Grand Jury Indicts Student For Crippling Nationwide Computer Network

By John Markoff
The New York Times

July 26, 1989

After more than eight months of delay, the Justice Department said Wednesday that a federal grand jury in Syracuse, N.Y., had indicted the 24-year-old Cornell University graduate student who has been blamed for crippling a nationwide computer network with a rogue software program.

The student, Robert Tappan Morris, was charged with a single felony count under a 1986 computer crimes law, the Computer Fraud and Abuse Act. Justice Department officials said the indictment was the first under a provision of the law that makes it illegal to gain unauthorized access to federal computers.

A spokesman for the Justice Department said Wednesday that the indictment had been delayed simply because of the time taken to develop evidence.

But legal experts familiar with the case said the department had been stalled in efforts to prosecute Morris because of an internal debate over whether it might be impossible to prove the charges. Under the 1986 law, prosecutors must show that Morris intended to cripple the computer network.

As a result of this concern, the U.S. attorney in Syracuse, Frederick J. Scullin Jr., had considered a plea bargain in which Morris would have pleaded guilty to a misdemeanor charge. This approach was apparently resisted, however, by Scullin's superiors in Washington, who wanted to send a clear signal about the seriousness of computer crime.

Three bills now pending before Congress would make it easier than with the 1986 law to prosecute malicious invasion of computer systems.

The indictment charges that Morris was the author of a computer program that swept through a national network composed of more than 60,000 computers on November 2, 1988, jamming as many as 6,000 machines at universities, research centers and military installations.

The software, which computer hackers call a "virus," was supposed to hide silently in the computer network, two of Morris' college friends said, but because of a programming error it multiplied wildly out of control. The friends said Morris' idea had been simply to prove that he could bypass the security protection of the network.

According to Wednesday's indictment, Morris gained unauthorized access to computers at the National Aeronautics and Space Administration's Ames Research Center in Moffett Field, California; the U.S. Air Force Logistics Command at Wright Patterson Air Force Base in Dayton, Ohio; the University of California at Berkeley, and Purdue University.

The indictment charges that the program shut down numerous computers and prevented their use. It charges Morris with causing "substantial damage" at many computer centers resulting from the loss of service and the expense incurred diagnosing the program.

The felony count carries a maximum penalty of five years in prison and a fine of $250,000, in addition to which the convicted person can be ordered to pay restitution to those affected by his program.

Morris' lawyer, Thomas A. Guidoboni, said his client intended to plead not guilty. Morris, who now lives in the Boston area, was scheduled to be arraigned on Wednesday, August 2, before Gustave J. DiBianco, a U.S. magistrate in Syracuse.

Morris' father, Robert, the chief scientist for the National Security Agency, said the family planned to stand behind their son. "We're distressed to hear of the indictment," he said.

After realizing that his program had run amok, Morris went to his family home in Arnold, Maryland, and later met with Justice Department officials.

The 1986 law was the first broad federal attempt to address the problem of computer crime. Morris is charged with gaining unauthorized access to computers, preventing authorized access by others and causing more than $1,000 in damage.

The incident raised fundamental questions about the security of the nation's computers and renewed debate over who should be responsible for protecting the nation's non-military computer systems.

Last year Congress settled a debate between the National Security Agency and the National Institute of Standards and Technology by giving authority over non-military systems to the civilian agency.

Last week, however, a General Accounting Office report based on an investigation of the incident recommended that the Office of Science and Technology Policy coordinate the establishment of an interagency group to address computer network security.

The incident has also bitterly divided computer scientists and computer security experts around the country. Some have said they believe that "an example" should be made of Morris to discourage future tampering with computer networks.

Others, however, have argued that Morris performed a valuable service by alerting the nation to the laxity of computer security controls.

Copyright 1989 The New York Times Company