It’s been six years since we discovered Stuxnet, the worm that infected Windows PCs worldwide and was eventually traced to the US and Israel as a way to attack Iran’s nuclear program. It was the first time a cyberweapon was used to attack a physical location (it disabled uranium-enriching centrifuges by causing them to spin out of control), and it sparked a series of cyberattacks from governments all over the world. Alex Gibney, the acclaimed documentarian behind films like Taxi to the Dark Side, Enron: The Smartest Guys in the Room, and the recent Steve Jobs: The Man in the Machine, decided to dive into Stuxnet’s legacy with his latest film, Zero Days. I sat down to chat with him about the film, together with Symantec researchers Eric Chien and Liam O’Murchu.
Why make a film about Stuxnet now?
Alex Gibney: I have a habit, I guess, of going in after big stories and trying to find out a little bit more about them; doing a deeper dive. Sometimes, in the kind of relentless 24-hour news cycle, a simple and easy narrative develops and then you just move on without understanding the broader implications. It seemed to me this story had legs.
What were you hoping to add to the conversation?
Gibney: To really take stock of this idea that it was a crossing of the Rubicon, as [former director of the NSA and CIA] Michael Hayden said. It’s a kind of a moment that changed everything, that launched us into a new era. That’s what I was trying to get at.
Eric and Liam, what convinced you cybersecurity researchers to participate in this film?
Liam O’Murchu: I like the fact that Stuxnet ties into a bigger picture. At the time when we analyzed it, it was a unique beast and we didn’t see too many other [cyber] threats that were driven by governments. Whereas now we’re tracking over 100 operations run by governments and we see them all the time. So although Stuxnet is a standalone piece, it’s a beacon of how things have changed and how progressing towards cyber war actually fits into a much bigger threat landscape.
Alex, you’ve covered traditional warfare in your previous films, how is covering cyberwarfare different?
Gibney: There’s an interesting aspect to it, in the sense that some parts of it are very different. This idea that you’re using spyware, and out of that spyware comes the ability to manipulate the physical environment. Once you get to the physical environment, then things are similar. That’s like sabotage. And also, these kinds of attacks are also surrounded by human intelligence. So it’s really interesting because it’s creating damage in the physical world, but it’s a weapon system really coming out of the intelligence world, both in terms of signal and human intelligence.
A technician at the Uranium Conversion Facility in Tehran, Iran.
You’ve related the rise of cyberwarfare in the film to the rise of nuclear weapons. How is it different?
Gibney: That can be overdrawn. When you drop an atomic weapon on a city, we know from Hiroshima and Nagasaki what’s going to result. And it’s horrific. I think in many ways cyberweapons are not that brutal at all. Nevertheless, once you start talking about messing with critical infrastructure, which can be things like changing controls in a high speed train or poisoning a water filtration system, you have the potential for consequences that are vast even though they don’t have that visceral destructive, explosive capability that atomic weapons do.
Eric and Liam, do we have a decent understanding of cyber weapons at this point?
Eric Chien: The capability will likely grow. Even when we look at Stuxnet, when we began researching it in 2010 we found traces going back to 2006. So already, then, we were potentially four years behind what the known capabilities are. There are likely things out there that haven’t been discovered, that are more advanced.
I think the unfortunate thing, to be frank, is that to cause an impact — to cause potential destruction to critical infrastructure — it doesn’t require any more capabilities than what we have today. The Ukrainian power grid went out in December, and the attack was believed to be from Russia. This is already possible today.
Gibney: I think that one of the surprises for us [was] we started this as a story about Stuxnet. We didn’t know that along the way we would discover Nitro Zeus, which is a much more potent attack which involves basically shutting down a country. As someone says in the film, the cyberwar science fiction scenario is here.
Stuxnet was a massive weapon that we kind of had to let go, we couldn’t exactly control how it acted once it was in the wild. Is that something we have to think about in terms of cyberwarfare, constructing something that hopefully does what you tell it?
Chien: I would hope now that we’ve had Stuxnet that people would make good conscious choices. Stuxnet was a case where someone made a choice and decided we’re going to make this autonomous, more aggressive, and we are willing to have collateral damage. Stuxnet could infect any Windows machine, anywhere in the world that was connected to the internet. That’s a lot of collateral damage to go after a single target.
It’s been six years since you began researching Stuxnet, Eric and Liam. What have we seen since?
O’Murchu: We’re seeing a lot more in that threat landscape of just general government malware infecting all sorts of systems. We see a lot of espionage, actually. We see a lot of particular categories of companies being targeted, like chemical companies, defense contractors, aerospace. We also see preparation, some threats where countries are getting into crucial networks like those control systems and leaving backdoors behind, so that at some point in the future they can come and use that.
Chien: When you come from zero, everything we see now is new. We continue to see things that, to be frank, astound us. You might remember the Swiss bank attacks, where one billion dollars was being attempted to transfer. That’s been traced back to be connected to the Sony wiping attacks, which the US government tied to North Korea. Now you potentially have North Korea potentially transferring one billion dollars to themselves, which would be the first time a nation state just tried to steal money via a cyber attack.
Stuxnet is kind of an open secret: everyone knows who the players were. But the US government hasn’t admitted to it, and hasn’t talked about it. Why do you think that is?
Gibney: The obvious reason is that it was designed originally as a covert operation. It was a CIA and Mossad operation. That’s something I didn’t fully appreciate when I started this story. So by nature it’s covert. But the frustrating part is because of this momentum of over-classification, once the operation was blown it’s the refusal to talk about that that seems so appalling. Because you can’t begin to start talking about the capabilities of these weapons, and what we’re going to do about them in the future.
Even more disquieting than the refusal to talk about Stuxnet, because nations play these games all the time, well if we say we were responsible officially, then the Iranians can hold us to account officially for attacking their critical infrastructure. If we never say it, just like the Israelis have never admitted they have nuclear capabilities, we all know that they do, but at some point it becomes ridiculous, like the Emperor’s New Clothes.
It’s particularly problematic though when you can’t even talk about cyberwar or weapons. So you can’t look on the budget of the American government and see how much we’re spending on cyberweapons, it’s secret. What kind of cyberweapons do we have? It’s secret.
That’s the part that’s disquieting, because you don’t know what kind of risk we’re putting others under, and you assume that other nations have these nations and they’re training them on us, so we don’t know what risk we’re under.
Can you talk further about the need to speak openly about cyberweapons? What do you think we have to gain by opening up the conversation?
Gibney: Rules of the road. Like I said, when we started the Stuxnet story, it was a technical story about a gadget, or a kind of malware. What can it do? But the larger questions that usually remain unanswered are the legal and moral questions. A good analogy can be drones. We can agree that weaponized drones are far more accurate than the bombers we used in the Vietnam war, or even the bombers we have today. But under what conditions are they used? What kind of people are they taking out? Our “signature strikes” are the kind of thing where you see a group of young men together and assume they’re bad guys, so you kill them.
What’s the legal rationale for that, and what’s the blowback? Do other people feel they now have the right to do the same thing we’re doing? So it’s those issues surrounding cyberweapons that haven’t even really begun to be examined, and that’s why you have rules of the road. Seems like [now], well you have a war so, just do whatever damage you can do. But there are rules of war. There are laws of war. They’re there for a reason, to constrain and limit the damage from this kind of thing and prevent, you know, chaos.
Knowing everything you know now about Stuxnet, do you think it was a good idea?
Gibney: Knowing what we know now, no, I don’t think it was a good idea. Having said that, it was a brilliant weapon as it was conceived, in terms of having a limited impact. But so often with these weapons, the immediate fix is what people focus on. That’s the challenge. How do you keep Israel from bombing Iran? Well, how about Stuxnet. How do you keep Iran from developing a bomb? Well, Stuxnet, good idea: It’ll delay them.
But look at what happened afterwards, nobody thinks about the unintended consequences. So the Iranians ratcheted up their nuclear capability. They ratcheted up their cyber capability, and now we have a kind of weapon and a use. That is to say, it was used outside the laws of war, so that now we have chaos.
Do you think the US government has learned anything from this fiasco? That is, partnering with someone to build and use a tool, and it ends up blowing up in their face.
Gibney: It’s hard to know what they’ve learned, because so much is secret. We did have [NSA director] Michael Rogers recently admitting to the use of cyberweapons against ISIS. I find it interesting he admitted it against ISIS, because ISIS is sort of the international pariah, you can do anything to ISIS. But we’ve not really admitted the fact we’re putting implants all over the world, or those countries are putting implants here. Those are the kinds of discussions we’re still not having, even as I understand it, with our elected representatives who are supposed to be more in the know.
The Obama administration has talked a lot about transparency, but meanwhile it pushed forward on secrecy and making Stuxnet even worse.
Gibney: The Obama administration on secrecy has just been appalling, absolutely appalling, both in terms of the number of secrets they keep and the punishments being meted out for people who leak. It’s an odd thing. You’d think, if you’re the Obama administration you’d say this stuff is supposed to be secret and we’ll prosecute people. But for a long time there was an intentional balance between secrets and leaks, because that’s part of the democratic process. Because ultimately, if everything the government does is secret, how is there going to be any accountability?
You were able to get fascinating people to talk about Stuxnet, you even got [former NSA/CIA director] Michael Hayden. Was it difficult to convince them to participate?
Gibney: Michael Hayden is becoming increasingly expert at talking about just about anything, but he had some insights that I never expected. Particularly regarding the Bush administration, of which he was very much a part. I found it interesting from the US perspective, he implies, that Stuxnet was developed not to stop Iran from getting the bomb, but to stop Israel from bombing Iran, which inevitably would have embroiled us in a third war in the Middle East.
Despite the Stuxnet blowup, it does seem like a better outcome than Israel trying to attack Iran.
Gibney: Yes, so from that technical standpoint Stuxnet, you could argue, was a good idea. It’s just the implications of launching that kind of weapon without thinking about the ramifications down the road, and what kind of precedent it set.
We’re seeing surveillance normalized in society, it almost seems like cyberwarfare is getting there too. Is there a danger in that?
Chien: I think the real danger is that people are mostly unaware. I’m not sure we’re in a position right now where everyone is well aware of it, the impact and are okay with it. I think we’re at a stage well before that, where people simply aren’t aware and aren’t aware what are the possible long-term consequences.
Photo credits: Iranian nuclear facility/AP Photo/Vahid Salemi