Where there is no law, but every man does what is right in his own eyes, there is the least of real liberty
Henry M. Robert

“How to protect people from technology?”

White House adviser and Google’s “secret weapon” speaks about challenges of “technological revolutions”
13 February, 2018 - 10:41
Photo by Ruslan KANIUKA, The Day
Photo courtesy of the author

Step by step, humanity is relinquishing its power to take decisions by delegating it... to computer algorithms. With the development of artificial intelligence, scientists predict that humans are at risk of losing their monopoly of controlling Earth in its entirety. This topic, in particular, is addressed in the 2018 trends report “Zero Interface/Zero Decision,” which will be presented by the Netexplo Observatory at the UNESCO Headquarters during the annual Innovation Forum (February 13) and the Talent Forum (February 14-15).

The authors of the report note that with the development of artificial intelligence, which requires less interference from the user side, humans move away from making a decision. And they do not even care that every algorithm embodies the ideology of its author. In addition, such carelessness is predicated on 100 percent confidence that the technology in question will not be hacked by attackers, or even more importantly, intentionally designed to restrict the rights and freedoms of its user.

So far, artificial intelligence is still in its early stages. However, a small number of “Digital Titans” (Google, Amazon, Facebook, Apple, Netflix, Airbnb, Tesla, and Uber to name but a few) which collect a nearly infinite mass of data about their users are working hard to create a “synthetic super brain.” And strategies which are needed to protect the user in the digital world are one of the key issues in the abovementioned report.

The Day was able to discuss the challenges which the digital world poses to us, the rules of online behavior, and how the Internet can… threaten humanity with Parisa TABRIZ, who is among the 30 coolest tech professionals in the world according to Forbes.

The Telegraph called her “Google’s top secret weapon.” After all, Tabriz is responsible for the security of one of the most expensive global brands – the Internet browser Google Chrome, which is daily used by about two billion users. She is 33 and dyes her hair pink. On Tabriz’s business card, her job title reads “Security Princess.” She teaches at Harvard and advises the White House.

“When I started working in security, I originally was doing web security, and I think at the time it was considered very lame.

“Cross-site scripting was the first vulnerability I knew about, and I found ways to do it, but everyone was like, ‘it does not matter.’ You know, nothing is actually happening on the web where security matters. That’s really changed now. It was especially Google. Gmail, search, history, dark search, and Drive are actually our applications. So what once was kind of lame vulnerability, now can actually lead to theft of updater. So, one thing is that web security has just become much more important.

“When I started in security, a lot of hacking was done by people who were just interested in exploring, understanding how systems worked, maybe pulling pranks on people, but kind of doing it for fun in some ways, or as a hobby. Whereas now, you just see like crime has really moved from being mostly done on the streets to now being done online. We just see it: it’s not jokes anymore. It is really an active threat to people’s identities, to their safety in the real world, to their property and data.

“We [Google. – Author] have the best of the best security, I think it is way better than when I joined. I think the approach that we have in Chrome and in general other technologies too, where you have layered defense and technologies actually makes exploitation much harder, but you also have software that is vulnerable.

Photo by Ruslan KANIUKA, The Day


How about an example?

“It makes you think about just the range that is available. I think about the Internet of Things, and how it’s exciting that people can really get anything connected to the Internet – your light bulb, your toaster... But a lot of people haven’t thought about how you can actually update that software. For me, there is no such thing as a fully secure system connected to the Internet. So, when I hear ‘our company is making very, very cheap software, and you don’t actually have to update them,’ – I just know that there is going to be some problems.

“It’s both cool that it is so easily accessible. On the one hand, I see programming classes being available to kids, and that’s really exciting, that you can learn technology at an early age, and it’s very powerful to learn those skills and be able to apply them. At the same time, when we have a lot more people who are creating technology, you know, if they are doing it in a wrong way, then it could lead to a lot of security problems.”


Last month at the annual economic forum in Davos, many world leaders, including French President Emmanuel Macron, spoke about the great number of challenges facing humanity because of the cascade of technological revolutions that we are experiencing. Can you rank these challenges? What is frightening you, as the “Security Princess,” in the development of the web space?

“I do not know specifically what point he was making, but in general, I see it like, you know, more and more business and financial dependence on the Internet. You start thinking, ‘OK, how are we going to regulate and protect the Internet, as the Internet is not owned by any country, right?’ It’s a fully interconnected global system. In some ways that’s quite cool that no country owns it, but it also means that it’s much harder to protect, and you really rely on kind of a standards process, which again, no one person owns.

“But within technology space and in Chrome, we think like, ‘What are these Internet protocols that are secure?’ We work with other experts around the world and we come together and say, ‘OK, we don’t want any company or any country to own this, but what is a secure protocol that the Internet can use?’ But that’s a very slow process. You know, we learned things over time. One of the concerning things is just how fast the technology is evolving. In some ways it’s evolving faster than we know how to think about it from a legal perspective, from a regulation perspective. And keeping peace with that and figuring out how to keep people safe from that is just a really big challenge.

“You have these large industrial power plants or water filtration systems, or power grid, and these systems were not built with security in mind. I mean, you actually saw this with Stuxnet, which was a malware that ended up infecting Iranian nuclear plant, and it infected PLCs, which are programmable logic controllers, as it made them go really, really fast, until they broke. You can see it as an example of malware that actually can take down a nuclear power plant. You can imagine how dead serious is that. If you have a power grid that’s connected to the Internet, something can go wrong. How we are actually thinking about updating those systems is a big challenge, but I know something is being done by the very top-of-line people.”


What do you think about the cryptocurrency boom? Is it safe?

“I personally don’t use cryptocurrency.”


“I think I’m very conservative when it comes to investing. So, I am happy to let other people get a lot of money, but it’s very risky, so I don’t gamble.

“I think, the US dollar is pretty stable, so I feel OK with that. My dad came from the country where the currency inflation happened, and he ended up thinking about gold and diamonds as a stable asset. So, cryptocurrency is not for me.”

And what do you think about the technology behind the block chain? Is not it a technology of the future?

“Yes. I think there are applications for it. I think right now, in some ways, everyone is trying to solve everything with the block chain. I think there is more excitement than probably what it needs. I make jokes that everyone is going to solve global warming with the block chain, which we really cannot do. But I think that like many other types of cryptography, there will be purposes for it and usages for it.

“Every time you have a new technology boom, everyone is going a little bit crazy, trying to solve all the problems. You know, like with 3D movies, everyone wants to have 3D movies, and now I feel like, we are at the point of ‘there are some good 3D movies, but not everyone is doing 3D.’ There will be some good applications of block chain, but right now, people are going a little bit crazy about it.”


Do you think artificial intelligence can enhance cybersecurity?

“Yes, I think that with every new technology, it can help defense, it can also potentially help offense. In machine learning a lot of advances have happened recently – I remember in college I took artificial intelligence class, and it was really boring, because it just wasn’t something that you could really use, it was more work and didn’t actually yield interesting results. I think that now we are seeing machine learning be able to definitely detect anomalous activity, which could be an attacker, and be able to detect abusive comments in social networks, like be able to find people who are harassing other people.

“But in the same way, you can imagine how this is potentially useful for an attacker. Every new technology, it can be used for good and bad.

“We use machine intelligence to solve a lot of different problems at Google, and we are definitely trying use intrusion detection, being able to detect: ‘Oh, this is malicious behavior or something.’”

Are you able to predict attacks?

“I don’t think we will be able to get to the point where we can predict it, but you can sort of say, ‘this is suspicious, and either it should be blocked or we should do some kind of manual review to look into it.’ The work with abuse detection also relies on machine intelligence. Something we have done actually in Chrome is to use machine intelligence to determine whether a page is trying to fish data. For this, we have done things like constantly updating the learning model. And it is kind of learning based on other behaviors and other side actions as well.”


How does international law protect users of the web space? I know that you advise the White House, can you say that the US legal system regulates best what is happening on the global Internet?

“My mom is Polish, she is from Poland, my dad is from Iran, I grew up in the US, I have friends from all over the world, and so, in some ways, I think of myself as a citizen of the world. In some ways, the Internet is cool because it’s not anyone’s country, and protecting people on the Internet feels like just a very important role, and determining how it should be on the Internet, not just thinking about your own country – it is a challenge.

“I have my own experience, and knowing what it is like to be a user in India, or to be a user in Brazil, or to be a user in, you know, Africa, it’s constantly something I’m learning about.

“When I went to South Africa for the first time, I learned that they actually use their phones for mobile payments much more commonly than in the US, and so the attacks to the mobile finance system are much more sophisticated.

“So it’s always interesting for me to learn what software is popular in the country, what attacks are popular, what defenses are popular. It’s a huge challenge, but I think it’s also very cool.”

What can you say about a cyber attack on Ukraine that used a new model of Petya virus (*)? The CIA has stated that this was the work of Russian hackers, do you agree?

“Yeah, and I think it was vulnerable Microsoft Windows software.

“I think this is a really good example where updates are just important, because in that case, Microsoft Windows patches were available, but the system just had not been updated. That’s where things like Chrome Automatic Updates is really nice, because it just makes sure that the software really up to date. But I don’t know any specifics of who did it. I just read about it in the news.”


What basic skills are you looking for in a person you are willing to hire at Google’s security department?

“First, we really want people who want to make software more secure and protect users, and I think that’s very, very important, right? We are wondering what the motivation of people is, because, if it’s purely money, and they don’t care about user’s security, there are other places that they can work for and get their money from. But we really want people to actually care about user’s security and also care about Google products.

“I think security is a field where you are always learning, and there are common classes of problems that happen, but you are constantly learning new technologies because whenever new technology comes, you need to learn it, because that’s where will be the potential for attack. So we are looking for people who like to learn new things constantly and are very, very curious. You know, in a movie you see somebody being able to hack into a system in a couple of minutes, in reality it doesn’t happen that fast. You actually have to be a very disciplined and hard worker, and very patient, sometimes even a little bit stubborn in finding the way to solve the problem.

“I think with security it is similar in some ways to other creative fields. Like in art we are looking for people with portfolios as well. A lot of people who apply, they have found these vulnerabilities and can point to them, or done this work to actually make software more secure.

“All of that put together actually leads to a very, very small number of people. I mean, we always want to hire more people than those that we find. So, I think it’s a really good field for kids or other people to be thinking about, because the needs for more people working in cyber security are very high.

“There’s a myth that you have to be genius, or only interested in engineering or technology, but in cyber security we need a lot of different skills. We need lawyers and people who think about psychology, human factors, and user interface to come together and help keep people safe.”


You have a pretty cute job title, which reads “Security Princess.” Will you tell us the story behind it?

“When I joined Google, my official job title was ‘information security engineer’ in the information security engineering team, and I found that very boring. It did not really mean anything and was very boring, and so I chose to change it to Security Princess, because I just thought it would be funny. I’m not very girly, I never wore very girly dresses, I have two brothers and I played football and wrestled with my brothers, so for me I was not a princess, but I thought it was funny and a little bit ironic.

“And then I went to a security conference in Japan. And in Japan it’s a very official process – business cards are expected, there is a formal exchange of business cards – and so I kept my title for that and made my business card with it, in part because I just thought it was funny, when you are meeting someone, they read it and sort of laugh. It is a nice way to meet someone – you need it to be memorable. And it was. I think it’s been a nice way to break ice when I meet someone. Especially in security, sometimes you are meeting people who work in the government or in defense, and they are all very serious. But when they see it, they smile a little bit and laugh. I like it, since my old title did not mean anything anyways, and this is kind of a bit funny and ironic.

“In some ways, it’s nice to be a role model, a different type of princess role model. Growing up, I watched Disney movies, and the princess is always trying at the end of the movie to get married, like that’s what the goal is. I thought it would be nice to have a different kind of princess role model – trying to keep people safe.”

A question from our reader on Facebook: “It is always interesting to see what morning rituals open the professional’s day: what do you start your day with?”

“I wake up very early. When I was in Germany, I woke up at like 4 a.m. Normally, I wake up at 6 a.m. I have at least two cups of coffee and eat pretty much the same breakfast every day and do some emails, or actually, first of all I feed my cats. They wake me up. I feed my cats, go to work, do emails. Then I see, based on what’s in my inbox, what the day is going to be like. Sometimes it’s helping people on the projects, sometimes it’s dealing with a new incident. It’s cool.”

By Alla DUBROVYK-ROKHOVA, The Day, Kyiv – Munich – Kyiv