History of Cybersecurity: How It Started, and How It’s Changed

Many of the top cybersecurity issues of today are reflected in the history of cybersecurity’s past. We may think of computers as primitive before the era of smartphones, but the truth is that many of the current challenges existed as far back as the 1970’s.

Before the internet there was ARPANET, and before hackers could steal millions of credit cards at once, they were stealing source code. Many threat actors were looking to abate boredom or make a name for themselves, but their capability — and desire — for inflicting damage evolved. So, too did the cybersecurity techniques used to thwart threats and avert disasters.

Indeed, the biggest thing that’s changed since the days of disco is scope: more threats threatening more devices, encompassing a bigger network of more-sensitive data. The cybersecurity techniques of the past require supplementation with modern approaches that grant a higher degree of visibility and precaution than ever before.

With this in mind, let’s look at the earliest and most noteworthy cyber threats of the early era and how they brought us to our modern always-on, and infinitely connected cyber landscape.

The Early Era of Cyber Threats (1970s — 1990)

Early cybersecurity risks involved individual threat actors. Viruses and early prototypes of malware spread largely through removable media and limited connection systems like ARPANET and Bulletin Board Systems (BBS).

Increasing use of localized networks and consumer internet use saw cybersecurity grow rapidly as an industry and a discipline starting in the late 1980s.

Most cybersecurity threat actors were interested in applying their theories, pulling pranks, or gaining a name for themselves. Threats were rare, and they typically concentrated on those organizations with the widest digital footprints: defense agencies, corporations, universities, and research institutions.

However, any disruptions could mean major losses. Worse, the psychological implications led to widespread fear that a single hacker could inflict major damage to revenues, trade secrets, or reputations.

1971: Creeper & Reaper Worms Wriggle Through ARPANET

ARPANET went live for official use by sanctioned organizations in 1971. It represented the first connected, widely distributed computer network, a precursor to today’s internet.

In what would become a recurring theme, it seems that individuals given the potential to wage mischief couldn’t resist putting that power to use. Bob Thomas, an employee at the R&D company Bolt Beranek and Newman Inc. near MIT, decided to create a computer program capable of moving between systems autonomously. It has since been described as one of the first network computer viruses, albeit one that deleted itself on one system once it copied itself to the other. All the program did was output a taunt on the teletype printout readings, saying “I’M THE CREEPER: CATCH ME IF YOU CAN.”

Ray Tomlinson, the creator of an early electronic mail system, was intrigued by the program. He developed a version capable of self-replicating (an early example of a worm or virus). He then developed a very similar program dubbed “Reaper” that spread through ARPANET with the sole purpose of deleting lingering instances of the Creeper program. Thus, the first true computer virus and antivirus software were born in tandem.

One technologist would describe the incident poetically as “two programs doing battle in the dark and noiseless corridors of the core.”

1979: A 16-Year-Old Hacks Into The Ark

The Digital Equipment Corporation (DEC) operated a mainframe computer connected to a modem for the purposes of storing and maintaining the source code for its operating system software, nicknamed “The Ark”.

16-year-old Kevin Mitnick was given the phone number to the dial-in modem from a fellow member of his hacking group. Mitnick needed more credentials to access the computer, so he called The Ark’s system administrator posing as a developer who couldn’t access his account. The admin created a new account and password for Mitnick, along with the password needed to access the dial-up system: “buffoon”.

Mitnick shared this information with his friends, one of whom used the access window as a means to download proprietary data. Mitnick would later be arrested, charged, and convicted for his breach in 1988. Soon after parol, he began hacking into cell phone network infrastructure. After years of hacking and evading law enforcement, he now operates his own cybersecurity consulting firm.

1983: MIT Obtains the First Patent for Cybersecurity Technology

In 1977, after a Passover dinner at a student’s house (one that allegedly involved much Manischewitz wine), Ron Rivest would write the basic operations needed to develop the one-way cryptographic algorithm. The initial program was written based on extensive research and discussion by Rivest alongside his colleagues Adi Shamir, and Leonard Adleman. The initials of their last names form the acronym “RSA”, and RSA encryption remains in use today.

The team’s publications eventually led to a patent in 1983 and they received the Turing award in 2002 for their contributions.

1984: The Term “Virus” is Popularized

In 1984, Fred Cohen of the University of Southern California published a paper: Computer Viruses – Theory and Experiments. While the paper was not the first publication to use the term “virus” in reference to computers, it did help solidify that moniker for generations to come.

1986: A Hacker Infiltrates U.S. Military Networks

Using an internet gateway located in Berkeley, CA in 1986, the German hacker Marcus Hess was able to infiltrate mainframes connected to the ARPANET networks, even going so far as to penetrate the Pentagon. He would end up hacking 400 computers in total, and he offered to sell the information he found to the KGB.

Fortunately, astronomer Clifford Stoll had been able to foil the attempted info theft. Using “honeypot” systems as bait, he successfully detected the intrusion and isolated Hess’s user session so that minimal damage was wrought.

1987: Two Companies Create the First Antivirus Products

In 1986, John McAfee, an employee at Lockheed, decided to create a computer program to identify and remove the “Brain” virus that had been spreading at the time. Dubbed “VirusScan”, McAfee formed a company to sell and distribute the product in 1987.

That same year, G Data, a German company formed in 1985, began to release its cybersecurity Anti-Virus Kit (AVK) for use with the Atari ST. AVK would see wide release in 1988.

1988: The Morris Worm Makes Headlines

In 1988, Robert Morris became the first high-profile computer virus author. His worm program was released to the ARPANET and rapidly spread to 6,000 computers.

The alarming speed at which the program spread crippled the network and prompted many universities and research companies to proactively disconnect their systems to avoid contracting the worm. The attack method used to shut down computers was nearly identical to modern DDoS attacks.

An investigation by the FBI led to Robert Morris’ arrest, and he became the first person to be tried and convicted under the U.S.’s 1986 Computer Fraud and Abuse Act. Morris’ exploits made front-page news in the New York Times, and it became one of the first high-profile attacks to draw attention to the vulnerability of connected computer systems.

Cybersecurity Transitions to the Modern Era (1990 – 2000)

Home computer usage rose rapidly from the early 1990s to the 2000s.

According to the U.S. Bureau of Labor Statistics (BLS): “Between 1990 and 1997, the percentage of households owning computers increased from 15 to 35 percent, and the amount spent by the average household on computers and associated hardware more than tripled.”

Corporations began to make email accounts and internet-connected desktop computer workstations ubiquitous. These technologies created more speed of information and convenience for office workers, but they had the side effect of also building a larger and more tempting attack surface for viruses to spread.

1990 – 1994: Viruses and Antivirus Software Would Grow and Evolve

Symantec would release Norton AntiVirus in 1991 in response to the growing presence of computers and the growing list of threats they faced.

Early antivirus products were largely scanners, with some capacity to isolate or remove the offending invaders. Viruses were identified based on a database of known code signatures.

Scanning for viruses would slow down operations significantly, and the use of databases had its own set of flaws. Viruses could evade detection by creating new versions without identifying markers. The first polymorphic viruses also emerged, which could rewrite themselves and change with each generation in order to avoid detection. The mechanism is very similar to RNA viruses like COVID-19.

In this period from 1990 – 1994, viruses could wreak havoc on networked computers, but they had limited capacity to spread damage beyond infected endpoints. Few mainframe breaches were reported, and theft of sensitive information was rare.

1995: Firewalls are Invented

In 1995, the Marshall Space Flight Center would create the first formal use of firewalls for networked computers, in order to prevent major breaches from reaching the most-sensitive mainframes and data storage centers.

1995 – 1999: With Melissa and ILOVEYOU, the Volume and Voraciousness of Viruses Grows

Techniques in the mid-1990s began to reflect the need for comprehensive security strategies to prevent and mitigate, not just detect, cybersecurity attacks.

“New virus and malware numbers exploded in the 1990s,” writes anti-virus company Avast, “from tens of thousands early in the decade growing to 5 million every year by 2007. By the mid-‘90s, it was clear that cybersecurity had to be mass-produced to protect the public.”

Matters grew exponentially worse in the transition to the new millennium. Email usage was near-ubiquitous in enterprises by the late 1990s, and more households and educational organizations were using it by this period, as well.

This set the stage for the Melissa virus in 1999. The virus would activate when a file was opened in Microsoft Word, which would then activate a “macro to hijack their Microsoft Outlook email system and send messages to the first 50 addresses in their mailing lists,” sending promises of illicit sexual content or important files, says the FBI. “With the help of some devious social engineering, the virus operated like a sinister, automated chain letter.”

Within weeks, email servers at more than 300 corporations and government agencies became overloaded, leading to an estimated $80 million in cleanup and repair costs.

The ILOVEYOU worm repeated the pattern, spreading through the hijacking of Outlook address books rapidly starting in May of 2000.

“In just about 10 days, ILOVEYOU reached an estimated 45 million users and caused about $10 billion in damages,” reports TechTarget.

With the fearsome power of cybersecurity threats recognized, corporations, government agencies, and research institutions began a new era of cybersecurity

A “Code Red” for Protecting Your Attack Surface is Issued (2001 – 2009)

Early viruses spread largely through user activity; being judicious about the emails you opened and files you accessed could prevent an intrusion.

Starting in the early 2000s, however, cybersecurity threats grew more aggressive in their offense

2001: Code Red and Nimda Strike Fear

In mid-2001, the Code Red computer worm spread through websites hosted using Microsoft IIS web servers. The hacked websites would display a taunting message and use the affected machines to scan for other vulnerable server hosts.

At its peak, 359,000 computers were affected by Code Red, including 136 “.mil” website host machines and 213 “.gov” hosts.

A similar incident, the “Nimda” worm, inflicted even more terror in 2001. Using a mixed attack vector approach, the worm targeted users through email and systems using shared server files. It also sought to exploit websites using Javascript.

A year later, Computer World described the worm’s spread as “an event that may have driven more corporate IT security changes during the past 12 months than the Sept. 11 terrorist attacks did.”

2002+: Networking and the Internet Give Malware Fertile Ground to Spread

Since the early 2000s, viruses, exploits, and malware have evolved beyond their humble beginnings. What started as isolated incidents affecting single workstations or application suites rapidly became a global networking concern.

So what changed? The stakes. Machines were vulnerable from multiple angles, and a single compromised endpoint could lead to the contamination of entire networks.

The need for up-to-date security patches meant that software was expected to be changed more frequently than the typical 6-month to a year cycle. Systems also needed to be actively scanned for suspicious activities or signs of threats. Protection also needed multiple layers, including firewalls, AI-based threat detection, and mitigation techniques to minimize damage once an incident began.

In a quote from the above-linked Computer World article: one corporate VP stated that  “Nimda attacked the core content and data of enterprises. It brought home the fact that security is not just about network-level security or about authentication and authorization.”

Hacking and Havoc Becomes Profitable (2010 – Now)

There are, undoubtedly, hundreds if not thousands of instances of sensitive data theft from corporations from the 1980s to the early 2000s. However, these incidents tended to affect a small swathe of customers, systems, or corporate trade secrets.

That all changed in 2009 when a high-profile criminal case revealed that a hacker had been stealing consumer credit card information from corporate databases from 2005 – 2007. Victims encompassed a staggering 40 million credit card holders who had shopped at outlets like T.J. Maxx, OfficeMax, Dave & Buster’s, and BJ’s Wholesale Club. Damages were estimated to be close to $200 million in total.

One notable aspect of this case was that many consumers had not been informed that their information had been compromised. While TJX, the parent company of T.J. Maxx, claimed it had not been negligent, it ended up paying $9.7 million to 41 states in a settlement agreement.

Another high-profile attack occurred in 2013, this time affecting retailer Target. The breach affected 110 million customers, revealing credit card info, as well as “names, addresses, phone numbers, and emails.”

Cyberterrorism Becomes a Parallel Motive

2014 saw the hacking of Sony Motion Pictures, which resulted in emails being distributed that contained publicly embarrassing conversations as well as leaks about planned studio projects.

WannaCry, NotPetya, and other ransomware attacks in 2017 magnified this damage, bringing global shipping operations and multiple international conglomerates to a grinding halt.

2017 also saw Equifax breached, affecting what was long seen as one of the most stalwart financial organizations on the planet.

All of these incidents had the collective result of putting a much higher price tag on the internal costs of a breach and the public damage inflicted through bad press. They also completely changed the public perception of cybersecurity, shifting it from a tech-minded problem to a danger to commerce and their own personal data.

In response, organizations began investing in deeper levels of cybersecurity. Active threat detection, zero trust architecture, comprehensive IAM, and multiple layers of perimeter security all became table stakes.

More than ever, organizations had a deeper financial incentive to invest in preventing a breach rather than dealing with the aftermath.

So What Changed in Cybersecurity Since the 1990s? Attack Surfaces Became Exponentially Larger

Those of us of a certain age vividly remember cybersecurity precautions dating back to the mid-90s and beyond. But things began to change in the early 2000s, and not just because attacks were becoming more widespread, visible, and costly. What really changed from decade to decade was the nature of the attack surface.

Previously, internet-connected computers posed a threat if the user opened a sketchy email, but the damage was often contained. Now, the financial incentive to wage cyberwar has not only skyrocketed but so has the complexity of securing the overall attack surface of an enterprise.

Every System is Connected, So Every Asset is Vulnerable

Organizational leaders can no longer think of cybersecurity as a perimeter protecting on-premises equipment, with limited entry and exit points. Now, business operations happen across the planet, not just on-site but also in data centers, on employee laptops, on consumer devices, and in the cloud as a whole.

Enterprises must protect the totality of their operations across all endpoints and all customer touchpoints. With cloud, containers, and hybrid architectures, the prospects of casting a broad net over everything with the company name on it are non-existent. The situation becomes even more complicated considering the implications of user accounts that migrate across platforms and the thousands of microservices depended upon to conduct e-commerce, accept payment, or deliver content over the web.

Organizations need to understand that vulnerabilities can lie within any link of this vast, interconnected tech ecosystem. Their protections have to go beyond systems they can wholly take responsibility for and into protections for:

  • Consumer and employee app users
  • Employees going BYOD
  • Connected IoT devices
  • The vast network of peripheral services that touch the customer experience

SIEM and SOAR capabilities are needed, but they cannot cover every facet of the attack surface.

Prepare for Modern Threats With a Modern Attack Surface Management Strategy

What enterprises need is visibility; they must be able to see just how far and how deep their tech ecosystem goes (which inevitably extends beyond their assumed “stack”).

Lucidum can reveal this attack surface with clarity and precision. Instead of flying blind, organizations can visualize everything going on within their airspace.

The Lucidum platform acts like a copilot, putting both threats and potential threat vectors on your radar to help you strategize, mitigate, and address risks with confidence.

Valuable data and corporate networks still face the same risks of a 16-year-old calling up and asking for replacement credentials, just like what happened in the ‘70s. The only difference is now the consequences of failing to prevent that type of incident — or much more sophisticated attacks waged by cybercriminals — are much more costly and much more public.

Find out how to protect your organization by reading our ebook: “What Do Emerging Organizations Need to Know to Get Serious About Cybersecurity?” Or, schedule a conversation with an Attack Surface Management expert today.