Cybercrime includes any nefarious activity that uses or targets a computer or network. In the present day, cybercrime can take a wide range of forms – from computer worms to viruses to phishing. This type of criminal activity is so difficult to combat because hackers make technological advancements all the time and even create new forms of attack. To keep hackers in check, cybersecurity must constantly evolve as well.
To get a better idea of how cybercrime and cybersecurity have advanced through the decades, let’s take a look back to when it all started…
Dawn of the Digital Age: Computers Before Cybercrime
The earliest computers were difficult to hack for a few different reasons. First of all, they were not connected to the internet – the internet didn’t even exist yet! To use them for any purpose – legitimate or fraudulent – a user had to physically enter the facilities where they were kept. One of the earliest of these machines was the ENIAC computer, which was built for a government-funded project in the 1940s and housed at the University of Pennsylvania. This computer took up most of its 50-by-30 foot storage room in the university’s basement and required 17,000 vacuum tubes, 70,000 resistors, and 10,000 capacitors to function. There is no record of anyone breaking into the ENIAC’s facilities to use it for any kind of nefarious purpose.
Another reason early computers were not often subject to attack was that each one was built for a very specific purpose. They were not the type of general-use computer that we use today. The ENIAC was an incredible piece of technology to be sure, but the only thing it was really used for was solving complex mathematical calculations. Anyone that hypothetically gained unauthorized access to the ENIAC could use it to accomplish mathematical feats but that would be it. You can see why hackers weren’t quite so eager to mess with the ENIAC.
A third element that made early computers safe from hackers was that, in the 1940s and 1950s, few people knew how to use computers – even for legitimate purposes. The earliest computers like the ENIAC, UNIVAC, and Colossus could only be used or understood by the people who first designed them plus a small circle of colleagues whom they taught. The skill set needed for computer hacking was not yet widely available for members of the public.
The First Hackers: Tech Model Railroad Club
The early digital age was, in a way, a golden age for cybersecurity because it was so easy to implement – just lock the door and make sure nobody unauthorized goes into the room where the computer was kept. However, over the decades, technology advanced and a wider range of users learned to use it. This laid the groundwork for the amazing computer and network technology that we all have access to today and which many of us rely on. However, it also opened the door for the possibility of hacking.
The early definition of “hacking” was a bit different from how we think of the concept today. It sprung up semi-organically in an unexpected place–the MIT Tech Model Railroad Club, or TMRC.
The student group was founded in 1946, the same year that ENIAC was created at Penn just a few years before MIT obtained its own computer, an IBM 704. In its early years, the club focused on building model train sets, which consisted of putting together tracks, painting scenery, building trains, and designing electric circuits to power the models. In the 1950s, as IBM 704 was getting off the ground, TMRC built a small-scale computer to automatically run their trains according to a specified schedule. They called it the Automatic Railroad Running Computer (ARRC).
TMRC students loved tinkering with all sorts of technologies and computers. They started using the term “hacking” to mean using or altering a machine for something other than its intended purpose. Formally, TMRC defined hacking as “a project undertaken or a product built not solely to fulfill some constructive goal, but with some wild pleasure taken in mere involvement.”
In 1959, the MIT administration opened an IBM 704 for public use. Time had to be reserved and TMRC students were among the most frequent visitors to reserve time. They applied the concept of hacking to the computer by writing programs that could do fun things outside of the computer’s intended purpose. For example, one “hacked” program created a simple ping-pong game on the computer’s screen.
While the TMRC hackers were pretty benign compared to the modern-day hackers that we know, they developed an anti-authority culture based around an implicit set of Hacker Ethics, which has persisted in hacker communities to this day. Steven Levy summarized the ethics in his 1984 book, Hackers:
- “Access to computers—and anything which might teach you something about the way the world works—should be unlimited and total. Always yield to the Hands-On Imperative!”
- “All information should be free“
- “Mistrust authority—promote decentralization”
- “Hackers should be judged by their hacking, not bogus criteria such as degrees, age, race, sex, or position”
- “You can create art and beauty on a computer”
- “Computers can change your life for the better”
While TMRC laid some of the technological and ideological foundations for hacking, the organization today is clear that they “resent the misapplication of the word to mean the committing of illegal acts. People who do those things are better described by expressions such as ‘thieves’, ‘password crackers’, or ‘computer vandals’. They are certainly not true hackers, as they do not understand the hacker ethic” (TMRC webpage).
The 1980s: WarGames and Legislation
No discussion of cybersecurity history is complete without crediting Matthew Broderick, the rapscallion star of Ferris Bueller’s Day Off. Three years before the debut of this hit, Broderick starred in John Badham’s techno-thriller WarGames (1983). In the film, which takes place during the Cold War, Broderick’s character accidentally hacks into a U.S. government supercomputer programmed for nuclear warfare with the Soviet Union. The film delighted fans and horrified government officials.
According to a biography, President Reagan, upon watching WarGames, exclaimed, “I don’t understand these computers very well, but this young man obviously did. He had tied into NORAD!” Congress took the vulnerabilities depicted in WarGames very seriously and convened to discuss cybersecurity at the following congressional session. That year’s proceedings on federal cybersecurity began with the screening of a four-minute clip from WarGames, after which Congress dove into investigating the threat of cybercrime in the U.S.
The following year, they released a foreboding report (H.Rept 98-894) with the key finding that, “the motion picture WarGames showed a realistic representation of the automatic dialing and access capabilities of the personal computer.”
In response to the hypothetical threat of cybercrime, Congress began work on a computer fraud amendment for an in-the-works comprehensive crime act. However, before the amendment was finalized, legislators’ cyber fears became a reality in the form of the so-called ‘414 Gang.’
Like Matthew Broderick’s WarGames protagonist, 414 members were mostly teenagers in middle and high school with a love for computers and technology. The group was based in Milwaukee (they took their name from the local area code) and many of them met through an IBM-sponsored youth program.
With their home computers and a bit of research, the 414s were able to hack into at least a dozen major computer systems across the country. Their targets included Los Alamos National Laboratory, a nuclear research site; Security Pacific National Bank of Los Angeles; and Sloan Kettering Memorial Hospital. The group was caught by the FBI after they accidentally deleted a large number of records from Sloan Kettering’s files, sparking an investigation. Speaking on the experience years later, 414 members commented on the ease of accessing such systems. In some cases, administrators had never changed the passwords from the default that came with the computer. These could be found in any copy of the computer manual and were often as simple as “system.”
Following the group’s apprehension, the youngest member, seventeen-year-old Neal Patrick was brought to Congress to explain to a befuddled room of legislators how he and his friends were able to hack into computer systems around the country.
Pages and pages of legislation on computer fraud followed throughout the 1980s as the government came to realize how easily hackers could access sensitive information. If tech-savvy teenagers could do it, surely the KGB and other enemy operatives could as well.
Major Legislation of the era included:
- Amendment to the 1984 Comprehensive Crime Control Act
This legislation made it a felony to access classified information on a computer without authorization. Additionally, accessing the data of a financial institution or trespassing into any government computer was made a misdemeanor.
Of many pieces of drafted legislation, this act was ultimately the one signed into law in 1986. This act outlawed more specific cybercrimes such as theft executed via computer fraud, unauthorized destruction of digital data, and password hacking.
This act laid out a cybersecurity framework for federal agencies that used computers to follow. It tasked the National Security Agency with training federal workers in cybersecurity practices and reviewing their plans for protection against cyberattacks. It also established a new Computer System Security and Privacy Advisory Board under the Department of Commerce.
The First Worm
At the time of the 414’s arrests’ there were no active laws against computer crimes. The two older members of the group were charged with misdemeanors for harassing phone calls, while seventeen-year-old Neal Patrick was given a plea deal for sharing his knowledge. However, the deluge of strict laws created in the aftermath were ready for use when twenty-three-year-old Robert Tappan Morris let loose the first computer ‘worm’ in 1988.
A worm is a form of malware that replicates itself and spreads through a computer network. Morris created his worm as part of an experiment to try and figure out just how many computers were connected to the internet and to demonstrate existing cyber vulnerabilities. The worm spread rapidly, reaching at least 10% of all computers that were then connected to the internet. Though Morris had intended for the worm to be relatively harmless, in practice, it overloaded some systems and created a general feeling of panic since most users were unfamiliar with worms. Major institutions like NASA, Berkeley, Harvard, Princeton, and Stanford were among those impacted. Administrators at these institutions were at a loss for how to combat the infection and took drastic measures such as disconnecting all computers from the internet or wiping them completely. In hindsight, the FBI estimated between $100,000 and several million dollars worth of damage.
Morris ultimately confessed to two friends and asked them to distribute instructions for stopping the worm. However, so many computers were infected at this point that the instructions could not be quickly sent around. One of Morris’s confidantes ultimately let his name slip accidentally when speaking with the media, leading to his arrest.
Thus Robert Tappan Morris became the first hacker to be charged with violating the Computer Abuse and Fraud Act of 1986. He escaped jail time but was dealt a $10,050 fine and 400 hours of community service.
Ultimately, Morris’s worm did what he hoped it would by exposing vulnerabilities. While legislators had been frantically drawing up legislation to use against hackers in the years prior, it now became clear that preventative measures had to be taken in the form of security software.
The 1990s: The Cybersecurity Industry Takes Off
While cybersecurity had mostly been a preoccupation for government officials and academics in the previous decades, private industry found its role in the field in the 1990s producing anti-virus software.
McAfee and Symantec were two of the first players in the space. McAfee released VirusScan in 1987 and already had over a million users within its first two weeks. Symantec followed with its own Symantec Antivirus for Macintosh (SAM) in 1989, followed by Norton AntiVirus for PC in 1991 (Symantec acquired Norton in 1990). Kaspersky, which is today one of the most prominent antivirus firms, joined in 1997 with AVP, AntiViral Pro.
A major development with these new software products was the ability to download updates to combat new types of malware. Previous antiviral efforts had focused on eradicating or preventing viruses as they emerged with a reactive response approach. The software products of the 1990s were valued for their proactiveness and flexibility. This made them more effective against creative and nimble hackers who constantly tried out new attack strategies.
These products pioneered a new method of threat detection called Heuristic Detection. Rather than scanning computers for the code signature of a specific device, heuristic antivirus software scans for pieces of code or specific characteristics that are common across many types of viruses. That way they can detect new viruses or new versions without needing to identify them precisely. This form of cybersecurity is still in practice today.
Late 90s and Early 2000s: Hackers Discover the Power of Social Manipulation
While email had existed for several decades at this point, it was not widely used outside of universities and major institutions until the late 1990s. In 1996, companies like Microsoft and Hotmail began to offer free email services to the general public.
This new technology enabled people to foster and maintain social relationships online. It also opened up a new form of cyber vulnerability. Hackers learned that they could easily trick people into downloading malware by emailing it to them under a non-threatening disguise. Propelled by curiosity or a desire for social connection, users would unwittingly open files and allow their computers to download malware.
The two most widely troublesome email viruses of the time were the Melissa virus and the ILOVEYOU worm. The Melissa virus was created in New Jersey in 1999 by David Lee Smith, a programmer at AT&T. It circulated as a document attachment in an email message with the subject line “Important Message [Name of Sender].” When recipients opened the message, they found a document containing login passwords for a list of pornographic websites. When they downloaded the document, they also downloaded the virus, which would gain access to their email contacts and send itself to fifty more people. Apart from spreading, the Melissa virus did not do much, other than sometimes inserting Bart Simpson quotes into random documents on the user’s device. However, email and internet servers became so overloaded by copies of the virus that many shut down or slowed significantly. Even the Department of Defense was infiltrated. Other institutions chose to shut down computer operations as a preventative measure, which nonetheless caused enormous disruption. The FBI estimates the total damage at $80 million.
Just a year later, a computer science student from Manila named Onel de Guzman created the ILOVEYOU worm. Like Melissa, this worm spread by way of email messages. It took advantage of several vulnerabilities in Microsoft Outlook and Windows. At the time, Windows was set by default to automatically run code in a file type called VBS (visual basic scripting) as soon as the file was opened. Outlook was set up to cut off the file extension type from file names when displayed in an email, so recipients did not immediately notice that the file was an unusual format. Like Melissa, the ILOVEYOU worm sent itself to more contacts for every recipient’s address list. However, the ILOVEYOU worm went a step further in its destruction by destroying files at random, making infected devices unusable or compromised.
ILOVEYOU and Melissa have gone down in history as some of the most widespread viruses. Their impact was, of course, damaging but the ultimate result was a stronger public awareness of cybersecurity risks associated with email. In the aftermath, most top cybersecurity products like Norton and McAfee built email protections into their products. Having now tackled multiple large-scale cybersecurity investigations, the FBI established a designated Cyber Division in 2002. Meanwhile, in the Philippines, there was no cybercrime legislation yet in place, so Onel de Guzman was never even prosecuted for causing an estimated $10 billion worth of damages. In the aftermath, the country did put in place necessary cybercrime laws and countries around the world followed suit through the early 2000s.
2000s: Cyber Warfare and Espionage
As countries around the world became widely connected to the internet in the 2000s, they found ways to use cyberattacks for geopolitical gain. Beginning in the mid-2000s and continuing to this day, nations in conflict have found ways to disadvantage their opposition by shutting down systems or causing chaos. Major examples of the past couple of decades include:
- 2007 Nationwide Attack on Estonia
In the field of cybersecurity, the 2007 attack on Estonia is considered the first nationwide act of cyber warfare. It all started with a statue of a soldier, called “Monument to the Liberators of Tallinn,” which was installed in the Tallinn town center during Soviet occupation decades before. In 2007, the Estonian government made plans to move the statue to somewhere less central. Within days, the entire internet of Estonia was nonfunctional. Online banking and ATMs went down, freezing up the economy. Citizens across the country were denied network access or bombarded with email spam. Estonian officials eventually identified a denial of service attack which they traced back to Russia – though Russian officials deny involvement. The attacks finally stopped when, according to Estonian investigators, the attackers ran out of money to carry on.
- 2008 Cyberattack on U.S. Defense Systems
In 2008, the U.S. suffered what a Pentagon official called, “the most significant breach of U.S. military computers ever.” The attack, which was traced to unidentified foreign actors, was carried out via an infected USB flash drive originating at a military base in the Middle East. The flash drive contained a worm that replicated, spreading throughout DoD networks and transmitting information back to the attack’s planners. In the aftermath of the attack, the Pentagon spent 14 months carrying out a clean-up operation called Operation Buckshot Yankee. They then banned USB drives from military use.
- 2006-2010 Operation Olympic Games
Operation Olympic Games was a cyberattack carried out by the U.S. targeting Natanz, Iran’s main nuclear facility. The attack used a worm called Stuxnet, which infiltrated computers at the facility and shut down at least 1,000 centrifuges, halting Iran’s enrichment of Uranium. Several years into Stuxnet’s circulation it escaped the confines of Natanz and began circulating freely.
- 2009 Botnet Attacks Against South Korea and the U.S.
Over one week in July 2009, a collection of botnets infiltrated a wide range of websites in South Korea and the United States. Both government agencies and private companies were affected and targets included Amazon, the New York Stock Exchange, the White House, the Pentagon, the Washington Post, South Korea’s Blue House and National Intelligence Service, and the U.S. State Department. Using a worm, they caused network overloads resulting in website outages for several days. In October of 2009, South Korea’s National Intelligence Service pointed to North Korea as the source of the attack.
- 2009 Cyberattack on Google
In late 2009, Google discovered that its systems had been hacked by Chinese actors. The company deduced that the goal of the attack was to access Gmail accounts belonging to international human rights activists that had been critical of China. Google also reported that at least twenty other major tech companies had been hit with similar attacks.
- 2015-2016 Attacks on the Democratic National Committee and Republican National Committee
Two Russian hacker groups, called Cozy Bear and Fancy Bear, were behind data breaches of the U.S. DNC and RNC in the run-up to the 2016 election. The groups stole emails from DNC data stores and leaked them to the group WikiLeaks for publication.
Cybersecurity and Social Media
In the 2000s, social media emerged as a new digital platform where users shared information and made social connections. Myspace became the most visited website in 2007 and was then overtaken by Facebook in 2008. This trend continues today with TikTok becoming the most-downloaded app of 2020. These new sharing platforms quickly became a target for cybercrime. Even relatively unadvanced hackers could crack the passwords to users’ social media accounts and then masquerade as them to promote products or send nefarious URL links to their social connections. The concept of online catfishing emerged. Scammers ‘catfish’ by fostering online relationships with victims under a false identity with the ultimate goal of stealing money or personal information.
A number of social media hacks had wide-reach impacts. For example, in 2013, two Syrian hackers from The Syrian Electronic Army hacked the Associated Press’s Twitter account by way of a phishing email sent to employees. The hackers then sent a tweet to all AP followers that read, “Breaking: Two Explosions in the White House and Barack Obama is injured.” Though countermeasures were quickly undertaken the same day, the Dow Jones Industrial Average reportedly fell 150 points in response to the fake news.
In 2012, LinkedIn was subject to a massive data breach that compromised passwords and email addresses of about 100 million users, or a quarter of the total user base at that time! LinkedIn subsequently added password hashing and salting to their security protocol and created a capability for two-step verification.
Biggest Cybersecurity Risks of Today
Today, many of the same cybersecurity risks exist as in years past. However, the longer the particular type of threat is around, the better we learn to combat it. The types of viruses and worms that wreaked mass havoc in the 1980s and 1990s would be much less effective today due to more advanced protective software and user education. However, as new technologies emerge, new vulnerabilities come with them.
Cyberattacks and Cryptocurrency
Over recent years, cryptocurrency has emerged as both a deterrent to cyberattacks and a useful tool for hackers. Most cryptocurrencies use secure blockchain technology that is widely regarded as unhackable. However, hackers have also used cryptocurrency to execute ransomware attacks because crypto payments can be untraceable, allowing hackers to receive payments without being caught.
Just this past spring, the largest oil source in the United States, the Colonial Pipeline, was hacked for ransom. A message appeared on devices at the pipeline’s control room demanding a ransom of $4.4 million worth of Bitcoins. Following the attack, Deputy National Security Advisor Anne Neuberger commented, “the misuse of cryptocurrency is a massive enabler here. That’s the way folks get the money out of it. On the rise of anonymity and enhancing cryptocurrencies, the rise of mixer services that essentially launder funds.”
In the case of the Colonial Pipeline hack, the FBI was able to trace the money back to a criminal hacker group called DarkSide. However, this is no easy task since cryptocurrency transactions can be almost untraceable.
Cybersecurity and Internet of Things
Another realm of cybersecurity that is currently top of mind for many is the protection of Internet of Things infrastructure. Many cities are in the midst of ‘smart’ city initiatives in which street lights, transport networks, and other public services are connected to the internet. This allows them to be programmed to function more efficiently and so, provide a better citizen experience.
With this digitization of services, city leaders must focus on robust cybersecurity protocols to prevent bad actors from taking over city infrastructure from afar. To this end, the U.S. government signed into law the Internet of Things Cybersecurity Act of 2020, which established “minimum standards for Internet of Things devices owned or controlled by the Federal Government.”
Both cyberattacks and cybersecurity are constantly evolving. As new technologies come on the scene – from the internet to email to social media to cryptocurrency – new cyber vulnerabilities emerge. However, new technologies also create opportunities for developers, governments, and individuals to improve cybersecurity measures. It’s all a matter of staying one step ahead of the hackers!
Want to learn more about the latest technologies in cybersecurity? Consider signing up for a cybersecurity bootcamp! For a recap of everything we’ve discussed above, check out the timeline below!
- Levy, Steven. Hackers: Heroes of the Computer Revolution. O’Reilly, 2010.
- Cannon, Lou. President Reagan: The Role of a Lifetime. PublicAffairs, 2003.
- 6 H.R. REP. NO. 98-894, at 6 (1984), reprinted in 1984 U.S.C.C.A.N. 3689, 3695. “The motion picture War Games showed a realistic representation of the automatic dialing and access capabilities of the personal computer.” Id. at 3696.