Forty-three years ago, on November 2, 1988, the Internet lost its innocence. Now, in reality, the Internet was never truly “innocent,” and, let’s face it, in 1988, it wasn’t even really the Internet. It was the ARPANet, or DARPANet, or MILNet… a loose confederation of large institutions like banks, government agencies and academics connected through a series of common protocols through a disambiguated network that permitted them to both share resources and to communicate with each other. There were as many as 60,000 “Internet” users in the United States at the time — more or less. The “Internet” was a club — a fraternity — and its members considered themselves somewhat elite. The nascent network, already more than a dozen years old at that point, allowed a researcher in Chicago to take advantage of the power of a “supercomputer” in San Diego to run programs. It allowed users to play Star Trek games like Netrek (“you have entered a new quadrant… type ‘L’ to look around”). While certain entities were dependent upon the fledgling “Internet,” it was yet to become a tool for massive electronic commerce, social media, and mass communications. In fact, connecting to the Internet meant mastery of things like DIP switches, pin settings, baud rates, and dial-ups, or reliance on network administrators and contracts with companies like Bolt Beranek and Newman. It was an exclusive fraternity.
There had been computer crimes before November 1988. Fred Cohen had already written his book on computer viruses. Dr. Joseph Popp was a year away from releasing the world’s first ransomware attack. John Draper and other phreakers had learned how to hack the nation’s phone system — mostly for free phone calls. Hacks — they were already called hacks — to various computers had been going on for years — decades perhaps, for various reasons. The Hannover hackers were motivated by espionage, politics and money when they attempted to steal information about the U.S. “Star Wars” program. Kevin Mitnick was just a teenager exploiting social engineering for the thrill of it. Hackers had stolen money from places like the Bank of America, and other online institutions. Hackers had also accessed and altered systems at U.S. military installations, intelligence agencies, and related institutions. Hacking was not completely novel.
But on November 2, 1988, a graduate student at Cornell University launched a computer program — a worm — designed not to do anything in particular. The worm was designed to penetrate computers using a series of attacks that would be considered mundane today. Password cracking. Exploiting FTP and Sendmail vulnerabilities. Using the finger daemon. It used variants of many of the techniques used today — social engineering, establishing a beachhead and drawing the malicious code in, using the equivalent of buffer overflow techniques to induce a target machine to run code, getting the host to do something it was designed to do, but not what it was expected to do. You know, hacking.
The author of the worm had no destructive intent. And little malice. The goal of the worm was simply to spread, announce its presence, and remain resilient. A reboot would remove the worm entirely — until a reinfection. Cybersecurity was a hobby of the author — testing, probing, and exploring to see how things worked — breaking them to figure out how to fix them. The hobby came naturally to the author — he was the son of the Chief Scientist of the National Computer Security Center at the National Security Agency. Both father and son had attended Harvard, both had majored in sciences related to computers, both had a passion for tinkering. Both had experience at major security research institutions — Bell Labs. For both, communicating and experimenting online came naturally. The father was one of the luminaries in the fields of computer science in general, math theory, and information security — indeed testifying before Congress in 1983 about the dangers (and the exaggerated dangers) of juvenile hacking — something the dad equated to nothing more than “joy riding.” The son even gave presentations to the NSA about hacking — how to do it, and how not to get caught.
Yet, on November 2, 1988 something changed. The movie “War Games” focused attention on the potential for destructive hacking — particularly by minors. Hacking was considered a mix of vandalism and the end of the world as we know it. Misinformation about what computers did — and what they could do — was abundant. Much of this was fear of the unknown. The worm attack was front page news for days, and many institutions felt that the attack was part of a broader attack on the nation’s critical infrastructure. The worm’s author tried to rein in the impact of the worm, but effectively had lost control of his own creation. Ultimately, he was tried and convicted for what he did in a single-count indictment which represented the first use of the federal Computer Fraud and Abuse Act.
Following the worm case, the nature and character of “hacking” offenses changed dramatically. Hackers were, for the most part, not simply curious engineers attempting to figure out how the technology worked and how it could be manipulated (and exploited). At least not the “hackers” who were the subject of criminal prosecution. A new breed of malicious actors saw the Internet — together with the World Wide Web, social media, the so-called “dark Web” — and all the technologies they enable as a platform for theft, destruction, extortion, manipulation, espionage, and a host of other crimes. The “internet” had lost its innocence. It was no longer an exclusive club for the cognoscenti. It was democratized — for good and for ill.
None of this was the fault of the worm’s author. If anything, the author (either deliberately or inadvertently) sounded a wake-up call with respect to data security. But the thing about wake-up calls is that they are so easy to ignore. Today, we are much more vulnerable to threats, and much more reliant on technology. Barely a minute goes by when we do not use the technologies enabled by the Internet. But, to a great extent, November 2, 1988 was a turning point in the history of the web. Which way it has turned is going to be up to us.
Mark Rasch is an attorney and author of computer security, Internet law, and electronic privacy-related articles. He created the Computer Crime Unit at the United States Department of Justice, where he led efforts aimed at investigating and prosecuting cyber, high-technology, and white-collar crime.