Sun Tzu once said, “The supreme art of war is to subdue the enemy without fighting.” The master tactician was right. What better—and safer—way to crush an opponent? That’s the crux of cyber war. Silent tools capable of striking and subduing entire nations, often without targets even knowing it. This digital battlefield is the frontline depicted in Oscar-winning director Alex Gibney’s new film Zero Days, which opens in theatres this week.
Gibney, whose previous work explored national security in a myriad of forms, delves into themes that have never felt more relevant: concealment, over-classification of information, lack of communication between government and the public and the desire for those in-the-know to blow the whistle.
Meanwhile, the nuclear threat presented in Peter Bryant’s Red Alert and the cyberpunk matrix of William Gibson’s Neuromancer have never felt more antiquated. Today’s fight is waged online as much as in real life. Hackers are soldiers, and depending on whether you believe Gibney’s film, the United States is responsible for arming our enemies on the other side of the screen.
Zero Days tells the story of the Stuxnet virus, malware allegedly created by the U.S. and Israel to eliminate Iran’s nuclear program. But things didn’t work out that way. Somehow the same formula became compromised, and the attacked got savvy to the code. Now they have the same digital weapons we do. Weapons that can cross over into the physical world by hitting the infrastructure we depend on.
If Stuxnet was created in 2010, how much more deadly are the viruses being built right now?
You get a sense of it in the film. We look at something post-Stuxnet, which was Nitro Zeus. That was a much more robust program. Also, we know there was an incident in December where a large portion of the electrical grid in Ukraine went down, which is largely assumed to be a piece of malware invented by the Russians. That’s a real life example of what Nitro Zeus was allegedly intended to do.
Have we been hit and not known about it?
It’s possible. We’ve heard about some big banking hits. There are some others that have already happened that haven’t been revealed yet that will soon be.
How will the public react? Will they put two and two together?
I think they’ll start to. One of the things that the film gets at is, so long as all this world is kept secret, how can we assess what’s going on? That becomes part of the problem. The public, I think—I hope—will begin to demand some greater transparency in terms of what’s going on around us.
How do you deal with the fear, your own security and privacy?
I think I deal with the fear by not panicking. The point is that before something happens, we need to be aware of the possibilities of the threats. The desire for some magical, offensive weapon can put us at greater risk and also cause us to panic because we really don’t know what’s going on.
I’m much more careful than I used to be. When needed, I use encrypted emails and encrypted phone calling. And sometimes I go old school, using electric typewriters instead of computers. It depends. But I’m much more aware of the possibility of being listened to or hacked. It’s just a fact of life now. You can’t imagine that you’re safe, you can only imagine that when you do get attacked, what are you going to do about it? How can you take basic precautions to make sure your conversations aren’t easily penetrated?
The movie features interviews with Michael Hayden, the former head of the NSA and CIA, counterterrorist czar Richard Clarke and numerous anonymous hackers. How hard was it to get such secretive people to open up?
It was very hard. We’ve been working on this for well over two years. And there’s an atmosphere of enormous fear among people who have security clearances that any kind of leak will be very aggressively prosecuted. Which is unique to the Obama administration. The Bush administration wasn’t nearly as intense about it. People inside the NSA are frustrated that people don’t know more about what’s going on, because it’s preventing debate, and so there are ever more secrets being created by the Obama administration, ever more pressure for those secrets to be revealed, and ever more need for them to be released because without understanding what’s going on, how can people make informed decisions? Over time, it was the frustration of people inside the classified system that caused them to want to come forth.
The discovery of Nitro Zeus was pretty controversial. That hadn’t been disclosed before. That’s evidence of the real science-fiction cyber war scenario.
People are starting to get it. There really is a failure to communicate. We’ve seen it in the wake of the Snowden revelations where James Clapper lied to Congress. We’re seeing it with offensive cyber weapons. We’re just not getting the kind of information we need from the government to make informed decisions about what’s good for our children.
Is it fair to say Obama is the most secretive president we’ve had?
Seems like. We know he’s prosecuted more leakers—whistleblowers—than all previous administrations combined. He promised to be the most transparent administration in history, and in some ways he shows evidence of that transparency. In other ways, he goes just the opposite direction with an extreme approach to classified stuff that the Bush administration wouldn’t have even considered.
When we talk about the morality of this conflict, there’s no Geneva Conventions. How do you regulate an invisible threat?
Very hard. Because there are few nations that are so advanced, they want to believe that will always be the case, so it’s best not to have any rules of the road. Gary Brown, the former JAG at the NSA, says ‘Right now the only norm is do whatever you can get away with, which is not a very good norm.’
Your film suggests we’re responsible for building hacker armies in Russia, China and Iran by giving them these blueprints?
I think to some extent. You could argue that the technology isn’t static. Certainly, the release of Stuxnet gave a lot of people, both nation-state actors, and also non-nation-state actors, a glimpse of what is possible. And in that sense, it really was a Pandora’s Box moment. So yes, that aspect of it is true.
Whether you want to talk about morality or you want to talk about legality and the laws of war. Recently the Department of Justice indicted a number of Iranians for their cyber-attack on U.S. banks. I don’t know for sure, but I gather from my sources that there was a lot of upset [people] in various parts of the government because that meant suddenly a number of named individuals in national security organizations can also be indicted by Iran under the same principles for the Stuxnet attack. The point is that if you want other countries to respect certain principles, then you have to abide by those principles.
Are North Koreans, Iranians and others planning their own Stuxnet-level events?
We know that throughout the world the United States has found backdoors into computer networks that are attached to pieces of critical infrastructure of other nations. We also know that other nations are doing the same in our critical infrastructure. That’s a fact. The other thing that my friends at Symantec tell me is that when they were working on Stuxnet they saw maybe one other nation state attack in 2010. Right now they’re working on well more than 100. That nation state activity has just exploded. Not far behind, I would assume, would be the non-state actors.
Meaning groups like ISIS? Any evidence of that?
Not so far. One of the interesting things about the Stuxnet malware is that it was clearly done by two actors who had enormous resources, both in terms of the power to code and also the power to test with real-life systems that are not easy to get your hands on. Like nuclear centrifuges. And also a certain amount of espionage work that needed to be done. It was hugely expensive and required a huge amount of man-hours, probably beyond the reach of most non-state actors, including ISIS. But there will come a time when the learning curve will change, and some of this kind of malware will become easier to reproduce. That’s one of the reasons why we need to focus on this area.
Should we stock up on supplies and get in a bomb shelter like it’s 1950?
No, I don’t think so. There’s no need to stock up on bows and arrows and Sterno. But I do think that the destabilizing aspect of these weapons is such that we have to begin demanding our government to open up about what’s going on. We know how powerful these weapons are, and that creates a kind of existential threat. Our government should keep us informed.
How does that happen? Marching? Writing Congress?
Any or all of the above. The same thing happened with nuclear weapons. Over time, demonstrations, in addition to people writing their congressmen, caused the federal government to reckon with this idea that somehow international treaties had to be put in place to control the use of these weapons.
Why aren’t world leaders up front about this?
World leaders are perfectly happy keeping this information secret. That seems to be the approach of the most powerful nations when it comes to cyber weapons. When it comes to Trump, I’m not sure that Donald Trump knows what a cyber weapon is. It’s probably not surprising that he’s not talking about it. Hillary Clinton certainly knows what they are. And I would hope that it would be something that would be on the docket to be discussed in the presidential election.
Why make this film?
My job is to try to make this as public as possible. That’s what the intent is for. In addition to some of the national security areas I had looked into, say in Taxi to the Dark Side, or even We Steal Secrets, this tension between what should and shouldn’t be secret keeps coming up over and over. And I see that as one of the reasons for taking this on. I was also interested in this subject because I didn’t know that much about it. I didn’t have a full appreciation or understanding of how powerful these cyber weapons could be. And when my producer Marc Shmuger suggested we look into this, I realized there was a deeper dive needed here. Sometimes it’s useful not to be an expert in something because it propels you to learn about it enough to understand what’s really going on. That’s probably what we all need to do when it comes to these cyber weapons.
Is it inevitable?
It’s already happening! I cite that Ukraine example again, as maybe the best one. When most of the country’s grid goes down on account of malware, that’s it. That shows you what can happen.