'There's a whole war going on': the film tracing a decade of cyber-attacks

In early 2010, scientists at a uranium enrichment plant in Natanz, Iran, watched their infrastructure malfunction at an unprecedented, inexplicable rate. Technicians inspected their equipment, but could find no explanation for why the plant’s centrifuges – machines to isolate the uranium isotopes needed for nuclear power – were spinning at irregular rates, and then failing.

Five months later, cybersecurity responding to a seemingly separate network malfunction in Iran inadvertently discovered the culprit: a malicious string of code which instructed computers, and the centrifuges they controlled, to vary in speed until their parts broke down, while simultaneously mimicking normal operator instructions, as if playing security footage on a loop in a heist movie. It was computer malware capable of physical, real-world destruction – the world’s first digital weapon, originating from US national intelligence.

Related: 'They refused to act': inside a chilling documentary on Trump's bungled Covid-19 response

Stuxnet, as the worm came to be known, marked a sea change in international relations – the first known time a country deployed an offensive cyber weapon to inflict damage rather than collect surveillance, and the precipitating event of The Perfect Weapon, a new HBO documentary on the past decade of insidious, troubling escalation of international cyberwarfare. With Stuxnet, which is thought to have been developed by America’s National Security Agency as early as 2005, the United States “crossed the Rubicon”, David E Sanger, a longtime national security correspondent for the New York Times, says in the film. “The United States has basically legitimized the use of cyber as a weapon against another country against whom you had not declared war. It pushes the world into an entirely new territory.”

The Perfect Weapon, like Sanger’s book of the same name, traces in succinct, clinical style the Pandora’s box of chaos-sowing, digital tits for tats in the wake of the Stuxnet reveal, from hacks that garnered enormous and arguably outsized media attention – the leak of Democratic National Committee emails in the run-up to the 2016 election by Russian hackers, the 2014 Sony hack and its flurry of gossipy work emails – and lesser-known but still critical developments in what is essentially a multinational, virtual cold war. “There’s a whole war going on right underneath our noses that is state-sponsored,” John Maggio, the film’s director, told the Guardian. “The actual act may be carried out by ‘criminals’, but they’re sponsored by states – by Iran, by North Korea, by China, by Russia, and by America against their adversaries.”

In under an hour and a half, The Perfect Weapon blisters through the proliferation of cyberwarfare in the last decade-plus: how offensive ransomware and disinformation campaigns have morphed from a undercover sideshow – as late as 2007, cyberwarfare was not even listed as a pressing concern on the US military’s threat assessment – into a relatively cheap, accessible and potentially devastating staple of international relations. “The asymmetry of this kind of warfare is very cost-efficient for countries that are under economic restrictions by the United States or otherwise,” said Maggio. Actors of middling economic power, such as Iran and North Korea, can strike debilitating and costly blows on American businesses, for example, at relatively little cost. Bugs like Stuxnet could disrupt electrical grids, shut down airports or derail vulnerable election infrastructure. The future of warfare, as Maggio sees it, is “no longer going to be boots on the ground, it’s going to be fingers on keyboards”.

The Perfect Weapon re-contextualizes widely covered hacks and cyber-attacks as part of a broader sweep of cyber weaponry designed for destabilization, revenge and theft. With interviews from cybersecurity experts, former national intelligence officials and recollections from those targeted by hackings, including John Podesta, Hillary Clinton, Seth Rogen and anonymous staffers at the Sands casinos, The Perfect Weapon puts a human face on an often baffling field little understood by the general public. From Stuxnet, Maggio revisits the Iranian ransomware attack on Sands casinos in 2013, which cost the conglomerate owned by the outspoken Republican donor Sheldon Adelson three-quarters of its servers and $40m.

A year later, the hacking of Sony emails by a North Korean-backed team in China – a bizarre response to the studio’s planned release of a movie co-written by Rogen, The Interview, which depicted the fictional assassination of Kim Jong-un – marked a shift in the public understanding of corporate vulnerability to cyber-attack. But the concerns over security and kowtowing to the hackers’ will (the studio ultimately pulled the movie from most theaters) was frequently overshadowed by the gossipy contents of the hack itself, a media pattern repeated and refracted to more insidious effect in 2016, with the Russian hack and WikiLeaks release of Democratic National Committee emails.

The Perfect Weapon argues, as numerous cyber and media experts have pointed out, that zeroing in on the content of the emails, and in particular on the narrative of a Democratic party “rigged” against Senator Bernie Sanders, played into the Kremlin’s intention to roil the election with destabilizing noise. Even the specter of Russian meddling created an environment where “nothing is real and everything is possible”, says Podesta in the film. “That really destroys the credibility of democracy, and that’s what Putin wants.”

Related: Hack the vote: terrifying film shows how vulnerable US elections are

“America is uniquely susceptible to these kinds of attacks because of our openness, because we have a public square,” said Maggio. “Disinformation, the hack-and-dump kind of attacks, are very effective at sowing a lot of chaos.” Cyber weapons do not need to strike to be effective, due to what Sanger called the “perception hack” – the recognition of foreign meddling as a possibility in any unclear scenario, a caustic understanding which erodes trust in American democratic processes and opens the door for muddled disputes of illegitimacy.

The final third of The Perfect Weapon covers the worryingly profuse cyber-attacks in the years since the 2016 election, when Russia hacked a US voting systems manufacturer: the devastating NotPetya cyber-attack, a Russian operation on Ukraine that infected corporate networks across the world, from Maersk to FedEx. And of course, concerns over foreign interference in America’s current election.

The clear timeline of cyberwarfare, a once-shadowy arena ever-crystallizing in hindsight as more information comes to light, indicates, said Maggio, a need for greater transparency and accountability – in effect, guardrails – from the international community. “We have Geneva conventions, we have conventions around war that the use of certain weaponry, chemical weapons, nuclear weapons, things like that – but there is nothing like that with cyber,” said Maggio. “An outgrowth of what’s been going on over the last decade or so is going to have to be some sort of meeting of the minds on the use of these kinds of weapons.”

The goal of the film, Maggio said, was to “set the table” – present a seemingly opaque, sprawling phenomenon as accessibly and humanly as possible. And for audiences to recognize that cyberwarfare on infrastructure, and its corrosive effect on institutions, is “the world that we live in now”, says Brandon Scott, president of the Baltimore city council, in reference to a 2019 ransomware attack which cost the city 12 years of files and $15m. “This is the new normal.”

  • The Perfect Weapon premieres on HBO on 16 October with a UK date to be announced