‘Zero Days’ Review: Alex Gibney Hacks Into the Legendary Stuxnet Virus

The world’s computer networks are more vulnerable than we think, as this chilling documentary reveals

Last Updated: July 8, 2016 @ 4:15 PM

How do you make a documentary about something people won’t talk about? It’s been widely reported that the Stuxnet virus, which infected computers all over the world in 2010, was a joint creation of U.S. and Israeli intelligence designed to cripple Iran’s nuclear capacity.

But the long and impressive line of high-ranking intelligence agency members that Alex Gibney (“Going Clear,” “Taxi to the Dark Side”) assembles for “Zero Days” is almost comically tight-lipped about Stuxnet, all the way down to refusing to confirm it even exists. The subject is, as former CIA and NSA chief Michael Hayden admits, “hideously over-classified.” But as another subject points out, you can’t have a national debate about whether and when to use cyberweapons if the government won’t even stipulate that there are such things, and that’s just how the powers that be want it.

Fortunately, Gibney finds a counterbalance in two charmingly chatty anti-virus experts, Eric Chien and Liam O’Murchu, who are more than willing to spill what they know. They detail how even in the world of high-tech hacking, Stuxnet was a unicorn, a lengthy, flawlessly crafted piece of code with multiple examples of what they call “zero day exploits,” hitherto unseen pieces of malicious code, the targets of which have no advance warning.

Gibney also talks to the New York Times’ David Sanger, who broke the story of what was known as “Olympic Games” inside the various agencies that collaborated on it, and to an apparent intelligence-agency whistleblower whose alternately forthcoming and dismissive responses give the movie its closest thing to a central personality.

Zero-Days_vertThe latter, a blonde white woman, appears with her features digitally disguised, the edges blurred so her figure seems to be constant danger of disintegrating into binary bits. She’s the ghost out of the machine, but she could slip back inside at any minute. Because the “Zero Days” subjects who are best positioned to provide new information are also the least likely to talk, much of the movie is devoted to rehashing previously published reports, which Gibney does with both cogency and style.

Although Gibney takes sole writing and directing credits, his movies are released at a pace of three or a four a year that suggests a more assembly-line approach. They’re professional and solidly executed, informative if you go in underinformed but rarely surprising or aesthetically noteworthy.

Gibney’s not as frequent an onscreen presence as Michael Moore, but he makes sure you know he’s there, seething behind the camera as yet another spook stonewalls him. Most egregiously, one interview is filmed over Gibney’s shoulder and through an office door as he chats up his subject on Skype, as if the camera crew just happened by and didn’t want him to know they were eavesdropping.

Techniques like that oddly voyeuristic interview amount to window-dressing, an attempt to add spy-movie tension, as do the shots of flickering server banks that might have been pinched from Michael Mann‘s “Blackhat.” (Perhaps it’s only fair, since Stuxnet was clearly one of Mann’s inspirations.) The movie doesn’t need them, though, as it turns out that what’s at stake is more than some multiplex MacGuffin.

The Stuxnet virus, we learn, was specifically designed to target PLCs, which are essentially small computers attached to major pieces of physical infrastructure: bridges, water plants, electrical grids, etc. Hacking them could allow a bad actor to effectively shut down an entire city or more in a single stroke, and with Stuxnet’s release, the U.S., and especially Israel (both of whom apparently released the virus into the world without their allies’ consent), have sent a signal to the world that cyberattacks are a legitimate form of (cold) warfare.

It’s that, Gibney’s mysterious whisteblower suggests, that should really terrify us, especially since the heavily networked U.S. is excruciatingly vulnerable to large-scale hacks. But it’s hard to address the problem when our government won’t even allow people to acknowledge there is one.