Why make a film about Stuxnet now?

Alex Gibney: I have a habit, I guess, of going in after big stories and trying to find out a little bit more about them -- doing a deeper dive. Sometimes, in the kind of of relentless 24-hour news cycle, a simple and easy narrative develops and then you just move on without understanding the broader implications. It seemed to me this story had legs.

What were you hoping to add to the conversation?

Gibney: To really take stock of this idea that it was a crossing of the Rubicon, as [former director of the NSA and CIA] Michael Hayden said. It's a kind of a moment that changed everything, that launched us into a new era. That's what I was trying to get at.

Eric and Liam, what convinced you cybersecurity researchers to participate in this film?

Liam O'Murchu: I like the fact that Stuxnet ties into a bigger picture. At the time when we analyzed it, it was a unique beast and we didn't see too many other [cyber] threats that were driven by governments. Whereas now we're tracking more than 100 operations run by governments and we see them all the time. So although Stuxnet is a standalone piece, it's a beacon of how things have changed and how progressing towards cyberwar actually fits into a much bigger threat landscape.

Alex, you've covered traditional warfare in your previous films, how is covering cyberwarfare different?

Gibney: There's an interesting aspect to it, in the sense that some parts of it are very different. This idea that you're using spyware, and out of that spyware comes the ability to manipulate the physical environment. Once you get to the physical environment then things are similar. That's like sabotage. And also, these kinds of attacks are also surrounded by human intelligence. So it's really interesting because it's creating damage in the physical world, but it's a weapon system really coming out of the intelligence world, both in terms of signal and human intelligence.

A technician at the Uranium Conversion Facility in Tehran, Iran.

You've related in the film the rise of cyberwarfare to the the rise of nuclear weapons. How is it different?

Gibney: That can be overdrawn. When you drop an atomic weapon on a city, we know from Hiroshima and Nagasaki what's going to result. And it's horrific. I think in many ways cyberweapons are not that brutal at all. Nevertheless, once you start talking about messing with critical infrastructure, which can be things like changing controls on a high-speed train or poisoning a water-filtration system, you have the potential for consequences that are vast -- even though they don't have that visceral destructive, explosive capability that atomic weapons do.

Eric and Liam, do we have a decent understanding of cyberweapons at this point?

Eric Chien: The capability will likely grow. Even when we look at Stuxnet, when we began researching it in 2010, we found traces going back to 2006. So already, then, we were potentially four years behind what the known capabilities are. There are likely things out there that haven't been discovered that are more advanced.

I think the unfortunate thing, to be frank, is that to cause an impact -- to cause potential destruction to critical infrastructure -- it doesn't require any more capabilities than what we have today. The Ukrainian power grid went out in December, and the attack was believed to be from Russia. This is already possible today.

Gibney: I think that one of the surprises for us [was] we started this as a story about Stuxnet. We didn't know that along the way we would discover Nitro Zeus, which is a much more potent attack which involves basically shutting down a country. As someone says in the film, the cyberwar science-fiction scenario is here.

Eric Chien, Alex Gibney and Liam O'Murchu

Stuxnet was a massive weapon that we kind of had to let go, we couldn't exactly control how it acted once it was in the wild. Is that something we have to think about in terms of cyberwarfare, constructing something that hopefully does what you tell it?

Chien: I would hope now that we've had Stuxnet that people would make good conscious choices. Stuxnet was a case where someone made a choice and decided we're going to make this autonomous, more aggressive, and we are willing to have collateral damage. Stuxnet could infect any Windows machine, anywhere in the world that was connected to the internet. That's a lot of collateral damage to go after a single target.

It's been six years since you began researching Stuxnet, Eric and Liam. What have we seen since?

O'Murchu: We're seeing a lot more in that threat landscape of just general government malware infecting all sorts of systems. We see a lot of espionage, actually. We see a lot of particular categories of companies being targeted, like chemical companies, defense contractors, aerospace. We also see preparation, some threats where countries are getting into crucial networks like those control systems and leaving backdoors behind, so that in some point in the future they can come and use that.

Chien: When you come from zero, everything we see now is new. We continue to see things that, to be frank, astound us. You might remember the SWIFT bank attacks, where one billion dollars was being attempted to transfer. That's been traced back to be connected to the Sony wiping attacks, which the US government tied to North Korea. Now you potentially have North Korea transferring one billion dollars to themselves, which would be the first time a nation state just tried to steal money via a cyberattack.

Stuxnet is kind of an open secret: Everyone knows who the players were. But the U.S. government hasn't admitted to it and hasn't talked about it. Why do you think that is?

Gibney: The obvious reason is that it was designed originally as a covert operation. It was a CIA and Mossad operation. That's something I didn't fully appreciated when I started this story. So by its nature it's covert. But the frustrating part is because of this momentum of over-classification, once the operation was blown it's the refusal to talk about that that seems so appalling. Because you can't begin to start talking about the capabilities of these weapons, and what we're going to do about them in the future.

Even more disquieting than the refusal to talk about Stuxnet, because nations play these games all the time, well if we say we were responsible officially, then the Iranians can hold us to account officially for attacking their critical infrastructure. If we never say it, just like the Israelis have never admitted they have nuclear capabilities, we all know that they do, but at some point it becomes ridiculous, like the emperor's new clothes.

It's particularly problematic, though, when you can't even talk about cyberwar or weapons. So you can't look on the budget of the American government and see how much we're spending on cyberweapons; it's secret. What kind of cyberweapons do we have? It's secret.

That's the part that's disquieting because you don't know what kind of risk we're putting others under, and you assume that other nations have these capabilties and they're training them on us, so we don't know what risk we're under.