At approximately 10 p.m. on Wednesday, Nov. 2, 1988, LLNL computer scientist Russell Brand was busy editing a paper on computer security from his home in Berkeley when the load on his VAX computer dramatically increased by 1,000-fold within a few seconds. Tracing the problem, he soon discovered several unusually named files and processes on his machine. Believing that a worm had found its way into his LLNL computer, Brand, who was also a doctoral student at the University of California, Berkeley, contacted a group of fellow students at Berkeley’s Experimental Computing Facility and confirmed the attack. The students had made the initial discovery a couple of hours earlier and had sent out a national network message stating, “[w]e are under attack by an internet virus.” The “virus” was actually a computer worm, later dubbed the “Morris worm,” and the incident is now considered to be the first major cyberattack in U.S. history.
In 1988, the internet, not yet 20 years old and still a year off from the creation of the World Wide Web (WWW), consisted of slightly over 500 autonomous unclassified national, regional and local networks with approximately 60,000 connected computers. By comparison, today there are over 100,000 networks and billions of connected devices. In 1988, the two largest networks in the United States were sponsored by the National Science Foundation (NSF) and the Department of Defense (DoD).
The origins of the internet can be traced back to the late 1960s, when DoD’s Advanced Research Projects Agency (DARPA) established a prototype unclassified network called ARPANET. From its inception, ARPANET served dual purposes: providing a testbed for advanced computer network research, as well as network services for the research community. In the early 1980s, DoD set a new communications protocol, Transmission Control Protocol/Internet Protocol (TCP/IP), as the standard for all military computer networking. TCP/IP allowed different kinds of computers on different networks to communicate with each other. On Jan. 1, 1983, TCP/IP was installed in the ARPANET and the internet was officially born.
Interestingly, in 1964, five years prior to the launch of ARPANET, Livermore computer scientists had created a local classified time-sharing network called Octopus run on a Control Data Corporation (CDC) 6600 machine. In 1964, the pilot Octopus network provided the means for just 12 people to work on one 6600 at the same time. However, by 1974, Livermore’s classified Octopus network, run on two CDC 6600s and four CDC 7600s and supported by the Livermore Time Sharing System (LTSS), which included large libraries of subroutines to meet users’ mathematical and graphical needs, was simultaneously connecting more than a thousand remote terminals and printers around the Lab.
By the early 1980s, around the same time that DoD’s ARPANET was giving birth to the internet, the National Science Foundation was expanding its reach with the establishment of its Computer Science Network (CSNET). CSNET provided network service access to all university computer scientists. In 1986, NSF established NSFNET, connecting academic researchers across the country to its newly established supercomputer centers. NSFNET was the backbone of the early internet, and its establishment laid the foundation for the internet’s explosive growth in the 1990s. In many ways, the hardware-software combination pioneered at Livermore during the 1970s for its classified Octopus network became the model for the creation of NSFNET.
At the time of the Morris worm attack in 1988, there was almost a sense of complacency and familiarity amongst users of the nascent internet. An awareness as to the vulnerability of computer systems, along with a corresponding notion of cybersecurity, had yet to filter into the consciousness of the American public. The awakening, though, came in jarringly quick fashion on Wednesday, Nov. 2, when the Morris worm was unleashed on the internet from a computer at the Massachusetts Institute of Technology (MIT). Within hours, an estimated 6,000 of the approximately 60,000 connected computers were hit — clogging systems and slowing vital military, government and university functions to a crawl.
That evening, the creator of the worm, a graduate student in computer science at Cornell University named Robert Morris, Jr., hacked into an MIT computer from his terminal at Cornell and let loose the experimental self-replicating program. The worm was designed to attack computers running a particular version of UNIX and spread rapidly by exploiting a security flaw known to Morris and a subset of skilled programmers. However, soon after unleashing the worm, Morris realized his program was much more successful than intended and that it was replicating and reinfecting machines quicker than anticipated. After consulting with a friend at Harvard on a solution, they sent out an anonymous message from Harvard with instructions on how to kill the worm. However, the network was bogged down by Morris’ creation and the instructions did not get through until too late.
LLNL’s efforts to battle the cyberattack went into full swing after the Lab’s Russell Brand notified LLNL Computer Security manager Chuck Cole of the cyber intruder. After discovering that computers using UNIX operating systems were the most vulnerable, Cole decided in the early Thursday morning hours to sever the connections amongst the Lab’s 825 unclassified computers (700 of which were UNIX-based), LLNL’s Open Labnet network, and the internet.
A computer patch was quickly developed by the students at UC Berkeley’s Experimental Computing Facility and subsequently modified by the Lab’s Computer and Communications Security Group (CCSG) for deployment on LLNL’s systems. Because of the Lab’s early knowledge of the attack and its coordinated efforts with Berkeley, LLNL became the focal point for assistance for other institutions throughout the country. According to CCSG’s Doug Mansur, “[w]e were apparently one of the main sources of information about the worm from around the country. Many of the people we spoke with didn’t have accurate information or have procedures for dealing with the problem … and they relied on the experience we had gained during the night.” Calls for help came from five of the national laboratories, as well as institutions like the Princeton Plasma Physics Laboratory, the National Security Agency and the National Science Foundation’s supercomputer centers.
Thanks to the quick response from LLNL employees like Russell Brand, Doug Mansur, and others, damage was limited to just six infected Lab computers — none of which crashed, unlike systems at other institutions. While Livermore restored its computer connections to its Open Labnet within less than a day and reconnected to the internet on Friday, other organizations simply wiped their systems or remained disconnected from the internet for as long as a week. While the Morris worm did not damage or destroy files, it slowed systems to a crawl, creating havoc and causing damage estimated in the millions of dollars.
In the aftermath, the creator of the worm, Robert Morris, became the first person convicted under the 1986 Computer Fraud and Abuse Act. Morris was spared prison time and instead received a fine, probation and community service. He later became a professor at MIT and co-founded an e-commerce platform called Viaweb that was acquired by Yahoo in the 1990s for nearly $50 million.
Acting on lessons learned, the Department of Energy (DOE) stood up the Computer Incident Advisory Capability (CIAC) at LLNL on Feb. 1, 1989. Livermore was chosen to host this DOE center because of the expertise and leadership demonstrated by the Lab in response to the Morris worm attack. According to the first CIAC head, Eugene Schultz, the purpose of CIAC was to respond to computer security incidents or attacks throughout the DOE on a 24-hour basis, as well as to lend assistance and technical expertise across the complex. This capability evolved over the ensuing years and is now centered within the DOE Joint Cybersecurity Coordination Center.
Today, LLNL is applying its cutting-edge science and technology and leveraging its interdisciplinary workforce to help defend the nation from an advanced landscape of cyber threats. The Lab’s cyber programs work across a broad sponsor space to develop technologies that address the most sophisticated cyber threats directed at disrupting our national security and critical civilian infrastructure.