Though a veil of secrecy still hangs over the subject of Alex Gibney’s timely Showtime documentary, Zero Days, it is now generally acknowledged that in the mid-to-late 2000s, the United States and Israel jointly developed Stuxnet, one of the most elegant, ingenious and terrifying pieces of malware ever created, which was used to sabotage Iran’s nuclear program.
Stuxnet was designed as an invisible tool for covert operations, which would aid in sabotaging Iran’s nuclear program—but when Israel went rogue, modifying and transmitting a far more aggressive version of the Stuxnet worm without U.S. approval, missteps on their part led Iran to uncover the identity of their assailants, opening the door to a new, unregulated era of cyber warfare.
Speaking with Deadline, Academy Award-winning documentarian Alex Gibney discusses the significance of this little-known, little-discussed moment in our recent national history, commenting on the age we live in now, in which hacking has become “a fact of life.”
At what point did you first come across the word “Stuxnet,” and what made you want to take on Zero Days as your next project?
I first came across it when I was doing We Steal Secrets—the Julian Assange, Chelsea Manning film—and it was really pointed out to me by Marc Shmuger, who’s a producer on the film. He said, “You might want to take a look into this.”
I did, and I thought it was interesting, but at the time, I thought it was a purely sort of “Gee Whiz,” Tom Swift technical story. I didn’t understand at the time that it was something deeply fundamental about where we were heading, in terms of spying and cyber conflict. That didn’t happen until we started to make the film.
What about this film reflects your mission as a documentarian?
Well, twofold—one is a sense of investigation and discovery. As a documentarian, you want to be looking both at what’s happened, but also what’s coming]. Stuxnet was the perfect story for that, because it’s something that had happened, but nobody had fully appreciated its impact, and its influence on where we were headed. It was finding that in the story that was so important.
Also, in this case, finding formal ways to show something that almost couldn’t be shown. I mean, my main character in this film was code, and my other main character was completely anonymous. [Laughs] That’s one for a student. “Here. Make a movie where your main character is a series of numbers, and your other main character is completely anonymous. Good luck.”
The story you were telling with Zero Days required commentary from a range of experts and government officials, and as seen in the film, many of your subjects refused to talk, even under the condition of anonymity. Were there moments during the process of making the doc where you feared this was a story you couldn’t crack?
Yes, I was terrified, because nobody was talking, but I also knew I’d been there before, and I’d always found a way forward. On Taxi to the Dark Side, nobody wanted to talk, and there was nothing to show, but ultimately, we did find both people and materials. Likewise, I set out to make a film about Julian Assange, and he didn’t want to talk, so now what? That led me to Chelsea Manning.
Does this feeling of terror extend to the spotlight you cast on yourself as a documentarian, bringing subjects to light that the powers that be might prefer to remain buried?
I take a pretty hard-line First Amendment view on that. I think the role of journalists or documentarians is to keep the government honest and to find out stuff that we’re not meant to find out. It’s paradoxical but very important.
Classified materials are classified, and therefore, to reveal them is against the law; yet at the same time, built into our system is the First Amendment, which is part of an attempt to use speech to make sure that the government, by overclassifying material, isn’t hiding either bad policy or corruption.
You have to reveal secrets, or else the government is going to get away with murder, and in this case, one of the things we discovered, and one of the reasons the people who had access to classified materials did talk to us, was that they felt that the government was doing a terrible job of telling its own story, and therefore, subverting democracy, in some sense.
It wasn’t like, “Everybody should know everything about everything,” because that would mean revealing nuclear codes, and cyber weapon codes, and so forth, but you need to understand broad policy questions and the idea that we’re developing weapons which have huge destructive power. As citizens, we have to know that stuff.
Hacking seems ubiquitous these days, from emailed HR warnings, to the world of entertainment, to the world at large. Do you pay attention to the myriad ways this story continues to unfold?
Hacking is all around us. It’s a fact of life, and everybody should be aware of that. There are measures you can to take to defend yourself against hacking, and to defend yourself against cyber weapons. But also weirdly, as a filmmaker, sometimes it’s those hacks that give me access to materials I otherwise wouldn’t get.
That said, I think that we’re all beginning to understand that we’re in a danger zone, if everything can be hacked all the time, and if people don’t make prudent and very careful judgments about what is and what is not in the public interest. It’s sort of like, how do you balance the public interest with privacy? Those are the key questions that we’re all grappling with.
How did you track down the broad range of experts you speak with in the film, and how did you gain the trust necessary to move forward?
In terms of how you find the people, that’s really just shoe leather work. My team and I put ourselves in places where you might meet such people, and over time, you chat with people about what you’re doing. Over time, it’s purely that process of making a hundred phone calls, or taking a hundred meetings, to begin to find out the people you might be most interested in.
Then, along the way, you’re learning a lot. It turns out that that knowledge is useful, and when you start talking to people who know stuff that you want to know, you also have to convince them that you’re worth talking to—that you know enough about the subject and are committed to getting it right, because a lot of these folks are really interested in making sure that people get this stuff right. That gives them a little bit more confidence to talk.
Sometimes, they have an ax to grind. In this case, the ax to grind was, “There is too much secrecy, and it’s undermining an important democratic debate that we should be having about cyber weapons and their use.”
When we think of the dangers of technology, in its exponential growth, we often think of the Singularity, and crises that are still a ways off into the future. It seems, though, that these dangers have already arrived.
I think the film, for many people, is terrifying, because it suddenly seems like we’ve lost control, and that we could be the victim of cyber attacks, and we wouldn’t even know it.
That said, communicating that very idea gives us all a little bit more agency because then we have an opportunity both to demand protection and to affect the debate about what’s going on.
As discussed in Zero Days, nations have reached agreements over the years on issues involving other kinds of warfare—nuclear, chemical—but it seems almost impossible to legislate when you approach the arena of cyber warfare. Do you believe there is a possible resolution to this challenge in the near future?
I think if we work at the problem, there will inevitably be ways both to regulate and govern the use of cyber weapons. For every technological problem, there’s likely a technological solution. Even more than that, there’s likely a political solution, if we have the will to make one, but you have to at least understand the dimension of the problem before you begin to start solving it.
Our past is what gives us hope for the future. We have come up with solutions for this stuff in the past, and that should give us the faith that we can get them solved in the future.
My stepfather used to say, “I love the recklessness of faith. First you jump, and then you grow wings.” The leap of faith is that there will be a solution, there can be a solution, but you have to work at it. One of the goals of the film is to show the terrible things that will happen if we don’t. By the way, we’ve also seen it in our own recent election. [Laughs]
As perturbing as the doc is, it doesn’t even get to the election of President Trump, who now has access to all weapons at the U.S. government’s disposal. Are you even more concerned now, in light of recent political events around the world?
In the case of Trump and the Russia hacking, or in the case of the Sony hack, what’s interesting about those is from a technological perspective, they were rather crude technologies compared to Stuxnet, and yet you can see how even with crude, unsophisticated approaches, you can have enormous impact.
I don’t think the hack was the only thing that got Donald Trump elected, but it certainly played a role. But what was useful about it was it got people to pay attention to how this stuff impacts our daily lives.
There has been speculation surrounding the idea that the U.S. government has been sabotaging North Korean nuclear tests. What are your thoughts on how things are playing out on the world stage at the moment?
I believe in late 2015, you saw that Russia shut down a major portion of the Ukrainian grid. There’s reasonable evidence that the United States has launched cyber weapons against the North Korean nuclear effort. These things are all around us now. It’s happening.
In the wake of the election of Trump, I believe that Iran launched another cyber attack on Saudi Aramco, so yeah—it’s going on all the time, and that’s one of the reasons I made the film, to get people to talk about it.
One of the first subjects to speak in the film touches on the fine line between good and evil in the arena of cyber warfare. In your opinion, are there situations in which it is justifiable for the U.S. or any nation to resort to covert cyber action?
Well, that’s interesting. It goes back to kind of the first question you asked me. Part of what I thought I was getting into [with Zero Days] was a technical story, but it turns out, I was getting into something much bigger than that, which is how these technical operations end up having vast political consequences, and sometimes, ones that are very much unintended.
You can admire Stuxnet for its technical brilliance, and, from a short-term perspective, it did a magnificent thing, in terms of slowing down the ability of Iran to get a nuclear weapon. But by launching it unilaterally, the U.S. and Israel—and we’re fairly certain it was both—set in motion a new kind of arms race, when it comes to cyber weapons, and also, kind of woke up Iran, in terms of developing a new kind of offensive capability in cyber that they hadn’t had before.
It sent another kind of message, too, which is, the United States and Israel will use weapons and attack people first, and that sets a different kind of precedent for other countries, as well: Why shouldn’t we do the same?
You can say that what we did with Stuxnet was an undeclared act of war—it was an attack on critical infrastructure in a time of peace. That sets a terrible legal precedent. Right now, the norm in cyber is, do whatever you can get away with. Well, if you’re an average citizen, that’s not a very comforting idea.