HARI SREENIVASAN: Now: A new documentary lays out a sobering view about the use of cyber-warfare, a future that’s accelerated since intelligence agencies sabotaged Iran’s nuclear program.
The film, called “Zero Days,” opens in more than a dozen cities tomorrow and will be available online.
Its director stopped by as part of the recent AFI Docs festival.
Jeffrey Brown has our conversation.
JEFFREY BROWN: The 2010 cyber-attack on an Iranian nuclear facility dubbed Stuxnet, the first question was, what exactly was this sophisticated weapon, the second, who created and carried it out, and in the years since, many new questions have arisen about cyber-warfare and the new world we live in.
The documentary “Zero Days” pulls together what happened with Stuxnet and since.
Alex Gibney, Academy Award-winning documentary maker of numerous films, joins me now.
Welcome to you.
ALEX GIBNEY, Director, “Zero Days”: Thank you.
JEFFREY BROWN: Why was this a subject you wanted to tackle?
ALEX GIBNEY: It seemed like it was a story that was about the Internet and the militarization of the Internet, but wasn’t properly understood. And I certainly didn’t understand it, so it made me want to dig in.
JEFFREY BROWN: Remind us briefly what Stuxnet was and how you figured out a way to capture it.
ALEX GIBNEY: Stuxnet was a piece of malware that was self-replicating.
So it didn’t — you didn’t have to click on it in order to cause it to spread from computer to computer. But it was unique, in the sense that it crossed the threshold from the cyber realm to the physical realm. And it was introduced to the Iranian nuclear facility in Natanz, and it took over the machines there that controlled the centrifuges and caused the centrifuges to spin wildly out of control until they blew up.
But, interestingly, it had an “Ocean’s 11” kind of component, which then relayed a message to the engineers that all was well, so it sowed tremendous doubt in the minds of the people at Natanz.
JEFFREY BROWN: So, there’s — the beginning, the first part of your film is this detective story. You go to cyber-security experts.
And I want to show one clip where two of them are sort of trying to figure out what it is and where it might be, what it might be aimed at. Let’s look at that.
MAN: It spread to any Windows machine in the entire world. We had these organizations inside the United States who were in charge of industrial control facilities saying, we’re infected, what’s going to happen?
MAN: We didn’t know if there was a deadline coming up where this threat would trigger and suddenly would like turn off all electricity plants around the world or it would start shutting things down or launching some attack.
MAN: We knew that Stuxnet could have very dire consequences, and we were very worried about what the payload contained. And there was an imperative speed that we have to race in trying to beat this ticking bomb.
Eventually, we were able to refine this really, and we saw that Iran was the number one infected country in the world.
MAN: That immediately raised our eyebrows. We had never seen a threat before where it was predominantly in Iran.
JEFFREY BROWN: How do you capture something like this, right? These aren’t bombs that go boom. These are things that we can’t see. This is the digital world.
ALEX GIBNEY: We had three approaches that really helped us tell the story.
One is, we had two detectives. It became a detective story. And our two detectives were the cyber-security experts from Symantec. And they led us through the weaponry a step at a time. And so it revealed things like a detective story.
Two, we worked in partnership with a great special effects and graphic company called Framestore. Our main character is a piece of code, but we made it live and breathe as if you’re inside it. And we used elements of the real code, so it’s 100 percent accurate in terms of how we portrayed it.
The last thing was, we did have a number of people who came forward to reveal information that was classified that was of a kind of a shocking nature. In order to protect their identity, we came up with a means of a kind of cyber-generated character who spoke their words.
JEFFREY BROWN: Yes.
One of the running themes throughout the film is, of course, secrecy.
MAN: I don’t answer that question.
MAN: Unfortunately, I can’t comment.
MAN: I do not know how to answer that.
MAN: Two answers before you even get started: I don’t know, and, if I did, we wouldn’t talk about it anyway.
JEFFREY BROWN: No one wants to talk about this.
ALEX GIBNEY: That’s right.
JEFFREY BROWN: And that’s the nature of this new weapon system that you’re up against.
ALEX GIBNEY: I think it goes beyond it.
We can all accept a certain amount of secrecy, particularly when you’re protecting agents in the field and when human life is at stake, but I think, in the case of cyber-weapons, we have a whole new generation of weapons. It’s a whole new kind of warfare that is being practiced in the field, both by us and against us, and yet we’re not allowed to talk about them.
People at a very high level won’t even admit that there was, A, a Stuxnet, that the U.S. and Israel were involved, and, thirdly, that we’re using these offensive cyber-weapons routinely and that they’re also being used on us. That, it seemed to me, was a really big problem.
JEFFREY BROWN: Some people would argue, I think, that the program, Stuxnet in particular, achieved its purpose, at least in the sense of bringing Iran to the negotiating table.
ALEX GIBNEY: The Stuxnet worm did accomplish a very targeted short-term goal, but in its release — and we tell the story of how and why it was released into the world — it started a new arms race that has destabilized the world that it was intended to secure.
JEFFREY BROWN: And, to that end, in the last part of your film, you have various experts talking about the potential uses against us of these cyber-weapons. How fearful, in other words, are you after watching…
ALEX GIBNEY: Well, I’m fearful because I don’t think that the current administration or the previous administration have taken seriously enough the need for a kind of international regulatory system, the way we have with nuclear weapons.
And, furthermore, they seem to be emphasizing deterrents through offense, secret offense, rather than defense, and they’re not telling us about the dangers. You know, recently, for example, there was a shutdown of the Ukrainian electrical grid, or a big part of it. And we’re pretty sure that it was the result of Russian malware, a kind of new hyper-version of a Stuxnet.
Well, that could happen at any time with us, and nobody’s more vulnerable than we are, because we’re so deeply connected via the Internet. It’s particularly disquieting because we’re not allowed to talk about it.
JEFFREY BROWN: The new film talks about it, “Zero Days.”
Alex Gibney, thank you very much.
ALEX GIBNEY: Thank you.