On August 15, 2012, a mysterious self-replicating virus struck Saudi Aramco, the world’s largest oil company. The cyberattack wiped out every piece of software and every line of code on as many as 30,000 company computers, along with terabytes of data. Four months later, another unidentified virus targeted Bank of America, Wells Fargo and a dozen other major U.S. banks, repeatedly shutting down their online services. Experts said the technical sophistication of the two attacks strongly suggested the work of a foreign government. But with no obvious return address, President Barack Obama didn’t respond, leaving the private sector to deal with the damage.
Secretly, however, Obama and his top aides knew who did it and why. It was Iran, they concluded, retaliating for a covert U.S.-Israeli cyberoffensive that used the now-infamous Stuxnet virus to destroy more than 1,000 centrifuges at Natanz, then the center of Iran’s nuclear program. “White House officials knew the Iranians had sent them a message, saying: ‘Stop attacking us in cyberspace the way you did at Natanz with Stuxnet,’” says Richard Clarke, the White House special adviser on cybersecurity at the time. “We can do it too.’”
This unprecedented exchange is at the center of Zero Days, Alex Gibney’s disturbing new docu-thriller about the first time a country, or group of nations, used a cyberweapon for offensive purposes. An Emmy- and Oscar-winning filmmaker, Gibney’s previous documentaries investigated sexual abuse by the Catholic Church, CIA torture and the Church of Scientology. This time, he focuses on the development of an entirely new category of weapons of mass destruction. The film takes its title from the computing term for the worst sort of vulnerability a network can have—one that provides no time for repair before a hacker can exploit it. Gibney shows how these powerful cyberweapons can quickly destroy a country’s power grid, water supply, air traffic control, financial institutions and civilian and military communications—all without a trace of the attacker’s identity. He also argues that the official secrecy surrounding cyberweapons in the U.S. and elsewhere has stymied a much-needed debate about their destructive power. The absence of that debate, the filmmaker claims, is preventing the creation of an effective cyberarms-control process to limit their use.
Zero Days begins with a dramatization of an event that happened in 2010: Two men on a motorcycle, their faces concealed under their helmets, pull up alongside a car in downtown Tehran. Inside are two Iranian nuclear scientists. The motorcyclists slap a magnetic mine to the car door and speed away. Seconds later, the mine explodes, killing the scientists. These were the days when Israel was widely believed to be using such operations, along with public threats of airstrikes, to halt Iran’s nuclear program. Gibney’s film details the covert side of that struggle, telling how American and Israeli operatives deployed what they thought was a foolproof virus that would anonymously destroy Iran’s capacity to produce bomb-grade nuclear fuel. What they did instead was start a new era of cyberwar.
In his 2012 book, Confront and Conceal, David Sanger of The New York Times broke the news of that joint U.S.-Israeli operation, code-named Olympic Games. For more than two years—around 2008 and 2009—the virus scrambled the speeds of centrifuges at Iran’s Natanz nuclear enrichment facility, causing them to spin out of control and explode. But in 2010, news of Stuxnet became public because of a programming error in a more aggressive version of the virus that allowed it to escape Natanz and spread around the world online.
As Gibney picks up the story, he can’t get any U.S. or Israeli officials to discuss Stuxnet, which remains classified. Even Russian and German cybersecurity experts won’t touch it. So, the filmmaker uses other cybersecurity experts to explain how the virus worked. They speculate that a spy used a thumb drive to introduce the virus into the Natanz computer network, which was not connected to the internet. Once the virus began interfering with the centrifuges, the experts say it avoided detection by playing back a recording of their normal signals to the facility’s operators. When the centrifuges exploded, the Iranians had no idea why and blamed their own incompetence.
Gibney traces the development of Stuxnet to the last years of George W. Bush’s administration. It was a major operation, participants tell him, involving the CIA, the National Security Agency (NSA) and U.S. Cyber Command. On the Israeli side, it involved the Mossad, Israel’s foreign intelligence service, and Unit 8200, its military signals intelligence division. Britain’s General Communications Headquarters, its signals intelligence corps, also played a role. After the code for Stuxnet was written, it was tested both in the U.S. and Israel on centrifuges identical to those used by Iranians. When CIA officials showed Bush the shards of a centrifuge that Stuxnet had destroyed, the president gave the OK to use it against Iran. The era of cyberwarfare had officially begun.
The participants who confirmed Stuxnet’s American and Israeli origins did so anonymously and off-camera, for fear of violating strict prohibitions against discussing classified information. That’s why Gibney used an actor, her face pixelated for dramatic effect, to say, verbatim, what the participants told him. It’s through this character that Gibney breaks his news in the film. “Stuxnet was just part of a much larger Iranian mission,” the character says. There was another cyberwarfare program code-named Nitro Zeus, which she says the U.S. had planned to launch if Israel attacked Iran or the Iran nuclear talks collapsed. “Nitro Zeus would take out Iran’s strategic communications, air defenses, power grid, civilian communications, transportation and financial system,” she says. “We were inside [Iran’s computer systems], waiting, ready to disrupt, degrade and destroy those systems with cyberattacks. In comparison, Stuxnet was a back-alley operation. Nitro Zeus was the plan for a full-scale cyberwar with no attribution.”
The American, Israeli and British governments have never acknowledged they launched Stuxnet. But the film forcefully argues that the virus and others have ushered in a paradigm shift in warfare. “This has the whiff of August 1945,” Michael Hayden, a former director of both the NSA and the CIA, tells Gibney, referring to the first use of the atomic bomb. “Somebody just used a new weapon, and this new weapon will not be put back in the box.”
Sure enough, since Stuxnet, two cyberattacks have caused significant physical damage: one in 2014 on a German steel mill and another in 2015 on Ukraine’s power grid. Cybersecurity experts believe Russian hackers were responsible for both.
Yet, unlike nuclear weapons, whose spread prompted public debate and a raft of arms-control treaties, virtually no one is talking about cyberweapons or treaties to limit them. “We can’t have that sensible discussion about cyberwar and cyberweapons because everything is secret,” Clarke, Obama’s former adviser on cybersecurity, tells Gibney.
The secrecy surrounding America’s cyberweapons is largely institutional. The weapons are developed by the NSA and launched by the U.S. Cyber Command on the direct orders of the president. But they fall under the control of the CIA. Some secrecy, of course, is necessary, but too much is harmful, experts say. “Secrecy is justified to protect sources and methods,” Rolf Mowatt-Larssen, a former CIA case officer, says in the film. “But don’t hide behind secrecy to avoid talking about something that the American people ultimately need to see.”
Others, however, take issue with the film’s contention that no international norms govern cyberspace. The emerging cybersecurity architecture is “not as robust as the strategic arms framework,” James Lewis, a cyberexpert at the Center for Strategic and International Studies in Washington, tells Newsweek, “but it’s certainly pretty far along. There’s been a lot done,” including separate U.S. agreements on cybersecurity with Russia and China and two U.N. General Assembly resolutions that urge nations to respect the laws of war in cyberspace.
Gibney dismisses such claims, calling them overblown. “There’s nothing whatsoever in the way of restraints on cyberweapons being seriously entertained by the U.S.,” he tells Newsweek.
One reason: Restraints for cyberweapons are complicated. How, for instance, would an expert verify a nation is abiding by a cyberwar treaty? By checking for code on potentially millions of laptops? And how do you define the use of force in cyberspace? “There’s a tacit understanding among great powers that a cyberattack that causes physical damage or casualties would qualify,” says Lewis. But he quickly concedes: “Nobody wants to write that down because they don’t want to lose political flexibility.”
That admission seems to prove the main point of Zero Days. As Col. Gary Brown, a former lawyer with the U.S. Cyber Command, tells Gibney: “Right now, the norm in cyberspace is, ‘Do whatever you can get away with.’”