‘Zero Days’

IT IS QUITE CONCERNING to realise upon finishing Alex Gibney’s cyberwarfare documentary Zero Days that the overwhelming majority of people have no idea that cyberwarfare on an international scale may be taking place, or that computer code has reached such a level of sophistication as to influence the physical world.

The film concerns the emergence of the mysterious self-replicating Stuxnet computer worm, a highly complex, highly malicious piece of code now “on the loose”, and Gibney’s mission to discover why it is so dangerous and why nobody seems to want to talk about it.

The “zero days” which give the film its title are unknown vulnerabilities within software that leave it open to exploitation by hackers while giving the developer no opportunity to detect them. It is called a “zero day” because once the software’s author realises that his or her software carries such a vulnerability, he or she has zero days to fix the code and distribute a patch or software update. In other words, to discover the existence of a zero-day vulnerability is to find you have already been hacked; it can take months or years before a developer learns of the vulnerability.

Stuxnet was developed jointly by the American and Israeli intelligence services–neither country has admitted to this, and it is a major plot point–to infiltrate the network at Iran’s nuclear development facility in Natanz and sabotage the centrifuges which enrich the uranium oxide isotope needed to make a weapon. It uses four different zero-day exploits, something which had never before been seen and has not been seen since.

But though the meat of the film may belong to Stuxnet, it is equally about the future of warfare. In a memorable scene, an Israeli intelligence operative describes how for thousands of years, combat was conducted by the army and the navy. In the early part of the 20th century, it was expanded to include the air force. Gibney makes the compelling–and concerning–case that in the future, war will be conducted from behind computer terminals with complex, attack-minded malware intended not to gather information, but to cause physical harm, and if we suspected this to be the case already, Gibney illustrates just how far along the road we are. A team of determined hackers in one part of the world may be able to disable the power grid in another and, as one talking head notes, a power grid is not something you can simply boot back up.

Zero Days is also a detective story of sorts. Eric Chien and Liam O’Murchu, who are security responders at Symantec in California, describe how after a month’s examination of the Stuxnet code they were only beginning to understand its purpose (it usually takes them “minutes” to analyse a piece of malware) and so they undertook “deep analysis”–a slow and painstaking process of unpicking the code bit by bit. Around the world, other computer security experts were doing the same. In effect, what these specialists proceeded to do was see what leads they had and pursue them from place to place. The only difference between these men and women and a private investigator or police detective was that they never had to leave their computer. The future of warfare may be cyber, but perhaps the future of detective stories is too.

The film’s assorted talking heads–among them security response teams, consultants, Mossad agents, and a composite, digitally generated character giving testimony on behalf of NSA whistleblowers–and the manner in which Gibney uses visualisations of the code, do an effective job of expounding an area of computing that tends to leave many scratching their heads, if not completely overwhelmed.

Gibney has proved himself to be one of the world’s very best investigative documentary makers and the very best at dealing with controversial or secretive subjects. The maker of the Scientology documentary Going Clear and the WikiLeaks documentary We Steal Secrets interweaves footage of interviews with visualisations and archival video in Zero Days smoothly and with forceful pacing so as to create a narrative that is utterly compelling. It is an intriguing watch which leads you to arrive at the conclusion that if a cyber nonproliferation treaty is not being discussed, it certainly ought to be.

In November of 2009, nine researchers from the Media Lab at the Massachusetts Institute of Technology were among eleven authors of a paper in which it was argued that to be unable to code was to be illiterate. “For those who cannot program in the 21st century,” the authors wrote, “it’s as if they can ‘read’ but not ‘write.’” Perhaps–but you do wonder, given these new and hidden dangers, if those who don’t understand programming may be leaving themselves highly vulnerable, too.