Zero Days full movie review - Useful material to start discussion about "cyber warfare". Unsure it will reach out to politicians and other non-IT people. Will probably shoot over everyone's head
Saw this at the Berlinale 2016, where it was programmed as part of the official Competition section. I have to start with a full disclaimer, by confessing that information security has been my full time occupation for at least 25 years.
As such it was not my intention to learn something new when viewing this documentary about the infamous Stuxnet worm, jointly developed by Israel and US, targeting Iranian reactors and obstructing the production of nuclear material. Yet I'm very interested in each and every vehicle (movie, book, newspaper article, whatever) to make non-IT people aware of the issues at hand, if only to provide material for an open debate about the pros and cons of "cyber warfare" with much wider implications than the average layman realizes.
As observed with previous movies about IT-related issues (WikiLeaks, Snowden, Steve Jobs etcetera) it is very difficult to sit it through while being (like myself) someone who worked in IT all his life. We saw numerous fragments of Assembler, flashing lights from network equipment, heavily populated cable bundles, and many screens showing various sorts of abracadabra, all supposedly intending to look technical for an average layman. Another problem is that several talking heads ducked when asked specific questions about Stuxnet, the latter being the main topic of this movie. Most of them had the usual excuse *Even when I knew about it, I cannot elaborate". Luckily, we heard not once the excuse "I can tell you about it but after that I have to shoot you", usually intended as a humorous escape from hot questions without appearing offensive or overly defiant. Several high ranking officials only wanted to speak out in general terms, thereby avoiding Stuxnet and other concrete projects, by explaining what they found wrong, especially about the secrecy that most found exaggerated and unnecessary. As such, their contributions were still useful, albeit not exactly touching the subject at hand.
Nevertheless, I heard a few new things I had not thought about yet. Firstly, Stuxnet was not designed to become so visible as it did. People at the NSA were furious when seeing that Israel extended v1.1 of the software to be more aggressive, making it spread and allowing it to surface, while that never had been the intention. The net result is that other countries may find justification to counter with similar software, now the US has provided for a precedent. Secondly, many people in CIA and NSA express their concerns about over-classification, preventing an open debate on future policies and rules of engagement in cyber space, like similar rules developed in the past for army, navy and air force. Cyber weapons are the fourth category, and it may take 20 to 30 years to create clear rules and policies for it. Lastly, the net effect that Stuxnet had on Iranian nuclear program, has proved to be negligible in the long run. There was a noticeable dip in the production statistics, but it triggered Iran to invest extra in centrifuges. An extra side effect was that Iran invested in cyber powers of their own, by attracting talented people on this field of expertise. As of now, it looks like they succeeded in overpowering the western world in this so-called cyber war. In other words, due to Stuxnet we lost our head start, and it is doubtful we will ever regain that.
There was one talking head with distorted voice and face, who appeared many times throughout the story. In hindsight, she was reading collected texts from several people working in NSA, CIA etcetera, all of them having useful insights on the matter but unable to come forward. Being reasonably versed in these issues, I am of the opinion that these texts sound genuine and seem to really come from people with intimate knowledge, which would otherwise be kept from the public. One example is that they internally made fun about "air gapped", the common defense against infections from the outside. They knew several ways to get over this obstacle, e.g. by infecting vendors responsible for installing and updating software in the plant, more or less working like so-called watering hole attacks. Reading these texts as done here, was an artificial but necessary addition to the documentary. In a final scene the one reading the texts revealed herself as an actress who had no personal involvement in the issues, but was effectively used as a vehicle to get this information across. During the press conference organized by the Berlinale it was explained that this was the only way to obtain and release this information, if only to protect the sources since harsh policies have been issued to deal with information leakage.
All in all, I'm not sure the message will land where it should land, namely with non-IT people who should know about the implications of "cyber warfare", having an impact on our future that cannot be underestimated. I don't think that a documentary that takes nearly 2 hours, will achieve said goal. Nevertheless, I applaud every honest attempt. The documentary is well made and tries to present a balanced view on the matter. Well made, but probably shooting over everyone's head and defeating its well-intended purposes.