At 8:30 in the evening on Wednesday 2 November 1988, a 23-year-old graduate student named Robert Tappan Morris, in his first semester of a PhD programme in computer science at Cornell University, logged into a Massachusetts Institute of Technology computer from his terminal in Ithaca, New York. He had recently graduated from Harvard, his father was the chief scientist at the NSA’s National Computer Security Center, and he had been working for several weeks on a small experimental program designed, in his own later description, to gauge the size of the internet — which at the time consisted of approximately 60,000 connected machines running mostly at universities, research labs, and military facilities. Morris logged into MIT in order to obscure the program’s origin from Cornell, then released the program into the wider network. Within hours, it had brought 10 percent of the internet to a standstill.

According to the FBI’s own history of the Morris worm, the program was designed to copy itself from one computer to another, exploiting known software vulnerabilities in the Unix systems that dominated the ARPANET. Morris had built in mechanisms intended to keep its spread under control — including, in principle, a check that would slow reinfection of already-infected machines. The check did not work as intended. Within hours of release, the worm was reinfecting machines repeatedly, with each infected machine running multiple copies of the program at once. The cumulative computational load brought infected machines to a crawl, then to a complete stop. Approximately 6,000 of the 60,000 machines on the early internet — about 10 percent — were rendered unusable within the first 24 hours.

What the worm actually did

The Morris worm did not steal data, encrypt files, or damage hardware. According to a Lawrence Livermore National Laboratory retrospective on the incident, it simply replicated itself, jumping from machine to machine across the network, exploiting three specific Unix weaknesses to gain access. The first was a debugging mode that had been accidentally left enabled in the sendmail email server program, allowing the worm to deliver itself as an email payload that would then execute as code. The second was a buffer overflow vulnerability in the fingerd network daemon, which the worm exploited to inject and execute its own code on the target machine. The third was weak passwords: the worm carried a list of approximately 400 common passwords, which it tried in combination with usernames from the system’s password file to crack accounts on machines that were not vulnerable through the other two methods.

The combination was extraordinarily effective at spreading, but the spread itself was what caused the damage. The worm’s intended design had included a probability check — if a target machine reported that it was already infected, the worm was supposed to skip it with a probability of 6 in 7. The implementation contained a subtle bug. Even when the target reported infection, the worm sometimes installed itself anyway, producing layer upon layer of copies on a single machine. Infected machines slowed dramatically as they spent all their processor cycles running concurrent instances of the worm and attempting to spread it further. System administrators across the country watched their workstations grind to a halt over the night of 2-3 November, with no clear understanding of what was happening or how to stop it.
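The load effect of that reinfection check can be seen in a small model. This is an added illustration, not the worm's code or anything from the sources cited here; the host count, the number of rounds, the rule that every running copy probes one random host per round, and the name `simulate` are all assumptions of the toy model.

```python
import random


def simulate(hosts=200, rounds=30, reinfect_prob=1 / 7, seed=1988):
    """Toy spread model (constructed, not measured data).

    Each round, every running copy probes one random host. A clean host is
    always infected. A host that is already infected is skipped, except that
    with probability `reinfect_prob` another copy is installed anyway.
    Returns the number of running copies on each host.
    """
    rng = random.Random(seed)          # fixed seed keeps the run repeatable
    copies = [0] * hosts
    copies[0] = 1                      # first infected machine
    for _ in range(rounds):
        new = [0] * hosts
        for _ in range(sum(copies)):   # one probe per running copy
            target = rng.randrange(hosts)
            already = copies[target] + new[target] > 0
            if not already or rng.random() < reinfect_prob:
                new[target] += 1
        copies = [c + n for c, n in zip(copies, new)]
    return copies


def summary(copies):
    """Return (infected hosts, total running copies, worst per-host count)."""
    return sum(1 for c in copies if c), sum(copies), max(copies)


if __name__ == "__main__":
    # A check that always skips infected hosts caps the load at one copy each.
    print("always skip :", summary(simulate(reinfect_prob=0.0)))
    # Installing anyway 1 time in 7 lets copies pile up after saturation.
    print("1-in-7 anyway:", summary(simulate(reinfect_prob=1 / 7)))
```

Once every host is infected, the strict check stops all growth, while the 1-in-7 case keeps adding copies each round because the number of probes grows with the number of copies already running.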

How it was stopped

The response involved a coordinated effort by Unix programmers at universities and research labs across the United States, working through long telephone calls and a still-functioning network of internet sites that the worm had not yet reached. The Computer Systems Research Group at UC Berkeley, the Lawrence Livermore National Laboratory, MIT, and Purdue all played significant roles. Within about 36 hours, the affected community had reverse-engineered the worm, identified its propagation mechanisms, and distributed patches to the vulnerabilities it exploited. By the end of the week, most infected machines had been cleaned and the worm’s spread had been halted. The total economic damage from the incident has been variously estimated at between $100,000 and $10 million in lost productivity and recovery costs, with most credible figures clustering at the lower end of that range.

The institutional response was more significant than the immediate damage. The Defense Advanced Research Projects Agency, which then administered the ARPANET, funded the creation of the Computer Emergency Response Team Coordination Center, or CERT/CC, at Carnegie Mellon University in November 1988, specifically as a response to the Morris worm. CERT/CC became the model for similar coordinating organisations around the world and remains the central US clearing-house for cybersecurity incident response. The Department of Energy established its own Computer Incident Advisory Capability at Lawrence Livermore in February 1989, also as a direct response to the worm. The modern field of cybersecurity, as an organised institutional practice with national-level coordinating bodies, began the morning of 3 November 1988 with system administrators across the country trying to figure out what was running on their machines.

The conviction

The FBI opened its investigation within days of the incident becoming public. According to the Wikipedia reference on the Morris worm, the bureau identified Morris quickly. A friend whom Morris had told about the program had made an anonymous call to the New York Times shortly after the worm was released, attempting to explain that the spread had been a mistake. During the call, the friend slipped and referred to Morris by his initials, “RTM.” The Times confirmed the identification through publicly available Cornell records, and the FBI traced the rest. Morris cooperated with investigators.

In 1986, two years before the worm, the US Congress had passed the Computer Fraud and Abuse Act, which made unauthorised access to “protected computers” a federal crime. The law had not yet been used against any defendant. Morris was indicted in 1989 and convicted by a jury in 1990, in what was the first felony conviction under the CFAA in US history. He was sentenced to three years of probation, 400 hours of community service, and a $10,050 fine. He served no prison time. The leniency of the sentence reflected, in part, the judge’s acceptance that Morris had not intended to cause harm — he had genuinely been trying to measure the internet, and the damage was the result of a coding error.

What happened to Morris

The conviction did not end Morris’s career. According to the Crime Museum’s biographical profile of Morris, he completed his PhD in computer science at Harvard in 1999, joined the faculty of MIT the same year, and received tenure in 2006. He co-founded the early e-commerce platform Viaweb with Paul Graham, which was acquired by Yahoo in 1998 for shares then worth approximately $49 million and renamed Yahoo Store. He co-founded the Silicon Valley startup accelerator Y Combinator in 2005, also with Graham, which has since funded more than 5,000 companies including Airbnb, Dropbox, Reddit, and Stripe. By any conventional measure of professional success, the conviction was a footnote in Morris’s career rather than a defining event.

The Morris worm itself remains a landmark in the history of computing for two reasons. The first is that it was the first program of its kind to demonstrate that the internet — built on a network of trust between technically sophisticated users, with security treated as a secondary concern — was vulnerable to malicious or accidental disruption at scale. The second is that it established a legal precedent under which subsequent computer-fraud cases have been prosecuted for more than three decades. A small experimental program written by a graduate student, intended to count the size of a network, ended up creating both the discipline of cybersecurity and the legal framework that polices it.