Sometime in mid-2009 or early 2010 — no one really knows for sure — a brand new weapon of war burst into the world at the Natanz nuclear research facility in Iran. Unlike the debut of previous paradigm-shattering weapons such as the machine gun, airplane, or atomic bomb, however, this one wasn’t accompanied by a lot of noise and destruction. No one was killed or even wounded. But the weapon achieved its objective to temporarily cripple the Iranian nuclear weapon program, by destroying gas centrifuges used for uranium enrichment. Unfortunately, like those previous weapons, this one soon caused unanticipated consequences.
The use of that weapon, a piece of software called Stuxnet widely concluded to have been jointly developed by the United States and Israel, was arguably the first publicly known instance of full-scale cyberwarfare. The attack deployed a software vulnerability or exploit, called a zero-day, buried so deeply in computer code that it remains undetected until someone — a team of hackers, a criminal, an intelligence or law enforcement agency — activates it. We’ve all heard of, and perhaps even been victimized by, criminal hacks that may have pilfered our credit card numbers and passwords, or been spammed by suspicious emails that invite us to claim supposed Nigerian fortunes. But zero-days operate on a different level entirely.
“Zero-days offer digital superpowers,” New York Times cybersecurity reporter Nicole Perlroth writes in “This Is How They Tell Me the World Ends: The Cyberweapons Arms Race.”
“Exploiting a zero-day, hackers can break into any system — any company, government agency, or bank — that relies on the affected software or hardware and drop a payload to achieve their goal, whether it be espionage, financial theft, or sabotage. There are no patches for zero-days, until they are uncovered. It’s a little like having the spare key to a locked building.”
Such capabilities, says Perlroth, make zero-days “one of the most coveted tools in a spy or cybercriminal’s arsenal.”
As with any other highly coveted commodity, a vast covert global market has sprung up to meet the demand for zero-days. Perlroth explains that this invisible digital trade was…