Zero Days is a sobering look at the recent past and our possible future. The documentary is a deep dive into a computer malware attack in 2010—its discovery, its history, and its implications.
The film starts with interviews from security experts associated with Symantec. They explain what they saw and how they teased out information from the malware code itself. This code was unusually bug-free, 20x the size of normal malware code, and very dense. This all suggests a nation-state was behind the malware attack—not cybercriminals, not activists.
The makers of the malware, which is dubbed Stuxnet based on words in the code, left some clues behind. Seemingly random numbers in the code turned out to be identification numbers for PLCs (programmable logic controllers), which control critical infrastructure. Certificates in the code came from two companies located close to each other in Taipei, Taiwan.
Although the malware infected computers and systems worldwide, the code was designed to probe for a specific target. It ignored everything that was not its target. It ran through certain checks, and if they were not confirmed, no attack was initiated. What was its target? Cybersecurity specialists were able to trace the attacks backwards to Iran. Through a series of deductions, they determined that the target was a nuclear facility in Iran.
The documentary interviews a number of officials and experts. Some questions are answered. But some aren’t. No one will confess to being behind Stuxnet or to knowing really anything about it. Stuxnet is an open secret. We know it happened, but it is top secret, so no one will talk about it.
Zero Days gets around that a bit with people who will talk, like the cybersecurity experts who discuss the malware code they analyzed. David Sanger, the National Security Correspondent at the New York Times, describes the history and politics of Iran and the transfer of nuclear technology from Pakistan to Iran. An insider who was part of the organization that created the code at the NSA spills the beans—she is disguised physically and vocally. (In the end, it turns out that she was an actor reading a script of composite information. This information was gleaned from several experts at the CIA and NSA who came forward to set the story straight—the story that everyone was getting wrong.)
Olympic Games, the more official name of the program commonly referred to as Stuxnet, was a collaborative creation between the US, the UK, and Israel. The program was designed to get into systems, spy on them, and infect them—all without ever being detected. The US got involved in this, it seems, in order to rein in Israel’s desire for more destructive tactics against Iran. In the end, the US was not successful in curtailing Israel. Israel changed the code to make the malware more aggressive, which led to the Iranians noticing the malware.
Originally, the program infected an Iranian nuclear facility, waited while it studied the systems, and then began to modify the speed at which the centrifuges were running, which ultimately caused them to explode. All the while, the malware fed normal-looking data to the computers that the engineers were monitoring, so it seemed as though nothing was wrong even though centrifuges were blowing up. Iran suspected problems with the centrifuges or the engineers, not malware—until the Israelis changed the code to shut down the computers. Then the Iranians discovered the malware.
To get to this point, remember, the malware supposedly harmlessly infected computers as it spread across the world. The malware was only designed to run on computers that met certain criteria, i.e., the Iranian computers in their nuclear facility.
But no one knew this. When Homeland Security discovered that computers across the US were infected, they were trying to figure out how to prevent critical infrastructure from being taken out. No one in the US government told Homeland Security that there was nothing to worry about. Instead, Homeland Security spoke to Congress and spent money and time trying to deal with a red herring. The agencies and people in the US in the know could not admit to involvement in the program. The left hand didn’t know what the right hand was doing.
But that wasn’t the only unintended side effect. Stuxnet attacked in 2010. In 2012, Iran conducted a cyberattack on Saudi oil facilities, erasing all of their programs and disrupting those facilities. In 2013, Iran caused a surge attack on several large American banks, creating a disruption in the banking system. Basically, Iran was telling the US, “We can hit you the same way you hit us.”
The US had opened Pandora’s box. Cyberwar was now an acceptable game, with no rules, and anyone could play. And what did we achieve with Stuxnet? There was a one-year dip in the number of operating centrifuges in Iran and then a surge in 2012 as the Iranians expanded their nuclear program. So our goal of affecting their nuclear program really failed.
The disguised composite of NSA/CIA agents spoke of a larger program, Nitro Zeus, which is meant to infect all critical infrastructure in Iran—basically as a type of all-out war. The chilling thing is that taking out critical infrastructure wouldn’t just take out military targets. Critical infrastructure is everything needed for a society to function, including power and water. In theory, war is against combatants, not civilians. With Nitro Zeus, there is no distinction. Civilians will likely be the ones that suffer the most.
Ironically, the documentary mentions the 2015 Iran deal concerning its nuclear capabilities—a deal that the US recently walked away from. The dissolution of this deal will likely cause unintended consequences, just as the use of Stuxnet/Olympic Games did. The US seemingly partnered with Israel on Stuxnet to try to rein in Israeli actions (at least this is the implication that I picked up in the film), but clearly that didn’t work. Since then, Israel has demanded the destruction of the Iran nuclear deal. When will we think through the unintended consequences of our actions?