Love Bug: 25 Years On. Reflections from the Front Lines of Cyber Security

Glenn Ambler

 

Last year, I posted a blog about the infamous ILOVEYOU virus, mainly as a light-hearted reaction to rediscovering an old company newsletter I was featured in: https://2t-security.com/looking-back-at-2-years-since-iloveyou/ 

But this year marks a bigger milestone: 25 years since Love Bug hit inboxes everywhere, and as someone now chalking up three decades in Cyber and IT Security, I figured it’s time to get a bit more serious. A little reflection. A few predictions. And a warning or two.

2000: When 10,000 Mailboxes Brought the House Down

Back then, I was managing an email service supporting 10,000 users and servicing around 20 million customers. When the Love Bug hit, it didn’t crash the system due to clever malware; it simply overwhelmed us with volume. Our infrastructure just couldn’t scrub that much email that fast. We had no elasticity. If you needed more horsepower, you physically racked more servers.

Now you’d hope your cloud-hosted mail has scalable infrastructure, AI-assisted spam filters, and sandboxed attachments. But let’s not be smug: we still see email-borne threats do real damage. The medium might have evolved, but the human weakness it exploits hasn’t.

Email Down? Just Call Us

Interestingly, when email failed, we simply reverted to phones. Call centres were the norm. Online payments were still new (I was working on that too), so there wasn’t the dependency on digital comms we see today. Clients were mildly annoyed, but operations ticked on. 

My bigger concern wasn’t email. It was what might happen to critical systems: wastewater control, supply chain platforms, lab systems. Fortunately, in 2000, these weren’t connected to corporate networks. The idea of remote access to ICS/OT environments was still science fiction.

Enter: Remote Access, Ageing Engineers, and the End of Air-Gaps

Fast-forward 10 years. I’m consulting with a company managing significant ICS infrastructure. Their challenge? An ageing contractor workforce unwilling to drive to remote sites. Air-gaps were being reconsidered. We talked VPNs, VDI, MFA, time-bound access, and the (then-niche) Jericho Forum. The solutions weren’t easy, but they were necessary. And largely, they’ve since become the norm.

Then a few years later, another ICS project. Network segmentation? Check. Remote access controls? Check. But the software vendor insisted on linking their Windows domain controller to the corporate AD with trusts. “Don’t worry, the firewall keeps it safe,” they said. 

Nope. A compromise in corporate AD meant direct risk to the ICS estate. I flagged it, and thankfully the CISO listened. But that design pattern still exists. And it still gives me heartburn. 

Hybrid Clouds, Blurred Boundaries, and Attackers Who Don’t Care

Today’s frontier? Hybrid cloud. Researchers are poking at the seams, where identity, access, and configuration drift between cloud and on-prem worlds. I’ll be honest: this is one area where I rely heavily on specialists. But one truth holds: attackers don’t care where you host things. They want initial access and a way to pivot.

When you join the dots, cloud to corp, corp to OT, you realise the modern kill chain can cross more boundaries than ever before. 

So What?

If you’re reading this, you probably work in cyber. You’re likely in one of two camps: 

  1. “This is obvious.” If so, great. You’ve got a mature security model, solid asset visibility, and a risk register that means something. 
  2. “We’re struggling with exactly this.” You’re seeing the risks but can’t get leadership buy-in. You’re working around vendor design flaws. You’re under-resourced. 

If you’re in the second camp, you’re the reason 2T Security exists. You’re not alone. And yes, we should probably talk. 

Looking Ahead

The pace of innovation is wild. Agile delivery means MVPs often ship before security is baked in. Add GenAI to the mix (I recently had to Google what “vibe coding” meant), and we’re staring into a future where more code, more data, and more integration mean more risk.

That’s not fear-mongering; it’s reality. The opportunity is massive, but we need smart, adaptable guardrails. Standards are slow. Principles scale. That’s why I’m such a fan of NCSC’s Secure by Design principles. They force us to ask better questions early. 

How We Think at 2T Security

This is exactly how we work at 2T Security. We help organisations bake in security from the start: 

  • Strategic security design 
  • Security assurance for cloud-native services 
  • Securing ICS and critical infrastructure 

We don’t do silver bullets. We do what matters most. 

Twenty-five years on from Love Bug, the threats have changed but the fundamentals haven’t. The world needs clear thinking, good design, and grounded advice more than ever. 

Let’s keep building a safer future. One well-secured system at a time. 

Contact our team to discuss a tailored security strategy that always puts your organisation first.
