The documentary-thriller Zero Days has plenty to say about the Stuxnet cyberattack on Iran, even if no one with intimate knowledge of the attack is willing to discuss it on camera.
Off-camera is another story. At a key moment in the film, director Alex Gibney presents a digitally altered NSA agent-turned-whistleblower who not only confirms longstanding speculation that the U.S. and Israel were behind a stealth cyberattack on Iran's Natanz nuclear facility, but also blames Israel for the Stuxnet worm's eventual discovery. The agent, whom we later discover is an actress (Joanne Tucker) playing a composite of anonymous government sources, criticizes Israel for unilaterally changing Stuxnet's code to make it even more aggressive, causing it to spread further and be discovered ultimately by a Belarussian researcher.
“The Israelis wanted more destruction,” Alex Gibney, director of Zero Days, said at a New York prescreening earlier this year. The film was released to theaters and made available on demand on July 8.
Another key admission is that “Operation Olympic Games,” the official code name of the Stuxnet campaign, was only the beginning, as the U.S. drew up a contingency plan dubbed “Nitro-Zeus,” which involved launching cyberattacks across Iran's critical infrastructure in the event of military aggression from the Middle Eastern regime.
Gibney theorized at the film screening that President Obama's awareness of Nitro-Zeus gave him leverage in ultimately negotiating a nuclear deal framework with Iran in 2015, suggesting that it likely “informed the parameters of the deal because they had an options in case Iran cheated.”
The film paints the operation as a Hail Mary plan designed to sabotage Iran's nuclear enrichment program in order to prevent an imminent attack by Israel on its neighbor's nuclear facilities. Until its 2010 discovery, the plan worked – the virus infected programmable logic controllers (PLCs) from Siemens, causing destruction when the Iranian nuclear centrifuges operating via these PLCs would secretly spin out of control and break.
In the process, however, the two nations may have set a dangerous precedent in how nations use cyberweapons as an offensive tool, the film asserts. Ostensibly, Stuxnet blew up in its creators' faces because “it gave everyone a Rosetta stone to work from to begin this escalating cyber war,” said Gibney, who also directed We Steal Secrets: The Story of WikiLeaks and Enron: The Smartest Guys in the Room.
As is often the case in films about hacking, it can be challenging to make code analysis compelling and understandable to the common viewer. The film negotiates these minefields with aplomb though eye-catching visuals of genuine Stuxnet code; engaging interviews with Symantec researchers Eric Chien and Liam O'Murchu, who helped decipher said code; and unique visual demonstrations of malware's power. This includes a whimsical, yet terrifying demonstration of industrial sabotage in which the researchers first use a digitally controlled air pump to inflate a balloon to a preset seize, then use malware to disrupt the programming, causing the balloon to inflate uncontrollably until it bursts.
With Pandora's box now opened, Gibney believes the reticence he encountered when attempting to interview officials on Stuxnet must now give way to an open conversation on the threat of cyberweapons. Ignoring their existence and previous usage is like the equivalent of it being “post-Hiroshima and Nagasaki and somebody saying, ‘What bomb?',” he said.