In 2007’s Live Free or Die Hard, Timothy Olyphant’s evil cyber-terrorist Thomas Gabriel initiates a paralyzing attack on the nation’s technological infrastructure—seizing control of its transportation, communication, military, and power systems—which Justin Long’s nerdy hacker dubs a “fire sale” due to the fact that in such an assault, “everything must go.” As befitting an entry in the popular action franchise, this catastrophe concludes with Bruce Willis’s cop John McClane saving the day through acts of superhuman physical heroism. Replete with Gabriel using his high-tech gadgetry as a way to soothe his damaged ego and steal lots of money, it’s a familiar Hollywood saga, albeit with a modern digital twist. Except that, according to Alex Gibney’s new documentary, Live Free or Die Hard is anything but outlandish fantasy.
In Zero Days, Gibney provides a comprehensive overview of the Stuxnet worm—a sophisticated piece of malware that, on June 17, 2010, was found by a Belarus security expert on one of his client’s machines in Iran. Though it was immediately apparent that the virus was deadly, it would take considerably more analysis—including by Symantec security response professionals Eric Chien and Liam O’Murchu—before its true potential was revealed. Those revelations were at once awe-inspiring and unsettling, as Stuxnet turned out to be a complex program designed to infiltrate, target, and sabotage the centrifuges at Iran’s Natanz nuclear facility. It was equipped to do this even though Natanz’s systems were disconnected from the internet. And it was to perform its mission without “command and control” input—meaning that its groundbreaking code would initiate and carry out its tasks wholly on its own (or as Chien says, “There was no turning back once Stuxnet was released”).
It came as no surprise that, after comprehending the scope of Stuxnet’s potential, the Symantec experts called it “Hollywood-esque” and likened it to something out of a “James Bond” movie.
To make matters worse, Stuxnet contained four “zero day” exploits, meaning that at four different stages of its operation, it was capable of completing its objectives before its target even knew an attack was imminent. Upon seeing it for the first time, German security professional Ralph Langer realized that, “It went beyond our worst fears, our worst nightmares.”
Stuxnet left no concrete signature denoting who created it, but as Gibney’s film lays out in detail, its authors are now largely assumed to be the United States and Israel, who co-wrote the malware via the NSA, the CIA, Israel’s “Unit 8200,” and the seven-year-old, NSA-overseen United States Cyber Command (USCYBERCOM). Its purpose was to hinder Iran’s nuclear enrichment program, instead of having the Israelis launch a more traditional air assault on Natanz that, U.S. officials feared, would draw us into all-out war. What Gibney finds frustrating (and outrage-inducing) is that this was all done in secret, and in fact still largely remains in secret thanks to the fact that domestic cyberwarfare operations are masked behind an impenetrable wall of “classified” designations and attendant “I don’t know, and if I did, we wouldn’t talk about it anyway” denials.
If that makes Zero Days sound like a compelling recitation of already-known facts, that’s because it is—including with regards to its supposed “bombshell.” That comes from a former Cyber Command official (whose ID remains anonymous on-screen) who verifies that, yes, America and Israel were behind Stuxnet, and that in fact it was only the point of the spear, as a more wide-ranging virus known as “Nitro Zeus” was concurrently developed in case Israel and Iran ever went to war. Though it was shelved (for now) by President Obama’s 2015 nuclear deal with Iran, “Nitro Zeus” was, in effect, akin to Live Free or Die Hard’s “fire sale”: an agent of apocalyptic cyber-destruction that would disable the country’s air defenses, power grid, traffic, health, and communication infrastructures.
Unfortunately for Gibney, “Nitro Zeus” isn’t a stop-the-presses trump card for Zero Days, since its existence was outed last February by The New York Times’ Mark Mazzetti and David E. Sanger—the latter of whom participates in Gibney’s documentary. The result is that his film will only prove truly eye-opening to those who haven’t kept abreast of news about America’s burgeoning forays into cyberwarfare, which began under President George W. Bush (who saw it as a necessary tactical alternative after the Iraq War sabotaged his chances of starting another Middle East invasion) and which have continued unabated during President Obama’s eight-year Oval Office tenure.
Zero Days thus often feels like a superficial history lesson—a not unfamiliar shortcoming of the prolific Gibney’s output. The director’s myriad assembly-line projects (discounting TV, he’s helmed 21 features since 2005!) sometimes come across as having been hastily produced in order to remain timely. Here, he brings together an impressive array of talking heads (including former NSA and CIA director, General Michael Hayden) who are as forthcoming as they’re allowed to be under law. Furthermore, he maps out his tale with archival footage of former Iranian president Mahmoud Ahmadinejad’s hateful anti-Israel, anti-American speeches, computer graphic depictions of Iran’s centrifuge motors, and ominous industrial-noise music. It’s a documentary staged to play like a real-time thriller, and in terms of getting the pulse racing—and the blood boiling—it ably achieves its ends.
Gibney, however, has a larger purpose for addressing Stuxnet, which came to light after Israelis apparently got too carelessly aggressive using it—namely, as a means of sounding the alarm about a scary new world order in which nations wage secret, devastating attacks against their enemies with the click of a button, and without any oversight from (or even notification of) Congress or the public. In this 21st century techno-paradigm, the rules of engagement are “Do what you can get away with.” As such, Zero Days is ultimately a demand for, if not outright transparency (since many of our military and espionage endeavors must reasonably remain clandestine), a public national discussion about what cyber-weapons our enemies and we possess, and what sort of regulatory framework might be established to best prevent an international conflict.
Given that Stuxnet didn’t permanently stymie Iran’s nuclear capabilities, and that the country successfully retaliated against us with two subsequent computer attacks, Zero Days makes clear that we’re already enmeshed in this terrifying new cyber-reality. And unfortunately for us all, we’ll need more than John McClane to help avert forthcoming global disaster.