Scene from Zero Days, courtesy of Magnolia Pictures
Alex Gibney is one of the world’s most hard-hitting nonfiction filmmakers, honored for tackling the toughest topics. His 2005 expose of fiscal fiascoes, Enron, The Smartest Guys in the Room, received an Academy Award nomination, while 2007’s Taxi to the Dark Side, about torture in Afghanistan, won the Best Documentary Oscar. Gibney scored Emmys for his 2015 HBO documentary Going Clear: Scientology and the Prison of Belief and co-won an Emmy for 2012’s Mea Maxima Culpa: Silence in the House of God, about pedophilia and the Catholic Church. The prolific producer/director/writer, who was born in New York in 1953, also makes biopics and films at the cutting edge of technology, such as 2013’s We Steal Secrets: The Story of WikiLeaks.
Gibney’s latest contribution is the sci fi-like Zero Days, a 116-minute documentary about cyberwarfare, a new form of twenty-firstt century computerized combat that the Geneva Conventions and other treaties do not cover. Zero Days reveals a complex web woven with NSA, CIA and Mossad strands that has let the cyberworm genie get out of the bottle.
In my conversation with Gibney at the SLS Hotel in Beverly Hills we discussed the opening up of this Pandora’s cyber-box, who was involved in creating it, how it has already impacted international relations, and more. (Photo of Alex Gibney, Director of Zero Days by Ed Rampell.)
Q: Why did you title your new film Zero Days?
Alex Gibney: “Zero Day” is the term for a vulnerability in a computer program, a vulnerability that hasn’t been previously discovered, which is how these pieces of malware get inside. Also, Zero Days plural seemed to speak to the idea that we’re at the start of something new, we’re at zero.
Q: What is Stuxnet?
Gibney: Stuxnet was developed jointly by the United States and Israel. We’re fairly certain that Israel was responsible for the delivery system part of the code, that is to say, how the code was spread. The United States was more responsible for the payload. In other words, how the code would command the machines once it got in.
Over time, the motives of the Americans and Israelis diverged. Particularly the motives of Netanyahu and the Obama administration diverged. Netanyahu, by all accounts, wanted to cause more and more destruction, more and more quickly with the Iranian nuclear program. So he urged his team to change the code to make it much more aggressive. They did this against the pleading of the United States. But when they did so, that allowed the Stuxnet worm to spread all over the world, and it also started shutting computers down. People started to notice.
That’s how the secret program, which was designed to destabilize the Iranians, suddenly got loose. And that caused a number of unintended consequences, in addition to the ones I discussed. It provoked Iran to launch its own cyber army, which struck back very quickly against Saudi Arabia and the United States. And rather than encouraging the Iranians to shut down their nuclear facilities, it encouraged them to expand them. So, the number of centrifuges after Stuxnet was discovered dramatically increased.
Q: Will Zero Days be released in Iran?
Gibney: I hope so. And it will certainly be released in Israel.
Q: Why do you say the computer virus Stuxnet “represented a fundamental change in the threat landscape”?
Gibney: We’ve seen a lot of computer viruses over time and a lot of them, if you click on a link, they can infect your computer. They can steal your 16-digit credit card numbers. They can make your software go crazy.
But Stuxnet is new. It crosses the threshold from the world of cyber to the world of the physical. It penetrates machines that are operating critical infrastructure and takes them over. That makes it different. It starts blowing stuff up in real time. That’s what it did at the nuclear facility in Natanz, Iran. It took over the controllers for nuclear centrifuges and caused them to spin so fast, and then so slow, that they blew up.
Q: Why is Stuxnet so hush-hush?
Gibney: Stuxnet was a covert operation. So I suppose by its very nature of it being a covert operation it’s hush, hush. BUT the operation’s been blown - it’s been blown a long time. So it’s hugely frustrating to me that many of the public officials I spoke to about it couldn’t talk about it, wouldn’t talk about it, because it’s classified. And couldn’t even acknowledge it. That was hugely frustrating and I thought stupid.
Stuxnet is the beginning of a whole new era of cyberweapons which threaten to completely destabilize our lives. These are ticking time bombs waiting in controllers of critical infrastructure all over the world to be triggered at a moment’s notice in a time of conflict.
Q: Like other covert operations Stuxnet has unintended consequences. What are they?
Gibney: Stuxnet, the piece of malware, was pretty ingenious at first in terms of what it meant to do, which was to cause damage to the Iranian centrifuges. And to send a message to the Iranians that all was well. Which meant that the Iranians didn’t think there was something from the outside messing with their centrifuges. They thought it was their fault; that they were doing something wrong, and it effectively slowed down the Iranian nuclear program.
But it launched a whole new set of norms. The United States attacked critical infrastructure in peacetime. If somebody had done that to us, that would be considered an act of war. So the United States set a new precedent that anybody at anytime can do that, because we’ve done it.
Also, by creating this new generation of weapons and allowing it to spread, people all over the world have a rough blueprint of how to take this science fiction world of controlling machines—either autonomously or by remote control—and makes it real.
Those are some pretty severe unintended consequences.
Q: You called it a “weapon of cyber mass destruction.”
Gibney: It’s not about the cyber, it’s about the physical threats to critical infrastructure. Once the electricity goes off, and doesn’t go back on, that can pose an existential threat—particularly at a time when we’re so interdependent and so interconnected. And it’s not just electrical grids: It’s water filtration systems, it’s transportation systems. Suddenly, trains become weapons. Airplanes, same thing. It’s cars that are suddenly controlled by somebody else and you can’t take control of the wheel anymore. These are examples from the science fiction cyberworld. The idea of taking control of physical critical infrastructure - that’s what’s new. This past December a huge part of the Ukrainian power grid went down on account of a piece of malware that was launched, people are pretty certain, by Russia. So there you see how cyberwarfare was able to engender enormous damage.
Q: Can you comment on the role of anonymity in cyberwarfare?
Gibney: I prefer to use the term “attribution.” The problem with cyberweapons is it’s very hard to know who launches them. They have an impact, but we don’t know for sure—and I learned this from the people at Symantec—it’s very hard to know from the code who’s responsible for designing it. Sometimes, if there are clues, they can be intentional false flags. Clues meant to throw people off. You have to put the clues for those responsible together through other means. That’s kind of what we do in Zero Days, we draw connections outside of the code itself.
It’s what makes these weapons very dangerous. There could be a malware attack and signals could indicate it came from, say, Russia. But, in fact, it may have been launched in China. So what happens then? You run the risk of an escalating cyberwar.
Q: Can you comment on the Obama Administration’s treatment of whistleblowers?
Gibney: The Obama Administration has prosecuted more whistleblowers than all previous administrations combined. That’s a staggering record. And it comes from a president who said that he’s going to have one of the most transparent administrations ever. More and more secrets are being kept under the Obama Administration and it’s raising ever more dire penalties for people who expose those secrets.
I think it’s fundamentally damaging to our democracy.
Q: Have the U.S. government retaliated against you for your exposés?
Gibney: I think the U.S. government has bigger enemies to worry about than me. Fundamentally, I’m not an enemy—I’m just a critic. But am I concerned that the U.S. government is listening in ways that they shouldn’t? Sure, I think they probably are.
Q: When you say “listening,” do you mean to you?
Gibney: Yeah. Listening to my phone calls. Getting access to my emails. And I take precautions. For important phone calls, I’ll use encrypted phone calling programs. Same thing with emails.
Q: How does Stuxnet and cyber warfare tie in with the whole digital Big-Brother-is-watching-you, top secret surveillance state Edward Snowden exposed?
Gibney: Cyberweapons grow out of cyber-espionage. They’re part of the same package, as [former NSA Director and former CIA Director General] Michael Hayden says in the film. Once the Stuxnet worm infected the Iranian nuclear plant at Natanz, it sat dormant for a number of days while it spied on the plant to find out what it was doing, how it was operating, and waiting for just the right moment, when the centrifuges were full of uranium hexafluoride, to launch its attack. Very often, these weapons are first espionage tools and second weapons. But they’re part of the same program.
Zero Days is being theatrically released in New York and Los Angeles on July 8.
Ed Rampell is an L.A.-based film historian/critic and co-author of The Hawaii Movie and Television Book.