History of cybersecurity: Key changes since the 1990s and lessons for today

History of cybersecurity: Key changes since the 1990s and lessons for today

Danny Wheeler, Director of IT, Recast Software, says you can’t excel at addressing future threats unless you also understand the past.

In the realm of cybersecurity – which is a huge part of my job as the Director of IT (and Security) at Recast – most folks tend to focus on what’s coming next.

But you can’t excel at addressing future threats unless you also understand the past. Although the goals and activities of threat actors have changed tremendously over the past two decades, many traditional threats remain just as prevalent today as they were in the past.

As a result, a holistic approach to cybersecurity requires the ability to manage risks of all types – not just the latest, greatest threats that have emerged in the age of AI.

To that end, allow me to walk through what I see as key stages in the evolution of cybersecurity from the dawn of the Web in the 1990s through the present . I’ll also explain how today’s IT and cybersecurity leaders can leverage the lessons of the past to erect stronger cybersecurity defenses.

The 1990s and early 2000s: The dawn of modern hacking

Attacks against computer systems stretch back to the early days of computing in the mid-twentieth century. But in order to avoid writing too much of a tome, I’m going to begin my analysis of the history of IT security in the 1990s, which is when the Internet first entered homes and businesses in a big way.

At this time, most folks were still trying to figure out what the Internet really meant and what you could do with it – including hackers. That’s probably why most early IT security attacks focused on causing relatively minor damage, like defacing Web pages or disrupting Internet services. Most cyberattackers hadn’t yet thought about using the Internet to pursue financial gain or cause serious harm to organizations.

To be sure, financial crimes based on computer hacking took place in the ’90’s and early 2000s. But they didn’t dominate the news in an endless stream of cautionary tales, and most people thought the 1995 movie Hackers was a realistic depiction of how hacking worked (in truth, it’s much, much more boring, but I digress).

I like to think of cyberattacks during this period as the equivalent of graffiti: They were annoying, but they rarely caused extensive damage – and it was easy enough to clean up the aftermath.

Mid-to-late 2000s: Criminals embrace the Internet

By the mid-2000s, however, Internet-based attacks started to become more harmful and frequent. This was the era when threat actors realized they could build massive botnets then use them to distribute spam or send scam emails.

These attacks had the potential to cause real financial harm, but they weren’t exactly original types of criminal activity. They were merely the use of a new medium, the Internet, for conducting traditional types of criminal activity – like scams.

Importantly, this era also saw the advent of the Dark Web and underground online marketplaces like Silk Road. These were a natural outgrowth of criminals’ embrace of the Internet, since they provided a place to sell stolen digital goods.

The 2010s: A golden age of cybercrime

Gradually, threat actors evolved their strategies. In place of botnets, which blasted massive amounts of spam at targets that were typically chosen at random, they began launching ransomware attacks that focused on specific organizations.

(For the record, I should note that ransomware attacks actually date back at least to the 1980s. But the 2010s were the decade where ransomware truly took off and became a widespread threat for virtually every organization.)

The 2010s were also a time of massive technological change. The advent of cloud computing, widespread adoption of mobile devices and rollout of IoT hardware meant that businesses could no longer define clear network perimeters or that sensitive data always remained in their own data centers.

At the same time, this period saw the rise of state-sponsored threat actors alongside traditional hacking groups. State-sponsored actors enjoyed access to substantial resources, which increased their ability to carry out effective attacks.

The combination of these three factors – targeted ransomware attacks, increasing IT complexity and state-sponsored attackers – made it harder than ever for organizations to keep their digital assets secure.

Despite some investment in protections like firewalls and software patching tools, most companies struggled to keep up with cyber threats because basic solutions weren’t enough on their own to contend with the vast scale or complexity of cyber risks.

The late 2010s: Enterprises fight back

Things began changing in a positive direction starting in the later 2010s. By that point, the typical organization had realized that basic, reactive cybersecurity protections were not enough. Companies learned that they also needed to invest in preventative measures.

Hence the widespread deployment of Multi-Factor Authentication (MFA) solutions, which make it significantly harder for attackers to impersonate targets using stolen credentials. Hence as well investment in more sophisticated types of cybersecurity solutions and techniques, such as threat intelligence and threat hunting.

To be sure, these solutions didn’t eradicate cybercrime. But they were effective in reducing overall levels of risk.

The recent past: Covid and AI

Over the past few years, we’ve lived through two major new challenges that complicated cybersecurity even further.

One was the Covid pandemic. When large numbers of white-collar employees began working from home, enterprise networks extended to include home networks, too. This meant that businesses needed to adopt yet more sophisticated cybersecurity protections, such as zero-trust network security policies.

Meanwhile, the AI boom of the past few years has placed new tools in the hands of threat actors. Today, the bad guys can turn to AI to assist with tasks like selecting targets and generating malware, introducing new levels of efficiency and scalability to hacking operations.

In response, we’re currently witnessing another inflection point in cybersecurity strategies. Enterprises have realized that to keep up with attackers, they need to achieve greater levels of efficiency and up their attack prevention game. To do this, they’re investing in AI-enabled cybersecurity tools that provide capabilities like advanced behavior analysis and automated response.

Lessons from cybersecurity history: Or, why we need to go back to the basics

There are many potential takeaways from the cybersecurity history I’ve just laid out. But I’m going to focus on the one that I think is the most important for helping to guide modern cybersecurity strategies.

That takeaway is how far removed we’ve gotten from basic cybersecurity practices and how important it is not to lose sight of standard best practices in today’s age of highly sophisticated threats.

To be sure, solutions like MFA and AI-enabled cybersecurity tools are great things and they’re a necessary part of a modern defense strategy. But these tools don’t excel at addressing more basic security risks, like unpatched software or endpoints that an organization is not monitoring effectively.

That’s why effective cybersecurity requires a defense-in-depth strategy that hinges on adopting tools and techniques from across all of the stages of cybersecurity history that I described above.

Seemingly mundane solutions, like patch and vulnerability management software and least privilege policies, remain just as important as more modern innovations, like fancy AI-powered threat hunting and modeling tools.

Conclusion: To thrive in the present, remember the past

This brings me back to the observation with which I started: That you can’t excel at meeting today’s cybersecurity threats without drawing, in part, on lessons from decades past.

There’s no denying that some of today’s threats are more sophisticated and complex than ever, and that they require novel solutions. But an unpatched server, or a user with unnecessary administrative privileges, remains just as much of a risk today as it did twenty years ago, which is why cybersecurity lessons from the past still apply to the present.

Browse our latest issue

Intelligent CISO

View Magazine Archive