From 'Zero Days.' Jerusalem Film Festival

Did the Israeli-American Stuxnet Virus Launch a Cyber World War?

A new documentary tells the story of Stuxnet, a computer virus developed, it is claimed, by Israel and the U.S. to disrupt the Iranian nuclear project. In an interview, filmmaker Alex Gibney talks about Israel’s responsibility for the revelation of the operation and its eventual spread around the world. Are we already in the midst of what Gibney calls ‘World War 3.0’?



NEW YORK – The two following assertions sound like something out of a James Bond movie: 1. We are in the midst of a new global war on the scale of the world wars of the 20th century, and, 2. The countries that have declared and launched the war refuse, in effect, to acknowledge its existence – or to be held accountable for its outcome.

These notions are not some Hollywood fantasy: They underlie “Zero Days,” the new film by the Oscar-winning American documentary filmmaker Alex Gibney.

The film is based on years of in-depth research, carried out with the help and cooperation of more than 100 journalists, information security experts, senior personnel at the U.S. National Security Agency and the Central Intelligence Agency, and Israeli figures including Yuval Steinitz, the national infrastructure minister who is also responsible for the Atomic Energy Commission, and the former director of Military Intelligence, Maj. Gen. (res.) Amos Yadlin.

“Zero Days” tells the constantly surprising story of the Stuxnet computer virus, which, according to Gibney and his sources, was developed by Israel and the United States during 2007-2008 in order to thwart the Iranian nuclear enterprise. Considerable information about the virus, including Israeli and U.S. involvement in its development, became public in September 2010, a few months after Stuxnet was first detected by information security firms.

In the six years that have elapsed, The New York Times, The Washington Post and other important media outlets have revealed additional details about the subject. Neither Israel nor the United States, however, has ever admitted its involvement in creating the virus, nor have they taken responsibility for its subsequent unexpected and aggressive spread around the world, in the course of which it attacked American computer networks and infrastructure facilities.

The purpose of Gibney’s documentary, which had its Israeli premiere this week at the Jerusalem Film Festival (where it has a final screening on July 16), then, is to generate a public discussion on questions that have not otherwise been addressed because of ostensible security considerations.

In light of the 62-year-old filmmaker’s career – he won an Academy Award for best documentary feature for “Taxi to the Dark Side” (2007) and was nominated for one for “Enron: The Smartest Guys in the Room” (2005) – it wouldn’t be surprising if he took home yet another gilded statuette next winter. However, he says, “If the film is recognized [by the Academy] that would be great, but I don’t make films for that reason.”

He got the idea for "Zero Days," he explained in an interview in New York last month, from Marc Shmuger, one of the producers of his 2013 documentary "We Steal Secrets: The Story of WikiLeaks": "I started out making a small film investigating Stuxnet, the self-replicating computer virus invented by the U.S. and Israel to infiltrate and sabotage the Iranian nuclear centrifuges at Natanz.

"What I discovered was a massive clandestine operation involving the CIA, the NSA, the U.S. military and Israel’s intelligence agency Mossad, to build and launch secret cyber ‘bombs’ that could plunge the world into a devastating series of crisscrossing attacks on critical infrastructure, shutting down electricity, poisoning water supplies and turning cars, trains and planes into deadly weapons."

Do you believe that a cyberwar could be as dangerous, or even more dangerous, than aerial bombing that causes mass deaths, or than nuclear weapons, for example?

“From a moral perspective, I think we should take cyber weapons extremely seriously. I think this was the point of making this film. While these weapons are still at a relatively unadvanced stage – though even at this stage they can shut down entire grids – we should be looking at them, and that was the reason why a number of the sources came forward. They were convinced that the people in the U.S. Cyber Command didn’t have a sufficiently full appreciation of the damage that these weapons can do.

“The nuclear comparison can be overdone – when you shut down grids, people are not eviscerated in a nuclear explosion – but still, these weapons can wreak destruction. So much of the machinery and the controls that manipulate the machines that keep our society running were never intended to be integrated in this way with the internet. We don’t know what the problem might be like in 10 or 20 years, and that is a big issue.

“Unlike the agreements we now have regarding nuclear or chemical weapons, there are no guidelines when it comes to cyberwars. And the use of malware can be kept secret – attribution is very difficult. Think how long everybody was arguing about whether the Sony hack [in 2014] really originated in North Korea. And there were a number of grid attacks on Ukraine, which were attributed to Russia [but never confirmed].

“So, attribution is difficult, raising the specter of false flags and mistaken counterattacks that could lead to a cyber world war. Our sources have confirmed that, since the launch of Stuxnet, offensive cyber operations – conducted by nation-states – are an everyday occurrence. They are expanding exponentially.”

Indeed, although the history of computer viruses dates back to the 1960s, the original idea was for the malware to spread as rapidly as possible from computer to computer, irrespective of the users’ identity. Stuxnet, in contrast, was a “designated” virus that was developed specifically to disable control systems at the Natanz facility, in Iran’s Isfahan province.

There were cyberattacks before Stuxnet, Gibney notes, “but I think what made Stuxnet important,” he says, “is that you had a piece of malware that was developed by a nation-state specifically to take control over a PLC [programmable logic controller, which controls the speed and various functions of the centrifuges]. It worked by effectively spying on the system for a number of days and then launching an attack on its own.

“The Iranians had no idea what had hit them, and that level of capability is extraordinary in itself.”

Gibney adds that once Tehran realized what had happened, “they established the Iranian Cyber Army. In a sense, Stuxnet gave Iran, China, Russia and any other country a Rosetta Stone for cyber weapons that could be used in a future war.” In other words, what started out as a secret operation has become a model for future attempts to develop malware specifically meant to spy on, and eventually destroy, grids and facilities across the world.

Atomic love affair

To get a handle on the genesis of this form of weaponry, we need to go back to the 1970s. In “Zero Days,” David E. Sanger, a senior New York Times correspondent who has been reporting on Stuxnet since 2010, asks how the Iranians obtained their first facility for uranium enrichment. To which he gives his own amused reply: “Very simple: We [Americans] gave it to them.”

According to Sanger, President Richard Nixon was an ardent supporter of the Iranian nuclear project and provided Tehran with assistance in building nuclear facilities during the period of the shah (who ruled Iran from 1941 to 1979). The atomic love affair between the two countries came to an abrupt halt in 1979, however, after the shah’s ouster, when Iran adopted a stridently anti-American posture under the regime of the ayatollahs.

Nevertheless, Iran did not abandon its nuclear ambitions. On the contrary: Its war with Iraq (1980-88) convinced the country’s leaders that it was urgently necessary to develop nuclear weapons as a defensive deterrent. In the decades that followed, Iran built several uranium-enrichment facilities, including the Natanz site.

Toward the end of the presidency of George W. Bush, with the United States entangled in Iraq and Afghanistan, Washington made every effort to avoid the emergence of an Iranian front. Gen. Michael Hayden, who was CIA director from 2006 to 2009 and is a key interviewee in “Zero Days,” states on camera that Washington believed that Israel would mount an air force attack on Iran by itself, on the assumption that the United States would then join in. The Israelis’ goal would presumably be not to derail the nuclear project in Iran, but to drag the United States into a war with that country, Hayden told Gibney.

In order to dispel some of the tension with the U.S., Israel suggested the development of a computer virus that would disrupt the activity of Iran’s centrifuges, and thus significantly set back the country’s nuclear project. Gibney notes that in contrast to other malware, which infiltrates computers when activated by an external command, Stuxnet operates autonomously. Once in the system, it is capable of taking control without additional outside intervention.

According to the film, everything went so smoothly – the virus destroyed hundreds of centrifuges at Natanz – that Israel decided to create another, far more aggressive version, and that’s when things began to go awry.

What do you think would have happened if Israel had not developed the new version of Stuxnet?

“Once the initial mission was accomplished, the U.S. said, ‘Okay, let’s cool it now.’ But the Israelis wanted more destruction, so they adapted the code and released a newer version. The code was extremely viral and spread across the world. But there was a flaw in the code, which started to shut down computers uncontrollably – and that tipped off cyber security experts everywhere.”

Indeed, many of those interviewed in “Zero Days” cite similar allegations about Israel’s – and Prime Minister Netanyahu’s – overeagerness to expand the use of Stuxnet, which resulted in the operation’s exposure and the global spread of the virus. According to Sanger, the discovery of the code, reported in the media, infuriated the administration. Vice President Joe Biden blew his stack during a meeting in the White House situation room and said that it must be the Israelis who were behind the leak.

Yet, despite the spate of reports in the international media, President Barack Obama denied vehemently any American involvement in the creation of Stuxnet. Instead of issuing public statements, Obama declared a “zero tolerance” policy toward leakers, and his administration was more occupied with pursuing Sanger’s sources (among them the former vice chairman of the Joint Chiefs of Staff, retired Gen. James Cartwright) than with answering reporters’ questions on the subject.

It was the new and more aggressive version of the malware that ultimately led to Stuxnet attacking American infrastructure facilities. The height of absurdity occurred when American cyberwar experts identified the assault and assumed that it was Russian or Chinese in origin. Their mistake was due to the fact that the NSA, determined to preserve the operation’s secrecy, failed to update other governmental agencies about the virus’ existence.

In the meantime, reprisal attacks had begun. In 2012, Iranian hackers attacked an oil-drilling company and subsequently a number of American banks. Since the virus’ existence became known, the Iranians have recruited hundreds of engineers into their Iranian Cyber Army, which within a few years became one of the largest forces of its kind anywhere.

“World War 3.0,” as Gibney calls the global cyberwar that began around 2010, also played a significant part in the agreement that was signed between the world powers and Tehran on July 14, 2015, over the protests of Netanyahu and other senior Israeli figures. Obama, Gibney says, knew he was coming to the negotiating table from a position of power, because the United States has the ability to strike at Iranian infrastructures if Tehran violates the terms of the accord.

Based on your conversations with senior people in the Israeli and American security systems, do you think the Stuxnet episode is the cause of the strained relations between Obama and Netanyahu?

“The origins of the Stuxnet plan were during the Bush administration. Then Obama – like he did with the use of drones – ratchets it up. I think there were a lot of issues between Obama and Netanyahu, but this was a contributing factor, particularly since I think that Obama inherited the idea from Bush that the whole notion of the Stuxnet weapon was not so much to attack Iran as to prevent Israel from dropping a bomb on Iran.”

Did the snafu that led to the Iranians’ discovery of Stuxnet affect the negotiations that led to the nuclear agreement with Iran?

“I think both Iran and the U.S. were happy with the fact that they made a deal. For Obama, knowing that he has a much more powerful [cyber-offense] program, called Nitro Zeus, certainly informed the parameters of the deal. While Obama was widely criticized – both in Israel and at home – for being ‘too weak’ and not getting a ‘good enough’ deal – another way of looking at it is that he was sitting there thinking, ‘If they cheat, we have a new weapon that can make things increasingly difficult for them.’ They knew that the U.S. could virtually shut down the entire country in the event that Iran cheated on the deal.”

‘Ticking “cyber bombs”’

Indeed, one of the major revelations in “Zero Days” is that the Stuxnet affair was only a small part of a broad policy overhaul in which the United States moved from the development of defenses against cyberattacks, to developing malware for offensive purposes. Nitro Zeus, whose existence is mentioned toward the end of Gibney’s documentary, was an ambitious plan aimed at monitoring, and if necessary attacking, disrupting and destroying such essential infrastructure as the supply of electric power, fuel and water, and also aerial defense systems.

According to an article published in The Times last February, Nitro Zeus – which was planned and developed by thousands of American military and intelligence personnel at an estimated cost of tens of millions of dollars – is part of a secret cybernetic assault plan that was designed as a safety net in the event Iran refused to sign a nuclear accord or violated its terms after signing.

According to Gibney, the switch from defense to offense, and the attempt to deter other countries from developing cyberwar options against the United States, was unsuccessful.

“Russia, China and North Korea have attacked the United States in one way or another,” Gibney says, adding, “There are apparently thousands of ticking ‘cyber bombs’ that have been infiltrated into American computers and are capable of damaging infrastructure facilities, including electric power, water purification, transportation and more.”

Why does the film focus on Stuxnet, whose existence was already known, and not on Nitro Zeus?

“Stuxnet is the Pandora’s Box story. It is the moment when a new weapon is unleashed, just like in Hiroshima and Nagasaki. It was the first malware able to jump from the cyber realm into the physical one, so it was important to deal with it in detail and tell this origin story. While we were doing the film about Stuxnet, we discovered Nitro Zeus. It demonstrates the momentum of cyberwar: Nitro Zeus shows that Stuxnet was not a one-of-a-kind occurrence.”

Did Israel have anything to do with Nitro Zeus?

“As far as we know, it wasn’t Israel, but rather the U.S. Cyber Command and the NSA.”

Does the program still exist?

“We are fairly certain that the U.S. is still spending money on developing powerful cyber weapons, but we don’t know for certain whether Nitro Zeus is still in effect. It was recently reported by David Sanger that some of the weapons we’re using against ISIS are cyber weapons. This is one of the first times that the U.S. government has actually come forward and said, ‘Yes, we’re using cyber weapons.’ They are now talking about literally changing texts and information, so when you send an email or a text message – imagine that instead of saying ‘I love you’ it comes out ‘I hate you and I’m going to kill you.’ That’s kind of a scary thought.”

I asked Gibney whether he thinks Israel is portrayed fairly and objectively in the film.

“I was trying to show different aspects of the Israeli policy,” he replied, “but we were able to establish that it was Israel that blew the secrecy of the operation. We don’t know for sure whether this was intentional and was meant to send a message to Iran. We’re told that it was Netanyahu who wanted to see more results more quickly, so maybe he was fine with Iran knowing what was blowing up the centrifuges.

“According to my sources, [the late Mossad chief] Meir Dagan was pressured by Netanyahu to show more explosions, and as a result, once Israel changed the code it spread much more quickly. This was a question I wasn’t able to answer. If you’re sharing intelligence and technology with another country, it can be problematic if that country happens to have a different interest.”

Do you anticipate that the way Israel is presented in “Zero Days” will generate criticism of you and your production company?

“I suspect I will be criticized, because any time there is any criticism of Israel there is some blowback. But to me this was a really important object lesson for how that alliance can be extremely problematic, particularly when you’re sharing military technology, and Israel – or certain parts of the Israeli defense establishment – and the U.S. have very different views on how these weapons should be used. My understanding is that the Israelis contributed quite a bit to the technology, and each side had the right to go along if it so wished. But after the explosion of 1,000 centrifuges, the U.S. made it very clear to Israel that now would be a good time not to push it, because the Iranians had no idea what was going on. But the Israelis decided to push forward.”

Did you try to interview Prime Minister Netanyahu or other senior Israeli governmental figures?

“Yes, certainly. We were trying to interview Prime Minister Netanyahu, as well as other Israeli officials like Meir Dagan. The closest we were able to get was Yadlin and Steinitz.”

In the end, “Zero Days” raises disturbing questions about censorship, espionage and the use of military power, as well as making a case for a public discussion to take place on the legal and moral aspects of cyberwar. Asked whether he truly believes that we are at the start of a third world war, Gibney replies that the expression “World War 3.0” is “a bit of a sardonic joke,” but adds, “The serious part of it is that we do suggest that cyber weapons – which are increasingly powerful – could lead us into a war that could get out of control very quickly. Cyber weapons are just beginning to be used, and we can’t tell who will end up using them, and how.”

Queries to the Prime Minister’s Office and the Israel Defense Forces’ Spokesperson’s Unit went unanswered.
