Back in 2010, reports of a sophisticated computer worm called Stuxnet flared up in the news. It was widely believed to be a U.S.-Israeli operation aimed at Iran's uranium-enrichment facility at Natanz, but Stuxnet spread well beyond its intended target, infecting personal computers worldwide and even critical infrastructure in the U.S. Then, as most stories in the modern news cycle do, Stuxnet disappeared from the headlines. What people fail to realize, or are failing to discuss now, is the dangerous precedent in cyber warfare that Stuxnet set: a state-built attack tool that, once loose, becomes an unseen threat capable of crippling even the most powerful countries from the inside out.
Documentary filmmaker Alex Gibney is pushing the conversation about nation-state-sanctioned cyberattacks into public view with his new film Zero Days. Gibney chronicles the lead-up to and execution of the Stuxnet operation as best he can, given that neither the U.S. nor the Israeli government has assumed responsibility for the attack and everyone on both sides remains totally mum. Zero Days relies heavily on the expertise and accounts of Symantec's Eric Chien and Liam O'Murchu, two of the analysts who reverse-engineered Stuxnet and exposed what it did.
"If you asked us years ago can something like this happen, we would say this is the kind of stuff you see in the movies—Stuxnet basically made that into the practical," Chien, technical director of Symantec Security Response, says. "It opened Pandora’s Box for everyone else, other nation states, primarily, to be thinking along the lines of ‘if other countries are doing this, maybe we should be doing this too.’ That immediately raised the bar on the type of impact cyberthreats can have on the world."
Stuxnet fundamentally restructured how the team at Symantec deals with cyberattacks. In the pre-Stuxnet era, the most malicious threats a security firm was likely to deal with were credit card fraud or more sophisticated criminal operations like ransomware. Now that nation-states, with more resources, bigger budgets and crack teams behind them, are involved in cyber warfare, there is far more at risk for everyone involved.
"Before [Stuxnet] we were doing a very technical job in looking at zeros and ones all day. Now, current news and geopolitical events are very much a part of our job," Chien says. "Every piece of malware that comes across your desk is equal at that point in time, so you’ve got to be able to sift through the noise to find the most important things. We’re getting one million new pieces of malware every single day, so you can imagine there’s this huge haystack and we’re always trying to find that needle."
The biggest problem, not only for security engineers like Chien and O'Murchu but for the average citizen as well, is that governments operate in such secrecy and, as in the case of Stuxnet, do not fully anticipate the collateral damage of their actions. Zero Days effectively poses the very important question: should governments be involved in cyber warfare?
"I understand when a plane goes to war, what its purpose is and what it’s going to do. I have no idea when they talk about dropping cyber bombs on ISIS what that actually means. We probably should know that," O'Murchu, director of Symantec Security Response, says.
Symantec is currently tracking upward of 100 government-backed cyber operations, and that number is only set to grow. That said, the firm's engineers are admittedly working in extraordinarily murky waters: there is no name badge attached to the code they analyze that reads "Hi! My Name Is: USA Virus." The best the Symantec team can do is compile the characteristics that set the code apart from ordinary criminal malware, namely the level of engineering effort involved and whatever can be deduced about its intended target. Those are indicators, not proof, and an indicator can be planted by whoever wrote the code.
"Even if we know who the victims are, and maybe we suspect it’s from a certain country, we have no proof. From the [Edward] Snowden revelations, we can see all sorts of trickery going on in that world about trying to pretend it’s another nation doing it and all sorts of double-crossing," O'Murchu says. "And we don’t really have any insight into that. We just get a piece of code and we have to look at it and say, is it good or is it bad? That’s what our job really boils down to: Would our customer want this on their computer or not?"
Putting customers first inherently creates something of a blind spot toward government interests. One could argue that the U.S. and Israel's alleged intention to sabotage Iran's nuclear facility served the greater good and that Symantec blew the lid off everything. But the problem with that logic goes back to the level of stealth involved in these attacks. It is one thing not to make a formal declaration of war in the news, but when the code in an attack bears no clear indication of its origin or purpose, it could be from anyone, doing just about anything, and a defender has no basis for giving it a pass.
"This wasn’t a piece of code that only ever went into Natanz and never went anywhere else. We found this in India, Korea, Australia, the U.K., Germany, and even in critical infrastructure in the U.S.," O'Murchu says. "For a vast majority of the time while we were analyzing [Stuxnet] we felt a huge pressure that maybe something bad was going to happen in all these countries and, by not analyzing this quickly enough, we may not be able to prevent that."
Stuxnet may not be in the headlines anymore, but the fallout from it is a daily reality for security companies like Symantec. What Chien and O'Murchu hope Zero Days will do is put cyberattacks on the list of concerns citizens have about government actions. The techniques used in Stuxnet are by no means exclusive to the U.S. or Israel; the blueprint for devastating cyber warfare is out there, and it is anyone's guess what someone, or some country, will do with it.
"It is difficult to relate to as an ordinary person because right now it doesn’t affect you—maybe we need some big incident to happen before people will really understand what’s happening," O'Murchu says. "A lot of things happen right now and the ordinary people either don’t hear about them, don’t know about them, or it doesn’t actually affect them. The concerning thing for me seeing it every day is that any of these incidents can affect you and people don’t realize that."