War As Easy As Typing: Alex Gibney Spills the Secrets of 'Zero Days'
A lesson in the dangers of cyber weapons—which, like so many modern tools, are the dangers of unintended consequences, and the dangers of going too far.
A still from a scene in Zero Days built using DepthKit. Source: Participant Media
Documentaries about war tend to include at least one eye-popping scene of mortar blasts or roadside explosions or street carnage. In Zero Days, the latest from Alex Gibney's ever prodigious studio, one of the most exciting scenes depicts, in dark, high definition tones... a party balloon being inflated by a machine.
Under normal circumstances, an air compressor inflates the balloon to an appropriate festive size. But when the compressor is infiltrated by malicious code by hackers ("The Party P00per?")—possible because it, like an increasing number of machines, is controlled by a device connected to a computer network—the balloon keeps growing bigger and bigger and bigger until... pop.
Party = over.
The dumb, fun demo—think Buzzfeed's rubber-banded watermelon prank but with hackers—is meant to illustrate how a bit of innocuous-seeming code can creep out of the digital world to become physical and kinetic. Balloons, sure, but also: power cut, stock markets crashed, messages (and Buzzfeed headlines and videos) tampered with, cars and drones hacked into and turned, like so many things-of-Internet, into zombie weapons, causing moments and zones of chaos and confusion and worse. (For more on that, see the plausible and nerve-wracking speculations of Reeves Wiedeman's City-Gets-Hacked story.) The next wars won't be about spectacular, violent attacks, but insurgent and secret ones, incremental and even merely symbolic ones that on the long term may be even more damaging.
Zero Days, like the virus at its center, doesn't attempt to bombard audiences with too many more tableaus of cyber destruction, but trains its focus on patient, well, zero. In 2009, a bit of code on a USB flash drive did real-life damage for what may have been the first time: it covertly spun a set of uranium centrifuges at Iran's Natanz facility into smithereens, and set the country's controversial nuclear program back by a decade. (That was enough time, and enough muscle-flexing perhaps, to yield a nuclear deal a few years later.)
The bug itself was never meant to be found, of course, but an update to make it more potent likely inadvertently led the virus to spread. When independent computer researchers discovered it in the wild in 2010, clues in its sophisticated, unprecedented code had the signature of two nation states working together. The Symantec researchers derived the name from a combination of some keywords in the software (".stub" and "mrxnet.sys"). In 2012, anonymous sources in Washington confirmed for the New York Times the official name of the US-Israeli program: Olympic Games.
In an earlier era, such destruction would have been accomplished more overtly, as it was when a pair of Israeli fighter pilots flew into Iraq in 1981 and bombed the country's nuclear project to hell. Now, we're in a more covert mode. Thanks to some legal and technologic aerobatics, the drones that target and kill US enemies and others in Yemen don't officially exist (though the White House has promised some transparency, soon.). Nor does any official explanation for the rash of assassinations of Iranian nuclear scientists in recent decades. Now similar damage may be done even more covertly, without death or, it's imagined, with less risk of retaliation or collateral damage. It's a tempting thing, like an app or a bot: a weapon that, as complicated as it can be to build and use, also makes war no harder than typing.
And invisible. Because Stuxnet remains a secret inside the governments suspected of creating it—the US and Israel—and because it is a piece of sneaky code, how do you talk about it, much less visualize it? You get a balloon. "We had a lot of fun with that," Gibney said after a recent screening. "There was something about the balloon that seemed to make it so magical."
The detail of the balloon popping isn't actually there to make it more magical, but, hopefully, the opposite: to drain the black magic out of cyberwar by pulling back the curtain and talking about it in the open. The gimmick was suggested by two of the film's sources, Eric Chien and Liam O'Murchu, the security analysts at Symantec who analyzed Stuxnet in depth, and with whom Gibney and his team spent a lot of time trying to untangle its technical details and effectively reverse engineer the story of its making by the NSA and the Israeli Army's Unit 8200. (How the virus became un-covert is as much a part of the story and its lessons as how it was secretly made and deployed.)
Secrecy is one of the creepiest aspects of war fought with code: It can be very hard to know if you've been attacked, much less who attacked you. And even as evidence emerges of successors to Stuxnet—the film reveals another impressive piece of US-made malware called Nitro Zeus, prepared in the event of a failed nuclear deal—the prospect of a crippling cyber attack isn't just a concern for countries like Iran, but one that affects individuals and countries like ours.
"The reason I wanted to tell the story of Olympic Games is not simply because it's a cool spy story," said Gibney. "It's because we as a nation need to have a debate about how we want to use cyber weapons because we are the most vulnerable nation ourselves."
The default invisibility of the virus and its story led Gibney to rely on another device: using an actress performing an on-screen composite of NSA hackers who had spoken to Gibney and his lead researcher Javier Botero on the condition of anonymity. The technique is one he first used in Client 9, in which an actress plays the woman at the center of Elliot Spitzer's downfall. This time, in keeping with the film's theme, we don't literally see the actress: she's represented by data, through the technology of DepthKit, which captures a scene using lasers, enabling editors to go in after the fact, break down the image into its constituent lines and dots and move a virtual camera at will. (Read about how DepthKit has sought to turn itself from art project to business.)
It's another elegant little hack to a challenge that dogs any documentarian or journalist: representing things that can't easily be seen, or the critical thoughts and feelings of people who can't express them openly.
At a question-and-answer session after a recent screening in Manhattan, Gibney expressed some of his own thoughts about the film and cyberwar. (Zero Days opens in wide release on July 8.)
Why make a film about something that's invisible?
This film was suggested to me by [producer] Mark Shmuger, the guy who was one of the producers on my film about Wikileaks, We Steal Secrets. He described it to me as a spy story, and it seemed like an interesting story, but I had no idea when I started how difficult it would be either to get people to talk or to explain what went on in visual terms. So it was a challenge right up to the end. Even the visualization of the character we didn't work out completely until the end of the process.
Inevitably in this case, it was a little bizarre because—it was a little bit like, post-Hiroshima or Nagasaki, somebody saying 'what bomb?'
How do you decide how far into the weeds to go and how to get there?
Usually by the quizzical looks on the faces of those people we show it to in the office. 'What the fuck is this?' It's really trial and error. And sometimes the details are just great. But there was a deeper level we had gone at some point. And that's usually when my editor looks at me and says, 'Dude: forget about it.' I think it's always a balance. Because there's also a narrative and a narrative momentum you have to be concerned about. Hopefully you find the right balance.
How do you pace or prepare for an interview so you don't end up in a no-comment dead end?
To some extent in an interview I will talk around a subject: background, a sense of place, and sometimes I'll purposefully jump around, rather than start out with tell me exactly how Stuxnet was built and who was responsible? But usually we get to those questions. Inevitably in this case, it was a little bizarre because—it was a little bit like, post-Hiroshima or Nagasaki, somebody saying 'what bomb?' It had been widely reported that there was this Stuxnet event, but nobody was willing to comment on it at all, which I felt was really interesting.
What was the process for building your NSA source/character?
I can't say exactly but it was a bit of work over time, where slowly but surely sources became more comfortable in terms of talking, but also coming up with a device that made them comfortable. Part of the rationale for the character was source protection. This was a rationale they could get behind and accept.
It's the classic CIA case, where you have a quick fix for a solution and suddenly there's blowback in ways you can't quite envision.
The film seems to imply that Stuxnet drew first blood, and now we're in for it, because we did it to them, so they're going to do it to us. Is it naive to suggest that Iran or another country wasn't planning their own type of Stuxnet?
I think it's fair to say at least as far as anybody knows, Stuxnet was really the first cyberweapon to cross that barrier from the cyber realm into the physical realm. To create an autonomous weapon that would take over machinery and manipulate it. You know from the story that Iran hadn't even contemplated the possibility of something like that. Their engineers were running around thinking they had screwed up. Once they realized they had been hit by the weapon they started to build a cyber program they hadn't really activated until that point.
Obviously the Chinese and the Russians were tinkering. The thing about the Stuxnet code is that it gave everybody a Rosetta Stone to work from, to begin this escalating cyberwar. I'm not saying the Iranians were developing the nuclear centrifuges at Natanz for good and wonderful purposes. I just don't think their cyber program would have escalated nearly as quickly without the advent of this weapon. It's the classic CIA case, where you have a quick fix for a solution and suddenly there's blowback in ways you can't quite envision.
The film implies that things were going along swimmingly but the Israelis took the code and cranked it up to 11, and then it became too powerful for its own good. What happened after that, and if they hadn't done that, would Stuxnet not have gotten out there or would the nuclear facility not been broken?
We know from the code variations that the version of the code that got out into the wild was after the centrifuges had blown up. So the mission was accomplished—at that point the United States was saying, OK let's cool it now, nobody knows exactly what's happening. And then, the Israelis wanted more destruction. So they adapted the code and then tried to send it back in. Because the code was very virulent in terms of how it replicated, then it spread all over the world. But there was a flaw in the code that started shutting computers down. [That's what tipped off the researcher in Belarus who first discovered Stuxnet.]
The aesthetics of the film: At first it's reminiscent of Standard Operating Procedure, in its exploration of a story that few people want to discuss—but instead of photos you have code.
We worked very hard with the design team at [VFX firm] Framestore in terms of evolving that language as we were making the film. It wasn't something we imposed at the end. We were working very hard all along because we wanted the code to have a kind of character. We also worked with the people from Symantec to make sure—we actually had a copy of the code in the office—we made sure by working with Symantec that the elements of the code we used—and what you see in the graphics are actually elements of the actual Stuxnet code—were accurate to what we were trying to say every step along the way. And we also tried to create the sense of a code that had a certain character, that it was living on its own.
Did you get a sense when interviewing the Israelis and people in our government, as to how much that issue informed the relationship between Netanyahu and Obama?
The origins of the Stuxnet plan start in the Bush administration. Then Obama, like he did with drones, ratcheted it up. So I think it was a contributing factor. I think there were a lot of issues between Netanyahu and Obama, but this was certainly one of them. I think Obama inherited the idea from Bush that the whole notion of the Stuxnet weapon was not so much to attack Iran but to prevent Israel from dropping a bomb on Iran.
How did this affect the Iran deal? One way to look at is, this cost us leverage in that deal, and that ultimately we had to settle for a worse deal. But your source seems to imply the opposite, that everybody was thrilled with that deal.
The sources were thrilled with the fact that they made a deal. This is just a hunch, it's not something I can prove: that Obama knowing that he had Nitro Zeus, which is a far more powerful program [than Stuxnet], that informed the parameters of the deal, because they had an option in case Iran cheated on the deal. So in fact, another way to look at it is, while Obama was roundly criticized both in Israel and in this country for being too weak and not getting a good enough [nuclear] deal, another way to look at is, Obama is sitting there thinking, 'if they cheat, we have a new weapon that's going to make it very difficult for them.'
What did you take away in terms of how serious a moral threat this is? Should these weapons be equated to nuclear weapons?
From a moral perspective I think we should take it extremely seriously. I think that's the point I'm making in the film. Even though the weapons are at a relatively un-advanced stage—even though they're at a stage where they can shut down entire grids—now we should be looking at that. And that I think was actually the reason why a number of the sources came forward, because they were convinced that a number of people at [US] Cyber Command, particularly the military officials at Cyber Command, didn't really have a full enough appreciation of the damage these weapons can do.
Now the nuclear comparison can be overdone. Because when you shut down grids people aren't eviscerated in a thermonuclear explosion. Still, the weapons can be quite damaging because of the destruction they can now wreak on physical command-and-control machinery, and also because so much of that machinery and the controls that manipulate the machines were never intended to be integrated in a way with the internet that would contemplate people hacking in. It was just willy nilly: 'okay, we've got a power plant, let's hook it up to the internet, it will make it more convenient for everybody,' without thinking about what the problem might be ten to twenty years hence. So that is really a big issue.
But I think as a moral issue it's hugely important. Unlike what we ultimately got to with nuclear or chemical weapons, there's no agreement on their use. And the use can be kept very secret because attribution is very hard. Think about how long everybody was arguing about whether the Sony hack was really from North Korea or not. Now we see there have been a number of grid attacks by Russia on Ukraine and so forth and so on. So they're starting. One of the other things I should mention that Liam and Eric made clear to me, when they were first looking at Stuxnet back in 2010: there was one other nation state attack they saw. Now routinely they see hundreds and hundreds every year. It's expanding exponentially.
Maybe the danger is that, it seems so innocent, doesn't seem like a big deal, but it really can be.
Do you think there's a silver lining though, where this is replacing a traditional kinetic method of warfare? If war is fought digitally that somehow it's less bloody than conventional war?
I think it can be, and that's certainly how a lot of the military folks see it. If you look at drones for example, if you discount the bad intelligence and the lack of legal rationale for often how they're used as a weapon of precision, they're far more accurate than the bombs that were dropped on vietnam by B52s.
But I think the danger with Stuxnet is not in the code, it's the damage they wreak on the physical world once they've penetrated that physical world, and how interconnected we all are, and once those support systems shut down, how dangerous that can be. And maybe the danger is that, it seems so innocent, doesn't seem like a big deal, but it really can be.
What do you think about the US indictment of Iranian government hackers earlier this year, and how will it affect how we proceed with cyberwar.
I think it's a show of force, but what would we say if a number of people at NSA's TAO [Tailored Access Operations] were indicted by Iran's Department of Justice? I mean, what's the difference between what the Iranians did from a legal perspective, an international law perspective, and what we did to Iran with Stuxnet? That I think is one of the questions I was hoping to pose with this: How do you reckon with that in terms of international law?
[Launching a cyberweapon to destroy Iran's nuclear program] is certainly a good idea technically if you're afraid that Iran is going to develop the bomb or that Israel is going to bomb Iran and involve us in a nuclear war. Stuxnet is a pretty low cost effective way of stalling an Iranian march to the bomb. But looked at from the perspective of morals or international law, it sets a rather ugly precedent, which is to say: Even though we would regard an attack on critical infrastructure as an act of war, we would nevertheless be willing to do that on another country.
With respect to the moral issue, and the issue of the equivalence between nuclear and cyber, physical has a signature. Did you get into the discussion about signatures and attribution with respect to cyber weapons? Unless you can have attribution it's hard to understand how you could have any agreements.
I think it poses a problem but it's a technical problem that like most technical problems some of the people feel can be solved, you just have to start working at it. Attribution to me though is one of the scarier parts of cyberweaponry, because of the nature of false flags, and things like that where you can be attacked and you think you're being attacked by Russia when in fact it's China or Iran or vice versa. And then you launch a counter attack but it's not against the person who really launched the attack. That to me is one of the scariest things of all.
It's like the idea of encryption. Everybody thinks we've got a technical solution [to surveillance and hacking]—encryption! But we're learning that for everything that'd be encrypted likely there'll be something to decode that encryption. It's an ongoing process, which is why these agreements are so important, because of the escalation of the technology.
Do you think you'll be criticized for the way the film describes the role of Israel in this operation?
I suspect I will be criticized because anytime there's any criticism of Israel sometimes you get blowback. But I think that to me this is a really important object lesson for how that alliance can be extremely problematic, particularly when you're sharing military technology. And Israel, or certain parts of the Israeli defense establishment, and the US have very differing views on how those weapons should be used.
My understanding was that because it was a shared technology, the Israelis contributed quite a bit to the technology itself. And each side had the right to go alone if they so wished. But my understanding was the US made it very clear to Israel that after the explosion of the thousand centrifuges that now would be a good time not to push it because the Iranians still didn't understand what was going on. The Israelis or certain portions of the Israeli government decided no, that was not a good idea, and pushed forward.
Describe your level of paranoia before and after making this film.
Extreme—extremer. One of the things I'm learning now about cyberweapons is their increasing sophistication. It was reported recently by David Sanger that one of the weapons we're using against ISIS—that's by the way one of the first times the US is coming forward—now they're talking about changing text and information so that when you send an email—imagine saying 'I love you'—it comes out 'I hate you and I'm going to kill you.' That's kind of a scary thought.