This week, security experts warned that a new computer virus could cause mass power outages — a scenario that could prompt life-and-death emergencies across the globe. In an assessment of the circumstances surrounding a blackout in Kiev, analysts at the security firm Dragos said they discovered “the first ever malware framework designed and deployed to attack electric grids,” and concluded that the software could be easily changed to attack other critical infrastructure all over the world. They said the relatively limited attack in Kiev “may have been more of a proof-of-concept attack than a full demonstration” of the total power of the cyberweapon.

The Kiev attack came only a few years after the 2010 Stuxnet attack — a virus aimed at destroying centrifuges inside Iran’s nuclear facilities. While no governments have acknowledged their role in that attack, most security experts believe the malware was created by government agencies, and many assert that the United States and Israel were involved in its development. In a documentary called “Zero Days” that recently won the Peabody Award, Oscar-winner Alex Gibney explored the roots of Stuxnet. The film looks at the question of whether or not the U.S. government is now using malware as an offensive military weapon — even as it keeps its cyberwarfare units a complete secret.

In a podcast interview with International Business Times’ David Sirota, Gibney reviewed the Stuxnet case, arguing that the secrecy surrounding the United States’ cyberwarfare programs is preventing Americans from weighing the pros and cons of a whole new kind of warfare that could cause mass casualties at home and throughout the world. Without an open debate like the one that unfolded at the beginning of the nuclear weapons era, Gibney says, Americans are unable to consider whether to constrain such weapons — and whether such weapons will inevitably be turned against the U.S. itself.

What follows is an excerpt of Gibney’s podcast interview.

Sirota: What was Stuxnet and why is it still so important?

Gibney: Stuxnet was a piece of malware that was almost certainly developed by the United States and Israel, designed to attack the nuclear power plant, or the nuclear centrifuge plant at Natanz, in Iran, and to basically take control of the plant and to cause the centrifuges to spin out of control and explode. If you think about it, it was the first weapon, cyber weapon that we know of, that was designed to cause physical destruction, to leap from the cyber realm to the physical realm. It did, it worked.

Sirota: How was Stuxnet originally discovered by those outside of the military and intelligence communities?

Gibney: It was first discovered by an IT guy in Belarus. He’s since gone on to work for Kaspersky, the antivirus company, in Moscow. But at the time he was working for an IT company in Belarus and he had clients in Iran. The clients in Iran were upset. Their computers kept going off and they had the wheel of death, and they didn't know what was going on. They figured it must be some virus. They contacted him, and he began to investigate, and ultimately, he got a hold of the Stuxnet code. He began to announce it on antivirus chat rooms… Then, what’s fascinating and actually quite thrilling about this sort of antivirus community is that they all have an interest in protecting computers from malicious software. They all began to coordinate and get together, to see if they could understand what this new piece of malware was.

Sirota: Does Stuxnet operate autonomously?

Gibney: It's a worm, so you don't have to click on anything. It can spread automatically if you hook into a printer, or it’s on your computer and then you hook to a printer, suddenly that printer gets infected… Some people think [the first infection] was an exchange in Moscow where somebody put something on an Iranian computer or that it was a Siemens technician who was an agent and was able to get it in. Almost certainly, it was either put directly into the Natanz facility by a person, a spy, or it was put on someone’s computer who almost certainly was going to hook up to Natanz. But they faced a problem over time, which was you had to get different versions of the software, because the genius of Stuxnet, purely as a weapon, was that it did different things. It wasn’t just designed to blow the whole thing up.

Sirota: Explain how Stuxnet actually tricks users into thinking it’s not working.

Gibney: It was actually designed to infect the brains of the engineers at Natanz so that it would make them go crazy… Part of the genius of the virus was that it actually had within it a command that sent messages to the [computers called PLCs] which ran the system. [PLCs] are the little mini computers that run the machines. They would send a message to those, kind of like the video in “Oceans 11” that said everything was okay. Even as the system was malfunctioning, either spinning too slow or spinning too fast, the message that the PLCs would get is that everything was operating just fine…. Suddenly this huge whine is in the room next door and it sounds like a 747 taking off right next to you. They’re wondering, “What the hell is happening? The dials are saying everything's okay.”

The trick was, because they wanted to infect the brains of the engineers in effect, they had to keep putting different kinds of software into Natanz. It got harder and harder to do that with spies. Ultimately, what they decided to do was to infect five IT firms just outside of Natanz, who almost certainly would service the Natanz facility — which is brilliant if you think about it.

Sirota: So how did Stuxnet spread from Natanz to the rest of the world?

Gibney: Think of it like a virus. They let loose the virus, a very virulent form of the virus, outside Natanz, in these IT firms, because they wanted to get [into Natanz] in a hurry, and we’re fairly certain that this was the Israeli part of the operation, which was probably designed to do the delivery system, [which] was the Israeli responsibility. To get it in there quickly, to do more damage quickly, they came up with a particularly virulent form which they introduced as quickly as possible and to as many machines as possible in that IT community around Natanz.

It did a good job of spreading into Natanz, but the problem was because it can affect any computer, it began to spread outside those IT firms surrounding Natanz. It began to spread all over the world. Now, you can ask, was that by intent? In other words, was that the Israeli Mossad, equivalent of the CIA, trying to send an overt message? Or was it simply a mistake where the Israelis wanted to get in in a hurry and cause some real damage, even as the Americans were urging caution and it just got out of control?

Whatever happened, it’s clear that the reason it got out was that the delivery system was a very virulent virus that spread all over the world. Certainly it did get into Natanz, but it got everywhere. It got to the United States, it got to Africa, it got to Europe, it got to Moscow, all over the world literally.

Sirota: Natanz was supposed to be “air gapped” — which means cut off from the Internet and other external networks. But your movie suggests that even air gapping cannot protect a network that may be targeted for malware.

Gibney: A lot of us think, “Well, the one key way to protect yourself and your computer is to have systems that are air gapped, that are not connected to the internet.” The people who are expert in this just chuckle when you say that because they say, “No, there's always a way.” The way is often through that odd flash drive that somebody just picks up and happens to plug into their laptop, or even a printer that’s worked on by a technician whose computer might be affected by the Stuxnet virus.

Then the virus transmits to the printer, and then suddenly the printer is infected, so everybody who plugs in is now infected. That’s how it happened. That part of it was genius in a way, but also caused it to spread all over the world. It was the Pandora’s box moment.

Sirota: Your film notes that Stuxnet was only targeting one specific kind of equipment at one location in Iran. If that’s the case, why is it such a big deal that the virus got out? Computers may be infected, but the virus isn’t doing anything to those computers, right?

Gibney: In one way, it’s not a big deal because you’re right, for most machines that were infected by the Stuxnet virus, it did not have an impact. But for some machines, on a smaller technical level, they started to shut down because when the Israelis rejiggered this more virulent form of the virus, there was a flaw programmed in, and it began to shut down computers, so that was a problem. I think the larger problem, though, is kind of like the blueprint problem, which is — think of it this way — you’ve given people a design for a kind of nuclear weapon. It may not be the kind that’s easy to do at home, but since you have the larger formula, now you’re able to retrofit it into any number of other possibilities.

By essentially making the code, which is super top secret and very elegant, and took months and months and months to create, suddenly you’ve given people a kind of a blueprint for how this code could be reinvented or replicated with modifications, and used now not to attack a nuclear centrifuge, but to attack a big power plant, say, or a water filtration system. That’s the problem.

Sirota: How can we be sure Stuxnet was created by a nation-state and not by a bunch of hackers?

Gibney: One was the target. Once it began, they could trace the path of the virus. It’s a little bit like patient zero. They could literally trace the path of the virus by figuring out what computers it had been on and where, by the trail it left behind. You can see that all of the infections, the emanation from the infections were all around Natanz and Iran. Well, what’s in Iran that’s of great interest to a lot of people? Everyone at the time was talking about Iran’s nuclear program. That was a clue, but it wasn’t the only clue. The bigger clue was the size and nature of the code. It was so complex.

I mean, the two guys at Symantec, the detectives that we found so compelling, Eric Chien and Liam O’Murchu, normally when they get a piece of malware, they can break it down in minutes or maybe an hour or two. They were working on this for weeks and weeks and weeks, and still couldn’t understand what the hell it was. It also had within it a number of so-called zero days which were vulnerabilities in say Microsoft programs that hadn’t yet been uncovered. That’s like a flaw in a printer, so you can get inside the printer, a flaw in Windows, so you can get inside of Windows, those kinds of things. Those zero days to bad actors are tremendously valuable. They can cost hundreds of thousands of dollars on the black market.

To see four, possibly five of them, in this weapon, was staggering. Who has the resources to get that many zero days in one place? That’s what started to lead people to the idea of a nation state.

Sirota: The United States does not acknowledge that it uses cyberweapons in an offensive military capacity. Why do you think that is problematic?

Gibney: A covert operation is supposed to remain covert, but what needn’t remain covert, and this is a lesson we should take from nuclear weapons, is the capacity to cause this kind of damage. Because from a diplomatic perspective, we — or we and the Israelis — committed an attack on Iran’s critical infrastructure in times of peace. That could be construed to be an act of war. At the very least, there’s a diplomatic issue here, but in a larger sense, there needs to be an understanding of what kind of weapons are being used in our name. It’d be like dropping a bomb on Hiroshima and Nagasaki, and saying, “What bombs? We're neither going to confirm or deny the use of atomic weapons in Japan.”

That would be a little bit silly but it’s a little bit like what happened here, where you don’t need to give people the keys to the kingdom and the blueprints, even though that’s ultimately what we did do. But you need to let your citizens know what kind of weapons are being used and how they’re being used, and whether they’re being used offensively in advance, and what kind of defenses we have when people start coming back at us, and shutting down our power plants and our power grids.

Sirota: How is it that cyberweapons are so secret that different agencies of the U.S. government aren’t kept informed of them?

Gibney: One of the most remarkable things we discovered as part of this story was that it was a night at the Department of Homeland Security in its cyber division where there was an alert, and they were terrified, because it seemed like some huge piece of malware was attacking the United States. It was so sophisticated that they were concerned that perhaps it was shutting down parts of the grid, perhaps it was attacking our missile systems. They didn’t know what it was, but they were terrified because of the size and shape and breadth of the code. Well, it turned out if they’d wanted to find out who it was, they could have gone over to Fort Meade, because that’s what it was, it was the Stuxnet virus that we launched on Iran, but which was now coming back.

We’d met the enemy, and it was us. Those are the bigger questions that we as citizens really have to be privy to, and that’s why some of these people inside the NSA were willing to talk, because they were offended at the idea that so much is being kept secret, that needs to be known in order to have a civilized debate about these weapons in a democracy.

Sirota: What do you think the long-term implications of Stuxnet are?

Gibney: In the intelligence community they could say, “Well, it was an intelligence operation and we disrupted an Iranian nuclear program” and all of that is true, but it misses the larger point, which is the precedent that was set. There was a technical precedent that was set, which is to say a new weapon which has crossed the threshold from the cyber realm to the physical realm, and there was a legal threshold crossed, which means that we had now set a new kind of precedent for how these weapons get used. People rolled their eyes; it’s like, “Oh, there are bad guys out there, they don't care about precedents.”

Precedents do matter and people take cues from that, because everybody wants to be perceived as a good guy, even if they’re bad guys, so you want to be able to have a rationale or at least a rationalization for why you did what you do. Well, once the United States and Israel launched preemptive attacks like this, everybody else can say, “Well, they can do it, why can’t we do it?”

Sirota: Moving forward, is it a realistic possibility that a Stuxnet-like virus could be aimed at the United States and shut down major facilities?

Gibney: Yes, damage could be caused that could cause enormous problems. Even shutting down a grid for half a day, which we know that the Russians have done to Ukraine, can be enormously damaging and cause loss of life. Now, imagine if it goes down for two, three, four days. Imagine infecting a water filtration system where suddenly people are drinking poison instead of good water. In fact, we know that the Iranians launched a counter attack on a small dam in upstate New York. Now mind you, it was a kind of pathetic attack and the dam was not very big, but the fact is that it was a baby step to what could be a much more damaging attack the next time around.

Sirota: With all the episodes of hacking during the 2016 election, there seems to be some more public focus on the dangers of cyberwarfare. But it also seems like the 2016 hacking is way more primitive than these cyberweapons you describe.

Gibney: These attacks are much, much bigger than simple phishing attacks on the DNC or John Podesta, and yet, somehow people haven’t yet made that leap to demand answers for this. I’m not sure exactly why, and it may be that just we haven’t seen the definitive result of one. The other scary part of this is that imagine an attack where power plants start to go down on the East Coast, and a false flag is put into that code which indicates that it was the Chinese who did it, but actually it was the Russians. You can see how a situation like that might spin wildly out of control. Or let’s say somebody said it was the Iranians and in fact, it was, I don’t know, Bashar al-Assad?

I’m just saying, this attribution issue compounds the problem because when you drop a bomb, you know what plane dropped it and you generally speaking know what kind of devastation would result and what countries would have that weapon.

Cyber is a whole new realm in that way, and that’s why the need for starting this kind of international treaty discussion is so vital, because if we don’t start it soon, we’re going to be in a whole lot of trouble.