A Brief History
When I was a kid, my mother bought me a computer and taught me how to write simple programs. In time I learned to write more complicated programs. One particular program reached out across the network and touched another program on someone else’s computer. This got me into a bit of trouble, but not so much that it derailed my life.
Mom told me I was following in the footsteps of several generations of people who discovered that computers didn’t just do what they were supposed to do, they could also do things you didn’t think they could do. The ideal situation was that you found out the latter before someone else did so that something bad didn’t happen to you. That wasn’t usually the case, and I found out later it was why she was at work so much.
Mom also said that we knew how to deal with these problems way back in the middle of the previous century. A lot of very smart people anticipated that insecurity had the potential to be a problem, and they asked another smart man to study the problem. He wrote a report that explained how we could remedy the situation.
Apparently, it wasn’t a best seller.
Over a decade later mom said another wise man discovered foreign spies in his computer. He managed to chase (figuratively) these spies across the world, but had a hard time getting anyone who could do anything about it to listen. It didn’t help that at the time it wasn’t even clear if anyone should do anything about it since in a meaningful sense “computer crime” wasn’t a thing.
It took another decade before computers went from being relatively large and fairly rare, to boxes that sat on a desk that anyone could buy. It didn’t take long for more foreign spies and even common criminals to break into those computers and for people to start writing books about the problem and standing up organizations to combat these new-age evildoers.
As the decades passed, the scope and scale of the problem only got worse. Computers went from something that sat on your desk to something that sat on your lap to something you wore in your pocket to something you wore on your wrist, to something that got implanted inside you. Your car was just a set of computers that just happened to have wheels. In each and every case someone somewhere figured out how to gain access to those computers without permission. “The greatest transfer of wealth in history” some called it. Some of the most protected systems in the world were not safe from compromise if not outright destruction.
The militarization of cyberspace had been a theory and in a few short years became reality. Viewed as a so-called “domain” like the air or oceans, billions of dollars were spent trying to “dominate” it at the expense of other foreign powers and non-state actors who leveraged computer power to punch well above their weight, at least online. States still had a monopoly on force in meat space, but online the super-empowered could hold their own against most comers.
That cyberspace was a battlefield wasn’t really well communicated to everyone else who needed to move bits around the globe. They kept connecting random boxes to the global network without the means for them to operate securely, with predictable results. The more devices, the more we relied on those devices for significant aspects of our lives, the worse the impact of every hack. Bureaucrats wrung their hands about privacy, despite the fact that everyone’s personal details were available for pennies ten times over on the dark web; but wouldn’t make computer security policy that was meaningful, functional, or mandatory.
There were some organizations that took security seriously. Nobody would do business with a physical bank that kept its doors unlocked and didn’t have an alarm system, so digital banking could do no less. But once you stepped away from the top tier of any field, the protections and attention to security waned considerably. Attacks on supply chains followed, with the trust relationships of the weaker links being exploited to compromise those top tier institutions who didn’t bother scrutinizing packets from their suppliers because, well, they’re trusted, right?
It only took a few more years before things went from bad to terrible to catastrophic. The hacks weren’t just getting bigger; they were having a much bigger impact for longer periods of time for larger and larger groups of people. Not just here, everywhere. Critical infrastructure in Los Angeles would be out of whack for a week, St. Petersburg would follow, with Shenyang close behind. Everyone disavowed the activity but it all followed a predictable, obvious cycle that was tied to how bombastic the international political rhetoric was that news cycle.
Laissez les Mauvais Temps Rouler
And then the twins arrived.
Beatrice and Cynthia. They were the second and third named hurricanes of that season. Beatrice approached the Carolinas from the east, and Cynthia came up through the gulf. Both category 5s that cut a swath of death and destruction from Louisiana to North Carolina.
Now the southeastern US is not a stranger to hurricanes and their ability to do harm, but decades worth of knowledge and capabilities that were manifest in state and local emergency response units were rendered inoperative just before the twins hit thanks to a coordinated blitz from one of our “near-peer” adversaries. With no way to communicate the latest emergency information or effectively deploy resources, the death toll was five times what it would have otherwise been and the damage to infrastructure was so severe the anticipated recovery time and expense was several orders of magnitude more than normal.
The attack was traced back to its country of origin. NATO, still a thing back then, was divided about whether Article 5 applied. The UN security council was equally useless, which makes sense when you consider the three biggest warring factions were on the council and all held veto power on any decision that had the faintest whiff of retaliation or punishment.
The U.S. Congress, for a change, decided to step up. With a lot of fanfare but little debate, they passed the Cyberspace Privateering Act, which gave the executive branch the ability to coopt the resources of private enterprises to support both offensive and “active defense” operations. It also granted legal immunity to corporations who participated in such actions under government sanction.
The world’s “very serious people” lost their shit.
Never mind that some of the earliest cases of malicious activity online were carried out by proxies of foreign governments.
Never mind that in nearly every conflict that had a cyberspace component to it governments turned blind eyes to non-state actors who were causing harm to the enemy despite having laws on the books that made their actions criminal.
The fact that the US was willing to say the quiet part out loud forced the world’s major powers to raise their voices in a collective protest, though it is worth noting that while none of them formally passed their own versions of the Act, from that point forward it was clear to all observers that they were more than happy to let de facto supersede de jure.
A critical portion of the Act required agencies that applied private resources to establish a management and oversight scheme to ensure that privateers upheld all the other laws that were on the books, minus 18 USC 1030 of course, and to deconflict what was expected to be a very crowded battlespace. While in theory any given company willing to play by the rules could participate, in reality only the largest private enterprises would play leading roles because they had the resources and knowledge of government bureaucracy to handle all the paperwork associated with the regulatory regime.
TeachTech was a consortium of the world’s largest search engine and the world’s largest software company. Arguably the greatest collection of offensive and defensive practitioners in the world that were not in uniform.
BlackCloud didn’t have the deep tech bench of TeachTech, but it did have the largest collection of special operations veterans in the free world. A brigade-sized element of technically astute operators, most of whom had spent decades enabling cyber operations in the world’s hard targets.
BuzzOps was to online espionage what BlackCloud was to cyber-attack. An unofficial 19th US intelligence agency, its roster was filled with information warfare operatives and disinformation experts.
It was said that you saw some increase in uncoordinated and amateur offensive activity worldwide after the Act was passed, but in just a few months we reached a point where organized, skilled, large-scale operations could get underway in earnest and at combat speed.
The wins were pretty impressive.
TeachTech’s AI-managed honeynets quickly identified and disrupted enemy botnets on a scale that was heretofore unthinkable. Formerly a complex and highly coordinated (read: slow ass bureaucracy powered by nervous lawyers) activity that was carried out maybe twice a year was happening dozens of times a month. Botnets as weapons were basically taken off the table.
BlackCloud went to where the money was and made off with hundreds of billions in cryptocurrency from adversaries and their hangers-on. Cash-strapped members of our generation’s axis of evil were more or less neutralized (even villains have to pay their bills).
BuzzOps seeded R1 universities with ever-so-slightly altered research findings and commercial databases with modified intellectual property. It was a long-game sort of play but reports leaked after that war suggested it cost the other side billions in wasted R&D, and those projects that managed to see daylight suffered catastrophic failures in short order.
Of course the naysayers were quick to point out that in any sort of war, even a cyber war, the enemy still gets a vote.
The fast and loose relationship between the CEO of a US electric automobile company and an oligarch of one of the warring factions came back to bite the former’s enterprises in the ass when foreign “engineers” on an exchange visit Stuxnet-ed the cooling systems at a manufacturing plant killing dozens and leaving dozens more with life-altering injuries. It wiped out several billion dollars’ worth of paper value and even at this late date the company’s share price hasn’t fully recovered.
One near-peer’s cyber corps released deep-faked emails and chats purported to be from the government and BlackCloud that implicated the staff of both in war crimes and profiteering. Given the reputation of BlackCloud from its days as strictly a guns and grenades outfit in various conflicts around the world, this wasn’t terribly hard to believe. It took months for a Congressional investigation to run its course and the company was able to resume sending bytes downrange.
The risks associated with operating a technical monoculture have been known for several decades, but it had never really been that big of a problem until the opposition decided to exploit flaws deep in that monoculture that they let lie dormant for years. The changes were subtle but widespread and difficult to detect. Some context in documents here, a few numbers past the decimal point in spreadsheets there. It took months before anyone figured out what was going on, and by then hundreds of millions of documents and spreadsheets had been compromised. No data leaked, just completely untrustworthy.
From Bad to Worse
Ever since the first computerized system was deployed in combat, there has been a concern that such “weapons” would desensitize their operators to the point that they would not think clearly about their actions and the consequences thereof. Normally you have to expose yourself to enemy fire in order to fire on the enemy; it’s a different calculus when you’re miles away and can kill a dozen with the push of a button.
People who study this stuff today more or less agree that the beginning of the end was when one of our near-peer adversaries took things out of cyberspace and brought them into meat space: the murder of over three dozen military cyber warfare operators and civilian privateers in a series of bombings and shootings. Their operatives were already here, doing your run of the mill secret policeman’s work: hunting down expatriate dissidents, beating up immigrants who bad-mouthed the government back home, and reconnoitering critical infrastructure for future attacks. The fact that these head-crackers were willing to go all out against what they considered “legitimate military targets” was something those who voted for the Act hadn’t counted on. Nobody had.
Of course it triggered a response.
The founders of BlackCloud and BuzzOps were all from cities impacted by the hurricane hack and had lost family in the aftermath. They formed a covert and unofficial joint venture and spent months infiltrating the SCADA systems that controlled a series of hydroelectric dams across the adversary’s territory. While most of those systems were closed to the outside world, it was common to find at least one dual-hosted box on site to allow maintenance staff remote access so that they didn’t have to drive to the site at 2:00 in the morning to troubleshoot some minor glitch.
In those cases where they couldn’t get remote access, like an outfit staffed with ex-spies would be wont to do, they paid low-level technical staff the equivalent of several years’ salary to bring in the tools they needed to connect to the internal network. They timed their attack as monsoon season started, in an attempt to mask the true origin of the attack by making it look like shoddy construction of the dams themselves was the cause of what has been called, in a poor attempt at humor, the second largest flood the earth has ever seen. In keeping with the theme it was said that the damage and death toll had been biblical.
While never officially declared or acknowledged, at approximately the same time as the adversary declared the flood over and recovery operations were to begin, effectively all malicious activity from both near peers and their proxies stopped.
Fallout
With the shooting over, the hard work of building a lasting peace began.
While every public intellectual opined on the whys and wherefores related to the end of hostilities on their Substack, the three warring parties and a handful of unaligned nations met at Esperanza Base to draw up a way forward. Antarctica was an ideal location for such work since it was one of the few places that would not support the presence of the press, network connectivity was spotty at best (and easily blocked for the duration of the discussions), and was only tolerable from a climate perspective for about four months. When you have to work under constraints, you tend to produce results faster. The agreement they hammered out contained both short and long term remedies, and laid the groundwork for life after a reboot.
Privateers in non-executive positions were given amnesty. The CxOs of all privateering forces were allowed to be publicly recognized and thanked by their respective governments, but in secret they were to be sanctioned both domestically and internationally. It was a given that they would hold no office in a company that dealt with technology. They could participate in no form of international financial activity. As long as they never left their homelands, they were safe from an international arrest warrant that would be held in abeyance for the duration of their lives.
The balance sheets of the legal entities the privateer forces set up, regardless of which warring faction they supported, were forfeit and donated to a fund managed by the World Bank, earmarked for the restoration of damaged infrastructure worldwide.
Cybersecurity research required a license from the government, who only gave them out to those working on critical infrastructure, and under the approval of critical infrastructure providers. Research findings were required to be disclosed upon proof-of-concept, simultaneously to all customers worldwide. The next generation of the “curious” were able to hone their skills in highly controlled academic environments, but in the end if you were going to wear a hat, it was going to be a white one.
Full responsibility for not shipping code that did not meet specific safety and security standards fell on the shoulders of CEOs who, like the CEOs of publicly traded companies who had to comply with the Sarbanes-Oxley Act, had to attest to the standards of their products. Failure to do so meant financial penalties and prison. This didn’t result in perfect code, but it did effectively eliminate stupid code, and that wasn’t nothing.
No one was going to stop people from trying to rob online banks or cryptocurrency wallets, but everyone agreed that no good was served turning out the lights, killing people on ventilators, or denying people access to clean water. The horrors of the great flood still fresh in everyone’s minds helped a critical infrastructure non-aggression pact last to the present day, and it shows no sign of abating.
To reinforce the non-aggression pact and to build trust and goodwill, every four years, engineers and their families from each of the warring factions were sent on a rotational assignment to one of another faction’s critical infrastructure providers. Once trained to proficiency, they were responsible for operating and maintaining said infrastructure. The incentive to perform well and be a good steward to the local population was self-evident and never had to be spelled out.
No Place Like Home?
Mom rarely uses a computer these days. She doesn’t have connectivity at her cabin, so when she connects it’s at the local library where she does the most innocuous things in full view of the public. ‘Better to not give them an excuse’ she says.
It’s taken me a while to understand what she means.
She used to use a computer every day, oftentimes well into the night. I’d heard her described at various times in various forums as a “trailblazer,” a “rock star,” and a “luminary.” I never really understood what she did back in the old days because things moved so fast during my formative years that I barely understood and didn’t really appreciate what was going on. I know she was a big enough deal that me perpetrating shenanigans that would have landed anyone else in prison was dismissed with a wave of a hand. I know in the first months of the war she was rarely home and lost enough weight that her doctor was concerned about her health. I know that after the war I got to go with her to work – for the first and only time – to watch her receive a medal.
For some reason she couldn’t take the medal home.
I also know that not long after that ceremony she took a job with one of the big conglomerates. Not long after that we moved into a much nicer house, she drove a much nicer car, and every digital device I had was replaced with top-of-the-line gear.
The year I graduated from college she retired and moved to the sticks. She was glad the two of us graduated from the same fancy school. She jokes that she wishes I’d studied computer science and not history, though she knows I’d mastered the fundamentals by the time I was 16, so four years of boredom was not the best use of 529 plan funds.
She’s worried that me having some memory of what went on – along with my training as a historian – will lead to trouble. She’s never quite clear on what sort, but a once uber-she-nerd who helped win the cyber war who lives disconnected and hoards pre-war books and periodicals like they were money has given me some hints. I’ve decided not to tell her that I’m building my own little hoard for the time being. No sense in worrying her unnecessarily. I’m glad I didn’t go down the same path she did, but by the same token I feel like I’m on track to have just as big an impact albeit in a different way.
Assuming she still has enough juice to keep me out of prison again.
(C) Michael Tanji, 2025