Zero Days

The new weapons of warfare (specifically computer viruses) and the climate of secrecy and legality, in which such weapons are used are excellently portrayed in this documentary. Experts of high standing from both the intelligence and cyber security communities have been interviewed and their insights and opinions wonderfully woven together to tell the story of the most complex stealth- like computer virus to have targeted very specific critical infrastructure to date, aka 'The Stuxnet' virus This documentary covers new ground in documentary film making and uses the Stuxnet virus as a platform to explain many of the complexities, secrecy and politics involved with international cyber warfare and the dangers and to some extent morality of it. Essential informative viewing without doubt!

Saw this at the Berlinale 2016, where it was programmed as part of the official Competition section. I have to start with a full disclaimer, by confessing that information security has been my full time occupation for at least 25 years. As such it was not my intention to learn something new when viewing this documentary about the infamous Stuxnet worm, jointly developed by Israel and US, targeting Iranian reactors and obstructing the production of nuclear material. Yet I'm very interested in each and every vehicle (movie, book, newspaper article, whatever) to make non-IT people aware of the issues at hand, if only to provide material for an open debate about the pros and cons of "cyber warfare" with much wider implications than the average layman realizes.

As observed with previous movies about IT-related issues (WikiLeaks, Snowden, Steve Jobs etcetera) it is very difficult to sit it through while being (like myself) someone who worked in IT all his life. We saw numerous fragments of Assembler, flashing lights from network equipment, heavily populated cable bundles, and many screens showing various sorts of abracadabra, all supposedly intending to look technical for an average layman. Another problem is that several talking heads ducked when asked specific questions about Stuxnet, the latter being the main topic of this movie. Most of them had the usual excuse *Even when I knew about it, I cannot elaborate". Luckily, we heard not once the excuse "I can tell you about it but after that I have to shoot you", usually intended as a humorous escape from hot questions without appearing offensive or overly defiant. Several high ranking officials only wanted to speak out in general terms, thereby avoiding Stuxnet and other concrete projects, by explaining what they found wrong, especially about the secrecy that most found exaggerated and unnecessary. As such, their contributions were still useful, albeit not exactly touching the subject at hand.

Nevertheless, I heard a few new things I had not thought about yet. Firstly, Stuxnet was not designed to become so visible as it did. People at the NSA were furious when seeing that Israel extended v1.1 of the software to be more aggressive, making it spread and allowing it to surface, while that never had been the intention. The net result is that other countries may find justification to counter with similar software, now the US has provided for a precedent. Secondly, many people in CIA and NSA express their concerns about over-classification, preventing an open debate on future policies and rules of engagement in cyber space, like similar rules developed in the past for army, navy and air force. Cyber weapons are the fourth category, and it may take 20 to 30 years to create clear rules and policies for it. Lastly, the net effect that Stuxnet had on Iranian nuclear program, has proved to be negligible in the long run. There was a noticeable dip in the production statistics, but it triggered Iran to invest extra in centrifuges. An extra side effect was that Iran invested in cyber powers of their own, by attracting talented people on this field of expertise. As of now, it looks like they succeeded in overpowering the western world in this so-called cyber war. In other words, due to Stuxnet we lost our head start, and it is doubtful we will ever regain that.

There was one talking head with distorted voice and face, who appeared many times throughout the story. In hindsight, she was reading collected texts from several people working in NSA, CIA etcetera, all of them having useful insights on the matter but unable to come forward. Being reasonably versed in these issues, I am of the opinion that these texts sound genuine and seem to really come from people with intimate knowledge, which would otherwise be kept from the public. One example is that they internally made fun about "air gapped", the common defense against infections from the outside. They knew several ways to get over this obstacle, e.g. by infecting vendors responsible for installing and updating software in the plant, more or less working like so-called watering hole attacks. Reading these texts as done here, was an artificial but necessary addition to the documentary. In a final scene the one reading the texts revealed herself as an actress who had no personal involvement in the issues, but was effectively used as a vehicle to get this information across. During the press conference organized by the Berlinale it was explained that this was the only way to obtain and release this information, if only to protect the sources since harsh policies have been issued to deal with information leakage.

All in all, I'm not sure the message will land where it should land, namely with non-IT people who should know about the implications of "cyber warfare", having an impact on our future that cannot be underestimated. I don't think that a documentary that takes nearly 2 hours, will achieve said goal. Nevertheless, I applaud every honest attempt. The documentary is well made and tries to present a balanced view on the matter. Well made, but probably shooting over everyone's head and defeating its well-intended purposes.

I watched the BBC Storyville version of this film, which appears to run about 20 minutes or so shorter than the feature currently in cinemas; not sure what was lost in that, but I mention it for context. At the start of the film we have several talking heads who refuse to even respond to a question regarding the computer virus/worm which attacked Iran's nuclear centrifuges; this opening sets the stage for a documentary where a lot has to be pieced together, or cannot officially be known, but yet manages to do it in a way that gives the viewer a broad view, with enough detail to aid understanding, but nothing likely to lose you (I say this as someone who can setup his wifi but not much more).

The film starts after the fact and works backwards. In doing this it allows to do enter the subject via the security companies who found this virus and started trying to figure out what it does. This is done in a way that is engaging and accessible, even though you are talking about guys reading screen after screen of code. From here the film starts to draw in the politics, to explain Iran, and as it does this, the pieces fall into place – just as they did for the security guys. This framing helps make the film clear to follow, but also builds the tension in the film as we go from the unknown, to the understanding, and then are left with what it means for the road ahead.

The film's ending doesn't really do a good job of leaving us with that chill (I think the drawing in of the Iran deal didn't really work), but mostly it still does leave the viewer thinking about how much could go wrong if key infrastructure elements were switched off or controlled to do harm. Watching it a few days after the inauguration of Trump only makes it more chilling, since the only time I have heard him speak about this he said "So we have to get very, very tough on cyber and cyber warfare. It is — it is a huge problem. I have a son. He's 10 years old. He has computers. He is so good with these computers, it's unbelievable. The security aspect of cyber is very, very tough. And maybe it's hardly doable". Hardly oil on troubled waters.

Great documentary. Very informative and enlightening (not for the Pixar crowd). Very honest and surprisingly propaganda-free. The film maker went to great lengths to find credible, knowledgeable and highly qualified people to interview for this topic. Kudos.

"To make a documentary on such a complicated, far-reaching subject and maintain a common-sense perspective requires formidable organizational skills and a steady narrative hand to keep the movie from straying into any number of theoretical byways. It takes the imagination of a science- fiction writer to make it coherent and entertaining enough to hold your attention. Mr. Gibney has demonstrated all of these qualities..." Stephen Holden, The New York Times.

Once you go beyond the automatic dislike of computer screen hexadecimals turning into beautiful 3D animations, which is the norm in all popularizing documentaries, you can see not only how interesting the story is and how well the film is done, but how much effort came into the gathering of the information in it.

This two hour film describes how Stuxnet changed the world, first from the eyes of malware researchers and how they discovered the worm and how they started to analyze it and realize how advanced it is and what it does, then goes into the political realm, describing how the US and Israel did this to Iran, then narrows down, showing not only how this was something the US did to prevent the Israelis to do even worse things, but how Stuxnet came back to bite its creators in the ass. In the end we are shown the true reality of a world in which anyone can do horrible damage with no attribution while the security institutions keep everything secret and out of public discussion and decision.

A very informative movie, filled with useful tidbits, showing the story of Stuxnet from start to end and to later consequences, interesting to both technical people and laymen alike. Well done!