When most of us think about computer hacking, we picture Julian Assange leaking government secrets or a shadowy, bad-shave crook in some former Soviet republic hoovering up credit card info from a chain store. But while folks like these do stir up all manner of trouble, a much deeper danger lies elsewhere.
That danger is the theme of Zero Days, a chilling new film by Alex Gibney, who sometimes seems to turn out documentaries as quickly as tweets. This latest one may be his finest and most important, for it doesn't merely tell an exciting story about using a computer virus to wage black ops against Iran. Filled with juicy historical tidbits, it keeps expanding its frame of reference to reveal one of the looming but invisible threats of the digital age.
Gibney begins in 2010 in Belarus, where a computer security guy comes across a highly infectious new kind of malware — dubbed Stuxnet — that is dazzling in its complexity. Soon, computer whizzes, journalists and even our Department of Homeland Security are working overtime to understand this self-replicating virus that takes over every PC it touches.
Stuxnet is just too big, too perfect and too untraceable to be the work of anything less powerful than a national government. But who created Stuxnet — and why?
Even today, no country admits involvement. But following the lead of New York Times reporter David Sanger, who broke the story, Zero Days establishes in thorough, sometimes groundbreaking detail that Stuxnet was a joint project of the United States and Israel designed to sabotage Iranian attempts to get the atomic bomb.
Stuxnet stealthily took over computers at Iran's Natanz nuclear plant and directed its centrifuges, which create weapons-grade atomic material, to self-destruct without its technicians being able to do anything about it. This operation was so secret that Sean McGurk, America's then-cyber-security czar at Homeland Security, didn't know about it. It didn't even occur to him to think the U.S. might be behind it.
Stuxnet is a great story that brims with great talkers, from Israeli intelligence bosses to NSA employees whose identities must be hidden for their protection. You've got Eric Chien, head of security for Symantec, who's so lucid and charismatic you'll never call computer guys geeks again. You've got the entertaining Richard Clarke, former head of counterterrorism for Presidents Clinton and Bush, who specializes in smiling through his rage. And you have avuncular Gen. Michael Hayden, whose cheery, almost cute manner belies a heart that pumps iron filings — this dude ran both the NSA and the CIA.
Zero Days would be worth seeing just for its account of the Stuxnet operation, which boomerangs when Israel pushes things too far, much to American dismay, and Iran does some cyber-mischief in the U.S., just to remind us that two can play this game.
But Gibney doesn't stop there. He expands his focus, showing that the implications of the story are far huger than one might think. You see, in launching this cyber-attack on a foreign country, the U.S. and Israeli governments brought something new into the world. Indeed, Gen. Hayden compared this to dropping the bomb on Hiroshima, noting that once America does something, other countries think that sets the standard of behavior.
These days many countries possess the capacity to wage cyberwarfare, taking down the financial system a la Mr. Robot, sowing chaos by seizing control of mass transit systems and even weaponry, or inflicting deadly damage by shutting down power grids and sabotaging water supplies. Naturally, America has programs in place to do this kind of thing, which doesn't exactly inspire restraint in our global enemies.
If this isn't scary enough, there's no cyberwarfare equivalent to the treaties governing nukes and germ warfare. Although President Obama has talked of the need to negotiate international agreements, it's not clear how you monitor a digital weapon that can be hidden on something no larger than a thumb drive. And because all these cyber programs have grown up in the dark — which is how intelligence agencies like them — the public has had little knowledge of, much less influence over, their shape and purpose.
But after Zero Days, we can no longer say that we haven't been forewarned. Gibney makes it clear that we must start pressing our leaders to negotiate treaties banning it — and to do so before it's too late. After all, if history has taught us anything, it's that, when a new kind of weapon is created, people will use it — unless you find a way to stop them.