What does war look like when the weapons are invisible?
So goes this era’s unofficial-official cyberwar, in which lines of code are the new Kalashnikovs, holding enough power to cripple infrastructure, and even kill.
At least that’s what Alex Gibney claims in his new film, “Zero Days.”
The Oscar-winning director’s chilling documentary looks at the global threat posed by computer viruses and other kinds of malware. Through interviews with government sources, security experts and David Sanger, the New York Times reporter who broke the story, “Zero Days” tells of a joint U.S.-Israeli mission to cripple Iran’s nuclear program. And it makes an argument for the potential for computer hackers to transform warfare as we know it.
“They can undo all the complex actions we’ve come to depend on in modern life,” said Gibney in an interview. “If the power goes off or the water is no longer properly filtered for weeks or months, that’s a huge problem. And people will die.”
The New York Times covered the Iran hack — eventually known as Stuxnet — on its front page. “60 Minutes” ran a segment in 2012. But unless you’re deep in the intelligence or hacker worlds, chances are you don’t have a clue about its scale or its implications.
Gibney posits that the United States and Israel used infected flash drives to infiltrate Iran’s uranium-processing facilities. The plan worked, at first. Centrifuges started exploding, and Iran had no idea it was being hacked. But according to Gibney’s film, Israel became overzealous, introducing an even more aggressive form of the virus. And that’s when it spread to computers around the world.
In 2010, a security contractor in Belarus noticed the virus, posted it to a forum, and soon everyone from Iran to the Times became wise to the gambit.
But in “Zero Days,” almost everyone on camera acts afraid to utter the word “Stuxnet,” too spooked to divulge classified secrets. Michael Hayden, the former head of the CIA and NSA, says he wouldn’t tell Gibney if he did know. The only ones in the film unafraid to be candid are the engineers Eric Chien and Liam O’Murchu, of the anti-virus firm Symantec, who traced the virus back to the government.
All this cloak-and-dagger is worrisome, according to Gibney, who previously took on issues such as the military’s use of torture (“Taxi to the Dark Side”) and Scientology (“Going Clear). It took two years to get anybody to speak; many fear being prosecuted for revealing classified information.
“They felt that the obsession with secrecy was doing more damage than good. It’s preventing debate,” he said. “Without understanding what’s going on, how can people make informed decisions?”
In addition, when there is a strike, secrecy makes it harder to figure who’s to blame. “When a missile is launched or a bomb, you know who’s done it. In the case of this kind of malware, attribution is very difficult,” said the 62-year-old native New Yorker. “Code can sometimes introduce a false flag or try to fool the victims about where attacks are coming from.
And according to the documentary, cyberwarfare is already happening. During a June panel at the film festival AFI Docs, moderated by Washington Post film critic Ann Hornaday, Symantec’s Chien said, “We are tracking hundreds of campaigns that have nation-states behind them.” In March, the Department of Justice indicted seven Iranian nationals for their alleged cyberattacks on U.S. banks.
Could all this cyberwar talk be exaggerated? Bruce Schneier, a security technologist and chief technology officer of Resilient Systems, as well as a fellow at the Berkman Center for Internet and Society at Harvard University, said yes.
“This is not an existential threat,” added Schneier, who has not seen the film. “The name I have for this is movie-plot threat.”
Schneier says the masses shouldn’t be worried about this affecting their lives — and he bristles at the term “cyberwar” for being an undefined overgeneralization.
“Yes, there’s way too much secrecy in our society,” Schneier continued. “There is value in keeping some things classified. But there’s a lot of overclassification.”
Gibney maintains that the goal is getting the public to understand the stakes — not incite fear. After Nagasaki and Hiroshima, “there was a palpable enough sense of the damage that could be caused, and the enormous loss of life that could result. That forced us to enter international agreements. Hopefully, it won’t take that happening to do that.”
He added, “We have to begin demanding our government to open up about what’s going on here.”