A Cybercrime Flashback: The Morris Worm Case

Going back on a trip down memory lane… back when cyber criminals did short jail sentences followed by lucrative consulting gigs.  Times have changed and now hackers that are caught generally get longer sentences and are banned from working with computers.  In any event, Mr. Morris was convicted under the Computer Fraud and Abuse Act of 1986, 18 U.S.C.S. § 1030(a)(5)(A), for releasing a worm which crashed computers at various educational and military sites. A computer worm is a standalone malware computer program that replicates itself in order to spread to other computers.

Morris appealed his conviction and argued the government had to prove not only that he intended the unauthorized access of a federal interest computer, but that he also intended to prevent others from using it. The court found that the mental state requirement of the statute was enacted to proscribe intentional acts of unauthorized access. The court rules that the “intentionally” standard only applied to the access and not to the damages phrase of the statute.

Morris also argued his conduct constituted at most “exceeding authorized access” rather than “unauthorized access,” because he was authorized to communicate with other computers and to send electronic mail. The court found the evidence was sufficient to determine that Morris’ access was unauthorized use. Since the Morris work was designed to invade computers that he was not authorized to access, this was a no brainer.

If this case was heard today, Mr. Morris would probably be banned from working with computers… he should be glad that when his worm was released, there were profits to be made from these acts.  You may find the Morris case opinion here.

Leave a Reply

Your email address will not be published. Required fields are marked *