The vast majority of cyberattacks—98 percent—start with phishing attacks that contain no zero-days, no malware. They just trick us into turning over our passwords. Despite the attraction of zero-days, Rob Joyce, the head of TAO, essentially the nation’s top hacker, gave a rare talk four years ago, in which he called zero-days overrated and said unpatched bugs and credential theft is a far more common vector for nation-state attacks.
