Zero Days documentary review: the code war has begun

Zero Days green light

MaryAnn’s quick take…

Fascinating and horrifying. A gripping detective story and an impassioned call for public debate over terrifying weapons that have already been loosed.
I’m “biast” (pro): love Alex Gibney films
I’m “biast” (con): nothing

Cyber warfare is here. And I’m not referring to the Russian hacking of DNC servers during the recent US presidential election. The cyber equivalent of Hiroshima happened several years ago, and it wasn’t the Russians who dropped the bomb. It was the US and Israel, and it’s what outgoing president Barack Obama was referring to when he said, in his farewell speech the other day, that he had “shut down Iran’s nuclear weapons program without firing a shot.” He was talking about Stuxnet, the malware that sneakily threw Iran’s delicate nuclear-fuel-refining centrifuges out of whack in 2010, which preceded more diplomatic efforts to convince Iran to get out of the bomb business.

Zero Days Michael Hayden
This man could tell you about Stuxnet, but then he’d have to kill you.

We are living in the future, and not in a good way.

I don’t think Obama has ever overtly acknowledged that the US was responsible for Stuxnet. And in his latest documentary, the fascinating and horrifying Zero Days, Alex Gibney (The Armstrong Lie, Mea Maxima Culpa: Silence in the House of God) tries to get people — intelligence operatives, politicians, cyber experts, and others in the know — to talk openly about Stuxnet, but everyone’s lips are officially sealed. The film opens with a montage of talking heads spouting variations on “I don’t know anything, and if I did I couldn’t tell you anyway.” It would be funny if it weren’t so frustrating. Gibney wants to use the Stuxnet offensive as the jumping-off point to talk about cyber warfare in a larger, more philosophical, more socially imperative sense, but as he asks with wry irritation, “How can you have a debate if everything is secret?”

We could see for ourselves the impact of nuclear weapons, as Gibney notes, and that fueled the cultural discussion about their use. How do we reach the same level of awareness if no one will talk about nation-state-sponsored malware and if the ordinary person cannot see how it works? So, Gibney suggests, let’s look at the Stuxnet code itself, which is not secret. He turns to the global civilian security industry — which, intriguingly, shares info among itself even across acrimonious borders; Russians and Americans are cooperating in this area — to explain how it is possible to figure out from the code itself who created it and what it does. (When Donald Trump decides he wants a primer on cyber forensics, he could start with this movie.)

This composite of CIA whistleblowers will tell you all about Stuxnet, and it will stun you.

You don’t need to be very computer savvy to understand the basics, which are set out very clearly, most centrally and rather entertainingly, by Eric Chien and Liam O’Murchu from Internet security firm Symantec. (It’s from them that we learn what the title refers to: a “zero day exploit” spreads without you having to do anything, like click on a link to download a file; it remains secret until it starts doing whatever it is intended to do, and so there is no patch to fix it.) Among the superscary things we discover is that even though at the time Stuxnet was the most sophisticated malware ever seen (it may now have been surpassed), it wasn’t perfect, and it spread much further and wider than it may have been intended to: it infected millions of computers all around the planet, and while lots of experts could see that it was there, no one knew initially what it would do. (What if it had been designed to shut down the power across an entire country, or targeted other critical infrastructure?) Even more terrifying, malware such as Stuxnet is like a bomb that explodes but can subsequently be picked up and used again. Once the code is out there, anyone can see it and alter it and use it however they want.

And that is indeed what happened with Stuxnet. You’ll have to see Zero Days to get the full story. This is a gripping detective story at “the strange intersection of cyber, nuclear weapons, and espionage,” says Gibney. My favorite muckraking docu-journalist, he digs and pushes and doesn’t give up until he gets answers — some via anonymous CIA sources who will scare the life out of you — about the real-world physical damage computer code can wreak. The public debate Gibney wants to have about cyber warfare needs to start yesterday. And Zero Days is the opening statement.

Thu, Jan 12, 2017 4:33pm

A zero-day exploit just means that the authors of the software haven’t yet been told about it, so there’s no patch; it has nothing to do with how the malware spreads or behaves.

The US of course is trying to have it both ways, just as with nuclear weapons: anyone who uses malware against it is Bad, but it’s just dandy to use against other people.

MaryAnn Johanson
reply to  RogerBW
Sat, Jan 14, 2017 11:15am

it has nothing to do with how the malware spreads or behaves.

This is specifically mentioned in the film. Perhaps because the way it hides contributes to unawareness of it?

reply to  MaryAnn Johanson
Sat, Jan 14, 2017 11:50am

I think this may just be a misinterpretation of the term, or people on the fringes of the community hearing something that sounds cool but not realising that it actually has a specific technical meaning (see also “syndrome”).

MaryAnn Johanson
reply to  RogerBW
Mon, Jan 16, 2017 9:36am

It’s the expert forensics guys from Symantec who use the term here. Maybe they don’t explain it well, but they’re far from fringe.

Aaron Jones
Fri, Jan 13, 2017 12:47am

No horror movie or thriller in 2016 was scarier than this doc.