I’m a Woman in Cybersecurity: A Code Lover’s Story
From MIT to founding a company, Raluca fell in love with the magic of cybersecurity, and she still loves it today.
I am undoubtedly in love with cybersecurity.
- I teach cybersecurity to the 600 students in my class at UC Berkeley.
- I also run a cybersecurity research group at UC Berkeley.
- Additionally, I co-founded a cybersecurity company called PreVeil.
But let me tell you that my love for this field is not merely subjective. Cybersecurity is a uniquely beautiful and rewarding discipline of computer science. While theoretical disciplines in computer science feature beautiful and deep results, they rarely get adopted in the real world.
Conversely, while applied disciplines of computer science build innovative new systems, they often lack a deep analytical core. Cybersecurity provides the best of both worlds.
For example, one of the core tools of cybersecurity is cryptography. It can do magic. For example, cryptography allows you to compute on data you cannot see (see homomorphic encryption), or to prove that you know the solution to a hard problem without revealing the solution (see zero-knowledge proofs).
At the same time, cybersecurity targets real and important problems facing society, such as the numerous cases of data breaches, identity theft and privacy violations which abound in our daily news. Building better security systems often involves designing cryptographic protocols and then engineering systems to leverage them.
In other words, cybersecurity makes magic real.
The Magic, Practicality and Rigor of It All
The rigor and practicality are why I chose to work on cybersecurity as early as my undergraduate studies at MIT. I loved the ability to play with powerful theoretical tools while also building systems that addressed real problems. You get both meanings of code in one discipline. You design new cryptographic codes to protect sensitive data and you can code up new security systems using them.
I loved the ability to play with powerful theoretical tools while also building systems that addressed real problems.
Let me give you an example, taken from my company PreVeil of performing “real magic” in cybersecurity:
PreVeil protects sensitive data in common collaboration tools (like email, file sharing) by encrypting the data with end-to-end encryption. Only the message recipient can decrypt the data using their private (client) key on the their devices (e.g. phone, laptop). This strategy provides a strong degree of protection because if an attacker steals the data from the data server or the cloud, the attacker cannot decrypt the data. The data will essentially look like garbage to the attacker.
The physical analogue of this strategy is putting data in an insurmountable safe on the cloud but keeping the key to the safe on the client’s device. If the attacker breaks into the cloud and steals the safe, the attacker cannot open the safe and access the data.
A big problem in such encryption systems is a tension between usability and security. For example, a user can lose their decryption key. This typically means that the user can no longer access their data, which would be a usability hurdle. To avoid this issue, some systems attempt to store the key at the server. However, this affects the security of the system because an attacker at the server can steal the key along with the encrypted data and can thus decrypt the data.
Secrets and Magic at PreVeil
This is the point where the magic of cryptography comes to solve this problem. At PreVeil, we leverage a concept called secret sharing. With secret sharing the client’s key is split into multiple pieces, and each piece is given to a member of a group of trustworthy people.
For example, one piece of Alice’s key is given to the head of IT, another to the floor admin and a third to Alice’s boss. If Alice loses her key, two of these people can come together and reconstruct the key. Any one of these people alone cannot reconstruct her key.
In fact, one piece of the key gives an outsider zero information about Alice’s key. If you think about implementing this concept with physical keys, it sounds impossible. Consider attempting to split a physical key into three pieces where each piece does not resemble the original key, However, any two pieces put together do create the original key.
Are You Ready for the Challenge?
Cybersecurity undoubtedly has its challenging sides too. Perhaps the most frustrating of all is that we can never build a perfectly secure system. For example, there will always be bugs that can be exploited in the software we write, or humans who make mistakes when using a system. Any security protection needs to be rooted in some trust so a security system will inherently rely on trust assumptions, which could be violated. Furthermore, in some parts of security, there is a continuous arms race between the strength of the protection and the strength of the attackers.
If one is considering a career path in security though, this tension turns into an advantage. There will always be jobs in cybersecurity.
Raluca Ada Popa is an assistant professor of computer science at UC Berkeley. Her research is in security and applied cryptography. Raluca has developed practical systems that protect data confidentiality by computing over encrypted data as well as designed novel encryption schemes. Raluca received her PhD in computer security as well as two BS degrees, in computer science and in mathematics, from MIT. She is the recipient of an Intel Early Career Faculty Honor award, George M. Sprowls Award for best MIT CS doctoral thesis, a Google PhD Fellowship, a Johnson award for best CS Masters of Engineering thesis from MIT, and a CRA Outstanding undergraduate award from the ACM.
Check out more from our series I’m a Woman in Cybersecurity:
Are you inspired by Raluca’s story, or any other story in our series? Don’t forget to sign up for our Weekly Security Experts Newsletter for more interesting articles, inspiring stories and much more.
