What We Learned About Cyber Warfare From the Heroes of Stuxnet

Eric Chien, Alex Gibney, and Liam O’Murchu at the Zero Days premiere. Photo: Astrid Stawiarz/Getty Images

Alex Gibney’s newest documentary, Zero Days, takes us on a trip through the recent battlefields of cyber war, in which governments collude on code that can infiltrate and sabotage industrial infrastructure halfway across the world. Gibney’s curiosity was piqued by Stuxnet, a self-replicating worm aimed at the centrifuges of Iran’s nuclear facility at Natanz that somehow wriggled its way across the world; once it was discovered in the wild by a tech-security firm in Belarus, other companies got in the game trying to analyze the mounds of complicated code. Symantec’s Eric Chien and Liam O’Murchu spent three months deciphering Stuxnet, working out not just how to protect computers from the worm with patches and workarounds, but what it actually did and how it worked.

The deeper Gibney dug, the more he came up against government officials who not only wouldn’t talk to him about Stuxnet, they wouldn’t even acknowledge it. Naturally, this just made him more curious and more insistent (as he says in a voice-over, he was getting “really pissed off”), and what he found was that this worm was just the tip of the iceberg. Anonymous sources at the NSA who had firsthand experience with Stuxnet revealed the details of its joint development with Israel, and how it got out of hand; moreover, the sources revealed a sprawling cyber-offense plan against Iran, dubbed Nitro Zeus, that made Stuxnet look like the Oregon Trail. Zero Days brings up more questions than answers, the biggest being: how do we avoid cyber warfare on a global scale if our government officials won’t even admit they’ve launched the first salvo?

In case you weren’t already concerned about Brexit and Trump and everyone going all Mad Max, there’s more bad news in store. According to Gibney, Chien, and O’Murchu, the biggest cyber-security crisis we’re facing is on a global level. Gibney said, “When they looked at Stuxnet back in 2010, they would see maybe one, two nation-state attacks a year. Now they’re seeing over 100. And there are a lot that we don’t even know about, that are simply implants, both what we’re doing to others and what others are doing to us. But we’re the ones who are probably the most vulnerable.” Chien added later, “Basically, every country you can imagine has decided that they want to start some sort of cyber-offensive campaign, and so in that sense, the way to handle those threats and understand them and dig into them, the complexity of them, is much, much greater now.”

Covering up your webcam with a piece of tape is the least of your worries when Stuxnet-like weapons are aimed at entire power infrastructures. “We’re the ones who are probably the most vulnerable. One of the reasons that a portion of the Ukrainian grid came online so quickly is because their grid is so old-school that they still have things like Manual, when it comes back to turning back on the lights,” said Gibney. Meanwhile, everything in the U.S. is jacked into the Matrix like Keanu, and infrastructure execs aren’t exactly listening to their tech engineers about how to fix the gaps. (If you really hate sleeping soundly at night, you can read more about what could happen to NYC if our infrastructure was hacked here.)

Gibney appeared at a special screening in New York City Thursday night hosted by WSJ+, along with Chien and O’Murchu to discuss all things Stux. Here are a few things we learned from their Q&A, led by journalist Tanya Rivero.

1. Stuxnet’s still out there. Stuxnet has already done its damage on the nuclear centrifuges at the facility in Natanz, and yeah, there have been patches, but that doesn’t mean it’s not still floating around out there. O’Murchu revealed, “We still see computers infected with it, even to this day. It’s autonomous, so it can just keep spreading, and people use USB keys and pass them around — it just keeps going. It’s not going to do any damage any more; there’s dates in there so that the centrifuges won’t be affected any more, but we still see customers with it.” Good news for your nuclear centrifuges, but not so hot for your PC.

2. Cyber warfare is worryingly like Dr. Strangelove. One of the major frustrations Gibney had was the stony silent treatment he received from government insiders about Stuxnet, despite the fact that it’s not exactly on the down low any more. “Everybody knew about Stuxnet, everybody had agreed that it was Israel and the United States that had conducted the operation, but I couldn’t get officials to even say that Stuxnet had existed, so there was a kind of emperor’s new clothes quality about it that I found particularly frustrating, in this context,” Gibney said. “That ended up being very much a part of the subject of the film itself, because it’s the offensive cyber weapons and the strategy of pursuing offensive cyber weapons as a deterrent rather than focusing on defense, combined with the idea that all that would be kept secret — it’s a little bit like Dr. Strangelove. And so the secrecy itself was causing a real danger, and that then became one of the themes of the film.”

3. Gibney went to great lengths to protect his sources, including creating a digitally rendered character to give voice to their quotes. Gibney managed to get interviews with several inside sources, although he won’t say how many, and it wasn’t easy. He used a couple of different measures to assure his sources their anonymity would be preserved. First, they went analogue. “We recorded their testimony on a digital recorder, not internet-connected, and then had the transcripts typed up on an electric typewriter, also not internet-connected, and then destroyed the digital recordings,” Gibney revealed. Actress Joanne Tucker plays a digitally rendered character whose script is composed of the sources’ interviews, which added another layer of obfuscation. “There are many, many moments where the script is verbatim, and in some cases we changed things if it felt like certain remarks would be too revealing of who the characters were, but [we] always kept the essential meaning intact.”

4. Chien and O’Murchu track 100 cyber-war operations they believe were launched by governments. Zero Days won’t exactly help you sleep easier at night. O’Murchu said, “We see all sorts of hacks, and I think if most people knew what we see, they would be very, very scared.” The sort of stuff floating across their screens at Symantec is scary on a global level, and it’s gotten much worse since Stuxnet. “We’re tracking 100 different operations on a day-to-day basis that we are very confident are being launched and being maintained by governments,” O’Murchu said. Chien later added, “The thing with cyber is there is a relatively low threshold to start a cyber-offensive program. When Stuxnet came out, every other country realized, ‘Wow, this is practically possible. Someone is doing this. We should get into this game, too.’”

5. Stuxnet is partly the result of a “Weiner moment” by Mahmoud Ahmadinejad. Former Iranian president Mahmoud Ahmadinejad accidentally revealed some key details that helped Stuxnet developers out an awful lot, just by taking a film crew around the Natanz facility. Gibney referred to this footage as “Ahmadinejad’s Weiner moment, that he was so proud of the nuclear facility at Natanz that he was strutting through not understanding that he was giving quite valuable intelligence to a number of people.” Although some of the footage is online, it wasn’t easy to track it all down. “Some of it was available through private sources. It took a lot of shoe-leather work through my very able team, led by Sarah Dowland and Javier Alberto Botero, who are both here tonight, and no, we didn’t license it. We used it via the Fair Use doctrine,” said Gibney.

6. ISIS has a long way to go before it can achieve anything on the technical level of Stuxnet. It’s cold comfort, but Chien said, “Currently, the types of attacks ISIS have been doing have primarily been propaganda attacks … primarily doing things like disinformation campaigns, taking over Twitter accounts, causing denial of services on certain websites — pretty rudimentary-type cyber attacks. That’s currently what we’ve been seeing.” Gibney added, “Part of what you need to know when you’re launching a Stuxnet-type attack is not just code, but you need human assets, and you need a certain amount of spy work to understand the machines that you’re going to attack before you launch the computer code, so it does become a more complex operation.” So, at least there’s that.

7. Advice for college grads? Study computer security. Practically every tech-minded college grad has apps on the brain, but what happens when that boom goes bust? Chien pointed out, “There are very few college grads today understanding the low levels of computing and how computers work at a very low level, which is what’s required for this job. What I think we love about this job, and why we’re super-passionate about it, is it’s unique in some sense. While we have competitors in this business, also creating security products, when we go in the office, we’re not thinking about, how do we make another dollar? How do we beat our competitor? We go to the office and think about how we can defeat these adversaries, how we can defeat these hackers, and those hackers are constantly changing.” Now that Stuxnet’s progeny are being planted as implants in infrastructure around the world, one thing’s for sure: there’s a great future in tech security.