As the Morris Worm Turned

Twenty years later, cybersecurity remains a challenging set of problems

At half past midnight on November 3, 1988, subscribers to an email list for TCP-IP developers received an ominous message: "There may be a virus loose on the Internet," it warned.

A worm written by a Cornell grad student, Robert Tappan Morris, had been released from Massachusetts Institute of Technology. Designed to test the size of the Internet, it got access to computers by exploiting a variety of vulnerabilities, including easy-to-guess passwords and weaknesses in the sendmail and finger server processes that ran on most of the hosts.

There were only about 88,000 computers on the Internet, then used mainly by computer scientists and the Defense Department. But as the "Morris worm" wiggled around, it copied itself over and over on some machines, executing multiple simultaneous processes and causing crashes.

Bill Scherlis was an assistant professor of computer science at Carnegie Mellon temporarily working at the Defense Advanced Research Projects Agency. He and others at DARPA suddenly began receiving reports about problems from all over the country, but because panicked users were pulling sites offline to avoid infection and the remaining email queues were saturated with the worm, Scherlis wound up glued to his phone for the next 72 hours.

"I'm glad I had a headset," says Scherlis, now a professor in SCS and director of the Institute of Software Research and its Ph.D. program in software engineering.

Although the Morris worm wreaked a high toll in terms of lost productivity, it actually helped the Internet's development, Scherlis says: "It got us thinking about a systematic approach to protection." The approach he and his colleagues suggested --- a permanent organization to respond to cybersecurity problems --- became the Computer Emergency Response Team. Today, the rapid response unit (known as the CERT Coordination Center) is one part of a broader effort by CERT at assessing risks, analyzing network security, devising procedures and "best practices" and training IT professionals.

CERT celebrated its 20th anniversary March 10 and 11 in Pittsburgh with a two-day technical symposium designed to bring together people and groups that have taken the lead in cybersecurity. The invitation-only gathering was an intentionally low-key affair, says Archie Andrews, senior member of CERT and the event's coordinator. "Rather than widely advertising the event, we wanted to bring the movers and shakers together in one place at one time to encourage frank and honest exchange," he says.

A generation ago, the Internet was making the transition from what Scherlis calls a "small-town" culture to that of "a big city where you need to keep your eyes open all the time." When the Morris worm hit, DARPA researchers had to quickly learn how it worked, what damage it was causing and who could rapidly engineer fixes. Scherlis worked with Stephen Squires, then software technology program manager at DARPA, to study the aftermath and make recommendations to the Pentagon.

Most of the havoc created by the Morris worm was caused by denial-of-service problems, but if it had been malicious, it could have corrupted or compromised data on every machine it touched. "The worm had access to every file on every infected computer," Scherlis says. "It could have violated the data on every infected computer  ...  we were daunted by the unrealized potential for vast damage." One of DARPA's recommendations was creation of a neutral team "to collaborate with the community, mobilize resources and coordinate response from multiple organizations," Scherlis says. After their memo reached then-DARPA Director Craig Fields, he asked Larry Druffel, director of Carnegie Mellon's Software Engineering Institute from 1986 to 1996, to oversee CERT's creation.

Those gathered for the anniversary symposium looked at the past but spent more time examining the frontiers of Internet security. Keynote speakers included Vinton Cerf, vice president and chief Internet evangelist for Google; U.S. Navy Rear Adm. Elizabeth Hight, vice director of the Defense Information Systems Agency; John Gilligan, former chief information officer for the U.S. Air Force and now president of the Gilligan Group, a Virginia-based consultancy specializing in defense information networks; Scott Charney, Microsoft's corporate vice president for trustworthy computing; and Jonathan Zittrain, professor of law and co-founder of the Berkman Center for Internet and Society at Harvard University.

A panel led by David Farber, professor of computer science and public policy at Carnegie Mellon, discussed emerging security challenges, while SCS Dean Randy Bryant led a forum on security and privacy issues in cloud-based computing systems. A government panel focused on areas of concern within the U.S. government and means of sharing those concerns with the private sector.

Privacy issues were another topic of discussion. Knowing the identity of other users can prevent scams and predatory behavior, Andrews says, but if you track everyone's identity, participants noted, are you violating their right to privacy?

Twenty years after the Morris worm, cybersecurity researchers are still wrestling with the legacy of the Internet's "small-town" culture, Scherlis says. "Perhaps we continue to wrestle because we know it is such a shame to have to abandon trust just because there are few bad actors," he says. "That's our challenge --- how to build technology and institutions so we can have it both ways. We need to remember that despite its scale and pervasiveness the Internet is still quite malleable."

CERT's presence in Pittsburgh since 1988 has helped make Carnegie Mellon a "powerhouse" in cybersecurity, Scherlis says. "When we took on this public service role, there were amazing things that happened," in terms of attracting top faculty, students and projects, he says. "We have real opportunities ahead of us."
For More Information: 
Jason Togyer | 412-268-8721 | jt3y@cs.cmu.edu