I wrote then:

“The unvarnished fact is that the networked society to which we’ve become accustomed in the last several years has a soft, vulnerable underbelly.

And the more we rely upon it, the more people with a combination of advanced technical skills and repugnant motivations are going to look for ways to turn it against us.

Some will do so as a means of making a personal profit. Others may see it as a way of advancing a political or ideological agenda.

But others will want to use theirs skills to do serious harm to innocent people on a large scale.”

Part of these predictions or ruminations or whatever you care to call them makes me think of the hijinks of the group that started out in the spring variously known as LulzSec, Anonymous and later adopted the moniker AntiSec. This loosely affiliated group emerged from the wake of the various attacks against Sony, and seemed to have nothing to prove but that it could make mincemeat out of whatever security measures had been put in place by Sony or whatever video game outfit it had targeted on a given day.

Sony’s Playstation Network was a favorite target, and its service was at least partially offline during two months ended in July.

Then, as summer dawned, the group’s members became aware of global politics and teamed up with Anonymous, the Wikileaks-allied band of hackers known for their campaigns of digital civil disobedience. Together they declared “immediate and unremitting war” on governments and corporations, and said their top priority would be to steal and leak any classified government information, including but not limited to email and documentation. They attacked an Arizona police agency as a way of making a statement against anti-immigrant laws in that state, and published the names and home addresses of several officers.

Later they sought to earn some street cred by stealing “secret” documents from NATO, only to learn after the fact that the documents they released had not only been released before, but weren’t even really all that secret to begin with. It wasn’t long before alleged members of the group started showing up in handcuffs, which seemed not to faze them. The prospect of body bags and real-world violence during a confrontation with Mexican drug cartels, however, did.

Yet for all the headlines they garnered and the headaches they caused, the LulzSec/Anonymous/AntiSec gang wasn’t anywhere near the scariest thing to appear on the computer security landscape in 2011. To my mind, one of the top three scariest things was the disclosure of Operation Shady RAT, which Intel-unit McAfee said appeared to be the biggest large-scale compromise ever, affecting 72 organizations and governments around the world, including the U.S., Taiwan, Vietnam, South Korea, Canada and India — some of them dating back as far as 2006. McAfee said the attacker was a “state actor,” though it declined to name it. The candidate highest on the short list was, naturally, China.

The second truly scary incident was the attack carried out against RSA Security, a unit of the IT company EMC, the maker of the popular SecurID tokens that so many people have on their keychains and use to create an added layer of security that goes beyond the password. Months later, the U.S. defense contractor Lockheed Martin was attacked with duplicate SecurID tokens.

Finally, the Stuxnet Trojan (used by parties officially unknown, but probably Israel with a little help from the U.S.) continued to fascinate and confound security researchers in 2011. Having caused nuclear centrifuges in Iran to explode in an attempt to set back that country’s nuclear weapons research program, Stuxnet was found to have a sibling called Duqu. Unlike Stuxnet, which messed with industrial control computers and made them do things they wouldn’t normally do, Duqu’s mission was much simpler: Steal everything in sight.

And after that, it was discovered by researchers at Kaspersky labs that Stuxnet and Duqu are part of an even bigger family, with at least three more siblings still undetected by researchers, and that all five were created by the same people and with the same tools. Chances are we’ll see at least a few of those final three in 2012, particularly as tension with Iran heats up.

So while there was much to consider scary happening on the Internet in 2011, I’m grateful for being wrong on one key prediction: That we didn’t see a significant computer attack used to physically harm innocent people on a large scale. That’s one prediction I hope to miss for years to come.

I can’t remember a year during which computer security stories jumped so readily from the tech and business pages to the front page.

The year 2010 was bookended by two such cases. It opened with Google’s disclosure that it had come under attack in China, an apparent attempt to penetrate the Gmail accounts of certain activists and journalists.

It ended with the WikiLeaks affair, which stemmed from the alleged theft by an Army private of classified documents stored on a government network.

And let’s not forget in mid-year came the story, as fascinating as it was sobering, of Stuxnet, a computer worm developed by parties unknown–although the smart money is on Israel–that penetrated and ultimately damaged equipment used in the Iranian nuclear program.

Computer hacking–which has for too long evoked images in the public mind-set of teenagers in basements taking digital joyrides–has finally revealed itself to everyone for what it has long been for those in the know: The domain of espionage, sabotage and possibly warfare.

In Google’s case, the attacks upon its systems raised questions about where it draws the line with authorities in Beijing about such matters as freedom of speech. When the attack was first disclosed, Google publicly mulled shutting down its operations in China.

Then in protest, it stopped censoring its search results, giving mainland Chinese access to the same search results available to residents of Hong Kong. Beijing responded by blocking access to Google’s site.

Finally, Google and China came to a new agreement, and Google appeared the loser in the battle of wills.

Computer security is one of those things that companies and governments say they take seriously, but never really seem to get a grip on, judging by the results.

In any case, there is no firewall or software in existence that could have prevented Bradley Manning from stealing the documents that he is alleged to have given to WikiLeaks. As a low-level Army intelligence analyst, he was a trusted insider who had access to this material in the course of his day-to-day job.

So, it was not technology that failed. The failure was one of internal policies that allowed him access to data not relevant to his position.

Any employee of a midsize company can see how wrong that is. Human-resources documents are limited only to those who work in that department. The same is true of people who work in the legal office, business development department and so on.

But it apparently didn’t occur to anyone in government to limit the access to what became the WikiLeaks cache to people who worked only for or closely with the State Department.

If it turns out that thousands of companies are better at protecting their business secrets than the U.S. government is, then it’s not for nothing that the Central Intelligence Agency task force investigating the WikiLeaks affair bears the initials “WTF.”

Something similar was true of Stuxnet. One of the reasons the attackers, whoever they are, succeeded was that they used several so-called “zero day” vulnerabilities in Windows.

These are undocumented weaknesses that hackers save up for special occasions as a way to open a back door into a computer and then insert a troublemaking payload, like a worm. Zero day exploits are a fact of life, and once spotted in the world, they’re usually patched.

The Stuxnet attackers used as many as four zero day exploits as a way to get their worm into targeted computers. Microsoft, to its credit, made short work of fixing them once they came to light.

Even so, the Stuxnet worm burrowed its way from Windows machines into industrial control computers known as SCADA systems, which are widely used to run factories, power plants, pipelines and all sorts of other infrastructure essential to modern life.

The worm was designed to find a specific target: The systems controlling a set of as many as 1,000 centrifuges at the uranium enrichment facility in Natanz, and make them spin faster than they were supposed to.

The ability to attack industrial computers and cause them to do things they’re not supposed to do has been a lingering fear among security experts for years. Researchers at the U.S. Department of Energy in 2007 looked at the potential for attacks on SCADA systems and proved that it was possible to seize control of an electrical generator and then make it destroy itself.

They also found that many of these systems are connected to the Internet for what seem like good reasons: Convenience and cost savings. But these connections have also opened them up to the same kind of attacks that rattled the Iranian facility in Natanz.

Another Stuxnet-like worm, the thinking goes, could be used to bring down a power grid, or poison drinking water, or shut down an oil or gas pipeline. The good news is that such an attack is expensive–Stuxnet, by one estimate, cost $10 million to create–and requires a lot of specialized insider knowledge.

The bad news is that the Stuxnet source code is circulating in the wild for anyone to study. And as the WikiLeaks case shows, there are often insiders willing to take part in criminal schemes.

The other bad news? Securing these systems won’t come cheap.

If history is any judge, there will likely be a barrage of computer security companies that try to spin these incidents into opportunities to make a sales pitch. That’s what security companies do, after all.

But they usually miss the point. How can you plan for a vulnerability you’ve never seen? How can you stop an otherwise trusted insider from abusing their access to sensitive information? Both are fundamentally difficult problems for which there are no easy answers.

Spending money on last year’s security vulnerabilities is like preparing to fight the last war: Circumstances inevitably change, and they certainly will in 2011. New kinds of attacks will arise, and they will catch their targets by surprise.

And the public, like the CIA, will reasonably ask, “WTF?”

The unvarnished fact is that the networked society to which we’ve become accustomed in the last several years has a soft, vulnerable underbelly.

And the more we rely upon it, the more people with a combination of advanced technical skills and repugnant motivations are going to look for ways to turn it against us.

Some will do so as a means of making a personal profit. Others may see it as a way of advancing a political or ideological agenda.

But others will want to use theirs skills to do serious harm to innocent people on a large scale.

And the events of 2010 point the way to a world where that’s a more realistic scenario than it ever was before.

What caused the disruptions? Finding five accidental failures in a week a bit hard to swallow, conspiracy theorists were quick to claim sabotage. But the cable operators and the International Telecommunication Union insisted the most likely culprit was an errant boat anchor. And their argument seemed to be borne out when an abandoned anchor was discovered near the second cable to be cut.

But now it appears the ITU itself may be finding the errant-anchor theory a bit suspect. With repairs completed on four of the five cables, the ITU has presumably been able to perform a fair bit of analysis on the cables at issue here, and it’s not convinced that it was Mother Nature who damaged them. “We do not want to pre-empt the results of ongoing investigations, but we do not rule out that a deliberate act of sabotage caused the damage to the undersea cables over two weeks ago,” Sami al-Murshed, head of the ITU, told Agence France-Presse. “Some experts doubt the prevailing view that the cables were cut by accident, especially as the cables lie at great depths under the sea and are not passed over by ships.”