In the good old days, America’s battles used to be waged in clearly defined physical spaces: on land, on water and, since the last century, in the air. But with the emergence and exponential growth of cyberspace, it’s not necessary anymore to physically attack or even be physically present anywhere to do irreparable harm. Alex Gibney’s latest documentary, Zero Days, looks at the emergence of cyber wars in general and more specifically takes the Stuxnet worm, a self-replicating malware that explicitly targeted Iranian nuclear facilities, as a case study to illustrate what’s already happening and articulate why it’s important to have an actual public debate about cyber warfare. As one of the talking heads puts it: “Right now, the norm is, do what you can get away with.” But as the documentary points out, what the U.S. can get away with in other countries might just as well be used — or is perhaps already being used — by other countries or groups against domestic targets.
The ever-prolific Gibney — just last year, the Oscar winner for Taxi to the Dark Side released Going Clear: Scientology and the Prison of Belief; Steve Jobs: The Man in the Machine and the HBO two-parter Sinatra: All or Nothing at All — delivers another slickly assembled film that features countless interviewees, graphics and music that try to sell the material as a kind of nonfiction thriller. But because it wants to be a primer on a serious subject, an exciting cinematic exposé and an argument for more openness and some kind of regulatory framework, the necessities of these different strands end up getting in each other’s way. Magnolia, which acquired theatrical rights to the pic just before its Berlinale premiere, will need to construct a kind of grassroots campaign around the film to turn it both into a must-see event and keep the ball rolling on a political level as well.
Gibney plunges into the action with an excerpt from a documentary made by Iranian State Television that contains a re-enactment of the attempt to eliminate two Iranian nuclear scientists in 2010. One of them actually died, and the assassination has been blamed on Mossad, the Israeli intelligence service, though Gibney isn’t interested in these details. What does interest him is how foreign powers were trying to interfere with Iran’s nuclear program at that time, when then-president Mahmoud Ahmadinejad was threatening to annihilate Israel.
Stuxnet, a computer malware that was specifically created to render nuclear cylinders unusable even as all computers indicated regular activity, was apparently developed by U.S. military and intelligence agencies and Mossad to help stem the growth of Iran’s nuclear ambitions. “Apparently,” because so far, no U.S. official has ever admitted to having used any form of cyber warfare anywhere in the world. There’s a somewhat glib if effective and even chuckle-inducing montage early on of high-ranking (ex-)military personnel, all offering variations on “This is classified,” “I’m not allowed to say,” or “Next question.” A bit further on, a propos of the fact that none of the interviewees wanted or were able talk, Gibney observes somewhat in voiceover: “This was beginning to piss me off.” There’s a clear sense this wasn’t an easy documentary to make.
Some documents that ended up on Wikileaks — the rise of which was chronicled in Gibney’s own We Steal Secrets: The Story of WikiLeaks — confirm at least that billions were poured into military, computer-focused projects of which Stuxnet could have been one. Instead of talking specifically about Stuxnet, Gibney has high-level experts such as Gen. Michael Hayden, former head of the NSA and CIA; Richard A. Clarke, Counterterrorism Advisor to three presidents before 2004; and Gary Samore, White House Coordinator for WMDs until 2013, talk in more general terms about cyber terrorism and how it relates to foreign and military policy.
Though their sound bites are well chosen and edited, a sense remains that they are really talking around the film’s core subject. More direct, though only as a chronicler and not as a source, is David Sanger, a New York Times correspondent who has written extensively about what was known in intelligence circles as the “Olympic Games” program. And Gibney has a direct source: A blond, long-haired employee from within the U.S. Cyber Command, housed in the same building as the NSA in Maryland, whose voice and face have been digitally distorted. She says she wants to foster a more open debate about cyber warfare because she (or he?) is afraid that other states or factions will be doing to the U.S. what the U.S. government is already doing to them. And their description of the extent to which the U.S. has gone beyond just Stuxnet is staggering. (Spoiler! The character is finally revealed to be played by an actress in one of the film’s unnecessary coups de theatre and is an amalgamation of several anonymous sources.)
Zero Days’ main problem is that Gibney struggles to smoothly shift gears between his micro story — how does Stuxnet work, who brought it into the world and for what purpose? — and the overall macro narrative, which questions the reasons behind the total secrecy surrounding the U.S. government’s use of cyber warfare and is a blunt (and too-often repeated) call for more transparency. There are worldwide deals in place that put limits on nuclear, chemical and biological arms, the reasoning goes, so why does something potentially even more paralyzing for entire nations or continents go entirely unchecked?
Gibney doesn’t want to get too technical but even so, the basics aren’t always entirely clear, even taking into account that there are very few people who know the full Stuxnet story from within and Gibney probably doesn’t have one in his film (though what the blond Cyber Command employee says seems to come pretty close).
Stuxnet was discovered by an anti-virus company in Belarus — several employees of cyber-security companies try to explain how a worm like Stuxnet works — on Iranian computers and the malware is now found dormant on countless computers worldwide (it only activates if it finds very specific parameters and had an expirty date). What the film doesn’t explain properly is that the malware was never meant to escape the Natanz nuclear facility in Iran, where it was introduced via a USB flash drive to computers not connected to the Internet. It’s also never clear how, if the malware is now practically everywhere but dormant, this amounts to “having opened Pandora’s box,” as one of the interviewees suggests. And there’s no mention of similar worms that have reared their heads since 2010, such as Duqu and Flame.
To break the monotony of the talking heads, executive producer and visual effects specialist Sarah Dowland, who also worked on Gibney’s WikiLeaks film, is again on board. However, much of the visuals don’t go beyond suggesting code onscreen or adding world maps to suggest how things spread or are connected. In the end, it’s the music that does most of the heavy lifting in trying to give the film the trappings of a global thriller.
The title references a type of security flaw that can benefit hackers.
Venue: Berlin International Film Festival (Competition).
Production companies: Global Produce, Jigsaw, Participant Media
Writer-director: Alex Gibney
Producers: Marc Shmuger, Alex Gibney
Executive producers: Jeff Skoll, Diane Weyermann
Directors of photography: Antonio Rossi, Brett Wiley
Editor: Andy Grieve
Music: Will Bates
Sales: Submarine/Filmnation
Not rated, 118 minutes
THR Newsletters
Sign up for THR news straight to your inbox every day