Zero days is a documentary by Alex Gibney about Stuxnet, a computer virus discovered in 2010 that was almost undeniably the work of the the U.S. and Israel attacking the Iranian nuclear program. According to sources claiming to be from within the NSA, its working name was Olympic Games, or OG. The documentary combines talking heads, archive footage, and cheesy Matrixish animation, to reveal to the public the extent to which American intelligence agencies are pursuing undeclared cyber warfare without accountability under the protection of classification.
The talking heads fall into three categories: named former or current U.S. and Israeli government officials, cyber security experts, and media. There is a very self-conscious and funny setup of the first category before beginning those interviews, in which every pasty old spook proclaims their inability to discuss classified operations. Only the retired director of the CIA gets close to boasting about U.S. responsibility.
The story begins with the first public awareness of Stuxnet by those who named it: cyber security professionals. From them we get an alarmist and somewhat patronizing explanation of the title of the documentary. A zero day exploit allows malware to spread between hardware without any user initiation in the software, accidental or otherwise, and Stuxnet had a redundancy of these rare and expensive exploits, which are usually not necessary for mere spying or financial gain, but meant the worm aggressively needed to get somewhere off the internet (behind an “air gap”) to do physical sabotage. They also describe the detective work involved at looking at the code and realizing it targeted a specific piece of hardware used in uranium enrichment centrifuge arrays, intending to make the centrifuges not only over and under spin, but preventing the monitoring software from reporting the errors.
It became very clear just through these third parties and their mapping of the spread of the virus from Iran outward that it did not originate in Iran, but that agents installed it where technicians who brought software into the enrichment facility would spread it. And it did work – at slowing Iran’s uranium enrichment down for a year. But the political repercussions, Iranian state-sponsored retaliation, worldwide paranoia, and the swift recovery of the program made it most probably not worth millions of U.S. tax dollars.
The third talking head category include former military and a reporter urged to silence after publishing his investigation into Stuxnet, which the public, if they paid attention at all, worried was a more general threat. It also includes the spokesperson of the Iranian-American council, who does a decent job explaining how Iranians reacted to Americans thinking it was their place to curtail the nuclear capability of any other country, when it was already inspected by an international commission to ensure it not be used for weapons. There was a tendency to blame Israel for the U.S.’s silent war on Iran, which would most likely, at least in the majority, otherwise not be interested in attacking the U.S.
There is additionally an anonymous informant representing people who hack for the government and are critical of the secrecy around it and the dangerous precedent they have set. The film’s gimmick around this informant is a blonde woman put through a digital rotoscoping filter similar to the layered-characters animation style used during its voiceovers. Tellingly, she is the only woman among the talking heads. Spoiler alert: she’s an actor reading a script assembled from several anonymous leaks. This is actually fairly obvious from how forthright and dramatic her statements are, especially concerning the other infiltration the NSA’s collaborative department of cyber offense (I did not take notes on what this is actually called, but they have a seal involving an eagle or something) did into Iran, supposedly to curtail hot war, besides OG’s politically counterproductive overkill. That itself just sounds like intimidation, just as the informants’ description of surveillance in Iraq sounds like bragging.
Most of what we get out of the officials is claiming that this covert cyber warfare was intended to prevent Israel from outright bombing Iran, which the U.S. felt it would be drawn into more than just financially, provoking war with pretty much the entire world, which is, at this point, everyone who wants American imperialism to end, including an under-armed majority of Americans. But they also agree that weapons like Stuxnet/OG set a bad precedent for nation states, especially without the kind of democratic accountability that developed around nuclear weapons. There is a dramatic irony to the crisis of covert cyber warfare developing out of the first nuclear superpower’s insistence that another nation be stopped from developing those weapons and disregard for the regulations set up to prevent them from killing the entire world accidentally.
The archive footage of Ahmedinejad’s inspection of the uranium centrifuges that provided intelligence to the developers of Stuxnet/OG contains no women, because, Iran. Archive footage of American politicians during the time they okayed using the worm includes, naturally, Hillary Clinton. Both Bush and Obama knew about and okayed the operation, although the original (and more subtle) version of it included a cutoff date just before Obama’s inauguration.
There is a darkly humorous interlude about the Department of Homeland Security, indicating what a clueless, hopefully doomed, pure bureaucratic entity it is, since once Stuxnet started incidentally affecting more machines than just Iranian centrifuges, the DHS spent massive resources investigating Stuxnet as an external threat to U.S. infrastructure, with no indication from other agencies or politicians about its true intent, or, apparently, honest consultation with the security professionals investigating it.
But the way Zero Days is truly a cyber thriller isn’t just the repeated layered code animations that I, as a cyberpunk fetishist, love. It’s how it means that this clumsy use of government resources to attack a legal industrial activity in an ideologically hostile country, while maintaining militarized secrecy, and with deliberate deflection of public accountability, means that other nations and extranational interests would be able to use similar aggressive exploits to target a barely-defended infrastructure. Rarely are humans actually motivated enough to pursue that scale of generalized destruction, but there is very little development of cyber defense in place, primarily due to the same neoliberalism that U.S. government cyber warfare supports. Other countries can, and already do this, and though the results are not as immediately drastic as those of nuclear attack, the intersection that Stuxnet already represents, and the Kafkaesque maze of denial and diversion, say it is very likely to take lives before it can be optimistically regulated.