Does the punishment fit the crime? Let’s dive into this week’s Tech Time Warp to find out.
Insiders from the nascent cybersecurity industry debated this question after the May 4, 1990, sentencing of Robert Tappan Morris, the first individual prosecuted under the Computer Fraud and Abuse Act, passed by Congress in 1986.
Morris was sentenced to three years’ probation, fined $10,000, and ordered to perform 400 hours of community service. Prosecutors had asked for five years in prison and a $250,000 fine.
The sentence came after the Cornell University graduate student was convicted of unleashing the Morris worm in November 1988. Disguised to look like it came from the Massachusetts Institute of Technology (MIT), the Morris worm hit 6,000 of the then-estimated 60,000 computers connected to the internet. These were computers found at colleges, universities, and public and private research centers. The Ivy League, Johns Hopkins, and NASA were all hit with the worm, which didn’t destroy or damage files but slowed functionality and delayed email deliverability.
Intent, impact, and a turning point for cybersecurity law
Morris’ defense was that his worm was designed to publicize security vulnerabilities. However, due to a programming error, the worm replicated itself at a much faster rate than intended. Morris contacted a couple of friends to help him distribute a message about how to remove the worm. However, the Morris worm was already slowing traffic, including delivery of said message. One of his friends also contacted The New York Times and referred to the creator of the worm as “RTM”—Morris’ initials—which led to his apprehension.
While many felt Morris didn’t receive enough punishment, Morris himself appealed his conviction. His conviction was upheld—and Congress significantly expanded cybersecurity protections with the 1996 passage of the National Information Infrastructure Protection Act.

