How Realistic Is "Zero Day"?
- Mike Lamb
- Jul 9
- 4 min read
In Netflix’s limited series Zero Day, a political thriller fronted by Robert De Niro, the United States is thrust into a distinctly modern crisis: a coordinated cyberattack that cripples the nation’s critical infrastructure, igniting political turmoil, media manipulation, and widespread panic.
For one harrowing minute, mobile phones, computers, and communication networks across the country go dark. Trains derail, planes lose contact with control towers, and critical hospital equipment shuts down – triggering mass casualties and plunging the country into chaos.

In response to the unprecedented breach, President Evelyn Mitchell – portrayed by Angela Bassett, fresh from her turn as president in the final Mission: Impossible instalment – establishes the Zero Day Commission, an emergency task force armed with sweeping powers, including the authority to conduct warrantless searches and suspend habeas corpus (the legal mechanism designed to protect individuals from unlawful or arbitrary detention).
So far, so Hollywood. But what exactly is a zero-day attack? And should we be worried?
What Is a Zero-Day Attack?
In cybersecurity, a zero-day refers to a vulnerability in software or hardware that’s unknown to the vendor or developer responsible for fixing it. These flaws can go undetected for weeks, months, or even years before someone discovers them.
In the best-case scenario, security researchers or developers find the vulnerability before attackers do. But sometimes, hackers find it first.

The term zero-day highlights the urgency: once discovered, there are zero days to fix the issue before it can be exploited. When attackers act on a zero-day flaw, they often do so under the radar – bypassing defences before anyone is even aware a threat exists. These attacks can be used to plant malware, steal sensitive data, or disable critical systems.
Zero-day vulnerabilities are rare compared to other security flaws – just 3% of recorded vulnerabilities fall into this category, according to IBM’s X-Force threat intelligence team. But what they lack in quantity, they make up for in impact. When found in widely used software or operating systems, a single zero-day flaw can expose millions of users or entire industries to significant risk.
Once a vulnerability is discovered, the clock starts ticking. Security teams scramble to develop and deploy patches, while attackers race to weaponise it. Often, this race ends in a matter of days – long before many organisations even know they’re exposed.
This isn’t just a hypothetical risk. In 2024, Google’s Threat Intelligence Group (GTIG) tracked 75 zero-day vulnerabilities exploited “in the wild” – down from 98 in 2023, but still higher than the 63 recorded in 2022. Despite the dip, GTIG noted that “the average trendline indicates that the rate of zero-day exploitation continues to grow at a slow but steady pace.”
So, is it only a matter of time before fiction becomes reality? Could an entire country really be brought to its knees by a well-coordinated cyberattack?

Worms of Mass Disruption
In the TV series, the 60-second attack hits many different platforms simultaneously – not just Windows or iOS, say – which makes it far harder to trace the source or prevent further strikes.
While no real-world attack has caused destruction on that scale, there have been several incidents with serious consequences. In 2010, a highly sophisticated piece of malware known as Stuxnet was deployed against Iran’s nuclear programme. It exploited four previously unknown (zero-day) vulnerabilities in Microsoft Windows to infiltrate industrial control systems. Once inside, it sent malicious commands to the centrifuges used to enrich uranium. These commands caused the centrifuges to spin so fast that they broke down. The attack is thought to have disabled around 1,000 centrifuges and significantly delayed Iran’s nuclear ambitions.
While no country has officially claimed responsibility, Stuxnet is believed to have been the result of a covert operation involving both the United States and Israel.
Its deployment is thought to have prompted a series of retaliatory cyber incidents, including the 2012 distributed denial-of-service (DDoS) attacks on U.S. banks and a malware attack on Saudi Aramco that disabled tens of thousands of computers, in an apparent attempt to disrupt oil production.
“This has the whiff of August, 1945,” Michael Hayden, former director of both the CIA and NSA, said of Stuxnet during a 2013 event at George Washington University. “It’s a new class of weapon, a weapon never before used.”
That same year, The New Yorker warned:
A cyber arms race is getting under way, and it is escalating, as the tools needed to deploy weaponised cyberattacks spread around the world.
Ironically, the article also name-checked CrowdStrike – “one of a new generation of security companies, such as FireEye, Damballa, and Mandiant, that offer clients a variety of active strategies – security and intelligence-gathering tools that bring the fight to the attacker in your system.”
If the name CrowdStrike rings a bell, it’s likely because of that summer day in 2024 – when a routine software update sparked cyber chaos around the world…
Friendly Fire
Airports ground to a halt. Banks and hospitals scrambled. Government systems flickered offline. The cause? A single faulty update from cybersecurity firm CrowdStrike, pushed globally in the early hours of 19th July. A simple misconfiguration – 21 input fields instead of 20 – was enough to crash more than 8.5 million Windows machines, triggering the dreaded “blue screen of death” and what would become one of the largest IT outages in history.
The ripple effects were enormous. Businesses across the world were paralysed, with losses estimated at over $5 billion. Delta Air Lines, one of the most severely affected, filed a lawsuit accusing CrowdStrike of pushing “untested updates” that disrupted 7,000 flights and impacted 1.3 million customers. The airline is seeking over $500 million in damages.

CrowdStrike responded with transparency, releasing a detailed root cause analysis and acknowledging shortcomings in its testing and deployment processes. The company has since promised major changes – more rigorous quality assurance, phased rollouts, and greater customer control over updates. Still, the incident exposed a hard truth: even the companies meant to defend digital infrastructure can inadvertently bring it down.
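The 21-versus-20 field mismatch described above, reduced to an illustrative model added here (not CrowdStrike's code): an update record is checked against the number of field slots the interpreter actually has before it is loaded, so a record that outruns the table is rejected instead of being handed to code that only expects 20. The names (`content_record`, `validate_record`, `check_update`), the 20-slot table and the sample records are assumptions for the example.

```c
#include <stddef.h>
#include <string.h>
/* Illustrative model, not CrowdStrike's code: the interpreter's table has a
 * fixed number of slots for the input fields an update record supplies. */
#define INTERPRETER_SLOTS 20
#define MAX_RECORD_FIELDS 32   /* capacity of the constructed sample records */

typedef struct {
    size_t field_count;                    /* fields the record claims to carry */
    const char *fields[MAX_RECORD_FIELDS]; /* constructed sample field values */
} content_record;
enum { CONTENT_OK = 0, CONTENT_TOO_MANY_FIELDS = 1, CONTENT_EMPTY_FIELD = 2 };

/* Schema check applied before a record reaches the interpreter: a record
 * with more fields than there are slots is rejected rather than loaded. */
static int validate_record(const content_record *r)
{
    if (r->field_count > INTERPRETER_SLOTS)
        return CONTENT_TOO_MANY_FIELDS;
    for (size_t i = 0; i < r->field_count; i++)
        if (r->fields[i] == NULL || r->fields[i][0] == '\0')
            return CONTENT_EMPTY_FIELD;
    return CONTENT_OK;
}

/* Copies a validated record into the interpreter's fixed table; because
 * validation runs first, the copy can never index past INTERPRETER_SLOTS. */
static int load_record(const content_record *r, const char *table[INTERPRETER_SLOTS])
{
    int st = validate_record(r);
    if (st != CONTENT_OK)
        return st;
    memset(table, 0, INTERPRETER_SLOTS * sizeof table[0]);
    for (size_t i = 0; i < r->field_count; i++)
        table[i] = r->fields[i];
    return CONTENT_OK;
}

/* Builds a constructed record with n non-empty fields and tries to load it;
 * returns 0 when accepted, 1 when the record outruns the table (the 21-field case). */
int check_update(size_t n)
{
    const char *table[INTERPRETER_SLOTS];
    content_record r;
    memset(&r, 0, sizeof r);
    r.field_count = n;
    for (size_t i = 0; i < n && i < MAX_RECORD_FIELDS; i++)
        r.fields[i] = "x";
    return load_record(&r, table);
}
```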
And that’s where Zero Day hits closest to reality. The show’s cyberattack may be exaggerated, but its premise isn’t. As the CrowdStrike outage proved, it doesn’t take an act of war to paralyse a country – just a few lines of bad code.