Mark Wolverton in Undark:
Sometime in mid-2009 or early 2010 — no one really knows for sure — a brand new weapon of war burst into the world at the Natanz nuclear research facility in Iran. Unlike the debut of previous paradigm-shattering weapons such as the machine gun, airplane, or atomic bomb, however, this one wasn’t accompanied by a lot of noise and destruction. No one was killed or even wounded. But the weapon achieved its objective to temporarily cripple the Iranian nuclear weapon program, by destroying gas centrifuges used for uranium enrichment. Unfortunately, like those previous weapons, this one soon caused unanticipated consequences.
The use of that weapon, a piece of software called Stuxnet widely concluded to have been jointly developed by the United States and Israel, was arguably the first publicly known instance of full-scale cyberwarfare. The attack deployed a software vulnerability or exploit, called a zero-day, buried so deeply in computer code that it remains undetected until someone — a team of hackers, a criminal, an intelligence or law enforcement agency — activates it. We’ve all heard of, and perhaps even been victimized by, criminal hacks that may have pilfered our credit card numbers and passwords, or been spammed by suspicious emails that invite us to claim supposed Nigerian fortunes. But zero-days operate on a different level entirely.