“It’s funny, there are a bunch of guys from Unit 8200 in Israel — sort of Israel’s NSA — that are engaged in a number of startups. One of them is a company designed solely to protect you and your car from being hacked and taken over by malware, which gives you a pretty good idea that the demand for that is going to be enormous, if they’re starting up a company to do just that,” says Alex Gibney in typically wry fashion, as a stray thought comes to him towards the end of our conversation about his latest film “Zero Days.”
Only Gibney, who previously made “Enron: The Smartest Guys in the Room” and “We Steal Secrets: The Story of WikiLeaks” could make the start of the end of the world as we know it sound positively benign, which is why the unflappable filmmaker was ideally suited to make “Zero Days.” Tracing the migration of a particularly nasty piece of malware known as Stuxnet, Gibney’s dogged investigation across the globe follows the trail of code created through a collaboration by the U.S. and Israeli governments to prevent Iran from their march towards uranium enrichment at their nuclear facilities, only to have unintended consequences as it begins to sprawl out of their control.
While the twists and turns of Stuxnet are compelling on their own, particularly as Gibney latches onto digital gumshoes Eric Chien and Liam O’Murchu, the two online security specialists at a Los Angeles-based firm Symantec that initially uncovered Stuxnet, the film’s analysis of Stuxnet’s broader implications as the world begins to embrace cyber warfare capable of destruction on par with physical weaponry. Though the material is dense and the number of people willing to be interviewed on the record about Stuxnet few, Gibney manages to bring the Pandora’s Box of issues this one piece of malware raises into the real world, demonstrating the the considerable threat to civic infrastructure that can be unleashed with just the push of a button and how a lack of public discourse, as governments are allowed to operate in the backchannels of the cyber world, is prone to push us further towards armageddon.
For as many times as Gibney hears “no” to questions about Stuxnet, he still manages to gather the great analytical minds in the intelligence community and beyond to piece together a comprehensive look at the state of cyber warfare, roping in everyone from former American National Coordinator for Security Richard A. Clarke and NSA Director Michael Hayden to an unidentified NSA whistleblower (portrayed fittingly in 1s and 0s that come alive, thanks to some crafty animation by VFX house Framestore) to describe a situation in urgent need of more transparency. Shortly before the film comes out in theaters, Gibney was joined by Chien to talk about opening up a conversation amongst those with the power and knowledge to shape the future, being able to present such an abstract situation as cyber warfare in tangible terms for an audience, and how the film has already made waves with the revelation of the American counterattack strategy Nitro Zeus.
Alex Gibney: It was brought to me by Marc Shmuger, the same guy who persuaded me to take on the “WikiLeaks” film, and I certainly knew about the event itself, but I didn’t know much about it. It seemed like one of those stories that deserved a deeper dive.
Was it an interesting decision to make yourself a part of the film?
Alex Gibney: I always try to avoid going down that road and then sometimes I end up doing it. Like in “The Armstrong Lie,” I’m part of the story. In this case, my frustration was so palpable that I decided that I would integrate that. It seemed a more personal way of doing it, rather than do it in kind of a distant frontline manner, where you simply show the denial and then move on. Likewise, we also would double-back around and make the blockage by all of these people saying “no comment” part of the story. I had learned that once before when I was doing “Taxi to the Darkside.”
When we went down to Guantanamo [for that film], it’s designed to look as anodyne as possible to the press. You don’t get into the place where they’re really doing the nasty stuff to people, so what we decided to do was to make the tour part of the story — the idea that you’re touring Guantanamo, there was kind of a Grand Guiginol quality to it that we liked and here, we made, what I believe is, the loony obsession with secrecy long after things aren’t secret a part of the story.
So Eric, with everyone else saying no, was it easy to say “yes” to an interview?
Eric Chien: Fortunately, in our job, we are really looking at the technical details of the threat and we had published a lot of that technical information already. The first investigation started way back in 2010. We’re a private company and none of the stuff that we see is classified, and it’s out there on the internet, we don’t consider classified, so it was actually, in some sense, easy to provide that information.
Since Alex is capturing physical reality and Eric’s expertise is in the cyber world, were you able to fill the other in on the bigger picture to some degree?
Eric Chien: What’s interesting is before this film, most of the stories and specs really are about the technical part of Stuxnet and what did it do? There’s been reports of who is behind it, but no one was asking the bigger fundamental question about what does it mean that Stuxnet is here?It was really great to the film really pose that question. It’s what we had been waiting for. As technology people, we can never do that. I can tell you all about the threat, but what really interests us is what’s happening behind the curtain on the other side and Alex was able to bring that.
Alex Gibney: Our job was just to get Eric and Liam to tell their story. Then we put their story in a larger context. We did bother them incessantly as we were designing the visual look of the [computer] code. Very often filmmakers or TV news just slap some some in, but we wanted to make sure that it was accurate. We had Stuxnet in house, so we kept going back to Eric and Liam and saying, “At this point in the story when we zoom into this, is that the correct command [onscreen]?” They were very good about answering our endless questions.
What was important to get right?
Eric Chien: Actually, what’s shocking is that we never thought that was even a possibility to get [code] right. We’ve done media very often and they always want a piece of eye candy — [we hear] “Just give me something” and give them something that looks cool. Alex was really insistent that “No, we want the piece of code that you’re talking about right here at this moment,” which was really great to see. To be honest, I can’t even think of another time when anybody actually wanted the code to be so accurate.
You also demonstrate a test involving a balloon that you actually conducted to see the real world effect that malware can have. Although it’s somewhat described in the film, how did that idea come about?
Eric Chien: Fortunately, Alex brought it to the next level [in the film]. From hindsight, we had to do a talk at a security conference about Stuxnet, and when we talk at conferences, we always like to bring a demonstration to really show people what we are talking about. We batted around ideas and we obviously couldn’t set up our own centrifuges, so we settled on this — let’s get a pump and blow up a balloon. There’s actually a lot of funny stories about this thing because Liam had to go fly out with this device, and we were worried about getting through the airport. I hadn’t finished it yet and I was going back to old college of electronics, trying to figure out how to connect the whole thing. Literally 10 minutes before [Liam] had to fly out, I got it working, threw it in a big pelican box, and off he went to the airport.
Alex Gibney: We did a bunch of tests because we knew we wanted to film it in slow-motion and light it properly, but we were amazed that actually we discovered a little secret. We were amazed when you do it just straight, you don’t really see much when the balloon blows up. But somebody tipped us off to the secret of talcum powder, so we put talcum powder inside the balloon and that really creates a moment. It was one of those things which was so simple, and that’s what we liked about it, and it’s probably what Eric and Liam liked about it — a balloon is so simple. It blows up.
You also find a creative way to convey the testimony of a NSA whistleblower, portrayed by an actress that is presented in code. Where did that visual idea come from?
Alex Gibney: People were so scared of talking that we had to figure out a device that would allow them to appear but not be recognized. There were a lot of possible devices, but the traditional ones we didn’t like very much. We settled on this one because it probably allowed people to come forward that otherwise wouldn’t have. Then we wanted to come up with the technology that would be within the visual language of this computer world. The structure of the film is quite complicated and [we did this] in order to be able to have flexibility so that we could fiddle with the layers and textures. We [actually] did something that was intentionally off-putting to the audience, I think — as you get to the end [of the film], we start to show more and more of our face [of the whistleblower]. People, I’m sure, are going, “No, you’ve shown too much,” but that was very much intentional. We also wanted a look that was kind of hacked, so it wasn’t too pristine, so if you move the camera around to the side, which you do after the fact, suddenly you get all these wild trails. It was an organic process that came out of the necessity of source protection.
Was it a difficult film to figure out structurally? It’s intimidating at first because you start in the cyber realm and only slowly move out into the physical realm that would be more relatable for most viewers.
Alex Gibney: It was really difficult, and the storytelling was the time frame. We knew about the work that Symantec had done and as we were making the film, we reached out to Liam. Frankly, it wasn’t until we got them on board that the film really had a sense of structure and story. They’re the cyber detectives in what is a detective story and Eric and Liam were telling their story as it happened to them and some of that same stuff also happens to the [whistleblower] character. We didn’t want to introduce that character for a while, until we got to this frustrating block where nobody would talk, so figuring out exactly what to reveal when was really the structural issue. Then there was a certain amount of history we had to fold in, and all the while you want to keep the sense of a thriller momentum going. That was the tricky part, and it took us a long time to get the mix right.
Since you filmed in America, Israel and Moscow, did the sequence of traveling around affect the story you were telling?
Alex Gibney: It was enormously helpful. Going to Israel really opened us up in terms of understanding elements of the story that we wouldn’t have understood if we hadn’t gone there. There are some people who assert and believe that Israel actually invented the original Stuxnet virus, or malware, and that the U.S. came on and helped to develop it out. We were never able to find out whether that was true or not, but they definitely played a huge role. Also, there’s a certain sense of pride in Israel where people start looking at you with a wink and a nod, like “I can’t tell you anything about Stuxnet” as a way of saying, “I sure would like to because we’re so proud of what we’ve done.”
Alex Gibney: They definitely want to talk, and I think that’s not uncommon, both in Israel and also in the United States. I know that there are a lot of people that I spoke to, even the people that said “no comment,” and really would like to talk and feel that too much is classified. They’re frustrated, but they’re belief is that they’ve taken an oath, the material is classified, so until it’s not classified, they’re not talking.
Shortly before the film premiered at the Berlin Film Festival in February, the film actually made news with the revelation of “Nitro Zeus,” an American plan for cyberattack if Iran became an aggressor. Was there any blowback from that?
Alex Gibney: Oddly not. Via the New York Times, we did go to the office of the Director of Intelligence and let them know that information about “Nitro Zeus” was going to be included in this film. I don’t think the government was particularly happy about it, but we offered them a number of days to see whether or not they had any objections, whether they felt it was going to put anybody at risk to include that information and they couldn’t make the argument, so we went ahead. I haven’t heard from anybody since then.
What’s amazing to me is how much we’re seeing the cyber science fiction scenario play itself out in real world terms. In December, there was an attack on the Ukrainian grid with a piece of malware that basically shut down a huge portion of the Ukrainian electrical grid that everybody believes was developed and utilized by Russia. The stuff we talk about in theoretical terms in the film, or as an operation that went undone in the case of Nitro Zeus, we’re seeing in the real world. It’s happening all around us. Iran, in addition to shutting down the banks, they hacked into a water filtration plant in New York state. This stuff is happening all the time. Eric will tell you that the number of state attacks is increasing dramatically.
Eric, doing the job you do, are you more or less scared about what’s going on in our world?
Eric Chien: The impact of it is much greater. If we failed at doing our job, however many years ago someone would lose their 16-digit credit card number. Today, we are trying to protect national critical infrastructure for countries all over the world. We have no idea who the actors are. We have nation states now, potentially North Korea, who try to transfer $1 billion out of the Bangladesh bank. The stakes just keep getting higher and higher. If our jobs weren’t hard enough now, it’s compounded with things like internet of things, where people are putting the internet in a toothbrush. I don’t know if “scared” is the right word — I think if you get scared then you potentially don’t act rationally. But we definitely feel the weight of importance of our job much more so today than we did in the past.