The federal government got its defining wakeup call about vulnerabilities facing the nation's IT systems in the years and months
leading up to Jan. 1, 2000. Experts warned that the dreaded "Y2K Bug" would
bring down networks and critical systems around the world. But governmental efforts to protect important information systems date back several decades.
ca. 1977: The General Accounting Office recommends limiting the number of federal employees who can use a computer as a way to prevent network security breaches.
1977: Sen. Abraham A. Ribicoff (D-Conn.) introduces the Federal
Computer Systems Protection Act, which seeks to define "computer crimes"
and recommends penalties for such crimes. The bill does not pass.
1983: The FBI raids more than a dozen homes in six states, confiscating Telnet passwords, at least one Apple II+, a modem and several other computers. An article in InfoWorld refers to an increase in hacker activity following the release of the
popular film "WarGames," which portrayed a high school student who was able to hack into the computer system at the North American
Defense Command in Colorado Springs, Colo.
1983: Congressman and future Agriculture Secretary Dan Glickman (D-Kan.) calls for hearings to examine computer
hackers after seven teenagers known collectively as the "414s" break into several government computers, including a nonclassified computer at the Los Alamos National Laboratory in New Mexico.
1983: Deputy Assistant FBI Director Floyd Clarke tells a House
subcommittee that a computer can be used much like "a gun, a knife or a forger's pen," and urges new laws against hacking.
1987: President Ronald Reagan signs the Computer Security Act of 1987, an attempt to protect federal agencies' computer databases.
1988: The CERT Coordination Center is founded with money from the
Defense Department's Defense Advanced Research Project Agency -- the same agency that developed the Internet's predecessor ARPANET in the mid-1960s. CERT is a central reporting center for Internet security problems. It is part of the Networked System Survivability
Program, and is located at Carnegie Mellon University in Pittsburgh. CERT originally stood for "Computer Emergency Response Team."
July 1989: Following the release of the "Morris" worm that infected
600,000 computers, the General Accounting Office (GAO) says that the White House science adviser should be tasked with overseeing efforts to prevent subsequent computer virus attacks.
July 1989: Rep. Edward Markey (D-Mass.) drafts a bill that would
make it a crime to author computer viruses.
May 1990: The GAO says the Computer Security Act of 1987 is failing to protect government data. Agency heads say
budget problems contribute to the failure.
February 1991: Data theft "is a serious strategic threat to national
security," says Michelle Van Cleave, the White House Assistant Director for National Security Affairs.
July 1996: Rep. Stephen Horn (R-Calif.), chairman of a House
Government Reform subcommittee, publishes his first quarterly "Year 2000 readiness report card" for federal agencies and offices. Many of them receive failing grades.
July 1996: President Clinton establishes the President's Commission on Critical Infrastructure Protection, charged with coordinating and protecting vital
infrastructure systems (gas, oil, telecom, water, transportation, etc.)
against physical and electronic attack.
February 1998: President Clinton appoints former Deputy Budget
Director John Koskinen to chair his Year 2000 Conversion Council. The
council centralizes executive branch efforts to prepare government
agencies for the date rollover. The council also becomes a template
for later executive branch efforts to centralize oversight of
cybersecurity threats.
April 1998: Realizing that Y2K problems could affect sectors under the jurisdiction of several congressional committees, U.S. Senate leaders appoint Robert Bennett (R-Utah) and Christopher Dodd (D-Conn.) to chair a panel on Y2K readiness. The committee keeps close tabs on businesses and government efforts to ready their systems for the date rollover.
May 1998: President Clinton orders the government to work with
businesses to secure the nation's vital information networks, nearly
90 percent of which are privately owned and operated. Clinton appoints
Richard Clarke as National Coordinator for Security, Infrastructure
Protection and Counter-terrorism. He also calls for a national
cyberspace protection plan, scheduled for release in 2000.
1998-1999: The U.S. government and the private sector spend significant sums (estimates range from millions to tens of billions of dollars collectively) fixing key computer and communications systems in preparation for the Y2K changeover. The
government establishes a $50 million domestic and international Y2K coordination center with many of the nation's largest IT companies contributing cash and staff.
July 1999: President Clinton signs the Year 2000 Readiness and
Responsibility Act, which limits the legal liability of companies that
suffer problems, despite making good-faith efforts to fix their systems
in advance of the date rollover. The law says companies being sued for
technological failures can raise a Y2K defense if they can prove they
took adequate steps to prepare their systems for the switch.
Jan. 2000: The media and the public watch as the world transitions
through Y2K with no major disasters. Many people question whether the problem was over-hyped. Critics point to many countries that spent a fraction of the amount the United States invested but had few -- if any -- Y2K-related problems.
2000-2001: Rep. Horn turns his Y2K readiness report cards into
cybersecurity readiness report cards. The number of poor grades among federal agencies sparks greater scrutiny of federal information technology officials.
Jan. 2000: The Clinton administration releases its cybersecurity strategy. The document earns a cool reception from industry, which was
left out of much of the drafting process. Civil liberties and privacy
groups say it advocates a government-wide intrusion detection network.
They also say it could dramatically expand government surveillance of
the nation's communications networks. Plans for an intrusion detection network are dropped.
February 2000: A spate of distributed denial of service (DDoS) attacks temporarily brings down several of the world's largest and most popular portal and e-commerce sites. The attacks prompt congressional hearings and legislative proposals aimed at closing security holes and intensifying the hunt for cyber vandals.
May 2000: The Clinton administration dismantles the Y2K center. Some in Congress call for the appointment of a federal chief information officer -- or "cybersecurity czar" -- to oversee privacy and security issues.
May 2000: The "I Love You," or "Lovebug" virus wreaks havoc on
commercial and government systems worldwide. The virus's author -- a
Filipino computer science student -- escapes prosecution because the Philippines has no computer crime laws. The incident prompts the United States to push for and sign the Council of Europe Cybercrime Treaty, an attempt to harmonize laws against computer crimes.
Sept. 2000: Federal agencies' computer security systems get an overall grade of "D" from Rep. Horn.
Oct. 2001: President George W. Bush establishes the President's Critical Infrastructure Protection Board, a group charged with developing a national cybersecurity strategy. The board begins soliciting advice from the private sector on ways to beef up the nation's computer security posture. Richard Clarke is named White
House cybersecurity adviser.
Oct. 2001: The Bush administration begins holding town-hall meetings
for input on its cybersecurity plan. Clarke warns of an impending "digital Pearl Harbor" if industry does not take steps to improve
security.
Nov. 2001: Congress conducts its second annual review of computer
security at federal agencies. The agencies get a collective "D-minus." The White
House Office of Management and Budget promises to withhold funding for
federal IT programs that don't improve security.
Jan. 2002: CERT cites a 200 percent increase in
computer security incidents and vulnerabilities from 2000 to 2001.
May 2002: The White House says it will release the final version of
the cybersecurity strategy on Sept. 19, 2002.
Sept. 17, 2002: Despite plans to have technology luminaries like
Microsoft Chairman Bill Gates in attendance at a big signing ceremony
at Stanford University, the White House decides to hold back the final
cybersecurity plan. Instead, it says it will release another draft to
seek further comment from businesses most likely to be affected by the
plan.
Sept. 19, 2002: The cybersecurity plan draft is released. It has been shorn of some of its most controversial provisions, including a proposal that would have required high-speed Internet service providers to bundle firewall products with their
services. The administration also pulls language calling for an industry-fed cybersecurity fund, as well as a section on restricting the use of emerging wireless networks until their security is approved. The draft plan is criticized by some security groups who accuse the administration of kowtowing to industry pressure.
Nov. 2002: For the third year in a row, most federal agencies earn
failing marks for computer security.
Nov. 2002: President Bush signs the "Cybersecurity Research &
Development Act," which calls for $900 million over five years for
security research and education.
Nov. 2002: President Bush signs legislation creating the Department of
Homeland Security, a department that absorbs 22 federal agencies, including five cybersecurity offices and programs. The law expands
the ability of authorities to obtain information from telephone and Internet service providers. The legislation also
increases fines and jail terms for a range of computer crimes, and calls for life in prison for hackers whose online antics result in the serious bodily injury or death of another.
Jan. 2003: White House cybersecurity czar Richard Clarke resigns.
Howard Schmidt, vice chairman of the President's Critical Infrastructure Protection Board and former chief security officer at Microsoft Corp., assumes his duties.
Feb. 2003: The White House releases the cybersecurity plan after President Bush gives his formal approval in late
January. It includes handy tips for home Internet users to keep their networks safe, as well as similar recommendations for business. It also calls for government contingency plans in case a major section of the Internet is rendered inaccessible because of a cyberattack.
Mar. 2003: The Homeland Security Department names a senior executive from Coca Cola Corp. -- Robert Liscouski --
and a former CIA official -- Paul Redmond -- to top positions dealing with information security. The administration also says it plans to ask Frank Libutti, the former NYC Police Department counterterrorism chief, to serve as the undersecretary for information analysis
and infrastructure protection.
Apr. 2003: The Homeland Security Department picks Nuala O'Connor Kelly, the former chief privacy officer of DoubleClick Inc., as its privacy czar.
Apr. 2003: Howard Schmidt resigns as White House cybersecurity officer after only two months on the job. The move reflects the administration's intent to centralize cybersecurity authority in the new Department of Homeland Security.
May 2003: The Homeland Security Department says it will create an office specifically to carry out the White House's national cybersecurity strategy.