The first security incident
By 1971, ARPANET linked about two dozen research and government sites, and researchers occasionally played "practical jokes" on each other involving joke messages, annoying messages, and other minor security violations.
But it wasn't until 1986, when the first international security incident was identified by Cliff Stoll, then of Lawrence Berkeley National Laboratory. Stoll uncovered an international effort to connect to computers in the United States and copy information from them.
In 1988, ARPANET had its first automated network security incident: the Morris worm, a self-replicating automated network attack tool written by a student at Cornell University, Robert T. Morris. The program would connect to another computer, find and use one of several vulnerabilities to copy itself to that second computer, and begin to run the copy of itself at the new location. As a result, 10% of the U.S. computers connected to the ARPANET effectively stopped at about the same time.
The Morris worm prompted the Defense Advanced Research Projects Agency (DARPA, the new name for ARPA) to fund a computer emergency response team, now the CERT Coordination Center.
References and useful resources: