It was not supposed to go public. In fact, it should have disappeared without a trace. Facing the development of Iran’s nuclear program, the US Secret Services, NSA, CIA in collaboration with its armed forces, the British Government Communications Headquarters (GCHQ) and Israel’s Mossad engineered a new kind of cyber weapon. This malicious virus was programmed to specifically attack the fast-spinning centrifuges in Iran’s nuclear enrichment plants, without revealing its origin. The program was effective, but only managed to slow down Iran’s production for a short while. Then everything went catastrophically wrong. A Pandora’s box of colossal damage was unleashed, threatening the entire planet.
During the first sequences of his film, Gibney spends a lot of time portraying the fascination expressed by highly experienced specialists from different factions and backgrounds regarding this new and highly complex weapons system, code-named Olympic Games by its developers. While traditional viruses can normally be detected and decrypted in a matter of hours, it took foreign secret services and information scientists months to assess Stuxnet’s impact. When the uncontrollable outbreak of the Games became apparent, no state or organisation took responsibility. No comments were made or risks confirmed. The case got classified, the subject taboo. But even inside the NSA there were some who, conscious of the worldwide threat, broke the silence. Under the protection of guaranteed anonymity, they began to share information with the public. Gibney’s film is based on their statements.
But, in order to fully understand the consequences, let us take a step back. During the Shah’s regime, it was the United States that brought the first atomic reactor to Iran and encouraged it to go forward with its own nuclear production, including nuclear weapons. At that time, Iran was considered a good strategic partner for America’s interests in the Middle East. However, the Islamic revolution quickly severed these political ties. Now the State of Israel, which was never recognised by Iran, felt threatened by its growing nuclear production. In 1981, in a risky manoeuvre, Israel’s military force destroyed Iran’s only plutonium enriching reactor. The political backlash was an enforced alliance of the Arab world against Israel. Following the US’ defeats in Afghanistan and Iraq, Iran no longer felt threatened by a potential invasion and returned to its nuclear program. Even Bush could not risk a direct attack on Iran’s growing nuclear plants. Instead, in 2010, a plot to assassinate Iranian nuclear scientists was put into action. What was needed now was a new kind of weapon, one which did not leave a trace.
Consequently, the NSA in collaboration with Israel’s 8200 Headquarters developed, in total secrecy, the Stuxnet cyber weapon. This malicious computer worm targeted the programmable logic controllers (PLCs) in Iran’s industrial computer systems. Introduced to the target environment online, without the prior necessity of a download, it remained dormant for one month, collecting data on the systems’ normal operating values. Once Stuxnet was activated, this data was replayed and fed back to the systems’ users, duping controllers into not noticing strange activity whilst causing the fast-spinning centrifuges to explode before their very eyes. The attack was considered a great success until the nervous Israelis went rogue.
In 2010, in a reckless attempt to pressurise the United States to take more extreme measures against Iran, Israel broke Stuxnet’s security code and released it worldwide. From that moment on, industrial computers everywhere were at risk of potentially shutting down large production complexes or even activating striking programmes. For these reasons, NSA employees, even those who considered that Snowden had gone too far, decided to incite a public debate, perhaps their only chance of avoiding a global catastrophe. The brilliance behind the Olympic Games is that it works without a source code. Once launched, it acts independently and cannot be recalled. It is not connected to any centre and can get reactivated for new attacks on different Zero Days (dates of initiation). Furthermore, Stuxnet is no longer dependent on the internet to access its targets. It finds its way through other networks, rendering protection almost futile.
Its effect and consequences are boundless. NSA employees confirmed an invasion on preinstalled global programs allowing not only the possibility to spy on all text messages, telecommunications, emails and web pages but to manipulate commands, for example, transmitting bogus messages to lure victims to specific locations. The belief in these capabilities was undoubtedly the basis for the recently accepted atomic deal with Iran. The risk of a hidden nuclear production now appears under control. Without having to state it explicitly, it is clear that these powers of espionage greatly concern the industrial and political decision makers worldwide. It has since been proven that Stuxnet attacked other specific targets in and outside of Iran but was decrypted and most probably integrated in the Russian Federal Security and the Iranian Secret Service cyber attack programs. Obama’s reaction to the failed promises made by his security staff was made clear when he said: “You told me it would not get out of the Network and it did, you told me the Iranians would never know the origin of the attack, and they do, you told me it will have a huge effect on their nuclear program and it has not.”
Gibney’s documentary leaves certain questions unanswered. How are important investments in highly sensitive atomic technology still possible, when the dangerous risks caused by Stuxnet are acknowledged, at least for now, in secret service and inner circles? Maybe this question is naive, referring to a possible moral impact on decision makers regarding their business interests. Concerning technical issues, it could be asked: how is an uncontrollable, isolated virus able to affect specific targets? On a strategically political level, the question seems evident: how are terrorist acts and the subsequent clumsy investigations into these still possible in times of absolute surveillance? Of course, the cynical answer here would be that indeed these acts could be discovered more quickly or even avoided altogether, but they are needed as a politically effective strategy to legitimise the development and implementation of even more invasive surveillance technology, which serves completely different interests to the defence against terrorism.
While in the States, the Homeland Protection agency produced a lawsuit against its own government, and to date, a cyber-attack has never been officially recognised. It was Snowden who quoted a state document wherein Obama clarified conditions under which – with his signature – a cyber attack can be operated. But the public denial continues and without any confirmation, no real international agreements can be reached to limit the risks, as, for example, the atomic agreement with Moscow on December 8, 1987 did. Only in 2012, and for the very first time, did David E. Sanger make public the existence of cyber weapons in the New York Times. Without international norms and surveillance strategies, controls are still impossible. Without them, at any time, an offense against infrastructures could take place with thousands of potential victims.
Gibney turns his camera from speaker to speaker; people you would never meet at your local café: cyber specialists, information scientists and members of the secret service. Their statements may sometimes seem a little repetitive, but it appears important to document the consistent recognition, at least by the informed circles, of the facts. The main protagonist of his film is female and virtual. She represents the synthesised knowledge of all the NSA agents rebelling against secrecy. The structure of his documentary is quite simple and as such avoids a potentially confusing accumulation of styles and representation levels, which was a weak point remarked by Tori Aarseth in the Ny Tid article “Stuxnet was basically waging war”.
Any visual complexity would have been inappropriate facing the density of the information, which for an unprepared viewer could be overwhelming, so slightly repeating sequences could even be helpful. It would be advisable to show Zero Days in schools and education institutions. There is no excuse for naivety or ignorance. As never before, democracy cannot survive without a permanent personal ability and determination to learn and research.