Gibney, A. Zero Days, Jigsaw Productions, (2016). (PG-13) More information from: http://gb.imdb.com/title/tt5446858/.
By: Cheng Lai Ki
“The science fiction cyberwar scenario is here…” This statement comes from members of the United States National Security Agency (NSA), and others in the intelligence community, role-played by actress Joanne Tucker. Zero Days, directed and narrated by documentarian Alex Gibney – who produced the award winning documentaries Enron: The Smartest Guys in the Room (2005) and Taxi to the Dark Side (2007) – explores the evolving nature of computer network exploitations (CNEs). In a world where critical infrastructures (i.e. energy suppliers, telecommunication infrastructures), military communication grids (i.e. US Global Information Grid – GIG) and diplomatic communications are conducted on information-communication technologies (ICTs); the documentary illuminates the uncomfortable realities and vulnerabilities within cyberspace.
Zero Days explores StuxNet, a computer worm developed by a US-Israeli effort to cripple the uranium enrichment capabilities at the Natanz enrichment plant in Iran. The documentary debuted at the 2016 Berlin film festival and was awarded a four-star review by the Guardian’s Peter Bradshaw, who described Gibney’s 2016 documentary as ‘intriguing and disturbing’. Named after the technical term ‘zero day’ that represents a computer network vulnerability that is only known to the attacker, the investigative documentary tells Gibney’s journey in uncovering ‘the truth’ behind StuxNet’s technical capabilities and attributed political motives. Despite discussing a cybersecurity threat, the documentary goes beyond the technical landscape and introduces various geopolitical elements within – such as the Israeli disapproval of Iran cultivating national nuclear capabilities. Given the relative basic nature of its discussions, this documentary appears to be intended for the general public rather than specialists in the field. However, Gibney appears to have followed along an investigative journalistic approach (something he undoubtedly is famous for) and guides the viewer along a path of what essentially is a cyber-attribution journey implicating the US and Israeli agencies. The documentary was constructed with strategically cut interviews from cybersecurity specialists (i.e. Kaspersky; Symantec), former senior-leaderships from ‘three-letter’ government agencies, industrial experts (i.e. Ralph Langner, a German Control System Security consultant) and pioneers within the investigative journalism (i.e. David Sanger) in discussing StuxNet’s discovery and capabilities. In addition to these interviews, Gibney wanted a more ‘real’ source of information. This was where the anonymous NSA intelligence community came in. Collectively using transcripts of these employees (and the help of actress Joanne Tucker), Gibney was able to incorporate an inside-source that gave this documentary a little more power behind its claims.
The documentary excels in unveiling to the general public that: i) cybersecurity is not purely a software issue, but also a hardware one; and ii) digital-malware can be easily weaponised for intelligence gathering and strike purposes.
First, Symantec Security Response specialist, Eric Chien, states in an interview: ‘…real-world physical destruction. [Boom] At that time things became really scary for us. Here you had malware potentially killing people and that was something that was Hollywood-esque to us; that we’d always laugh at, when people made that kind of assertion.’ Through conducting a simple experiment where Symantec specialists infected a Programmable Logic Controller (PLC) – the main computer control unit of most facility control systems – with the StuxNet worm. Under normal conditions, the PLC was programed to inflate a balloon and stop after five-seconds. However, after being infected with the StuxNet worm, the PLC ignored commands to stop the inflation and the balloon burst after being continuously filled with air. Through this simple experiment, the specialists (and Gibney) managed to reveal the devastating impact of vulnerable computer systems that control our national critical infrastructures or dangerous facilities such as Natanz.
Second, the NSA employees that decided to talk to Gibney revealed who the US cyber intelligence community recruits and more importantly, their capacities to create digital-techniques for intelligence gathering – or in the case of StuxNet, strike purposes. Cybersecurity specialists that were analysing the StuxNet code discovered older versions that were focused on data-collection. It wasn’t until the later versions that more offensive objectives were made more apparent within the code. According to forthcoming NSA employees, this shift within the code was done by the Israeli foreign intelligence services (Mossad) and not the American agencies. Regardless, Zero Days does an excellent job in revealing the highly adaptive nature of cyber ordinances.
However, to security academics, this documentary suffers from several limitations undermining its credibility. Two of its main limitations are: i) over centralization on investigative attribution; and ii) inherently negative portrayal of governmental personnel and activity.
First, as earlier mentioned, the documentary is a journey of cyber-attribution at its core – much akin to the work of investigative journalist, David Sanger. To show this, we need to review the structure of the documentary. It begins with discussing the cybersecurity incident, how the worm was found, and how it baffled cybersecurity specialists. Next, the documentary explains the geopolitical and security tensions between the US, Israel and Iran; in addition to discussing the American position on Iran’s nuclear capabilities. Next, it progressed onto the technical and security domains; explaining the infrastructure of American and Israeli cyber-intelligence capabilities and operations. Finally, Gibney asks harder questions of implications and opinions during his interviews with American intelligence, security and military subjects. Obviously, for national security and secrecy reasons, these could not be answered. It would appear that Gibney wanted to ask these questions to highlight his disgust in the lack of transparency within the security sector. Throughout the late part of the documentary, he supplements various claims with an informal-esque interview with the NSA employees using Joanne Tucker as an avatar. To the general public, this documentary is undoubtedly an interesting journey of exploration and revelation about American and Israeli cyber capabilities. While highlighting several cybersecurity concerns afflicting cybersecurity specialists in governmental and industrial sectors, the documentary quickly narrows its attributive direction towards the United States and Israel – leaving little room for alternative arguments.
Second, to security specialists this documentary leaves out several key areas of consideration, such as the crucial importance of having an effective intelligence collection and pre-emptive strike capabilities for reasons of national security. During interviews with government leaderships, they were either explaining the structure of their national intelligence agencies/capabilities or talking about how certain operations were transferred between presidents – StuxNet was known within the American government community as ‘The Olympic Games’. As such, government interviewees played only an informative role, participating in few discussions. Another comment would be on the NSA employees that decided to be vocal. Playing the devil’s advocate, certain questions about credibility and accuracy can be raised: How do we know these were really NSA employees from their cyber divisions? Do we know if they are really vocalizing because they wanted to? Or were they instructed to? There was a significant amount of blame placed on Mossad for ‘weaponizing’ the StuxNet code when the Americans just wanted to utilise it solely for intelligence collection purposes. Within the realms of intelligence, this sounds more like disinformation rather than truth. To some civil-servants from security or intelligence backgrounds, this documentary appears to portray such government operations in a negative light and perpetuates the concept of transparency with little regard for its ramifications. Sometimes, knowing the ‘truth’ might do more harm than good.
Zero Days is an excellent documentary and investigatory source of information that raises awareness of cybersecurity issues and its importance in our modernized era. First, its innovative and effective use of animations coupled with strategic uses of interviewees from various backgrounds provides it credibility and persuasiveness when discussing StuxNet. Second, it increases awareness about the importance of cultivating a better understanding of cybersecurity and how vulnerable digital and hardware systems can have significantly harmful consequences. However, in his quest to push for transparency behind government intelligence operations, Zero Days promotes a dangerous notion. Operational secrecy is not a negative notion but sometimes vital for national security. The ubiquitous nature of cyberspace, like Pandora’s Box, opens nations to a new dimension of threats that cannot be as easily defended like that of Air, Land, or Sea and increased transparency can deal much more harm. Regardless your position regarding the motives behind Zero Days, it remains an excellent documentary in raising cybersecurity awareness.
Zero Days (2016) Documentary Trailer:
Cheng served as an Amour Officer and Training Instructor at the Armour Training Institute (ATI) in the Singapore Armed Forces (SAF) and now possesses reservist status. His master’s research revolves around security considerations within the Asia-Pacific Region and more specifically around areas of Cybersecurity, Maritime Security and Intelligence Studies. His Graduate thesis explores the characteristics and trends defining China’s emerging Cybersecurity and Cyberwarfare capabilities. He participated in the April 2016 9/12 Cyber Student Challenge in Geneva and has been published in IHS Janes’s Intelligence Review in May 2016. You can follow him on Twitter @LK_Cheng
Notes:
Bradshaw, P. ‘Zero Days review – a disturbing portrait of malware as the future of war’, The Guardian, Available from: https://www.theguardian.com/film/2016/feb/17/zero-days-review-malware-cyberwar-berlin-film-festival, (17 Feb 2016).
Gibney, A. ‘Director Profile’, JigSaw Productions, Available from: http://www.jigsawprods.com/alex-gibney/ (Accessed October 2016).
Internatinale Filmfestipiele Berlin 2016, Film File: Zero Days (Competition), Available from: https://www.berlinale.de/en/archiv/jahresarchive/2016/02_programm_2016/02_Filmdatenblatt_2016_201608480.php#tab=filmStills (2016)
Langer, R. ‘Cracking Stuxnet, a 21st-century cyber weapon’, TEDTalk, Available from: https://www.ted.com/talks/ralph_langner_cracking_stuxnet_a_21st_century_cyberweapon/transcript?language=en, (Mar 2011)
Lewis, J.A. ‘In Defense of Stuxnet’, Military and Strategic Affairs, 4(3), Dec 2012, pp.65 – 76.
Macaulay, S. ‘Wrong Turn’, FilmMaker, Available from: http://www.filmmakermagazine.com/archives/issues/winter2008/taxi.php#.V-A8_Tvouu5, (2008).
Scott, A.O. ‘Those You Love to Hate: A Look at the Mighty Laid Low’, The New York Times, Available from: http://www.nytimes.com/2005/04/22/movies/those-you-love-to-hate-a-look-at-the-mighty-laid-low.html?_r=1, (Apr 22 2005).
Image Source (1): https://i.ytimg.com/vi/GlC_1gZfuuU/maxresdefault.jpg
Image Source (2): https://upload.wikimedia.org/wikipedia/commons/8/82/SIMATIC_different_equipment.JPG
Image Source (3): https://upload.wikimedia.org/wikipedia/commons/8/84/National_Security_Agency_headquarters,_Fort_Meade,_Maryland.jpg