At about 8:30 p.m. on Nov. 2, 1988, a maliciously clever program was unleashed on the internet from a computer at the Massachusetts Institute of Technology.
This cyber worm was soon propagating at an astonishing speed and grinding computers to a halt. “We are currently under attack,” wrote a concerned student at the University of California, Berkeley in an email later that night. Within 24 hours, an estimated 6,000 of the approximately 60,000 computers that were then connected to the internet at the time had been hit, according to an FBI report. (Computer worms, unlike viruses, do not need a software host but can exist and replicate on their own.)
Berkeley was far from the only victim. The rogue program had infected systems at a number of prestigious colleges and public and private research centers that made up the early national electronic network. This was a year before the invention of the World Wide Web, the FBI said and among the many casualties were Harvard, Princeton, Stanford, Johns Hopkins, NASA and the Lawrence Livermore National Laboratory.
The worm affected computers running a specific version of the Unix operating system, but it spread quickly and widely because it featured multiple vectors of attack, according to the FBI. For example, it exploited a backdoor in the internet’s electronic mail system and a bug in the “finger” program that identified network users. It was also cunningly designed to stay hidden.
According to FBI investigators, the worm did not damage or destroy files, but it still packed a hard punch. Vital military and university functions slowed to a crawl; emails were delayed for days. The nascent network community struggled to figure out how the worm worked and how to remove it. Some institutions wiped their systems; others disconnected their computers from the network for as long as a week. Exact damages were difficult to quantify, but estimates started at $100,000 and soared into the millions.
As computer experts worked feverishly on a fix, the FBI said, the question of who was responsible became more urgent. Shortly after the cyber-attack, a sheepish programmer contacted two friends, admitting he had launched the worm and expressed he was desolate because it had spiraled dangerously out of control. He asked one friend to relay an anonymous message across the internet on his behalf, with a brief apology and guidance for removing the program. Ironically, few received the message in time because the network had been so rapidly and badly damaged by the worm.
On his own, the other friend made an anonymous call to The New York Times, which would soon "splash news of the attack across its front pages." The friend told a reporter that he knew who built the program, saying it was meant as a harmless experiment and that its spread was the result of a programming error. In follow-up conversations with the reporter, the friend inadvertently referred to the worm’s author by his initials, RTM. Using that information, The Times soon confirmed and publicly reported that the culprit was a 23-year-old Cornell University graduate student named Robert Tappan Morris, the FBI said.
Morris was a gifted computer scientist who had graduated from Harvard in June 1988. He had grown up absorbed in computer technology due to his father, who was an early innovator at Bell Laboratories. At Harvard, Morris was known for his technological skills, especially in Unix; he was also known as a prankster, the FBI said. After being accepted into Cornell that August, he began developing a program that could spread slowly and secretly across the internet. To hide his tracks, he released it by hacking into an MIT computer from his Cornell terminal in Ithaca, New York, according to the FBI.
After the incident became public, the FBI launched an investigation. Agents quickly confirmed that Morris was behind the attack and began interviewing him and his associates and decrypting his computer files, which yielded a mountain of incriminating evidence.
But had Morris broken federal law? Absolutely! In 1986, Congress had passed the Computer Fraud and Abuse Act, outlawing unauthorized access to protected computers. Prosecutors indicted Morris in 1989. The following year, a jury found him guilty, making him the first person convicted under the 1986 law. Morris, however, was spared jail time, instead receiving a fine, probation, and an order to complete 400 hours of community service, according to the FBI report.
The episode had an enormous impact on a nation just coming to realize how important — and vulnerable — networked computers had become across academia, research centers, government, industry – and to individual users. The idea of cybersecurity became something computer users began to take more seriously. Just days after the attack, for example, the country’s first computer emergency response team was created in Pittsburgh at the direction of the Department of Defense, the FBI said. Developers also began creating much-needed computer intrusion detection software and began recommending other cyber safeguards as well.
The FBI credits the Morris Worm with inspiring a new generation of hackers and the incessant wave of internet-driven assaults that continue to plague digital systems to this day. Whether accidental or not, this first internet attack 30 years ago unleashed the cyber-threats we face today — ranging from fraud and identity theft to attacks on our critical infrastructure by rogue nations and international bad actors. At the same time, U.S. industries are targeted for their intellectual property and other sensitive corporate data, and universities for their cutting-edge research and development.
The FBI says cybersecurity is everyone's responsibility!
For more information about the FBI's cybersecurity efforts, read "Addressing Threats to the Nation’s Cybersecurity" brochure, and visit the FBI’s cyber-crime page: https://www.fbi.gov/investigate/cyber.