“Science fiction cyber-war is here”: Alex Gibney on “Zero Days” and Stuxnet, the secret weapon that got away

Alex Gibney has made documentaries about Enron and the Church of Scientology and pioneering gonzo journalist Hunter S. Thompson and Jack Abramoff, the über-lobbyist who corrupted American politics more than any other individual. (That film went almost unnoticed by the larger world, which tells you something. It isn’t something good.) Most notably, Gibney won an Oscar for blowing the whistle on the Bush administration’s torture policies with the devastating exposé “Taxi to the Dark Side,” one of those “Inconvenient Truth” moments when a documentary can shift public opinion and shape policy.

But none of Gibney’s movies since that one, and perhaps none at all, have explored a secret as deeply buried or as important as the one he explores in “Zero Days,” which just opened in New York and Los Angeles with wider national release to follow. As he explains it now, Gibney set out to make a “small film” investigating a strange news story that many of us noticed around 2010 and rapidly forgot about again. (Quite likely because it was too troubling, and too difficult to understand.) That was the discovery of an anomalous piece of computer malware that data engineers dubbed Stuxnet, which was far more sophisticated than those used in ordinary cyber-crime attacks and had shown up in computer systems all over the world.

It rapidly became clear that Stuxnet had to be the work of a “state actor,” to use the relevant term of art, rather than the work of hackers in Estonia or East L.A. who simply wanted to steal credit card numbers or make a political statement. Some intelligence agency somewhere had designed and perfected Stuxnet to perform a particular purpose. But who was that, and what was it meant to do? In “Zero Days,” Gibney shows a clip from a Senate hearing at which Sen. Joe Lieberman asks Seán McGurk, who then headed the Department of Homeland Security’s cybersecurity unit, exactly that question. McGurk assures Gibney during a subsequent interview that he was telling the truth when he responded that he didn’t know who had designed Stuxnet, and what its real purpose was.

He wasn’t meant to know, of course, because Stuxnet — or Olympic Games, to use its NSA codename — was a secret weapon built by the United States government. To get more specific, it was a weapon jointly designed by U.S. and Israeli intelligence, meant to infect the supposedly secure computer system at Iran’s nuclear enrichment facility. It targeted a specific brand and model of electronic controller called a PLC, in effect overriding the unit’s safety features and causing nuclear centrifuges to spin out of control until they broke apart or exploded.

O.G., as NSA technicians called it, had done its job, perhaps delaying Iran’s nuclear program for a year or more while engineers struggled to figure out what diabolical gremlin was causing repeated failures and breakdowns. As one Israeli general observes in the film, it was a weapon of ingenious design, meant to remain invisible and cause the Iranians to question their own capabilities. But the Israelis, at least according to the story told by anonymous NSA sources in “Zero Days,” wanted more. So against the wishes of their American partners, and perhaps without their knowledge, Israeli intelligence designed and released a juiced-up version of O.G. known as Nitro Zeus, which spread itself from machine to machine and network to network far more aggressively.

It was that second, Israeli-modified version that escaped from containment, infected computer networks all over the world, and introduced all of us to the idea that cyber-warfare was more than a metaphor or a science-fiction plot device. That was the one that became known as Stuxnet, after an enterprising computer engineer in Ukraine identified it and technicians at Symantec spent months picking it apart. And as with nuclear weapons and chemical weapons and drones, once the genie was out of the bottle there was no way to put it back.

Within months, Russian intelligence and Chinese intelligence and Iranian intelligence were using the revelation of Stuxnet to design their own cyber-weapons with real-world effects. Since 2012 there have been several waves of cyber-attacks on American and European banks, variously blamed on the Iranians, the North Koreans and “non-state actors” who may or may not be allied with those governments or with terrorist groups. Essentially your tax dollars and mine paid for the development of a secret weapons program that has never been the subject of public discussion or debate, which was then used against a country with which we are not at war, with little consideration of what the blowback or long-term consequences might be once it wasn’t a secret anymore.

Cyber-warfare is not the sexiest or most photogenic form of warfare, and is poorly understood by the public. But that’s pretty much the point. “Zero Days” is a weapon too, arguably, or at least a tool meant to pry open the lid on this issue and enable discussion of an extraordinarily dangerous issue that is likely to define international conflict in our century. I spoke to Gibney on the phone just before his film opened in New York.

Alex, you obviously had a lot of trouble getting anyone in the intelligence community to talk about Stuxnet, or O.G., as they called it. How have folks in that world responded to the film?

Well, it’s about the same response I got when I asked questions. There’s been kind of a deafening silence. I don’t know quite how to interpret that. There’s part of me that thinks they’re pissed off and horrified about another leak. There’s part of me that thinks that this was the kind of leak that they like, particularly in the Obama administration, because it shows them being tough. It’s hard to know.

This strikes me as one of the most important issues that you’ve covered in a film, but also one that is particularly difficult to summarize, and for people to get their heads around. Do you think that’s true?

I do think that’s true. When people start to think about computer code their eyes kind of glaze over. It doesn’t feel like it’s flesh and blood, even though the implications are pretty profound. I think it’s kind of getting into that weird territory where suddenly we realize how connected we are, and therefore how vulnerable we are in a way that nobody ever thought about before. One thing I heard last night was they’re now teaching people in the Navy how to navigate by sextant again. The reason being that they figure during a conflict all the sophisticated electronic communications will be jammed or shut down or compromised by malware, and they’ll need to go back to the old school.

Right. I think you’re making the case here that this is really about the interaction between computer networks and the physical world. Which has always existed and to some degree was always the point. But people have this reaction, “Oh, they’re gonna steal my data. Big deal. I can get a new credit card tomorrow, and who cares if the government reads my email.” And this is about something ultimately much bigger and more threatening than that.

That’s right. And that’s what Stuxnet was. That’s the origin story of Stuxnet. There were other kinds of cyber-attacks and cyber-weapons prior to Stuxnet, but Stuxnet represents the Zero Day, in a more metaphorical sense, meaning the moment when code crossed the threshold from the cyber realm to the physical realm and started taking control of machines. That’s the vulnerability that nobody really ever thought about. The idea that we had all of this infrastructure and all of this machinery but we blithely connected it to the internet, thinking, “Oh, that’s a really good thing. It’ll make it more efficient.” But it also made it much more vulnerable.

So yes, it’s the connection between the cyber world and the physical world that makes these weapons so powerful. That and the fact that — I think Michael Hayden [former head of CIA and NSA] makes this point in the movie — because it comes out of the espionage world, there’s almost the de facto view that it should be secret, and then it’s both a spying tool and a weapon. And that’s also a little bit scary. So it’s taking the spying element, which we know from Snowden and all of that, but taking it one step further.

Yeah. There’s the point made by Richard Clarke, who was the counterterrorism czar under George H.W. Bush and Bill Clinton. Ultimately we decided, as a society, that biological, chemical, and nuclear weapons were so dangerous that they demanded political control and a fairly high degree of transparency. How do you deal with that in this case, when you’re talking about weaponized computer code? It’s uniquely difficult.

It’s very difficult in this case, because of what the Symantec guys point out [in the film], which is that it’s very hard to do attribution in cyber. On the other hand, it’s not impossible, and I think Richard Clarke’s point is a good one. A lot of people said the other agreements [on other types of weapons] were impossible also. What would happen if people breached those agreements? And so on. There are technical solutions, but beyond that, the bigger problems here are moral, legal, and precedential. You can look at Stuxnet and say, “What a brilliant device. How clever. How genius to upend the Iranian nuclear system to forestall Israel from bombing and to do so with a device that is so smart and so secret and uses that ‘Ocean’s Eleven’ capability to make the Iranians think that it’s their fault.” Genius!

But not so genius when you put it in the context of having launched a weapon and having used it at a moment where now everyone can do it. And we’ve established a norm of behavior that’s not a particularly good one, which is, as Gary Brown says, “Do what you can get away with.” I don’t know if you noticed this in the news, but the Department of Justice charged a number of named Iranians in the cyber attack on U.S. banks. Well apparently, there are a lot of people in a different side of the government of the United States of America who were extremely concerned about that because they expected at any moment a number of named individuals at the NSA to be charged by Iran for the Stuxnet attacks.

How do you respond to people who say, “So the U.S. and Israel launched this attack on Iran to disable their nuclear weapons program? That’s great! What’s the problem?”

The problem is always the unintended consequences. You see this over and over and over again — it seemed like a great idea at the time to arm the Mujahedeen so they could start shooting down Russian helicopters. It didn’t seem like such a great idea when those weapons suddenly found themselves in the hands of the Taliban.

Likewise with drones; it seemed genius. We’ve got weapons that are so precise. They’re not like bombers. They can target individuals. And, by the way, we can get them in out-of-the-way areas that otherwise wouldn’t be remotely reachable, and we’re taking out bad guys who were gonna do us harm. Sounds good, until you start taking out civilians and setting in motion a blowback against a policy of targeted assassination and that becomes a recruiting tool.

In the case of Stuxnet, the genius of the device is unquestioned. It was brilliant. But the issue is more what it sets in motion and then the secrecy surrounding it, particularly after the operation is blown, that encourages other nations to follow suit, to say, “OK, we’re gonna develop our own secret cyber program and we’re gonna start putting implants in the U.S.” And guess what? We’re the most vulnerable because we’re the most interconnected. It was a good technical solution. It was not a good diplomatic, legal, or long-term strategic solution.

Perhaps the most explosive part of the film comes in an allegation made by one of your anonymous NSA sources — I take it that it was multiple sources who are being voiced by the actress in the film? Roughly how many people?

I’m not going to say how many people.

OK. A plural number?

A what number?

A plural number. More than one person.

Yes, more than one, exactly. And more than two. And by the way I should note that the device we invented, and we invented it along the way, was one of the reasons that number of people felt comfortable enough to come forward.

OK. I was asking about the allegation that the Israelis took Stuxnet and concocted a more powerful version, without the U.S. side knowing they were doing that. And that more lethal version is the one that escaped from containment and infected computer networks all around the world. That’s pretty explosive. Have you been able to fact-check that in any way? Is that even a fact-checkable claim?

Yes. It’s not … I didn’t get anybody to say it in a way that was attributed, but we checked with a number of sources, both here and in Israel, and pretty rigorously cross-checked it a number of different ways. I guess that would be the best way to put it. It seems to be the case that that’s what happened.

So you feel fairly clear on that one? That’s not the NSA or CIA trying to cover its tracks and blame somebody else?

Yeah, I think so. I mean, there were people who said that it didn’t happen that way, but we confirmed with a number of key and credible sources, without coordinating them, in ways that made us very confident that we were absolutely correct on this.

The other thing we discovered was that according to the terms of the agreement on this covert operation, the U.S. and Israel each had the right to make changes in the code on their own. Israel had the right to do what they did but, so far as we know, the U.S. was very much urging them not to.

Once the attack on the [Iranian] centrifuges had happened, the U.S. had already done a bit of clean-up on code that had gotten abroad and they strongly urged Israel not to pursue a more aggressive version. It was the delivery system that became much more aggressive, and the [American] concern was, if it gets out, that’s a bad thing. And for the moment it had done its job. But there is a view that — and I don’t know precisely the motive, whether Netanyahu wanted to blow stuff up or whether they wanted to send a message to Iran — the Israelis wanted to say, look, we can fuck with you this way just the way we fuck with your nuclear scientists. [It is widely believed that the Mossad assassinated an Iranian nuclear scientist and tried to kill another.] In any event, Israel decided they wanted to send a bigger message. So it raises questions, really, about this issue of shared intelligence and shared technology with a country that doesn’t necessarily share our strategic goals.

Yeah, and has shown a willingness to — I don’t want to put words in your mouth, but let’s say a country that has shown a willingness to try to distort our policies and our strategic goals to conform to its own.

Correct, and that’s something Michael Hayden says in the film which really surprised me. When they were presenting scenarios to George W. Bush after he was already in Iraq and Afghanistan, they figured that if Israel went and bombed one of the nuclear facilities in Iran, that the Israelis didn’t have the capacity to destroy Iran’s nuclear facility. They just had enough capacity to draw us into a war with Iran, which we did not want to get into. And they perceived at the time that would have been the goal of such an attack.

Right. That’s a big moment, to say the least. It’s clear from the way you construct this film and your responses within the film there were certain aspects of the story that surprised you or that you did not expect. What was the biggest of those?

The biggest was the revelation about Nitro Zeus. [That was the codename of a far more ambitious program launched by the NSA and U.S. Cybercommand aimed at shutting down much of Iran’s infrastructure. CORRECTION: In an earlier draft I suggested that it was identical with the Israeli version of Stuxnet. That’s not true.] The fact that things had moved so far so fast, so that this one device that was limited to a PLC relating to nuclear centrifuges had now become a massive piece of malware that was capable of shutting down a country’s grid, that was a shocker to me. It meant, as someone says in the film, that the science fiction cyber-war scenario was here.

The other thing that shocked me — well, it didn’t shock me, but it’s a huge problem now, is this kind of idiotic overclassification. Where so much is secret, it shouldn’t be surprising that we have Chelsea Manning and Edward Snowden, because there are so many secrets so rapaciously kept. It’s not a good thing. It’s actually putting us more at risk; it’s making officials in the government utterly unaccountable. So you have this weird kind of emperor’s new clothes situation in reverse, where you know stuff is going to happen and people aren’t willing to see it. Yes, it’s a covert operation and it’s been blown and it has enormous consequences. It’d be like Truman saying, after Hiroshima and Nagasaki, “What bombs?”

It’s analogous to the way — and I bet you’ve had this experience before — that no one who has ever worked in the intelligence community, to this day, can talk about Israel’s nuclear program. Which has to be the worst-kept secret in the history of secrets. I can go to the public library and get books about how and when and where Israel developed the bomb, but a retired CIA agent has to pretend he or she never heard of any such thing.

Right, how bizarre is that? That’s why I went out of my way to show footage of the Dimona plant in Israel. Which you can drive by on the highway. It’s an open secret. But officially, you’re not allowed to photograph it. That reminds me of what happened when I went down to Guantánamo in 2006 and we were taking some establishing shots. We pointed our camera in one direction and our minder said, “You can’t shoot that mountain.” I asked why not and she said, “That mountain is classified.” [Laughter.] Even the lieutenant who served as our liaison was like, yeah, that’s ridiculous. So we all got on the computer and looked it up on Google Earth.