- We informed the world that computer systems are exposed to threats and require better security.
- Hacking or cyberattacks have changed dramatically over the years. Hackers are more equipped now and capable of launching attacks in more professional ways.
- Social footprint of any nation, community, clan and group has become the most sought after commodities of the virtual world. Our social profiles in the virtual world are at great risk because companies are trading our data for various purposes.
- The government should maintain its regulatory oversight and ask private sector to develop a pool of experts to safeguard national interests in the virtual world.
Tell us something about ‘Brain’ – the first IBM PC virus.
Some three decades ago, we were learning a low-level computer language called Assembly. My brother, Basit, and I were experimenting with the security provisions of different operating systems, including Disk Operating System (DOS) and UNIX. We wrote a piece of code just to test the security provisions of DOS platform. We wanted to figure out how our data traveled across computers.
However, later our experiment was recognized as the world’s first IBM PC virus known as Brain. It was the time when data traveled through floppy disks. Hard disks were not commonly available in computers. People used to run operating systems and user files from floppy disks. Internet or network computing was a dream.
It was the time when multitasking was in conceptual stage. The DOS platform had limitation to execute one program or a task at a time. We used a programming technique called ‘terminate and stay resident (TSR).’ In other words, we coded Brain – the first known IBM PC virus detected in 1986 – in a way that it could execute itself and rename the disk label during the boot process. It stayed in the system memory after boot to monitor floppy disk drives. Whenever a new or clean floppy disk was inserted in the drive, the virus copied itself to the disk and spread itself.
Did you make some other viruses too?
No! Brain was our first and only virus. The idea behind coding the virus was to highlight the vulnerability and insecurity associated with DOS operating system. We did not want to exploit data or computer user and did not have any commercial interest. We just wanted to warn people around us that DOS was not a secure operating system. We never thought that our code, the Brain virus, would break geographical boundaries and spread across continents.
What do you mean by spreading across the continent?
It was probably 1988, when I received the first phone call from the United States. The lady on other side of the phone asked me, “Are you Amjad or Basit? Are you the inventor of Brain virus?” I replied in affirmative but I was surprised to know Brain had traveled overseas because we never sent or transferred any floppy disk to the U.S.
Your experiment provided foundation for the antivirus industry. Did you ever try your luck in antivirus or information security areas?
Though the multibillion-dollar antivirus market and information security field is result of our experiment or the Brain virus but we had other business preferences and priorities.
We never thought of trying our luck in antivirus market because someone commented about the Brain that ‘first you make viruses and will later sell antivirus to mint money.’ This statement hurt me a lot, so we decided to test our limits in other areas of technology.
Pakistan always remains in headlines for negative things. Have you ever regretted that you invented the first malware?
I believe it is a matter of pride for all Pakistanis. We informed the world that computer systems are exposed to threats and require better security. The Brain actually helped software and technology companies to rethink about operating system and data security that made the technological ecosystem more secure.
Now after three decades of creating the Brain virus, how do you rate computer and data security?
In software and computer industry ‘change’ is the only constant. Every day we see new software and innovative technologies. Internet has shrunk the world into a few million pixels. Over the years, computer security has improved manifold but still a lot is on risk because good and evil are growing at a similar pace or in some cases evil souls are moving faster than the good ones. In the Internet age it is impossible to claim that we are 100 percent secure.
What is the biggest security threat associated with computers and the Internet?
I believe electronic and psychology warfare are some of the prime concerns of the Internet age. Social profiling or social footprint of any nation, community, clan and group has become the most sought after commodities of the virtual world. Our social profiles on the Internet are at great risk because companies are trading our data for various purposes.
You see, in the western world companies are selling cloud-based solutions and high-end servers for a few hundred bucks—the price that is far below the cost of diesel for generators to keep servers up in Pakistan. It does not mean that their cost is too low but it indicates that their objective is different. They have more interest in the data that is hosted on these machines. These companies have various data manipulation technologies which help them to gather valuable information from this data.
What difference do you see in cyberattacks in the past and at present?
Hacking or cyberattacks have changed dramatically over the years. Hackers are more equipped now and capable of launching attacks in more professional ways. Initially, people started hacking for fun and to test abilities of different software but now they have monetary interests.
Each byte of data on the Internet has some value. Hackers dig data from various sources depending on the task or target and sell it in the black market over the Internet despite the fact that unauthorized access to others’ data or violating intellectual property rights is a crime everywhere in the world. Though some countries, like China and Pakistan and other developing states, are not willing to enforce these laws in true letter and spirit.
Reportedly, in various cases the money earned through these illegal sources is used for criminal activities, including terrorism.
Do you think Pakistani governments or law enforcing agencies are capable of dealing with these threats?
The governments in Pakistan have always remained one step ahead of the private sector when it comes to cybersecurity. The government organizations have better cybersecurity arrangements. Public sector institutes are more aware and technological advanced, especially, the defense organization. They have more resources to invest in security than the private sector.
On the other hand, apart from a few organizations, private sector lacks in this area. We are pioneer in computers and the Internet business in Pakistan and know many incidents where security breaches caused huge financial losses to private enterprises. But it does not mean that private sector cannot cope with the situation. The government has to create space for private sector and give them awareness about cybersecurity. There are many companies working in the field but they require some framework along with awareness and training to effectively deal with these threats.
Viruses and identity thefts are the most common attacks these days. Are all our systems on attackers’ radar?
No, it’s not like that. Pirated software and torrents are the root cause of this problem. It is very common in Pakistan and other developing countries that people, even companies, use pirated software to cut their budgets. Generally, we do not see any harm in installing cracks and patches on our computers, without considering that why we are being offered software worth hundreds or thousands of dollars for free.
In most cases crack and patch developers embed their malicious code in crack files. When someone installs these cracks the malicious code creates a backdoor in the system and gives access of our systems to unidentified people. Sometimes the malicious code installed with cracks makes our system behave like a bot and allows unidentified users to use our systems processing power for various tasks.
Mostly these cracks and patches are developed by Chinese, Russian and Indian developers.
Some people suggest we need to get rid of proprietary software regime and should develop our own software and operating systems to address all such problems. Do you agree that it eliminates all threats?
It is true. But it is like reinventing the wheel. We need to do a lot of research for developing our own software ecosystem. Initially, China had thought on similar lines. They refused to use Windows operating system, but later they had to surrender and adopt various security solutions to safeguard their boundaries in the virtual world.
However, it still keeps the country isolated from popular social networking platforms. It has developed its own communication tools and has one of the biggest cybersecurity operations in the world.
How can we address these issues?
Pakistanis are one of the most robust and intelligent nations of the world, but neither the government nor the private sector can overcome these problems alone. It requires a holistic approach and integration of all stakeholders. The government should maintain its regulatory oversight and ask private sector to develop a pool of experts to safeguard national interests in the virtual world.
Singapore has one of the best cybersecurity models in the world. Initially, it conducted a survey to assess the security needs and created awareness among masses about new threats associated with the Internet age. They have developed a legal framework and a world-class certification system to ensure proper implementation of security regulations.
Though, Pakistan Telecommunication Authority (PTA) and other government authorities have started thinking along these lines but ultimately the country has to follow a similar path to secure nation’s future.