{"id":14191,"date":"2018-11-03T01:06:16","date_gmt":"2018-11-03T01:06:16","guid":{"rendered":"http:\/\/www.lifeandnews.com\/articles\/?p=14191"},"modified":"2018-11-04T01:08:15","modified_gmt":"2018-11-04T01:08:15","slug":"30-years-ago-the-worlds-first-cyberattack-set-the-stage-for-modern-cybersecurity-challenges","status":"publish","type":"post","link":"https:\/\/www.lifeandnews.com\/articles\/30-years-ago-the-worlds-first-cyberattack-set-the-stage-for-modern-cybersecurity-challenges\/","title":{"rendered":"30 years ago, the world’s first cyberattack set the stage for modern cybersecurity challenges"},"content":{"rendered":"

Scott Shackelford<\/a>, Indiana University<\/a><\/em><\/span><\/p>\n

Back in November 1988, Robert Tappan Morris, son of the famous cryptographer Robert Morris Sr.<\/a>, was a 20-something graduate student at Cornell who wanted to know how big<\/a> the internet was \u2013 that is, how many devices were connected to it. So he wrote a program that would travel from computer to computer<\/a> and ask each machine to send a signal back to a control server, which would keep count.<\/p>\n

The program worked well \u2013 too well, in fact. Morris had known that if it traveled too fast there might be problems, but the limits he built in weren\u2019t enough to keep the program from clogging up large sections of the internet<\/a>, both copying itself to new machines and sending those pings back. When he realized what was happening, even his messages warning system administrators<\/a> about the problem couldn\u2019t get through.<\/p>\n

His program became the first of a particular type of cyber attack called \u201cdistributed denial of service<\/a>,\u201d in which large numbers of internet-connected devices, including computers, webcams<\/a> and other smart gadgets<\/a>, are told to send lots of traffic to one particular address, overloading it with so much activity that either the system shuts down or its network connections are completely blocked. <\/p>\n

As the chair of the integrated Indiana University Cybersecurity Program<\/a>, I can report that these kinds of attacks are increasingly frequent<\/a> today. In many ways, Morris\u2019s program, known to history as the \u201cMorris worm,\u201d set the stage for the crucial, and potentially devastating, vulnerabilities in what I and others have called the coming \u201cInternet of Everything<\/a>.\u201d<\/p>\n

Unpacking the Morris worm<\/h2>\n

Worms and viruses are similar, but different in one key way: A virus needs an external command, from a user or a hacker, to run its program. A worm, by contrast, hits the ground running all on its own. For example, even if you never open your email program, a worm that gets onto your computer might email a copy of itself to everyone in your address book. <\/p>\n

In an era when few people were concerned about malicious software and nobody had protective software installed, the Morris worm spread quickly. It took 72 hours for researchers at Purdue and Berkeley to halt the worm<\/a>. In that time, it infected tens of thousands of systems \u2013 about 10 percent of the computers then on the internet<\/a>. Cleaning up the infection cost hundreds or thousands of dollars<\/a> for each affected machine. <\/p>\n

In the clamor of media attention about this first event of its kind, confusion was rampant. Some reporters even asked whether people could catch the computer infection<\/a>. Sadly, many journalists as a whole haven\u2019t gotten much more knowledgeable on the topic<\/a> in the intervening decades.<\/p>\n

\n \"\"<\/a>
\n Robert Tappan Morris, in 2008.<\/span>
\n Trevor Blackwell\/Wikimedia<\/a>, CC BY-SA<\/a><\/span>
\n <\/figcaption><\/figure>\n

Morris wasn\u2019t trying to destroy the internet, but the worm\u2019s widespread effects resulted in him being prosecuted<\/a> under the then-new Computer Fraud and Abuse Act<\/a>. He was sentenced to three years of probation and a roughly US$10,000 fine. In the late 1990s, though, he became a dot-com millionaire<\/a> \u2013 and is now a professor at MIT<\/a>.<\/p>\n

Rising threats<\/h2>\n

The internet remains subject to much more frequent \u2013 and more crippling \u2013 DDoS attacks. With more than 20 billion<\/a> devices of all types, from refrigerators and cars to fitness trackers, connected to the internet, and millions more being connected weekly, the number of security flaws and vulnerabilities is exploding. <\/p>\n

In October 2016, a DDoS attack using thousands of hijacked webcams<\/a> \u2013 often used for security or baby monitors \u2013 shut down access to a number of important internet services<\/a> along the eastern U.S. seaboard. That event was the culmination of a series of increasingly damaging attacks using a botnet, or a network of compromised devices, which was controlled by software called Mirai<\/a>. Today\u2019s internet is much larger, but not much more secure, than the internet of 1988.<\/p>\n

Some things have actually gotten worse. Figuring out who is behind particular attacks<\/a> is not as easy as waiting for that person to get worried and send out apology notes and warnings<\/a>, as Morris did in 1988. In some cases \u2013 the ones big enough to merit full investigations \u2013 it\u2019s possible to identify the culprits. A trio of college students was ultimately found to have created Mirai to gain advantages<\/a> when playing the \u201cMinecraft\u201d computer game.<\/p>\n

Fighting DDoS attacks<\/h2>\n

But technological tools are not enough, and neither are laws and regulations about online activity \u2013 including the law under which Morris was charged<\/a>. The dozens of state and federal cybercrime statutes on the books have not yet seemed to reduce the overall number or severity<\/a> of attacks, in part because of the global nature<\/a> of the problem.<\/p>\n

There are some efforts underway in Congress to allow attack victims in some cases to engage in active defense measures<\/a> \u2013 a notion<\/a> that comes with a number of downsides, including the risk of escalation \u2013 and to require better security<\/a> for internet-connected devices. But passage is far from assured.<\/p>\n

\n \"\"<\/a>
\n Aircraft problems get thoroughly investigated, resulting in public reports and recommendations for industry to improve performance and safety.<\/span>
\n NTSB via AP<\/a><\/span>
\n <\/figcaption><\/figure>\n

There is cause for hope, though. In the wake of the Morris worm, Carnegie Mellon University established the world\u2019s first Cyber Emergency Response Team<\/a>, which has been replicated in the federal government<\/a> and around the world<\/a>. Some policymakers are talking about establishing a national cybersecurity safety board<\/a>, to investigate digital weaknesses and issue recommendations<\/a>, much as the National Transportation Safety Board does with airplane disasters.<\/p>\n

More organizations are also taking preventative action, adopting best practices in cybersecurity as they build their systems, rather than waiting for a problem to happen and trying to clean up afterward. If more organizations considered cybersecurity as an important element of corporate social responsibility<\/a>, they \u2013 and their staff, customers and business partners \u2013 would be safer.<\/p>\n

In \u201c3001: The Final Odyssey<\/a>,\u201d science fiction author Arthur C. Clarke envisioned a future where humanity sealed the worst of its weapons in a vault on the moon \u2013 which included room for the most malignant computer viruses ever created. Before the next iteration of the Morris worm or Mirai does untold damage to the modern information society, it is up to everyone \u2013 governments, companies and individuals alike \u2013 to set up rules and programs that support widespread cybersecurity, without waiting another 30 years.\"The<\/p>\n

Scott Shackelford<\/a>, Associate Professor of Business Law and Ethics; Director, Ostrom Workshop Program on Cybersecurity and Internet Governance; Cybersecurity Program Chair, IU-Bloomington, Indiana University<\/a><\/em><\/span><\/p>\n

This article is republished from The Conversation<\/a> under a Creative Commons license. Read the original article<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"

Scott Shackelford, Indiana University Back in November 1988, Robert Tappan Morris, son of the famous cryptographer Robert Morris Sr., was a 20-something graduate student at Cornell who wanted to know how big the internet was \u2013 that is, how many devices were connected to it. So he wrote a program that would travel from computer […]<\/p>\n","protected":false},"author":44,"featured_media":14187,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3410],"tags":[4082,5361,612,5390,613,5389,5391],"_links":{"self":[{"href":"https:\/\/www.lifeandnews.com\/articles\/wp-json\/wp\/v2\/posts\/14191"}],"collection":[{"href":"https:\/\/www.lifeandnews.com\/articles\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.lifeandnews.com\/articles\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.lifeandnews.com\/articles\/wp-json\/wp\/v2\/users\/44"}],"replies":[{"embeddable":true,"href":"https:\/\/www.lifeandnews.com\/articles\/wp-json\/wp\/v2\/comments?post=14191"}],"version-history":[{"count":1,"href":"https:\/\/www.lifeandnews.com\/articles\/wp-json\/wp\/v2\/posts\/14191\/revisions"}],"predecessor-version":[{"id":14192,"href":"https:\/\/www.lifeandnews.com\/articles\/wp-json\/wp\/v2\/posts\/14191\/revisions\/14192"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.lifeandnews.com\/articles\/wp-json\/wp\/v2\/media\/14187"}],"wp:attachment":[{"href":"https:\/\/www.lifeandnews.com\/articles\/wp-json\/wp\/v2\/media?parent=14191"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.lifeandnews.com\/articles\/wp-json\/wp\/v2\/categories?post=14191"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.lifeandnews.com\/articles\/wp-json\/wp\/v2\/tags?post=14191"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}