutes to go.

Eric, do we know where it originated from? Do we know the server that it came off of?

Mr. CHIEN: Yes, we don't know where it originated from, but we do know the server that it talked back to. So these worms or these attacks, targeted attacks, tend to have a command and control server, a place where it checks back in and the attackers then are able to give it additional commands. There's two servers, one was located in Malaysia and one was located in Denmark.

Mr. LEWIS: Now, that doesn't mean anything, of course. I mean, an attacker from anywhere on the planet could have taken over those two servers. So it doesn't tell us much. Unfortunately, we believe the worm did - was propagating for a while before it was discovered. So the early history really we know very little about, unfortunately.

FLATOW: Let's go to Hein(ph) in Tucson, Arizona. Hi, there.

HEIN (Caller): Hello. First of all, let me start by expressing my appreciation for you guys trying to work with this problem. But also, isn't there a lesson to be learned with all the PCs that are constantly attacked, isn't there a better operating system that people should go to like Mac or something else where - it seems like it's always a PC problem, a Windows problem.

Mr. LEWIS: Well, it's a PC problem...

Mr. SCHNEIER: Well, it's primarily a Windows or PC problem because that is the machines that everyone uses, right? If they targeted installation that they wanted to attack or if general home users all over the world use, you know, the Foobar operating system, then criminals and, you know, the targeted attacks will be attacking the Foobar operating system. I think that's really more of a nature of that's what everyone is using out there in the world.

Mr. CHIEN: Yeah. I'm sympathetic to the question, but the answer is completely right. I mean, we have very sophisticated opponents and if they can't come in the left door, they'll come in the right door. And so it doesn't make that much difference for this level of attack.

Mr. LEWIS: Well, but certainly for criminals, your average home user, using an operating system that's not a big target makes you a smaller target, not because the operating system is better, just because the criminals get less bang for their buck by writing a worm that attacks Linux because there's so much fewer Linux installations out there.

FLATOW: Bill in Portis(ph), Michigan, hi.

BILL (Caller): Hey, good afternoon, gentlemen. Thank you for taking my call. What I'm wondering is why is it a necessity that all these various systems that are susceptible to this invasion and others - why do they have to be interconnected on the Internet? Why can't, say, a nuclear power plant with staff on hand and all of the built-in monitoring equipment be a stand-alone facility? We have other means of communication, and we could still use Net for a simple, you know, communication of data without having access to the operating system itself.

FLATOW: Yeah. Good question.

BILL: Why do all of these things have to be connected to the Internet? Is there no option for that?

Mr. LEWIS: Remember that Stuxnet was designed to infiltrate even non-connected systems. So imagine that the power plant is off the grid. You're writing a file, but it has to move now onto the secure network so you put it on a USB stick and it transfers. Stuxnet anticipated that and had an infection mechanism that would use that.

So just unplugging a computer from the Internet doesn't make it safe, because people move back and forth, and data has to move back and forth. So we do see infections even in disconnected systems, even secure classified U.S. military systems. Worms make the jump because somebody did something stupid.

FLATOW: All right. Let me go to John in South Carolina. Hi, John.

JOHN (Caller): Hey, how you doing, Ira?

FLATOW: Hi there.

JOHN: Happy Friday to you.

FLATOW: Thank you.

JOHN: I'm in the production of fissile material and the design and construction of nuclear facilities. And I guess I've got to just say one thing. You should thank your - you should thank your sweet (unintelligible) and thank God that the Department of Energy is vigilant in this area. They recognize that a long time ago, you know, in 2005, it was very much elevated and it's at a peak right now. I say peak, but it's even more heightened, even before Stuxnet.

And you've got to understand that nuclear facilities are off the grid. They do not connect, and as your experts say, people doing stupid things - there are many, many safeguards put in place. And, you know, it's not just PCs. There's embedded software on every kind of device you could - if you've got two wires (unintelligible) you probably have some small little chip with embedded software that can carry the bug. It doesn't have to be PCs. And...

FLATOW: As you just say, somebody takes a USB stick and sticks it in there, it doesn't matter what you do.

JOHN: No. I mean, it builds - the point is the chain of custody for all industrial machines. The chain of custody from the factory, all the way back to the end use, has to be very rigidly adhered to and can't be interrupted, because you have sabotage potentially along the way. And that's what...

FLATOW: All right, John. Let me get a reaction. Thanks for calling.

Mr. LEWIS: Well, you know, we have a lot of classified networks here in Washington, and a lot of them are disconnected. And a lot of the people that use them ride the Metro, the subway system. And some of those folks listen to their iPods and they know, don't connect to the Internet. Don't put in the USB stick. But it really won't hurt if I just put my iPod in to recharge it while I'm at work, will it?

JOHN: Got you.

(Soundbite of laughter)

Mr. LEWIS: So that's the kind of thing. Human mistakes are always going to find a way in. We can create better defenses, but the other side is really good at thinking about ways around them. So this isn't a state where we'll ever find permanent security unless we keep moving.

FLATOW: All right. I want to thank all of you for taking time to be with us. We will continue this discussion, I'm sure. This is not the last one we'll hear about it. Eric Chien, technical directory - director for Symantec Security Response Unit. James Lewis, director of the Technology and Public Policy Program at the Center for Strategic and International Studies in Washington. Bruce Schneier, writer and security technology officer at British Telecom. His latest book is called "Schneier on Security." Thank you all for taking time to be with us.

Mr. CHIEN: Thanks, Ira.

Mr. SCHNEIER: Thank you.

FLATOW: You're welcome.

(Soundbite of music)

Copyright © 2010 NPR. All rights reserved. Visit our website terms of use and permissions pages at for further information.

NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.