Chris Knipp
07-08-2016, 10:21 AM
ALEX GIBNEY: ZERO DAYS (2016)
http://www.chrisknipp.com/links/zd.jpg
ZERO DAYS' COMPOSITE NSA WHISTLEBLOWER
World War 3.0: waged by computer
On the digitally-altered face of it, Zero Days is just another conventional documentary with talking heads and some visually nice computerized imagery. But it justifies its existence with compelling material perched on the edge between computer technology and global warfare, a growing world of dangerous hacking and vulnerability we hear about every day from sources as different as Edward Snowden and the award-winning show "Mr. Robot."
A "zero day" virus or malware is one whose identifying "signature" is as yet unknown and defense as yet undevised, and that can spread by itself. This cyber jargon denotes the high-tech world's vulnerability, which only grows with time. Furthermore, things don't even need to be computer-operated to be shut down or destroyed by unseen, sometimes unnoticed electronic attackers. Malware has the power to lastingly disable power, communications, conceivably a whole nation. Malware was so sparse twenty years ago big cyber security firms like Symantec - two of whose key experts are the first voices here - had to hunt for it. Now there are millions of new viruses every day.
This is alarming in itself. But Zero Days has a very specific story to tell - about what critics consider misguided and failed cyber warfare against Iran. The film tells an urgent, well-paced tale with wide implications, well narrated and illustrated by beautiful computer-generated imagery supervised by Sarah Dowland that makes codes and their deep penetration come to life. And eventually the film morphs from PowerPoint lecture into an urgent investigation whose tone is heightened by the angry composite voices of anonymous whistleblowers.
Zero Days emerges as a two-phased detective story. First there are the security experts acting as detectives who describe their discovery of an unprecedented super-malware threat they dub Stuxnet. (Later it turns out its makers called it Olympic Games.) We hear Symantec cyber-security experts Eric Chien and Liam O Murchu, the NYTimes' wide-ranging correspondent David E. Sanger, CIA officials, and cyber investigators from Russia, among others. There are three levels of the malware game: commercial or individually malicious; hacktivist, to promote causes; and international, for cyber warfare. Stuxnet/Olympic Games was the international kind, the most serious, nation against nation, malware far more complex and rich. This was something beyond what Chien and O Murchu had seen before: super-code, extraordinarily complex, well made: foolproof, flawless, and with no buried telltale signs of its origins. Here the computer visuals come in not only to give Stuxnet a personality and a "look" but to clarify how Chien and O Murchu sussed out its distinguishing features.
The two Symantec experts describe their passionate process of decoding the puzzle, figuring out what Stuxnet was designed to do - a problem so fascinating they pull repeated all-nighters working on it. Eventually they realize it must be the product of "a nation state" (or states), designed to target Iran's nuclear program (there's a digression here about Iran's and that program's history). And, given this target, specifically the centrifuges at the Natanz Iranian nuclear facility, they conclude it's most likely the joint work of the US and Israel. Stuxnet was a program made to do what the Symantec guys used to think a joke: attack people, not just computers. It could not only be deployed, they ultimately realized, to destroy Iranian enrichment centrifuges, but could threaten attacks against Iranian civilian infrastructure. ("Nitro Zeus" was a much broader malware plan to disable Iran's defenses. For all we know, it may be still in place, ready to trigger all-out global conflict.)
But then, this well-constructed film enters a new puzzle of its own, because its talking heads begin refusing to discuss what they have learned about US and Israeli involvement in Stuxnet. When we hear Gibney's own voice saying "This was beginning to really piss me off," this signals his shift to bypassing his sources and looking for more information from anonymous Washington leaks - government insiders willing to speak, with disguised voices, about the source of Stuxnet. It's here that the film starts to feel like a real, investigatory documentary - no longer just a nicely illustrated lecture about computers and world politics. Gradually we start to realize some of the reasons behind the stonewalling.
Gibney's team delivers something of a scoop with the disguised blonde NSA woman - actually, it turns out, an actor composite of off-the-record NSA critics - who says on camera, with altered voice: "Look, this is not a Snowden thing. I think what he did was wrong. He went too far, he gave away too much. Unlike Snowden who was a contractor, I was in NSA. I believe in the Agency so what I am willing to give you will be limited, but we're talking because everyone's getting the story wrong and we have to get it right. We have to understand these new weapons. The stakes are too high." "What do you mean?" "We did Stuxnet. It's a fact. We came so fucking close to disaster, and we're still on the edge. It was a huge multinational interagency operation." "She" names specifically which agencies in the US, Britain, and Israel were involved. Later "she" declares that Israel fucked up the whole operation.
We hear from Yossi Melman, a former Haaretz correspondent, and Gen. Yadlin, both Israelis, on Israel's longtime war against its neighbors' nuclear facilities. Then back to the US, where we learn something about the NSA's offensive partner and Fort Meade neighbor, Cyber Command. The US government stays mum about how its spying is now covertly capable of becoming attacking. Stuxnet, started under George W. Bush, then renewed (predictably) by Barack Obama, was just the first sign of a whole vast new, unpredictable, dangerous, and unregulated form of warfare.
Stuxnet worked, destroying Iran's Natanz centrifuges for some time, without the Iranians becoming aware of what was doing it. Stuxnet was produced in various versions, and was eventually discovered because the Israeli collaborator, Mossad's Unit 8200, over-zealous about their mission, kept pushing (again predictably) for a more aggressive version - which it launched unilaterally, and which spread too far and was detected by the Iranians.
The unauthorized Israeli version of Stuxnet also spread everywhere, including American computers. When that happened, Homeland Security was called in - to protect us from what had been our own weapon, but coopted unilaterally by what the composite blonde NSA whistleblower calls "the fucking Israelis." Tipped off to Stuxnet and guarding against it now, the Iranians brought their centrifuge production back up. Their nuclear program bloomed, inspired by anger at what was detected as an American invasion - exactly what the CIA and NSA had promised Obama would not happen. There is a treaty now, Iran has created a big cyber army, and has staged two big cyber attacks, destroying Saudi oil cyber files and shutting down US online banking, to warn us: We've got cyber war capability too. Though the film doesn't say this, the Iranians weren't using anything as sophisticated as Stuxnet. But you can still do some serious temporary cyber damage with simpler means if mounted on a large scale. The thing about the original Stuxnet though was, it could have continued for a long time because it could act undetected.
In its later segment Zero Days stresses that the US government's stubborn continuing secrecy about its capacity for cyber warfare is wrong: this is a very dangerous and largely unknown alternative that needs to be publicly discussed. Yes, Gibney has made another one of his more important documentaries here. This is not only a good spy story, but brings up a crucial subject we've only begun discussing. Recommended.
Zero Days, 116 mins., debuted at the Berlinale; shown at half a dozen international festivals. Its US theatrical release and Internet release come 8 July 2016 (in the San Francisco Bay area, at Landmark's Embarcadero, San Francisco; Shattuck, Berkeley).
_______________
Further reference. See "Joker in the Pack: If Financial Systems were Hacked," The Economist (http://worldif.economist.com/article/12136/joker-pack) 16 Jun. 2016.