US Cyber Weapons: Our ‘Demon Pinball’

Zero Days

a documentary film directed by Alex Gibney
The disguised speaker representing sources inside the NSA and CIA who spoke to Alex Gibney for his documentary film Zero Days
Magnolia Pictures

Ninety-four minutes into Zero Days, Alex Gibney’s documentary about the American government’s expanding and largely invisible embrace of offensive cyber weaponry, the image of retired general James Cartwright appears on the screen. From 2007 to 2011 Cartwright was vice-chairman of the Joint Chiefs of Staff and a favorite of President Obama. But when he appears in Gibney’s film, it’s not as an advocate, it’s as a potential enemy of the state, accused of leaking classified information about Stuxnet, the sophisticated software worm that destroyed thousands of centrifuges at Iran’s Natanz nuclear enrichment facility between 2008 and 2010. Stuxnet went rogue in the process and infected computers throughout the world. “These are criminal acts when they release information like this,” President Obama told the press when queried about the leaks at the time, “and we will conduct thorough investigations, as we have in the past.” And then the government dropped the case. To prosecute Cartwright, the United States would have had to acknowledge that it had a hand, along with Israel, in developing and deploying a weapon that blew up the physical assets of another country. “To this day,” Gibney tells us, “no one in the US or Israeli governments has officially acknowledged the existence of the joint operation.” Cyber weapons are stealth weapons. Absent the flash and bang of bombs and guns, they arrive, like all computer code, in 0s and 1s; they are used to silently infiltrate individual machines and entire networks. They have the capacity to strike with great precision, shutting down critical infrastructure, confusing enemy signals, upending communications, and responding to and redirecting military attacks before they occur. The centrifuges targeted in Iran were producing weapons-grade uranium, the material needed to make nuclear bombs. They were sequestered inside a heavily guarded building that was not connected to the Internet. 
As a consequence, the Iranians assumed they were beyond reach and for years remained unaware that outside forces had taken them over. Equipment was blowing up, yes, but when it did they ascribed it to human error or shoddy workmanship. (People lost their jobs.) That is the signature of cyber weapons: they are written in invisible ink.

For years now, the United States, primarily through the National Security Agency, has devoted considerable resources to cyber spying, putting “back doors” on computers, infecting them with malware, tapping into cable transmissions. But the government’s concerted use of digital tools as ordnance is relatively new. It began—officially, at least—in the midst of the Stuxnet operation (code name “Olympic Games”) with the creation of the US Cyber Command in 2009. The year before, classified military networks running the wars in Iraq and Afghanistan had been breached, most likely by Russia. The US Cyber Command, which has both defensive and offensive capabilities, was established in response.

Cyber Command is headquartered alongside the NSA at Fort Meade, Maryland, and the NSA director is also its head; though they are separate entities, it wouldn’t be wrong to interpret the creation of Cyber Command as the means to amplify the work of the spy agency. As former CIA and NSA director Michael Hayden tells Alex Gibney, “If you can spy on a network, you can manipulate it. It’s already included. The only thing you need is an act of will.” Cyber Command—with the blessing of the US president, who must sign off on all attacks—supplies that act of will. Its Cyber Mission Force is expected to employ 6,187 “warriors” by next year. Just as cyber weapons themselves operate largely out of sight, so too the work of those combatants. Over the years, despite publicizing the existence of this cyber strike force, and in the face of evidence culled from documents leaked by former NSA contractor Edward Snowden that show that in 2011 alone the United States initiated 231 offensive cyber attacks, the government has never acknowledged launching a single one, according to David Sanger, the national security correspondent of The New York Times, and Gibney’s collaborator here. (This appears to have changed between the filming of Zero Days and last spring, when Defense Secretary Ash Carter stated in the broadest terms that the United States was using cyber weapons against the Islamic State.) Sanger recalls being stonewalled by the White House, the Pentagon, and the NSA when he asked about the use of offensive cyber weapons:

Nobody would talk to you about it. But when you dug into the budget for cyber spending during the Obama administration what you discovered was much of it was being spent on offensive cyber weapons. You see phrases like “Title 10 CNO.” Title ten means operations for the US military and CNO means Computer Network Operations. This is evidence that Stuxnet is just the opening wedge of what is a much broader US government effort now to develop an entire new class of weapons.

The main reason no one would talk—about Stuxnet, or any of it—is that to do so was to risk arrest. “Look, for the longest time I was in fear that I actually couldn’t say the phrase ‘computer network attack,’” Michael Hayden says.

This stuff is hideously over-classified and it gets into the way of a mature, public discussion as to what we as a democracy want our nation to be doing up here in the cyber domain. Now this is a former director of NSA and CIA saying this stuff is overclassified. One of the reasons this is as highly classified as it is, this is a peculiar weapons system, this is a weapons system that has come out of the espionage community. And so those people have a habit of secrecy.

Zero Days—which traces the discovery of the Stuxnet virus by a computer security firm in Belarus in 2010, and the tense, painstaking detective work by a random assortment of researchers in the United States, Germany, France, the Netherlands, and Russia to piece together what it was and what it did and where it came from and why—is Alex Gibney’s attempt to force that conversation.

Stuxnet was not meant to be found. It was never supposed to move beyond its intended target and bounce around the World Wide Web like a demon pinball. In its original configuration, someone, an agent of the CIA or Israeli intelligence, most likely, would surreptitiously deliver the virus via a thumb drive to someone else—a technician who was able to enter the Natanz facility, for example. Once that thumb drive was inserted into one of the Natanz computers, which were offline, it would jump the “air gap” between Natanz and the rest of the world. Stuxnet would then winnow its way into the facility’s operating system.

Because the code writers were quite narrow in their approach, the worm was directed at specific pieces of equipment known as PLCs—programmable logic controllers—with specific ID numbers. These were the PLCs at Natanz that regulated the speed of its centrifuges. Slowing them down or accelerating them, as Stuxnet did, caused the centrifuges to be blown to bits. It was clever and contained and it served the dual purpose of stalling Iran’s nuclear program while appeasing Israel, which was making noises about bombing Natanz and, most probably, drawing the United States into yet another Middle Eastern conflict. But in 2010 the security firm in Belarus began hearing from clients in Iran that their computers were infected with a strange new virus, and not long after, the same virus began appearing in other parts of the world. This shows up well in the film as lights, overlaid on a map, turn on in quick succession, rendering the disease metaphor ineluctably graphic. The spread of Stuxnet looks exactly like a pandemic. In the United States Stuxnet infected, among many others, the computers of a Chevron refinery. In Russia, apparently, it made its way into a nuclear plant. The virus crashed some computers in Iran but otherwise its larger effects and objective remained unclear. As it was spreading, no one outside a small coterie in the intelligence communities of the United States, Israel, and the UK and some high-ranking officials in those countries knew what its purpose was and where it came from. Apparently, those in the know did not include Sean McGurk, the head of cybersecurity for the US Department of Homeland Security. “There was,” he says,

that “Oh, crap” moment, you know, where we sat there and said, This is something that’s significant, it’s impacting industrial control, it can disrupt it to the point that it can cause harm…. Basically [it was]…call everybody we know, inform the secretary, inform the White House, inform the other departments and agencies, wake up the world and figure out what’s going on with this particular malware.

According to Gibney, DHS then spent millions of dollars “trying to protect Americans from their own government.” The race to parse and decipher Stuxnet was led by Eric Chien and Liam O’Murchu, two young researchers at the global Internet security firm Symantec. Their quest, following what they call the “breadcrumbs” of evidence inadvertently left in the code, gives the film its surprising narrative tension. Figuring out what the virus did, and its intended target and its genesis, were all urgent puzzles to solve, especially because all Windows-based PCs were vulnerable to Stuxnet. The virus entered those computers through what is called a “zero-day” exploit—that is, a hole no one knows about except the attacker. No Windows computer encountering the virus was immune from it. Zero-day exploits are rare and valuable, worth hundreds of thousands of dollars on the black market. Finding one zero-day exploit in a program was unusual, but researchers studying Stuxnet eventually uncovered four of them embedded into the code. This was extraordinary. It was also a big red flag that Stuxnet was, most probably, the work of a nation-state. Once Chien and O’Murchu determined that the virus was aimed at PLCs made by the Siemens corporation, they decided to see how it worked by running a Siemens controller connected to a small pump—a substitute for a centrifuge—at one end and an infected computer at the other. The pump had a balloon attached to it, and the researchers watched in amazement and horror as it inflated the balloon until it exploded. “Here is a piece of software that should only exist in the cyber realm and is able to affect physical equipment in a plant or a factory and cause physical damage,” O’Murchu explains. He and Chien were spooked. This was the stuff of Hollywood thrillers. 
By then they knew that the PLCs in question were located at the Natanz plant, and with a little more sleuthing they surmised that the countries with the greatest interest in sabotaging Iran’s nuclear program were the United States and Israel. Years later, when asked by a reporter for Wired magazine if they were concerned that they had stumbled upon, and were interfering with, a covert US military operation, Chien, an American working in an American city, observed that “for us…bad guys are people who are writing malicious code that infects systems that can cause unintended consequences or intended consequences. We’re not beholden to a nation. We’re a multinational, private company protecting customers.” He and O’Murchu continued to probe the Stuxnet code and publish their findings, certain that government agents had them under surveillance.

A section of code from the Internet security firm Symantec’s breakdown of the Stuxnet virus; from Zero Days
Magnolia Films

According to David Sanger, who wrote extensively about Stuxnet in his 2012 book Confront and Conceal,* when Barack Obama reauthorized the Bush administration’s “Olympic Games” mission upon taking office, his great fear was attribution: the president did not want the virus to be traced back to the United States. Infiltrating and destroying physical infrastructure in another country could be interpreted as an act of war, with disastrous consequences. As Emad Kiyaei, the executive director of the American Iranian Council, says in the film, “Let’s say a nuclear facility in the United States was targeted in the same way, the American government would not sit by and let this go.”

Attribution might also invite retribution, which indeed did happen when, beginning in 2011, the Iranians attacked forty-six American financial institutions over 176 days, including J.P. Morgan, the New York Stock Exchange, and Wells Fargo. In 2013 they hacked into the operating system of a New York dam. Attribution would also undermine the government’s credibility when protesting the cyber incursions of other nations. So anonymity within the code and secrecy about it were crucial. As a documentarian, Gibney found that such secrecy posed problems. As he shows, over and over, no one with inside information would confirm the origin of Stuxnet. His conversation with the German security expert Ralph Langner was typical. Gibney points out to Langner that it’s been widely rumored that the virus is the work of a collaboration between the United States and Israel and he asks Langner if he, too, believes that to be the case. Langner does not deny it but says that it’s nothing he can talk about. Eventually the filmmaker finds someone on the inside who will go on the record and spill state secrets, but with a catch: Gibney must shield the informant’s identity. Film lends itself to this subterfuge. On camera, the source, who turns out to be a woman, is hidden behind a scrim of pixels; there’s an enigmatic, Chuck Close aspect to her appearance. That the speaker is female is disconcerting since female hackers are rare and might be easy for the government to identify. Is this more artifice? It seems possible, but Gibney gives nothing away. As viewers, we have to take his word that she is who she says she is—a patriot and a veteran of the war in Afghanistan who, in 2007, began working in the Remote Operations Center of the NSA’s Tailored Access Operations division, the agency’s elite hacking unit. She is willing to talk to Gibney, she says, because she is concerned about the misinformation surrounding Stuxnet and the public’s ignorance of where viruses like it may lead. 
“We have to understand these new weapons,” she says gravely. “The stakes are too high.” Gibney’s source goes on to confirm the partnership between the US and Israel in developing and deploying Stuxnet (with an assist from Britain’s GCHQ), explaining that each time Stuxnet was launched, a CIA agent stood behind the computer operator and gave the order to attack. The source also says that the worm went rogue when the Israelis changed the code without the consent of the Americans so that it would spread without human intervention and “just fucking launched it.” Her indignation is appreciable and it is familiar: it’s the fury of a writer whose perfect sentences have been mucked up by an overzealous editor. Stuxnet continued to be deployed after that, but it didn’t take long for the Iranians to understand that what they had been assuming to be operator error and equipment malfunction was something sinister and unprecedented. And then they turned around and developed their own cyber army to mount their own cyber campaigns. At the end of the film, Gibney brings his insider out of the shadows. The pixels on the screen coalesce to reveal an attractive young woman, sitting in a studio, talking directly into the camera. Before there is time to applaud her bravery for coming forward or Gibney’s recklessness in showing her face, she introduces herself as an actor, playing a role based on Gibney’s interviews with a small number of people from the NSA and CIA. It feels slippery, and it’s also unsettling, which may be the point.

In this film, and in earlier interviews, Michael Hayden has referred to the launching of Stuxnet as “August 1945.” What he means is that with Stuxnet, the United States unleashed a new class of weapon upon the world, one of great and unknown power that will be decisive in the years to come. Nuclear weapons, obviously, are absolute, but it would be shortsighted to underestimate the potency and reach of weapons that can take out power grids, shut down telecommunications, wreak havoc on banking systems, and compromise water supplies. In one of the final revelations of the film, Gibney’s source explains that Stuxnet was only one way the United States was planning to disempower Iran in the event that Israel started a conflict there, and from her description of that larger mission, called Nitro Zeus, one gets a good idea of what all-out cyber warfare might look like:

We built in attacks on Iran’s command and control systems, so the Iranians couldn’t talk to each other in a fight. We infiltrated their…military air defense systems so they couldn’t shoot down our planes if we flew over. We also went after their civilian support systems. Power grids, transportation, communications, financial systems…. NZ [Nitro Zeus] was the plan for a full-scale cyber war, with no attribution.

Nuclear weapons are expensive to build and maintain, and this is another way they are different from cyber weapons, which are cheap and available on the black market so that any country—and any criminal or terrorist group or proxy nation or industrial competitor—can acquire them. In 2014, for instance, hackers—their identity still unknown—infiltrated the control system of a German steel plant. The next year, hackers, most likely from Russia, shut down the power grid in western Ukraine. China, which has its own elite offensive cyber force within the People’s Liberation Army, has been busy stealing, among many other things, blueprints for US pipelines, power transmission lines, and power plants. According to Eric Rosenbach, an assistant secretary of defense in charge of homeland defense and global security issues, “some five dozen countries are building a military-cyber operation, equivalent to the United States’ Cyber Command.” It has been suggested, in this film and in the press, that the reason the United States has maintained its silence on Stuxnet and other offensive cyber attacks is that it doesn’t want to lose its strategic advantage by revealing what is in its arsenal. In the spring, when Secretary Carter announced that the US was waging cyber war against ISIS, he made it clear that the success of the effort depended on secrecy. “We don’t want the enemy to know when, where, and how we’re conducting cyber operations,” he said. “We don’t want them to have information that will allow them to adapt over time. We want them to be surprised when we conduct cyber operations.” Exposing what’s possible to do in the cyber realm also renders it probable that an adversary will attempt to replicate it, engendering an even more aggressive arms race than the one already in progress. 
In the Department of Defense’s lengthy report on its cyber strategy, issued in April 2015, the authors note that cyber threats have displaced terrorism as the number-one strategic threat to the United States, and they name Russia, China, Iran, and North Korea as having “invested significantly in cyber as it provides them with a viable, plausibly deniable capability to target the US homeland and damage US interests.” That same document, most of which is devoted to cyber defense and cybersecurity, also acknowledges, in conditional and dissembling bureaucratic language, the Defense Department’s willingness to engage in offensive cyber actions. “There may be times,” it says,

when the President or the Secretary of Defense may determine that it would be appropriate for the US military to conduct cyber operations to disrupt an adversary’s military-related networks or infrastructure so that the US military can protect US interests in an area of operations.

A classified presidential directive issued in 2012, and divulged by Edward Snowden, sets out the broad instructions for conducting offensive cyber attacks against both foreign and domestic adversaries. As reported by Glenn Greenwald and Ewen MacAskill in The Guardian, the president directed the heads of the CIA, National Intelligence, and the Defense Department to prepare a list of “potential systems, processes and infrastructure against which the United States should establish and maintain OCEO [Offensive Cyber Effects Operations] capabilities”; and the president went on to authorize cyber incursions abroad when “‘US national interests and equities’ require such nonconsensual attacks.” When asked by Greenwald and MacAskill about the apparent escalation of offensive cyber activities outlined in the directive, a senior official told them, “Once humans develop the capacity to build boats, we build navies. Once you build airplanes, we build air forces.”

While the presidential directive emphasizes that all cyber attacks must conform to US law, one result of the secrecy that conceals cyber warfare is that there are no rules of engagement to define its proper use. Although legal scholars have suggested that the existing rules that govern war pertain to cyber conflicts as well, the stealth nature of cyber attacks, where attribution is often impossible to ascertain, holds the promise of absolving nations of the responsibility of adhering to them. The secrecy that enables one country to pick the pocket of another allows it to do so without international scrutiny. Cyber weapons may hold out the possibility of a certain kind of mutually assured destruction, but so far there has been little international interest in deterrence. Five years later, it’s hard to know how to judge the success of Stuxnet. The malware did what it was designed to do: it destroyed thousands of uranium enrichment centrifuges, slowing down the Iranian nuclear project by a year or two, and discouraging the Israelis from initiating a conventional military campaign. But those successes were overtaken by their effect on officials in the Iranian government, who were motivated to step up their nuclear efforts in its wake and develop a sophisticated cyber attack force of their own. On the other hand, the deal signed earlier this year between the United States and Iran, which should curb Iranian nuclear ambitions for the next fifteen years, might also be seen as a result of both Stuxnet and the greater threat, waiting offstage, of Nitro Zeus. Gibney’s sources, we are told, think so and they say their colleagues agree. The character speaking for these sources says, “Everyone I know is basically thrilled with the Iran deal. Diplomacy worked. But behind that deal was a lot of confidence in our cyber capability.” That capability will only grow.
DARPA, the research arm of the Department of Defense, is currently working on a project to use virtual reality headsets to enable soldiers to visualize and explore computer networks in three dimensions in order to locate points of attack. Another DOD initiative involves moving civilian engineers, hackers, coders, and security experts in and out of the Pentagon for short-term stints to “drive game-changing evolution in the way DOD builds and deploys technology and digital services.” And the Cyber Mission Force will be fully operational in another year. Given the government’s aversion to a public discussion of the scope and limits of cyber warfare, whatever this group does, the chances are we’ll never hear about it.

* Reviewed by Joseph Lelyveld in these pages, August 16, 2012; see also my article “Are Hackers Heroes?,” The New York Review, September 27, 2012.