11 January 2017

Zero Days review: how the Pandora's box of hacking broke open



American documentarist Alex Gibney - director of films about WikiLeaks, US government torture policy and Catholic church sex abuse, as well as the gripping Scientology exposé Going Clear - is no stranger to difficult, headline-grabbing subjects.

His latest, Zero Days, is hardly short on headline potential either, being an investigation into the cyber-warfare America and Israel have conducted in secret to impede Iran’s nuclear weapons programme. The keyword is “Stuxnet” – the name of a harmful computer virus, first identified in June 2010, which both countries have consistently denied was anything to do with them.

This piece of malicious software, or “malware”, is acknowledged to be the cornerstone of one of the most sophisticated cyber-attacks ever launched against a country’s military-industrial complex – specifically Iran’s primary fuel-enrichment plant at Natanz. 

And who will go on the record about how it got there? No one. Gibney begins by trying out the Stuxnet question on all of his senior sources in American and Israeli intelligence services. He gets a variation on “no comment”, or “that’s classified”, from every one of them. Off-the-record scuttlebutt from NSA insiders – presented as composite testimony, with an actress, digitised and ghostly, reading out their lines – compares the very use of the word Stuxnet to Voldemort in Harry Potter: that which must not be named.

The immediate effect of the attack, though, is carefully explained by experts at Symantec, the security company which had to diagnose and disinfect when it spread, by accident, across the world. A notably expensive feature of this virus was the presence of four powerful “zero-day exploits” in its source code: rare assets in hacking which allow particularly aggressive incursions into foreign computer systems.

Using these to infiltrate Siemens industrial control mechanisms, Stuxnet was able to access the centrifuges at Natanz and sabotage the programming of their rotor tubes. 

Former NSA and CIA chief Michael Hayden, interviewed in Zero Days

Gas pipelines, at the same time, kept exploding, and some of Iran’s leading nuclear scientists kept being assassinated: one is even visible behind President Ahmadinejad in a famous photo of him inspecting the plant.

Because official acknowledgement of these missions would constitute evidence of a peacetime attack – essentially, acts of war – they’re “hideously overclassified”, to quote former NSA director Michael Hayden. Gibney unpicks the timeline persuasively, making the case that Stuxnet may have been originally developed by US cyber-command to stop Israel “doing something crazy”, but was then unleashed prematurely – and here suspicion, though uncorroborated, falls on Netanyahu’s military. Pandora’s box-style, the sudden outbreak of the malware in Iran spread too quickly for its guardians to stop.

One missing dimension in Gibney’s account is any direct consequences Stuxnet might have had on innocent computer systems: millions worldwide were affected, but what else did it do? And until the very end, he omits America’s own vulnerability to cyber-attacks, or pre-existing history thereof, such as (say) the hacking of Pentagon networks by the Chinese military in 2007. 

Natanz, a fuel-enrichment plant in Iran, once the victim of one of the most sophisticated cyber-attacks in history.

His argument that Stuxnet caused retaliatory attacks by Iranian cyber-warriors – one on the oil company Saudi Aramco, the other on US banks – is meant to clinch the case that Stuxnet was a “major mistake”, opening America up to such reprisals, while also doing nothing to retard Iran’s nuclear programme beyond a very brief downturn. This conclusion, especially as it directly contradicts statements by Hillary Clinton, needs a bit more beef, more credible faces and voices to back it up.

Gibney’s problem here, in a way, is his main point: the very lack of transparency about these missions, which operate in ill-defined spheres of international law, obstructs informed public discussion. But cyber-war is by its very nature an invisible war: it would be naive now or ever to imagine any government is willing to disclose precisely what games it’s been playing.

As with We Steal Secrets, his 2013 WikiLeaks doc, the secrecy of this topic gives Gibney a cool, throbbing, spy-thriller aesthetic to paint with, and he trots through everything he can tell us with typical, value-for-money intelligence. He shows us a smoking gun pointed squarely at Iran – but we may never know for sure who fired it.
