Prolific Documentarian Alex Gibney on Zero Days

Documentarian Alex Gibney has made films on many subjects, including a wild-man journalist (Gonzo: The Life and Work of Dr. Hunter S. Thompson) and a discredited cyclist (The Armstrong Lie). But his specialties have come to be privacy, technology and conspiracy. In just the last three years, he's directed Steve Jobs: The Man in the Machine; We Steal Secrets: The Story of Wikileaks; and Going Clear: Scientology and the Prison of Belief. His new film, Zero Days, unravels mysteries of the Stuxnet virus, malware designed — most likely by the U.S. and Israeli governments — to destroy centrifuges used in Iran's nuclear program.

The quest to understand the arcane software led Gibney to Eric Chien and Liam O'Murchu, who analyze security threats for clients of Symantec, an American computer-services company. The two men appear in Zero Days, and also accompanied the director to Washington, where the movie was shown in the AFI Docs festival. The Credits talked to all three for this interview, which has been edited for length and clarity.

The Symantec experts were among the first to analyze Stuxnet, known to the U.S. National Security Agency (NSA) by the code name "Olympic Games." Of the movie, Gibney said, "It's kind of a spy thriller and Eric and Liam were the detectives." The documentary is also a consideration of the uses and abuses of official secrecy, and a warning about the potential dangers of future Stuxnet-like attacks. This was code that didn't just affect computers, but actually caused physical damage to devices outside the computer. That's an alarming prospect at a time when high-tech boosters are touting the Internet of Things — a worldwide web that would control far more than laptops and cellphones.

Chien: There are too many things that have the Internet. I don't need the Internet in my toothbrush. (That actually exists.) But I think the Internet of Things, despite the nonsense, is where we're headed. It is, at this point in time, obviously very insecure. And a bit worrisome.

When we started, the Internet was open and free, which was great. Anyone could hack a computer — in the old sense of "hack." We didn't design computers and networking with security in mind. We designed it so anyone could use it. But we've learned that you need some level of security. That lesson at present is not being applied to the Internet of Things. That's what worries us. There is a lot of push right now to get Internet vendors on board with some sort of standard for default security.

O'Murchu: What we've seen over the last 10 to 15 years is that the malicious software is written to economic models that criminals dream up. How can you make money from someone's PC? Sending spam, stealing credit card numbers, asking for ransoms. But we will start to see criminals explore what economic models apply to the Internet of Things. Once they figure that out, there's going to be a boom in malicious software.

Cinema verite seems to be dominant in documentaries these days. But in many of your films, you use dramatizations and computer-generated visualizations. One of the major figures in Zero Days, for example, is a digitally conjured composite character. Do you dislike cinema verite, or does it just not work for the kinds of stories you tell?

Gibney: I'm a big believer in form follows content. I did a film called The Armstrong Lie. A lot of that film was actually cinema verite. We hung out with Lance. We followed Lance. We don't comment. In addition, I did interviews, but we filmed for 21 days of the Tour de France.

But a lot of the films that I do tend to look back at recent events and understand them in a different way. Usually narratives get built around them, and then I go in after the fact and ask, "Is this really what happened?" It's like cold cases. It's very hard to do cinema verite in the past.

Impossible, in fact. But I've got nothing against it. For the right film, I love it.

One of the themes of Zero Days is obsessive, possibly counterproductive secrecy.

So far the momentum on the side of the government has been to make more and more things classified. It becomes almost a default policy, and they read more and more people into these secrets so that they are unable to talk. If you have a mountain of secrets and a huge number of people who hold these secrets, it shouldn't be surprising that there are leaks.

Despite the Obama administration's insistence on prosecuting people who leak — more than all other administrations combined — you continue to get these big leaks. I think that's because there is a belief that the government is hiding misguided, immoral or illegal behavior behind those secrets, and therefore not being held to account. You are seeing that in the torture debate, in the drone debate and now with Stuxnet. They've got to wake up and understand that if they are misusing secrets, as when National Intelligence Director James Clapper lied to the Senate about operations of the NSA, there's going to be blowback. And the blowback is more leaks.

It's the U.S. government this time, but the secrecy is not unlike that of the subject of Going Clear. Which did you find to be more paranoid: the Obama administration or Scientology?

Gibney: [laughs] Tough call. Certainly the Church of Scientology doesn't have the Department of Justice on its side. On the other hand, they do have Xenu, the galactic overlord. So that is a help.

And according to your film they're pretty cozy with the IRS.

Gibney: That was a great disappointment to me. That no senator, no congressman and certainly nobody at the IRS was willing to even engage in a discussion about revoking the Church of Scientology's tax exemption.

What I took from Zero Days is that the people who released Stuxnet just didn't think about the implications. Is that your impression?

Gibney: I think one of the actors, the United States government, was certainly hoping that it would remain secret. It's unclear, but our sources told us that Israel was really responsible for altering the code in a way that was discovered all over the world. And continues to affect computers today.

Our sources inside the NSA said they were furious that the Israelis had altered the code. By terms of the agreement, the Israelis had the right to do it. But they were being urged by the United States not to do it, because if they got more aggressive, it would be discovered.

And they introduced a flaw into the code. Before that, Stuxnet would sit on people's computers and it wouldn't be discovered. But now it was shutting down computers. So people were calling their IT people and saying, "What's up?"

It's unclear whether Israel, who we believe altered the code to make it much more aggressive, whether they didn't care if it got out or not, or whether they just thought that nobody would discover it. But in any event they moved very quickly, pressured, we believe, by the Netanyahu administration. While the Americans were preaching caution, because they had what they wanted.

From the U.S. perspective, what was great about the code was that it kept causing centrifuges to blow up, but in ways that — this is the Ocean's 11 aspect — it told the engineers that all was well. That was great, because it sowed doubt in the minds of the Iranian engineers. Instead of reacting against a foreign power, all the confusion, all the anxiety was directed against themselves. So when it was exposed, the U.S. was pissed off.

One of the things we discovered — from a very unusual source, Michael Hayden, former head of NSA and CIA — is that the original motivation for pursuing Stuxnet from the U.S. perspective was not to stop Iran from getting the bomb. It was to stop Israel from bombing Iran. To prevent an incident that would draw the United States into a conflict with Iran. But by leaking the code, that's precisely what ended up happening. So two sides, who were sharing the same weapon and sharing the design of the weapon, had very different motivations.

Chien: The code backs that up. It's very clear that one group was responsible for the payload code, the code to mess up the centrifuges. And another group that was responsible for spreading the code. In the beginning version of Stuxnet, the spreading is very limited. If the code had limited itself to Iran, we probably would never have seen it here. We wouldn't be here, talking about this.

You've said that we need to establish international norms for the use of cyberweapons. Do you think that's possible?

Gibney: I do. I can't tell you exactly how it will be done. But I was compelled by Richard Clarke's argument: Everybody said it would be impossible to do it with nuclear weapons. Well, it was done. Impossible to do with chemical weapons. Well, it was done.

If we start, then we've got a shot at it. To say that it's impossible is just the wrong answer. We have to embark on that. Part of it is at least acknowledging that these weapons exist. Then all of us as citizens can ask, "Is this what we want? A wild-west world where everybody's launching weapons at each other all the time? And we don't know when they might launch, or who might launch them?" The judge advocate general in the film says, "Right now, the norm is, 'Do whatever you can get away with.' " Not a very good norm.