Defendant Robert Tappan Morris was charged under the Computer Fraud and Abuse Act of 1986 for launching a “worm” on the Internet. Morris became the first individual to be tried under the new Computer Fraud and Abuse Act of 1986, 18 U.S.C. Section 1030(a)(5)(A) (Kelty, n.d.). On appeal, he argues that the United States government failed to prove that he intended every element of the offense (Case Briefs, n.d.).
Morris was a computer science graduate student at Cornell University. In October 1988, he began work on a computer program, later known as the INTERNET “worm” or “virus.” The goal of this program was to demonstrate the inadequacies of current security measures on computer networks by exploiting the security defects that Morris had discovered. The tactic he selected was release of a worm into network computers (US v. Morris, 1991).
On November 2, 1988, Morris released the worm from a computer at the Massachusetts Institute of Technology. MIT was selected to disguise the fact that the worm came from Morris at Cornell. Morris soon discovered that the worm was replicating and reinfecting machines at a much faster rate than he had anticipated. Ultimately, many machines at locations around the country either crashed or became “catatonic.” When Morris realized what was happening, he contacted a friend at Harvard to discuss a solution. Eventually, they sent an anonymous message from Harvard over the network, instructing programmers how to kill the worm and prevent reinfection. However, because the network route was clogged, this message did not get through until it was too late. Computers were affected at numerous installations, including leading universities, military sites, and medical research facilities. The estimated cost of dealing with the worm at each installation ranged from $200 to more than $53,000 (US v. Morris, 1991).
Morris was found guilty, following a jury trial, of violating the Computer Fraud and Abuse Act of 1986, 18 U.S.C. § 1030(a)(5)(A). He was sentenced to three years of probation, 400 hours of community service, a fine of $10,050, and the costs of his supervision (US v. Morris, 1991).
The ethical issue that was raised by this case was that Morris’ transmission of computer “worm” constituted intentionally accessing federal interest computers without authorization and prevents authorize use of information in those computers causing loss of $1,000 or more; And that Morris used computer program that transfers and receives electronic mail and program that permits person to obtain limited information about users of another computer to release “worm” into group of national networks that connected university, governmental, and military computers around the country and use of those features was not in any way related to their intended function (US v. Morris, 1991).
However, based on an article written by Kelty (n.d.), what Morris did, objectively, was to force certain security vulnerabilities to be fixed by writing a program that publicly exploited them. As the author of one official investigation, Eugene Spafford, pointed out, the code contained no commands that would harm a computer on which it ran, only commands intended to exploit vulnerabilities that allowed the code to copy itself and spread. On the other hand, his conviction for Fraud and Abuse clearly sends a different message—that this was a criminal act, and as the law had it, one that threatened not just citizens, but the federal government itself .
But the most significant effect of the worm was how it permanently changed the culture of the Internet. It forced software vendors to take security flaws in their products seriously (Lee, 2013). The worm pointed out a number of glaring security holes in UNIX networks which would probably have gone unknown, or at least been ignored as not very significant, had not the worm been so graphic in its exploitation of such “little” bugs. There are even those who suggest thanking Morris for his actions as they provided a serious wake up call to system administrators around the country. Of course, other people have pointed out that there might have been other ways of delivering the same message. Before late 1988, computer security was not a major concern of internet community, at least, not to the degree it was after November 2. There were a number of other bugs that the worm did not exploit, but which were discovered during a close reinspection of operating systems and (hopefully) patched up (Sudduth, 1988).
References
Case Briefs. (n.d.). United States v. Morris. Retrieved from Case Briefs: https://www.casebriefs.com/blog/law/criminal-law/criminal-law-keyed-to-dressler/mens-rea/united-states-v-morris/
Kelty, C. M. (n.d.). THE MORRIS WORM. Retrieved from Limn: https://limn.it/articles/the-morris-worm/#edn1
Lee, T. B. (2013, November 1). How a grad student trying to build the first botnet brought the Internet to its knees. Retrieved from The Washington Post: https://www.washingtonpost.com/news/the-switch
Sudduth, A. (1988, November 3). The Lessons of the Worm. Retrieved from The Morris Internet Worm: https://snowplow.org/tom/worm/worm.html
US v. Morris, 928 F.2d 504 (2d Cir March 7, 1991).
Information and Computer Ethics 
Leave a comment