It was 25 years ago Tuesday that The New York Times first named 23-year-old Cornell graduate student Robert Morris as the culprit behind what became known as the Morris Worm, the Internet's first major malware outbreak. The man who would prosecute Morris for his actions was Mark Rasch, who was then a prosecutor in the Department of Justice's fledgling computer crime unit. Last week, we talked by phone to discuss the Morris case, computer crime law, and the recent controversy over Internet activist Aaron Swartz. Swartz was indicted for downloading articles from the academic archive JSTOR and committed suicide earlier this year.
Timothy B. Lee: What was your role at the Department of Justice in 1988?
Mark Rasch: I was a trial attorney with the fraud section of the criminal division. We had a computer crime unit. To the extent there was a head of that unit that was me. There were two people. We did all of the computer crime cases back then. I was at Justice from 1983 to 1992. We worked out of [the] main Justice [Department building in Washington D.C.].
Was there much computer crime to prosecute in 1988?
There was some. One of the things I was working on at the time was the "Cuckoo's Egg" case. Clifford Stoll wrote a book about that case: East German hackers hacking in to steal information about the Strategic Defense Initiative. Also, Kevin Mitnick. There were a few dozen [computer crime cases].
How did the Morris Worm case come to your attention?
I was actually at the headquarters of DEC in Boston on a computer crime case when I got a phone call that told me that the Internet was down. So we started looking into what was going on. We went back to Washington to investigate how the Internet was down, and what was going on and who was responsible, whether this was an attack on our military capabilities or something else.
In the original indictment, we included the Wright-Patterson Air Force Base as one of the victims of the crime. We had been told that Wright-Patterson was offline for several days and that they believed that the attack was a Soviet attack on our ability to wage war. When we got there, we found out that although they were supposed to go offline for several days, they'd actually gone offline for a few minutes because a civilian employee ignored the order. So we couldn't demonstrate any significant damages besides panic. When we removed them from the indictment, everyone assumed it was because of classified military information as opposed to the actions of a rogue civilian employee.
How did you identify Morris as the culprit?
A lot of ways. One way was with computer forensics. Tracing back the source of the worm. The second way was one of Morris's friends told The New York Times in response to some articles that John Markoff was writing he inadvertently gave his initials.
Can you talk about how and why you felt Morris's conduct deserved to be prosecuted as a felony?
It was a considered decision. Clearly his conduct was within the definition of the felony within the statute. It wasn't like the felony was a stretch. It was clearly serious conduct. Clearly disruptive conduct. The issue we had to deal with was: Was there a reason to charge this as a misdemeanor? You had conduct that was planned, premeditated, that was deliberate, over periods of months, that caused massive disruption and expense to a wide number of different individuals. We asked ourselves is there a reason to treat this the same as shoplifting from a Safeway?
Misdemeanors are generally considered to be minor or trivial offenses. And we didn't believe that an attack of this nature was a minor or trivial offense. On the other hand, we didn't believe that Morris intended to cause harm or damage. We didn't believe that the damage was necessarily foreseeable. We debated that. I still debate that.
What did you decide to do?
What we decided to do is charge him with a single felony count. Each computer could have been a separate count. Each count can be charged as a felony, each count theoretically can carry its own 20 years. So we could have charged him with hundreds or thousands of felony counts. We charged him with one.
That was a risky move because we put all of our eggs in one basket. If the jury didn't believe that we had proven that one count, we would have lost the case in its entirety. That was a deliberate decision to reach a compromise. Something more than a misdemeanor, less than the death penalty.
We also considered the fact of this being the first major computer hacking trial. There were a lot of people watching to see what would happen.
I don't believe that you over-prosecute someone to send a message. I don't believe in the head-on-a-stake theory of prosecution. But there was genuine concern that if the government treated this as a misdemeanor, a trivial offense, that others would go out and do it. Others would be encouraged or not discouraged from doing it. That played a small part in our consideration. Generally we considered the merits of Robert Morris and his actions.
What do you think motivated Morris to do what he did?
Even to this day, I have never spoken directly to Robert Morris. If I were his lawyer I would not have let him talk to me either. But I believe that he was one of the generation of true hackers, and by that I mean explorers. He was motivated mainly by curiosity and by a desire to show that he could do it.
There was no small amount of pride but not hubris. He wasn't particularly arrogant, but he wanted to demonstrate that he had these skills to be able to do this. That showed in the design of the worm itself. Even though the worm was never designed to cause harm or damage, it was very clear to the jury that he never intended to cause harm or damage; it was designed to infiltrate widely, propagate wildly, and to be difficult to effectively remove.
That ended up being his undoing because he had programmed the worm to not re-infect infected computers some of the time, but to make it robust, it was designed to occasionally re-infect a computer. He just picked the wrong number as the re-infection rate. So in a very reason sense he was playing with digital fire.
What range of penalties could Morris have received as a result of his conviction?
Morris committed his offense on Nov. 2 1988. Federal sentencing guidelines came into effect Nov. 1, 1988. So Robert Morris was one of the first criminal cases in the United States to apply the federal sentencing guidelines. It gave the court very little discretion at sentencing. [The law treats damage] resulting from a computer crime the same as a theft. If you commit a computer hack that causes a million dollars worth of damage, even if it's only a dollar's worth of damage to a million people, [the law] treats that as if you had stolen a million dollars.
The problem we had was our estimates of damage or loss resulting from the worm ranged from a low end of $250,000 to $96 million. Even at the low end, it would have treated Robert Morris as if he had stolen a quarter of a million dollars, which he did not. It was an interesting dilemma at sentencing. He didn't steal anything, but he did cause a lot of disruption.
We debated back and forth what we considered to be an appropriate sentence. Consistent with the federal sentencing guidelines, it imposed an 18-month sentence. The court found that the federal sentencing guidelines did not apply to Morris's conduct and sentenced him to probation. We did not appeal. We could have appealed and asked for a greater sentence. We did not.
What defenses did Morris raise?
There were really a couple of defenses. Some were legal. Some were factual. Some were emotional. The emotional defense was that Robert Morris was not a bad person, did not intend to cause any harm, and simply made a mistake. None of which we disputed.
Factual issues revolved around the scope of damage and loss, the impact that the worm had on "victims," and what the government could prove about who wrote the worm, although he did testify that he wrote the worm. He came in and testified, "I did it, and I'm sorry." I turned to my co-counsel and asked, "Should I prove he didn't do it or he's not sorry?"
Morris's legal argument was that the wording of the CFAA, which made it a crime to intentionally access a computer without authorization and cause damage. One of the legal arguments was he did not intend to cause damage, and the word intent in the statute modifies both "access" and "damage."
The second legal argument was that he did not access the computer without authorization, or in other words that he had the authorization to access any computer on the Internet that he had the ability to access. And the court rejected both of those arguments.
A third argument he made was he didn't access any computers at all. Only computers he accessed was the one at Cornell, which he was authorized to access. That his virus or worm accessed the other computers.
How did you learn about what Morris did and why?
We talked to his friends. His friends were witnesses for us. They didn't have a choice.
There was a core group. Just as a coincidence, one of the meetings where Robert Morris was discussing the worm occurred at a Legal Seafood in Kendall Square in Boston while he was visiting Boston where he went to college with his friends. By absolute coincidence, I happened to be there at the same time. At that Legal Seafood.
He talked about how it was developed, how it worked, what vulnerabilities it exploited. At one point he was at a meeting back at Harvard, he got so excited that he literally jumped up on a table pacing back and forth on the table explaining how it worked, without realizing he was standing on the table. This was in Aikin Hall.
How do you think the prosecution of Robert Morris compares to the more recent prosecution of Aaron Swartz for downloading JSTOR documents?
Obviously the youth of the offenders is one similarity. The statute is another similarity. The lack of an evil motive on the part of the defendant is another similarity.
There is a difference. One is that I think in the Swartz case there was a concerted effort to apply the principles of trespass and theft where there may not have been an actual trespass or theft. There was also a certain heavy-handedness there. I can understand why people might think in the Morris case there was also a heavy-handedness. Like the Swartz case you could make a good argument for misdemeanor or felony in either case. So you have that parallel as well.
You also have in the Swartz case and the Morris case brilliant academics engaging in conduct that they believe furthers the science. One difference is that Morris really just wanted to see if it could be done. Swartz I think was engaging in his conduct as a protest against the fact that this data was not publicly available. So to a greater extent, Swartz was aware that the community considered his conduct wrongful. I think that to some extent Morris didn't consider his conduct wrongful, he considered the consequences wrongful or bad.
Had the Morris worm not propagated the way it did, it would still have been a crime, but it would have been unlikely to have been prosecuted the way it was prosecuted. If it had happened today and caused minimal damage, it would have been unlikely to have been prosecuted as well.
There are some parallels between Morris and Swartz, but the statute has changed significantly in the interim as well. For example, you now have things like "exceeding the scope of authorization" [being a crime] in addition to just having access without authorization.
The other amendment to the statute was that in the original version it was illegal to access a computer without authorization in order to obtain certain protected kinds of information. The statute was amended to make it illegal to access a computer without authorization to obtain any information. Those two amendments, exceeding authorized access and to obtain any information, makes the statute significantly more capable of being used against people like Aaron Swartz.
The charges against Swartz could theoretically have led to decades of prison time. Is that another important difference?
Here's the interesting thing. I understand that the prosecutors offered Swartz a plea arrangement where he would only do a few months in jail. Quite frankly, with Morris, we would have done the same. But a few months in jail we believe would probably be an appropriate sentence considering his lack of venality. The problem was the sentencing guidelines [which required a sentence of around 18 months].
There were some mechanisms for [the judge] to depart from the sentencing guidelines. He would have had to find that Morris's case was outside the heartland of computer crime cases. He could have found that based on his intention and departed downward. Instead, he simply made a blanket declaration that the guidelines didn't apply.
But there was no guarantee there. It was a huge risk for Morris. If he went to trial he could have been acquitted. But if he was convicted he could have faced a very serious penalty.
The thing about these multiple decades [that prosecutors threatened Morris with], is it's a bit of a ruse. It's a game that prosecutors play. It has to do with how the sentencing guidelines work. If I indict you on 20 counts or I indict you on one count, the sentencing guidelines are going to be roughly the same. What happens in a multiple-count indictment under the sentencing guidelines, the maximum statutory punishment is increased.
So if I charge you with one count of computer crime, it's 20 years, two counts is 40 years, three counts is 60 years. However if the sentencing guidelines for your offense is three years, it doesn't matter that it's one count or three counts or 30 counts. So when you sit there and say Swartz could have gone to jail for whatever the number is, that doesn't really matter. There is a little bit of a bump because of multiple counts, but it's not that significant.
The other thing about multiple counts is if I charge you with 10 counts of computer fraud, and you are acquitted of nine counts, but convicted of one count, the judge can sentence you for all 10 counts and for counts I didn't even charge you with. And they can sentence you for counts on which you were acquitted.
What is significant in the computer crimes statute was the estimate of loss or damage. Because the sentencing guidelines at the time sentenced computer hacking the same way it would theft or fraud. So they would look at the damages or losses that occurred, and in Morris case, the estimates were $250,000 to $96 million.
It also sends a message to the community. If we charge Morris with one count, it's a way of moderating a view of his conduct. You still see 50- or 100-count indictments. The truth is if they were offering Swartz a 3-month deal, they were offering him a 3-month deal. But a defendant facing 100 years in jail feels like he's facing 100 years in jail even if the sentencing guidelines say the sentence he is going to face [is much less].
Any other comments about the Morris case?
One thing I wanted to point out is that I would not object if Robert Morris was granted a pardon. I would represent him if he wanted. Because he was not a bad person. To the extent that the felony conviction now is keeping him from being able to do something, I don't see any reason he should have to wear this as a mark of shame for the rest of his life. Everyone knows who he is, what he did, and why.
It was a significant case and a significant prosecution, but that doesn't make him an evil person. I believe in the power of redemption. He's certainly redeemed. I don't mean to say he needed to be. One of the jurors came to me after the trial and said we don't think he's a criminal, we think he committed a crime.
I think the conviction has probably impacted his work to get a security clearance and do work on classified work. I think there's no reason it should.
There are former hackers, I mean that in a non-pejorative way, who I don't believe should ever touch a computer again. And there are those like Robert Morris who I think are honest and trustworthy but who made a youthful mistake.
What have you done since your time at the Justice Department?
I left Justice in the early 1990s. I've worked for various IT security consulting companies, including SAIC, and FTI consulting. I'm right now working as a lawyer in the areas of privacy and information security, based out of Bethesda. I help companies respond to computer security incidents, computer forensics, and this whole NSA stuff.