This two-hour documentary released Friday, July 8, and playing in selected theaters and streaming online, traces the history and consequences of Stuxnet, a sophisticated piece of malware unleashed on the world in 2010 (trailer & theater list).
Before you yawn and click away, there’s an important feature of the Stuxnet worm and others like it that makes this story of vital interest to you. Stuxnet was not designed to invade your home or office computer, but to attack the industrial control systems (specifically, programmable logic controllers) that manage critical infrastructure. These systems make sure trains and airplanes don’t crash, control car and truck traffic, maintain oil and gas production, manage industrial automation, ensure you have water to brush your teeth with and electricity to run the coffee maker, keep life-saving medical technology operating, and, of course, give you access to the internet. Cyber-attacks on these systems cause real-world, physical destruction, even widespread death.
Behind the Computer Screen
The Stuxnet story—still highly classified, but revealed over time—began with an effort by the United States and Israel to thwart Iran’s ability to produce nuclear weapons by destroying centrifuges at the country’s Natanz uranium enrichment facility. The software was diabolically clever, virtually undetectable, and essentially untraceable. In theory.
The fact that it was a Zero Day exploit (that is, that the attack would begin before the software problem was discovered and attempts made to fix it or shut it down) and that the Stuxnet code contained not one, but four zero day features, was remarkable. Once it was inside, it worked autonomously; even the attacker could not call it back.
The Israelis, apparently, were impatient. They assassinated Iranian nuclear scientists, and they changed the Stuxnet code, and it spread. It ended up infecting computers worldwide, at which point it was no longer secret, people were looking for it, and the Russians and others found it. “Israel blew the [malware’s] cover and it could have led to war,” the film says.
Another consequence is that the day when something similar can be unleashed on us grows ever closer. It will come from one of three sources:
- Cybercriminals, in it for the money
- Activists, intent on making a political point or
- Nation-states seeking intelligence or opportunities for sabotage.
U.S. security agencies are not complacent. While they talk publicly about our cyber-defenses, in fact, there is a large (unexamined) effort to develop offensive cyber-weapons. There are reports of an even more draconian cyber-weapon embedded throughout Iranian institutions. Warding off its activation is believed a primary reason the Iranians finally struck a nuclear agreement. Certainly it prompted the rapid development surge in Iran’s cyberarmy.
In putting this story together, writer and director Alex Gibney interviewed former high-ranking U.S. and Israeli security officials, analysts from Symantec who teased the code apart, personnel from Russia’s Kaspersky Lab, and many others, including CIA/NSA/DoD officials unable to speak on camera.
“Fear Does Not Protect Us”
The documentary makes a persuasive case for who holds the smoking Stuxnet gun, but it also suggests that finding fault is not the primary issue. The climate of international secrecy around Stuxnet—and the inevitable clones that will follow—makes an open discussion about them impossible. Nor does it allow development of rational strategies for managing the risks, regardless of how urgently needed those strategies are. Cyber-risk management will never be easy, but as one of the film’s experts points out, “it will never happen unless you start.”
The subject is “hideously overclassified,” says Michael Hayden, former director of both the NSA and CIA. (The climate of secrecy is so extreme that even the U.S. Department of Homeland Security cyber team was unaware that Stuxnet originated across town and spent countless resources trying to track it down.) We, of all nations, need this debate, because there is no more vulnerable country in the world, when it comes to systems’ connectedness.
“Evil and good live side by side,” says an anonymous agent of the Israeli intelligence agency, Mossad. Keeping secrets is a good way to prevent being able to tell one from the other.
Rotten Tomatoes critics’ rating: 87%; audiences 69%.