Legal Doubts Rise in Computer Virus Case
WASHINGTON — FBI agents moved Tuesday to collect potential evidence in the computer virus investigation amid questions over prosecuting the prime suspect because of legal doubts that he intended to create the havoc that hit computer networks last week.
Thomas Guidoboni, lawyer for Robert T. Morris Jr., the Cornell graduate student who is the central figure in the inquiry, said that FBI agents had not yet contacted him about questioning Morris. Authorities said this signaled that agents are compiling the “electronic footprints” left by Morris’ computer programming and related evidence before confronting him.
Guidoboni declined in an interview to discuss whether his 23-year-old client had the necessary “intent” to convict him under the Computer Fraud and Abuse Act--a question raised skeptically by Justice Department attorneys familiar with the law, who emphasized that their knowledge of the case was limited to news accounts.
Programming Error
Friends of Morris have said that he created the virus but said that he unintentionally caused it to replicate itself rapidly in computer systems throughout the nation because of a programming error. His father, Robert T. Morris Sr., chief computer scientist for the National Computer Security Center near Baltimore, also has emphasized lack of intent to do harm in his comments.
“Everything I have heard indicates that there was no intent of damage” when the virus shut down an estimated 6,000 computers in the ARPANET network last Wednesday, the senior Morris said.
Meanwhile, computer experts from around the country met to begin taking the first steps in preventing a future computer virus epidemic like that which last week disabled thousands of university and military computers around the country connected by the INTERNET network.
Gathering at the headquarters of the National Security Agency in the Washington suburb of Ft. Meade, Md., some 60 researchers recommended measures that included creating a 24-hour hot line that will serve as a central clearinghouse for information about viruses, according to some of the scientists who were present at the closed meeting. Another recommendation included publishing lists of researchers to be contacted in the event of future disruptions.
Confusion at Outbreak
At the meeting at the National Security Agency, it was disclosed that containment of the viral outbreak was slowed because many researchers who observed difficulties caused by the virus did not know whom to notify in the middle of the night when the outbreak was discovered.
Because the computer networks by which the researchers normally communicate were disabled by the virus, information about how to halt the outbreak was not disseminated until two days after the initial infection.
According to some of those present, the researchers also learned that there apparently had been a first attempt to inject the virus into the INTERNET network on Oct. 29 and 30, leading some researchers to call it the “Halloween virus.” For reasons that are not yet clear, the earlier attempts were unsuccessful and the virus did not enter the system until Wednesday evening, Nov. 2.
The outbreak was largely contained by Friday morning, but some computers were infected as late as Sunday. Published reports have suggested that as many as 6,000 computers, about one in every 10 on the INTERNET system, were infected by the virus. But some researchers said Tuesday that the actual number could be less than 1,000. A census of infected computers is now being conducted at Harvard University.
Meeting Closed to Media
Reflecting the secretive nature of NSA, which is responsible for the security of government computers, the meeting was closed to the news media, despite the objections of some researchers. Participants were told to direct inquiries about the meeting to the Defense Communications Agency, which operates INTERNET, but a spokesman said that he had no information about it. Details of the meeting were provided to The Times by researchers who were present but who asked that their names not be used because the meeting was not open to anyone beyond the invited researchers.
A computer virus, like its biological counterpart, takes control of infected computers, replicates feverishly and infects other computers through telephone links. The INTERNET network, which provided those links for last week’s virus, has two main parts: ARPANET, which is used for transmission of non-classified data among universities and military contractors, and MILNET, which is used for the same purpose by military facilities.
The virus loosed on INTERNET did not damage any of the infected computers or destroy any data contained in them. Instead, it tied up computing and memory capacity by its replication, thereby preventing the computers from conducting their normal tasks.
Found No Permanent Harm
Three groups--from UC Berkeley, the Massachusetts Institute of Technology and the Army Ballistics Research Laboratory in Aberdeen, Md.--reported Tuesday that they had nearly finished decoding the virus. They concluded that the virus left no hidden programs in any of the infected computers and did no permanent harm.
Government attorneys noted that one section of the largely unused federal law that covers the computer virus case bars intentionally using a government computer without authorization. But violation of this section constitutes only a misdemeanor, punishable by a fine or as much as a year in prison.
“You’re not going to bring a complex, complicated case that takes a month to try if it’s only a misdemeanor,” one prosecutor said.
Two other sections of the 1986 law are felonies, providing for imprisonment of as much as five years, but they both require more sweeping intent than the misdemeanor provision. One involves using a federal computer with intent to defraud and obtaining anything of value. The other involves intentionally using a federal computer without authorization and altering, damaging or destroying information that causes a loss of $1,000 or more.
Mitigating Steps
If it can be shown, as Morris’ associates have claimed, that he took steps to halt the spread of the virus, it would make it more difficult to establish criminal intent on his part, one Justice Department attorney said.
It was not clear Tuesday whether the U.S. attorney in Washington, Alexandria, Va., or Syracuse, N.Y., would take charge of the legal case, but sources familiar with it said that the computer trail has been carefully preserved by authorities at Cornell, where the virus was created. FBI agents are expected to attempt to obtain the material with a search warrant, possibly as early as today.
Ronald J. Ostrow reported from Washington and Thomas H. Maugh II reported from Los Angeles.
Novel may have sparked computer virus. View, Page 1.
More to Read
Sign up for Essential California
The most important California stories and recommendations in your inbox every morning.
You may occasionally receive promotional content from the Los Angeles Times.