Cyber Security Impact: The 30th Anniversary of the Morris Worm

It was thirty years ago this November that a young grad student changed the world of cyber security forever. Robert Morris Jr., intent on discovering how big the internet was, accidentally set loose the first ever internet worm upon thousands of helpless computers.

This is a tale of caution. The world of cybersecurity is an exciting, constantly changing puzzle. Over the years, it has drawn all kinds of people into the challenge. As interesting and fun as being a cyber security major can be, students need to remember that what may start out as probing vulnerabilities out of simple curiosity can have disastrous results if you aren’t trained and careful.

Picture this. It is 1988: George H.W. Bush is running for president, the Teenage Mutant Ninja Turtles have conquered pop culture, and the cinematic masterpiece Coming to America has just hit theaters. The internet is a completely different animal than it is today. We are just beginning to explore its vastly open world of connectivity which has only recently been accessible by laypeople. And that’s because a nice desktop computer is still going to set you back about 1,000 dollars. At this point, a computer is a luxury and not everyone can afford one. Hackers do exist, but they only go after big fish and would never bother with your insignificant personal computer. Cyber security isn’t something that users are concerned about.

Enter the Morris worm. Robert Morris was an alumnus of Harvard University and was working to complete a graduate degree at Cornell when he released the worm from an MIT computer, hoping it would seem as though it was being sent out by someone there. The worm exploited a vulnerability in the Unix system that allowed it to enter almost any computer. Morris intended to use the worm to answer a question for him: how big is the internet?

In addition to trying to give himself more time to run the program by sending it out from MIT, Morris took other measures to make sure his experiment would succeed. If deleting the worm was too easy Morris wouldn’t be able to accurately collect his data. To make it harder to get rid of, he instructed the worm to copy itself even after it was recognized by a user. He did not test the program on a smaller scale before sending it out but was sure it would take the worm a long time to go through the entire internet. Unfortunately for Morris, the program took his copy command a little differently than he expected.

It began to copy itself exponentially, crashing computer after computer. Large pieces of the internet came to a standstill, infected by the runaway program. It took hundreds of people days to clean up the virtual mess left in the wake of the Morris worm, which did between an estimated $100,000–10,000,000 dollars’ worth of damage.

"The Morris worm was really the first malware of its kind,” says Dr. William Butler, chair of cyber and information security at Capitol Technology University. “The way it exploited early computer vulnerabilities helped pave the way for modern day security and penetration testing."

It also woke the public up to the need for cybersecurity. Prior to the invasion of the worm, no attack had affected so many private users and companies at once. The worm took down computer systems in government facilities, hospitals, and military bases in addition to privately owned computers. Although the inflicted damage was an accident, Morris was the first person to ever be convicted under the 1986 Computer Fraud and Abuse Act.

After serving a lightened sentence of three years of probation, 400 hours of community service, and paying a fine of $10,050, Morris came out on the other side of his mistake. Today he is an instructor in MIT’s AI lab, and has steered clear of releasing any further malware apocalypses.

If you want to learn more about the world of cybersecurity, join us for Cyber Saturdays, sign up for one of our summer camps, or check out our variety of cyber related programs. Capitol Technology University is a DHS/NSA designated National Center for Academic Excellence in Information Assurance and Cyber Defense Education (CAE-IA/CD).