Caught in the net – the genius behind the first cyber attack

From student pranks to digital atomic bombs. Much has changed in three decades, but the history of cyberattacks is not yet finished.

The road to hell is paved with good intentions. Just ask Albert Einstein, Robert Oppenheimer – or Robert Morris.

In November 1988, a self-replicating computer worm spread at a dramatic rate across the Arpanet (the American precursor to the World Wide Web). Computer systems at a wide range of universities and research centers, such as NASA, slowed to a crawl. Normal work became almost impossible to carry out; for example, it could take days for an ordinary email to arrive. When restarting the computers didn’t help, some institutions instead tried reformatting them entirely. Large sections of the Arpanet were shut down as administrators fought day and night to stop the spread.

While they were tearing their hair out, a message suddenly appeared on Usenet that solved the problem for them, explaining exactly how they could stop the worm’s progress. Who was behind the disclosure? The worm’s own creator.

It turned out the culprit wasn’t some evil computer geek in his mother’s basement, or a foreign terrorist. Not at all: he was a research student at Cornell University, hailed as a genius. Robert Morris, as he was called, had, according to his own statement, created the worm as a research project to measure exactly how big the Arpanet was. The plan was indeed for it to spread stealthily, via various security flaws in the Unix systems of the time. However, it had no destructive functions – at least no planned ones. When he realized it was starting to multiply out of control and slow down precious computer systems, he panicked.

But his anguish fell on deaf ears. Robert Morris became the first in the United States to be convicted of orchestrating something completely new at the time: a cyberattack.

And perhaps it was lucky that there was no malice behind the first widely spread computer worm. Although the “Morris worm” became a costly affair for those affected, it was a much-needed, and relatively mild, wake-up call for institutions with lax cybersecurity. Because if a lone student could bring several large universities and research institutes to their knees by accident – what might a genuinely malicious actor, with an army of coders, be able to accomplish?

The structure behind the “Morris worm”, described in a report from the Massachusetts Institute of Technology (MIT). Photo: MIT

It’s a question that is still, after several decades of cat-and-mouse between hackers and security experts, highly relevant. Admittedly, it is unlikely that a single person could knock out large parts of today’s internet. But more targeted attacks and intrusions have become commonplace. Many reading this text have probably already forgotten that the biggest password leak ever took place as recently as last year, when over 8 billion login credentials to various services spread like wildfire. Perhaps also that cyberthieves acting on behalf of Russian agents stole the personal information of 500 million Yahoo members in 2014. Or that Adobe, Sony, Microsoft, Samsung and Uber have all suffered similar attacks.

The attack methods themselves have of course become much more refined than in the 80s. But they have also been democratized. The teenager accused of infiltrating game developer Rockstar and leaking the upcoming Grand Theft Auto VI allegedly used no weapon other than his phone.

In a way, it’s no wonder that the ever-recurring attacks on tech companies and entertainment services are quickly fading into oblivion, overshadowed by the bloodiest form of digital attack: cyberwarfare. A term we have become familiar with during Russia’s ongoing invasion of Ukraine.

The floppy disk containing the source code for Robert Morris’s worm is today preserved at the Computer History Museum in California, USA. Photo: INTEL

In early 2022, for example, the web services of several Ukrainian authorities and banks were temporarily shut down, and some were also vandalized with digital Russian propaganda. The attack methods? Not least overload attacks and malware – in the form of worms.

34 years after Robert Morris accidentally brought the proto-internet to its knees, his innovation continues to spread terror and mayhem far beyond his wildest imagination.

Three common cyber attacks

Malware

A contraction of “malicious software”. This broad category includes many types of harmful programs, from typical viruses, worms and Trojan horses to so-called adware (forced ads) and ransomware (extortion software).

Phishing

A method that involves the attacker “fishing” for the victims’ personal information – often by sending emails that appear to come from trusted senders. Information that the attacker would like to have on the hook is, for example, passwords and credit card numbers.

Denial-of-service

Often used as a kind of overload attack, with lots of computers involved (this is more specifically called DDoS – “distributed denial-of-service”). These send repeated, automated requests to the computer system that is their target, which due to the massive volume becomes unavailable or stops working.
