
Sixty years of cyber · 1969 — 2026
The arc, in fifty entries. How we got here.
From the Creeper worm on PDP-10s to nation-state pre-positioning in US critical infrastructure. The point of this page is not memorization — it's comprehension of the arc. Each event was inevitable in hindsight + improbable in foresight. The pattern across 60 years is the lesson.
Public sources only: textbooks (Cliff Stoll, Kim Zetter, Andy Greenberg, Brian Krebs), congressional testimony, DOJ indictments, CISA advisories, declassified documents, reputable journalism.
Pre-history · 1960s-1970s
1969
ARPANET goes live. The internet's military progenitor connects four nodes (UCLA, Stanford, UC Santa Barbara, Utah). Nobody is thinking about security.
1971
Bob Thomas writes Creeper at BBN — the first self-replicating program. It moves across DEC PDP-10s printing 'I'M THE CREEPER, CATCH ME IF YOU CAN.' Ray Tomlinson writes Reaper to delete it. The first virus + first antivirus.
1972
John Draper aka Cap'n Crunch demonstrates that a toy whistle from a cereal box produces 2600 Hz — the tone AT&T's long-distance network uses for authorization. The phone-phreak era opens.
1978
First documented spam: Gary Thuerk emails 393 ARPANET users about a DEC computer demo. Universally hated. The internet's first marketing email.
The 80s · birth of the malicious
1983
WarGames releases. Cyberpunk consciousness enters mainstream culture. Senate holds hearings on computer security partly in response. President Reagan watches the movie + asks the Joint Chiefs about its plausibility.
1986
First PC virus — Brain — written by Basit and Amjad Farooq Alvi in Lahore, Pakistan. Spread via 5.25-inch floppy disk. Their phone number was in the virus code. They told researchers (like Mikko Hyppönen years later) they were just trying to track who pirated their software.
1986
Cliff Stoll publishes 'Stalking the Wily Hacker' in Communications of the ACM — methodically tracking a German hacker selling stolen US military data to the KGB. The first publicly documented foreign-intelligence cyber-espionage incident. Later becomes the book 'The Cuckoo's Egg.'
1988
Morris Worm. Robert Tappan Morris (then a Cornell grad student) releases a worm that exploits Unix sendmail + fingerd + rsh/rlogin. Estimated to infect 10% of all internet-connected machines (~6,000 of ~60,000 at the time). First conviction under the Computer Fraud and Abuse Act (1989). CERT/CC founded in response.
The 90s · commercialization + culture
1993
Phrack #44 publishes 'Smashing the Stack for Fun and Profit' by Aleph One. Buffer-overflow exploitation enters the public canon. Required reading for vulnerability research for the next 20 years.
1995
Kevin Mitnick arrested by FBI after multi-year pursuit. Profile in NYT magazine. Becomes the public face of 'hacker' in 90s mainstream coverage. The trial reshapes federal cyber prosecution norms.
1996
Aleph One publishes 'Smashing the Stack for Fun and Profit' in Phrack #49. The canonical buffer-overflow tutorial. Required reading for the next 20 years of exploitation work.
1998
L0pht Heavy Industries testifies before Congress. The famous line: 'we could take down the internet in 30 minutes.' First time a hacker collective addresses the US Senate. Mudge (Peiter Zatko), Weld Pond, Dildog, Brian Oblivion, others on the panel.
1999
Melissa virus disrupts email globally. David L. Smith is arrested + pleads guilty. Internet-scale malware enters the mainstream news cycle.
The 2000s · worms + criminal economy
2000
ILOVEYOU virus from Manila spreads to ~50M computers within 10 days. Causes ~$5.5B in damages. Onel de Guzman avoids prosecution because the Philippines had no anti-cybercrime law at the time. The country later passed one in response.
2001
Code Red worm exploits a buffer overflow in Microsoft IIS web servers. ~360,000 hosts infected in 14 hours. The first internet-scale worm requiring no user interaction.
2003
SQL Slammer. 75,000 victims in 10 minutes. Doubled the size of its infected population every 8.5 seconds. The fastest-spreading worm in history, still.
2004
Estonia becomes a digital state. First nation to offer digital identity to all citizens. Cyber posture becomes a national-economic concern.
2005
Sony BMG rootkit scandal. Sony's audio CDs install a kernel-level rootkit on users' PCs that becomes a tool for malware. Triggers a class-action lawsuit + FTC enforcement. Mark Russinovich's discovery is a landmark of public-interest reverse engineering.
2007
Estonia DDoS attacks. Three weeks of distributed denial of service targeting Estonian banks, government, media. Attributed to Russian state-affiliated actors. The first publicly-acknowledged cyber operation against an entire country.
2008
Conficker worm reaches 9-15M infections at peak. Most infected machines remain unpatched for years. Conficker Working Group represents the first major industry-wide collaborative defense — Microsoft, ICANN, Symantec, etc.
2008
Russia-Georgia war includes coordinated cyber attacks on Georgian government and media sites — the first publicly-attributed combined kinetic + cyber operation.
The 2010s · cyber as a weapon
2010
Stuxnet disclosed. Worm targeting Iranian uranium-enrichment centrifuges. The first publicly-documented cyber weapon causing physical destruction. Reshapes global cyber doctrine permanently. (See /learn/cyber/breaches for full case study.)
2011
PlayStation Network breach. ~77M accounts compromised. Sony's PSN offline for 23 days. The first major consumer data breach to become a quarterly-earnings-affecting event for a Fortune 500.
2013
Edward Snowden disclosures. NSA contractor leaks documents revealing PRISM, XKeyscore, mass-surveillance programs. Reframes global conversation on government cyber capabilities + civil liberties.
2013
Target breach. HVAC vendor compromise → POS malware → 40M cards stolen. The textbook supply-chain attack.
2014
Sony Pictures hack attributed to North Korea. Treasury sanctions follow. Nation-state retaliation against a US private company over content.
2015
OPM breach. 21.5M federal employee records including SF-86 background-investigation forms exfiltrated. Attributed to Chinese state actors. The most consequential US government data breach by counterintelligence value.
2016
DNC hacks attributed to Russian GRU (APT28). Mirai botnet (700K+ IoT devices) takes down major DNS provider Dyn — Twitter, Reddit, Spotify, Netflix all degraded. Brian Krebs's site hit by 620 Gbps DDoS from Mirai.
2017
WannaCry (May, attributed to North Korea's Lazarus). NotPetya (June, attributed to Russia's GRU, $10B+ damages). Equifax (147M consumers). Shadow Brokers leaks NSA Equation Group exploits including EternalBlue. The year cyber goes mainstream.
2018
GDPR takes effect in EU. CISA established in US as DHS sub-agency. The era of formalized cyber-policy infrastructure begins.
2019
Capital One breach. ~106M accounts. Paige Thompson convicted. AWS S3 + IAM misconfiguration becomes a board-level conversation.
The 2020s · supply chain + critical infrastructure
2020
SolarWinds Orion supply-chain compromise. ~18,000 customers received a backdoored update. Selective post-compromise activity against US federal agencies. Attributed to Russian SVR. Triggers EO 14028 (Improving the Nation's Cybersecurity).
2021
Microsoft Exchange ProxyLogon. Colonial Pipeline ransomware ($4.4M paid, 6-day shutdown). Kaseya VSA supply chain (~1,500 organizations). Log4j (CVE-2021-44228) — the year of mass-exploitation events.
2022
Ukraine war begins Feb 24. Viasat KA-SAT modems wiped; attributed to Russia. Microsoft becomes a public defender of Ukrainian cyber posture. Costa Rica declares national emergency after Conti ransomware. Sandworm Industroyer2 attempts on Ukrainian power grid.
2023
MOVEit Transfer mass-exploitation by Cl0p — 2,500+ organizations affected. Volt Typhoon disclosed — China-state pre-positioning in US critical infrastructure for sabotage rather than espionage. National Cybersecurity Strategy published. SEC 4-business-day breach disclosure rule takes effect.
2024
Change Healthcare ransomware ($22M paid, 100M+ individuals affected — largest US healthcare breach ever). XZ Utils backdoor discovered by Andres Freund just before it would have shipped in major Linux distros — the most consequential near-miss in open-source supply chain history. Salt Typhoon compromise of US telecommunications carriers disclosed late in the year.
2025
Quantum-resistant cryptography migration accelerates. NIST PQC standards (FIPS 203/204/205) finalized late 2024 → 2025 enterprise adoption. CISA Secure-by-Design pledge expanding. AI safety becomes a formal regulatory category (EU AI Act enforcement begins phased rollout).
2026
We're here. Drones replaced artillery in Ukraine. LLMs power both attack and defense workflows. Critical-infrastructure pre-positioning is the central threat. The field needs more defenders than there are.
The next decade will write itself faster.
Sixty years got us here. The next ten will compress the work of those sixty. The field needs more defenders than it has — and the people who join in 2026 will live through events that future timelines will list with the same weight as Stuxnet and Volt Typhoon. The right question on this page is not “what happened.” The right question is “what do I want my line in the next era to say.”