Berkman Community Newcomers: Josephine Wolff
This post marks the first in a series featuring interviews with some of the fascinating individuals who joined our community for the 2014-2015 year. Conducted by our 2014 summer interns (affectionately known as "Berkterns"), these snapshots aim to showcase the diverse backgrounds, interests, and accomplishments of our dynamic 2014-2015 community.
Interested in joining the Berkman Center community? We're currently accepting fellowship applications for the 2015-2016 academic year. Read more on our fellowships page.
Q+A with Josephine WolffBerkman fellow and PhD candidate in the Engineering Systems Division at MIT studying cybersecurity and Internet policy |
Tell us about the work you've been doing at MIT and what your plans are for your research moving forward.
JW: The research I'm doing at MIT is focused on understanding how the different components of computer security fit together and interact. There are lots of tools and techniques we use to defend computer systems - everything from encryption software and antivirus programs to firewalls and passwords—but it can be difficult to look across all the layers and functions of a system to say what they all add up to, what they collectively do (and don't) defend against. I'm interested in how we characterize these different classes of defense and say something about the ways they relate to each other, the ways they can be most (and least) effectively combined. People in computer security sometimes talk about "defense-in-depth" or the idea that you want to construct multiple layers of defense so that an attacker has to breach all of them and each individual defense is reinforced by the others. It's an idea that's often invoked with an analogy to the defenses used to protect medieval castles—the moat, the stone walls, the archers poised on the towers - but it can be difficult to translate the relationships between those physical protections to the virtual world where it can be harder both to dictate the order in which an attacker will encounter the defenses you set up and to ensure that the weaknesses of one defense are reinforced by the strengths of others. My research is on how different forms of defense for computer systems can be combined to achieve both of those aims.
It sounds like you are not only interested in studying how cybersecurity works (or fails to work), you are also working on defensive designs yourself. Is it ever difficult to balance the more theoretical aspects of your work with the practical side of it?
JW: It can definitely be challenging to mesh theoretical frameworks for computer defense with more practical examples. For instance, one of the things I've looked at recently is how MIT has been changing the security of its network: what motivated those changes, how they designed the new set of security measures, and the impact those changes had. That has been great in terms of giving me a chance to think really concretely about how different types of defenses are combined in practice, but I'm still working out the different possible ways to tie it in with the more theoretical work I've done on what defense-in-depth means in the context of computer systems. One thing that practical examples often reinforce is that people tend to purchase or implement individual security measures without regard for how those measures fit into a larger strategy and relate to the other defenses already in place. So in some sense, they help motivate my more theoretical research questions by illustrating the gaps in existing frameworks for computer defense.
Having worked in policy, industry, and academic environments in the past, how do the workplaces compare when it comes to thinking about, talking about, and interacting with your research/areas of interest and with the technology itself?
JW: There are elements I really like about all three perspectives on and approaches to computer security. Policy-makers and private companies tend to be more focused on what's happening right now and how to address it, which means you may get to work on ten different things at once, or over a relatively short period, while academic research often has a longer timeline and allows for a slower, deeper dive into a particular topic. Tech companies also tend to be more action-oriented than academics when it comes to computer security. They're interested in what they themselves can directly do to improve security, and that sense of agency can be tremendously motivating and exciting. But it can also be interesting to take a broader view of all the different players involved in and their respective roles as an academic researcher or policy-maker. I think what really stands out for me about the policy environment is the emphasis on mitigating harm, something which of course underlies a lot of industry and academic computer security work as well but is really front and center in the policy community. So there are aspects of all of them that I enjoy, and I've been extremely lucky in getting to work with academic and industry groups who are interested in policy, and vice-versa.
What projects or people at the Berkman Center are you especially excited about? Whose work (in or out of Berkman) do you find particularly provocative or interesting?
JW: Because I've been thinking a lot about computer security at MIT recently, I've been particularly interested to follow Berkman's Student Privacy Initiative and the work they've been doing around the use of technology in educational environments and how to make different trade-offs in that context. I'm also very excited about the Internet robustness project at Berkman and its potential to serve as a model for a new kind of Internet defense.
You've been writing about a variety of issues relating to technology, policy, and society for Slate's Future Tense, a collaboration with the New America Foundation and Arizona State University. What motivates you to publish articles in the popular press as well as more scholarly journals?
JW: I've always enjoyed both reading and writing journalism. I like the relevance - reporting on things that are happening right now and talking to people who are directly involved - as well as the writing style, with its emphasis on clarity and engaging the reader. Initially, in both high school and college, I worked for my school newspapers just writing news stories, and then my junior year of college a very indulgent editor let me write a tech column and that turned out to be a really fun way to blend my academic interests with my journalism hobby. It's also a nice contrast to more scholarly styles of writing and, especially given the extent to which cybersecurity stories have been all over the news lately, writing for Slate has been a great way to force myself to think about how the ideas I think about in an academic context play out in the real world and to try to articulate some of those ideas in an accessible and engaging way.
If you could demonstrate one piece of modern technology for one historical figure, who and what would you pick?
JW: GPS for Christopher Columbus since I'm an adventurous person without a great innate sense of direction.