Advertisement

`Virus' Inquiry Hears Vital Harvard Testimony

This week's testimony by two Harvard computer workers before the federal grand jury investigating the "Cornell virus" is key to an indictment because, unlike in other criminal cases, prosecutors of computer crime must rely on circumstantial evidence to show guilt, experts on computer law said this week.

In addition, these experts said that the relevant legal codes in the virus investigation are an untested agglomeration of brand-new statutes and old legislation recently given high-tech applications. They said that even if the prosecution could prove one person knowingly created the virus, it may not be able to show that making the rogue program--which jammed thousands of terminals across the country--violated federal law.

The "Cornell virus" infected the Arpanet network, which links 60,000 computer systems nationwide including those of the defense Department and research institutions, on November 2. Experts estimate that clean-up costs related to the program--which did not destroy any computer information--reached $2 million for down-time spent weeding the program out of the stalled systems.

From the start, the man believed responsible for the unprecedentedly successful--and costly--rogue program is Robert T. Morris, Jr., '83-'85, a Dunster House alumnus and Cornell graduate student. Morris, who is affectionately known as "RTM" by his friends at Aiken Computation Laboratories, immediately drew Harvard into the virus vortex by calling Aiken's Andrew H. Sudduth '83-'85 and computer science graduate student Paul Graham the night the renegade program began to spread.

Sudduth and Graham testified Wednesday before the Syracuse, N.Y. grand jury, answering questions about Morris and their late-night talk with him on Virus Night, November 2.

Advertisement

The examination consisted "more of a general fact-finding type of thing," rather than targeted questions, Sudduth said.

Graham could not be reached for comment yesterday.

Asked whether Morris mentioned the word "virus" in their conversations, Sudduth said, "I can't recall exactly whether he did or not."

Technically, though, Morris' creation was not a virus, but a `worm,' a less dangerous program that reproduces itself and slows down the host system, but does not hurt the data.

This kind of general testimony is vital to establishing whether Morris was capable of creating the virus and intended for it to cause the damage, experts said.

Morris' intent and the wording of federal laws form the basis for a "two-pronged" question surrounding computer crime.

"It's a two-pronged test [for federal prosecutors]," said Florida state attorney John A. Frusciante, "[They must prove] what the man did, and what does that violate." Frusciante, who has prosecuted several Florida computer crime cases, is the chair of the American Bar Association's computer crime committee under its science and technology section.

Morris' legal fate depends on the interpretation of a handful of newly enacted or applied federal laws, Frusciante said. These laws--especially the Computer Fraud and Abuse Act of 1984, a statute prohibiting unauthorized access to stored computer records and a longstanding wire fraud act--represents the federal government's frontline against a new technological crimes.

But Morris' lawyer and federal authorities have acknowledged that it may not be clear whether--even if Morris created the virus--he violated any of these laws.

"If it appears that he's done what he's done--he's put the virus into the machine--the question is does that constitute the violation of a criminal offense?" Frusciante said. "If it does, how are we going to prove that?"

According to sections under Title 18 of the U.S. Code, "Intent without authority to access or causing to be accessed [a computer file] that is exclusively reserved for the government of the United States..[and such access] affects the government's [operation] of its computers by means of altering...damaging...destroying...or preventing authorized use" is a felony, punishable by a maximum of a $1000 fine and a one-year prison sentence.

Intent at issue

Other laws applicable to the Morris case rest on the proof of commercial or private gain for or malice by the perpetrator.

"Intent--it's the main issue," said Thomas A. Guidoboni, Morris' lawyer in an interview last week.

Frusciante agreed it was important to find out the state of Morris' mind while the virus was being produced, but did not consider its importance paramount.

"What you're trying to do is show what he intended to do," he said. "[Proving] it is a help...to be able to show that this person was knowingly initiating a virus, that he was talking about what systems he wanted to hit, his awareness of what systems it would hit...and what systems it wouldn't."

"But I wouldn't consider it [proof of intent] the key to unlock the door. I wouldn't say that any given item is the hinge" of the case, he said.

"You very rarely have direct evidence of some-one watching somebody doing something illegal on the next computer," said the state prosecutor. "It is circumstantial evidence built up in lots of pieces."

Sudduth and Graham have maintained that Morris did not intend for the program to get out of hand. MIT programmers who contained the attack at their facilities said a programming error, instructing the virus to reproduce itself in every 10th--instead of 10,000th--computer, led to its explosive growth and crashing of several systems. Without that error, friends said, the virus would have harmlessly lodged in a few computers, allowing Morris to track his creation's progress.

Knowledge

Also central to the virus case is proving that the perpetrator has the knowledge to write a program, is in a position to place it into a system, and is aware of its consequences, said Frusciante. "It's a very subjective kind of situation," he said, where time dates from a computer on a program, a man's alibi, and the testimony of his friends all form admissible evidence, but with different weights assigned to them by a grand jury.

Sudduth and Graham's testimony becomes important in this light by showing the likelihood of certain legal conclusions, he said.

"Certainly [Morris'] communication to other people can lead you to believe what they knew as true and certain knowledge he had and that's why it's very important," Frusciante said.

"This is extremely significant. You want to know what was on the state of his mind," he said.

The second half of the prosecutor's case relies on interpretation of existing laws. Even if Morris is charged with any crime and found guilty, the extent of his punishment is problematic. "Whether or not the defendent is guilty is one thing, whether he should be punished for something he did not see...that's another question," Frusciante said.

But he added that his interpretation, as a prosecutor, was that intent to simply enter a system might imply responsibility for resulting damage. "If he knew this virus was there, if he helped it get there, if he allowed it to get within a certain computer system" that would constitute responsibility, the Florida prosecutor said.

"The fact that it grew beyond expectations is unfortunate but it does not necessarily negate his guilt," he said.

Responsibility for a program's unexpected performance turns on subtle points of torts law, said a writer with the Journal of Law and Technology at Georgetown University.

"They're calling [Sudduth and Graham] in not necessarily for their expertise, I think, but to establish whether Morris had the intent to infect federal computers, or was he reckless enough [to allow it and was he expert enough," said George-town law student and technology writer Robin A. Meltzer.

"If Morris knew that 95 percent of what he intended to do was harmless, but if he knew there was a risk [in the program running awry] and did it anyway," that might imply guilt, she said.

"In other words, how smart is this guy, should he have known?"

Meltzer added, though, "viruses are an unexplored area--there are no cases, there may be a little out there but it's all less than two years old. They're just becoming big news now."

Advertisement