From a network built on trust to a battlefield of nation-states, ransomware gangs, and encrypted messengers. Six decades of the arms race between those who protect data and those who want it.
The first message is sent between UCLA and Stanford Research Institute on ARPANET — the precursor to the internet. The network is designed for resilience, not security. Its creators assume the users are trusted government researchers. There is no authentication, no encryption, no concept of a hostile actor on the network.
The foundational flaw of the internet is baked in from day one: a system built for collaboration, not confrontation.
Programmer Bob Thomas creates Creeper, a self-replicating program that moves between ARPANET machines, displaying the message "I'm the creeper, catch me if you can!" It causes no damage — but it is the first program to spread autonomously across a network.
In response, Ray Tomlinson (inventor of email) writes Reaper — the first antivirus program, designed to chase and delete Creeper. The security arms race begins before most people know computers exist.
IBM develops the Lucifer cipher, which the US National Bureau of Standards will eventually adopt as DES (Data Encryption Standard) in 1977. For the first time, a government-backed standard for encrypting sensitive data exists — though controversially, the NSA reduces its key length from 64 bits to 56 bits before publication, a decision that will haunt cryptographers for decades.
Rivest, Shamir, and Adleman publish the RSA algorithm — the first practical public-key cryptosystem. For the first time, two parties can exchange encrypted messages without first sharing a secret key in person. This single mathematical breakthrough makes secure communication over open networks theoretically possible, and underpins nearly all internet security to this day.
The film WarGames, in which a teenager nearly starts World War III by accident after hacking into a military computer, shocks the American public and President Reagan personally. It leads directly to the first US computer crime legislation — the Computer Fraud and Abuse Act of 1986. Security becomes a policy issue for the first time.
Two Pakistani brothers, Basit and Amjad Farooq Alvi, write Brain to protect their medical software from piracy. It spreads via infected floppy disks and becomes the first virus to infect IBM PCs in the wild. The same year, German hacker Markus Hess is caught breaking into US military computers — a case later immortalised in Clifford Stoll's book The Cuckoo's Egg.
Cornell student Robert Morris releases a worm that exploits Unix vulnerabilities and spreads across approximately 6,000 machines — roughly 10% of the entire internet at the time. It causes millions of dollars in damage and Morris becomes the first person convicted under the Computer Fraud and Abuse Act.
The incident directly leads to the creation of CERT (Computer Emergency Response Team) at Carnegie Mellon — the world's first cybersecurity incident response organisation.
Phil Zimmermann releases PGP, the first widely available public-key encryption tool for ordinary people. The US government immediately begins a criminal investigation — exporting strong encryption was legally equivalent to exporting munitions. The case is eventually dropped, but the "Crypto Wars" have begun.
PGP puts military-grade encryption in the hands of journalists, dissidents, and privacy advocates worldwide. Its descendants are still used today.
Netscape engineers create SSL (Secure Sockets Layer), enabling encrypted communication between browsers and web servers. The padlock icon appears in browsers for the first time. E-commerce becomes possible — without SSL, entering a credit card number online would be suicidal.
SSL's successor TLS remains the backbone of secure web communication today, protecting virtually every HTTPS connection on the internet.
Netscape introduces HTTP cookies to allow websites to remember user sessions. Within years, advertising companies realise cookies can track users across multiple websites — creating the surveillance advertising model that still dominates the web. A technology designed for shopping carts becomes the foundation of the data-broker industry.
US Navy researchers David Goldschlag, Mike Reed, and Paul Syverson publish the concept of onion routing — layered encryption that bounces traffic through multiple nodes so no single point knows both the sender and destination. Originally designed to protect US intelligence communications, it will eventually become Tor, the world's most widely used anonymity network.
The Melissa worm (1999) spreads via infected Word documents emailed to contacts, crashing mail servers worldwide and causing $80 million in damage. The following year, ILOVEYOU spreads to 45 million machines in days, causing an estimated $10 billion in damage — at the time the most destructive computer virus in history.
These attacks establish a pattern: exploit human trust, automate the spread. Social engineering becomes the primary attack vector.
The Tor Project is launched publicly, making onion routing available to anyone. Originally funded by the US Navy and DARPA, Tor routes traffic through a global network of volunteer relays, making it extremely difficult to trace communications back to their origin. Journalists, whistleblowers, activists — and criminals — all rush to adopt it.
Following a dispute over a Soviet war memorial, Estonia suffers three weeks of coordinated DDoS attacks that knock out banks, newspapers, and government websites. It is the first time a nation-state has faced a sustained cyberattack targeting critical infrastructure. NATO scrambles to respond — and realises it has no doctrine for this kind of warfare.
Widely attributed to Russia, the attack marks the beginning of geopolitical conflict conducted through keyboards as much as kinetics.
A sophisticated Chinese state-sponsored operation breaches Google, Adobe, Juniper Networks, and at least 30 other major companies. Attackers target source code and Gmail accounts of Chinese human rights activists. Google publicly accuses China — an unprecedented move — and briefly considers pulling out of the country entirely.
Operation Aurora establishes the template for state-sponsored industrial espionage that continues to this day.
Stuxnet is discovered — a 500-kilobyte worm that physically destroys Iranian uranium centrifuges by sending incorrect commands to their control systems while reporting normal operation to operators. Jointly developed by the US and Israel, it is the first known malware designed to cause physical destruction in the real world.
Stuxnet proves that cyberweapons can cross the barrier between digital and physical reality. Every critical infrastructure operator in the world takes notice.
NSA contractor Edward Snowden leaks thousands of classified documents revealing that the US government conducts mass surveillance of its own citizens and foreign leaders alike. Programs like PRISM collect data directly from Microsoft, Google, Apple, Facebook, and Yahoo. GCHQ taps undersea fibre-optic cables carrying the world's internet traffic.
Overnight, "paranoid" security practices become rational responses to documented facts. Downloads of Tor Browser surge 100%. Signal's user base begins its exponential growth. The privacy tools industry is born in earnest.
Yahoo suffers what will eventually be confirmed as the largest data breach in history — all 3 billion user accounts compromised. The breach, attributed to Russian state-sponsored hackers, exposes names, email addresses, phone numbers, and poorly encrypted passwords. Yahoo doesn't disclose the breach until 2016, during its acquisition by Verizon — which reduces its purchase price by $350 million.
The Yahoo breach establishes the grim template: vast breaches, slow disclosure, and no meaningful accountability.
The FBI orders Apple to create a backdoor into the iPhone of the San Bernardino shooter. Apple's CEO Tim Cook publicly refuses, arguing that no backdoor can exist for only "good guys" — any vulnerability created for law enforcement is a vulnerability that can be exploited by anyone. The FBI eventually pays $1 million to a private firm to crack the phone.
The case crystallises a debate that continues today: the tension between law enforcement access and genuine security for billions of people.
WannaCry ransomware, using an NSA-developed exploit called EternalBlue leaked by the Shadow Brokers hacking group, spreads to over 200,000 computers across 150 countries in a single day. The UK's NHS is crippled — hospitals turn away patients and cancel operations. Spain's Telefónica, FedEx, and Deutsche Bahn are all hit.
WannaCry proves that state-developed cyberweapons, once leaked, can cause global civilian harm. The NSA had known about the Windows vulnerability for years and kept it secret for offensive use.
The EU's General Data Protection Regulation comes into force — the most significant data privacy legislation in history. Companies must obtain explicit consent for data collection, delete data on request, and report breaches within 72 hours. Fines can reach 4% of global annual turnover. Google is fined €50 million in the first year. Facebook faces billions in potential liability.
GDPR forces a global rethink of data collection practices and becomes the template for privacy legislation worldwide.
Russian intelligence (SVR) hides malware inside a software update for SolarWinds Orion, an IT monitoring tool used by 18,000 organisations including the US Treasury, Department of Homeland Security, NATO, and Microsoft. The attackers spend months moving silently through networks, reading emails and exfiltrating data.
SolarWinds redefines the threat model: if you can't trust software updates from legitimate vendors, you can't trust anything. Supply chain security becomes a boardroom-level concern overnight.
Apple, Google, and Microsoft jointly announce support for FIDO2 passkeys — cryptographic credentials stored on your device that replace passwords entirely. Unlike passwords, passkeys cannot be phished, reused, or stolen in a database breach because the secret never leaves your device.
The humble password, which has been the primary authentication mechanism since the 1960s, begins its long-overdue retirement. The transition will take years, but the direction is set.
Large language models enable attackers to generate perfectly written, personalised phishing emails at scale — eliminating the grammatical errors that previously helped users identify scams. Deepfake audio and video are used to impersonate CEOs in real-time video calls, successfully stealing millions from companies worldwide.
The human firewall — the idea that a sceptical person can spot an attack — begins to break down. Security now requires scepticism of everything, including what you see and hear.
NIST publishes the first finalised post-quantum cryptography standards — algorithms designed to resist attacks from quantum computers that could break RSA and elliptic-curve encryption. Nation-states are already harvesting encrypted traffic today in a "harvest now, decrypt later" strategy, waiting for quantum computers powerful enough to crack it.
The cryptographic foundations of the internet — unchanged in their essentials since RSA in 1978 — must now be replaced entirely. It is the largest infrastructure security migration in history.
Every advance in security creates new incentives for attackers. SSL secured the web — and spawned an entire industry of SSL-stripping attacks. Two-factor auth raised the bar — and SIM-swapping emerged to circumvent it. End-to-end encryption protects messages — so adversaries target the devices at either end.
The lesson of six decades is not that security is futile. It is that security is a moving target — and standing still is the same as moving backwards. The tools available to ordinary people today are more powerful than anything governments had in the 1990s. Use them.