What it Takes to Keep Billions of Internet Users Safe

Parisa Tabriz started as a hacker. Now she's known as Google's security princess, tasked with protecting the data of billions of users around the world. And because she oversees Chrome browser security and Google security research team Project Zero, she's all about web security. So she'll be interviewed now by TechCrunch's Carly Page. Round of applause, everyone. Thank you.

[Applause]

Good morning, good morning, guys. Good morning, Parisa. Thank you so much for joining us.

That's awesome to be here.

Okay, so you have quite the job. You're in charge of Google Chrome, which I'm sure most people in this room use, along with billions of others. What are you seeing as the biggest security threats facing these users today?

Well, awesome to be here. Awesome to see lots of folks here and have this conversation. And yeah, I'm responsible for Chrome today. Started at Google a while ago working on security generally, and then came to Chrome to work on security, and now look at the whole browser, which is both, you know, an end-user product as well as a platform. And so we think about both, you know, people using a browser on their desktop computer, Windows, macOS, maybe a Chromebook, people using a browser on their phone, could be Android phone, iPhone, and then also the platform and the web platform at large, and thinking about how do we help developers, or what are some of the threats that developers face.

And we're super lucky to have a lot of people that use Chrome. And so as the browser's gotten more popular over the past 15 years (we actually just celebrated our 15th birthday this year), the attacks have also increased in terms of range of attackers and, you know, number of attackers, I would say. You know, typically a product launches, nobody uses it, you don't have too many attackers facing you, and so it's a good problem to have. And we face threats, you know, that are sort of of the broad spam, phishing attacks to end users, as well as hyper-targeted attacks that are really looking at, you know, a patch gap between a security bug that we just fixed and, you know, the window by which a user is going to be updated, which now, you know, can be a week, and so it's not a big window. And I think with that ends up requiring just a really multi-pronged approach in terms of how do we approach security to, you know, defend against all of those attacks and attackers.

And it's been an interesting, you know, journey in security, because some things are always the same, like you have untrusted input, and, you know, that typically is how you're going to run into security problems or security bugs, and in some ways that's been a theme since I've been working on computers and computing for the past two decades. On the other hand, things have gotten so much more complex and advanced in a lot of ways. And one of the things I love about the space and browsers and the web and security is just, like, you're constantly learning and adapting and really thinking about how to be pragmatic and protect people from real threats, given sort of there's no perfect solutions to the space.

Absolutely. And when it comes to protecting all these people, what are the biggest challenges faced by you and your engineers?

Lots of challenges. I would say, you know, I started my career in more of security consulting mode, and you weren't really close to kind of the product or the business, and so you think about, like, common patterns of problems, and then you end up kind of handing this over to a different team, and they have to figure out what to do with it. Working in Chrome now, I think about how do we build a product that is secure, and we think about how do we make it safe by default but also fast and usable and simple, because, you know, we know that people are choosing to use software because it's easy to use and it's fast. Like, that's one of the most important features of any product or service.

And the challenge is often in that trade-off space of, like, how you build something that is secure and fast, and you want to optimize for both. And then when you get kind of into the details, some of the security protections that you want to build in, like exploit mitigations, okay, that's going to, like, take extra checks in code, and so, like, ooh, that's going to actually impact performance. And so that trade-off space is something that is just a real challenge and one that we face every day. Security and performance is one. Security and usability is one.

You know, we have a wide range of users, each with different personal preferences or even, you know, kind of threats that they're thinking about, and there are some users who want to make sure that they're opting into the most advanced security protections, and they have a higher threat profile: journalists, you know, politicians, you know, lots of vulnerable populations who are really wanting to opt in and take on additional protections, and some people that don't want to. And so how do you support kind of that range of users, make it simple to use, make it default, but then also give options in a way that doesn't result in just, like, hard-to-use, complex, crappy software, is one of the big challenges I face.

I think another thing is just the space moves so fast. And, you know, I took an artificial intelligence, machine learning course in college, and for me that was kind of a while ago, and I mean, it was kind of lame then. And now I think even just in the past 6 to 12 months, what we're seeing is made possible by applications of LLMs or gen AI, it both, you know, is, I'm learning so much and trying to learn so fast, and the pace of innovation and opportunity is happening really fast. And so one challenge is also just learning, and how do you stay, like, on the cutting edge, both in terms of building defenses but also knowing that, you know, bad actors are also taking advantage of advances in technology, and, like, this means that it's going to be harder to defend against those.

Sure. I guess from an outsider's perspective as well, another challenge for you and your team must be balancing privacy and security. So it's no secret that's where Google makes its money, it collects user data for advertising. How do you ensure the security of your users while balancing those privacy considerations?

Well, I think that security and privacy are super related. And for Chrome, which is probably where I'm the closest to, you know, we've had an investment in privacy since the beginning, even since before I worked on Chrome. Our privacy team is pretty international. Chrome's a pretty international team. Probably the biggest part of it is in Germany, actually, and I spent some time in Germany, and I actually think in a lot of ways, thinking about kind of privacy and some of the features we need to build in, some of the protections we need to build into the browser, like, some of those early insights came from our team, you know, outside of the US. And that's, you know, building Incognito as a feature, building options, and, you know, more recently, how do we make security, privacy features, like, more comprehensible for people to understand those trade-offs. So super top of mind.

I think in Chrome, we think about the web and how do we make the web a really thriving ecosystem. And one of the things I love about the web is, I think it's so related to Google's mission of universal access to information, and universal in a lot of ways is, you know, free in some ways. And, you know, I've been working on the web for a long time. How do we ensure there's great content on the web? How do you ensure it's free? You have to make sure that people can have, you know, businesses and monetization, and so, like, ads is a part of that, and that's, you know, been the primary way I think a lot of people who've created, you know, create content on the web actually can do that in a sustainable way.

So, you know, ads are part of the web and the ecosystem, and I think within Chrome we have both invested in making sure we're mitigating security attacks from ads. I remember for a while that was, you know, a vector for drive-by malware, and so, like, how are we actually investing to make sure that ads also are not introducing security risks, not creating crappy experiences from a performance standpoint or even just from, like, a user experience standpoint, and acknowledging that, like, hey, that's an important part of even just content on the web. So again, a trade-off space. And whether it's, you know, security and privacy or just thinking about kind of ads, content on the web, I think of these as complex problems and complex ecosystem problems, and ones that continue to advance and that we think about a lot at Google but also get feedback on from, you know, the rest of the world too, to make sure that we're continuing to adapt to kind of user expectations, norms, and also, you know, ultimately making things better.

Sure. So, speaking of complex problems, you also run Project Zero, which is...

They are a complex problem. No, I'm just kidding.

...which is Google's team for finding zero-day vulnerabilities in products. I think you found, I don't know how many this year.

A lot.

A lot this year.

A lot, yeah.

Yeah. Is it a bit of a game of cat and mouse? You find these zero days, next week there's more. How do you deal with that?

Yeah. So Project Zero is a security research team, and the mission is to make zero days hard. And I'm embarrassed to say that I don't know what birthday they're on, but they've worked really closely with Chrome, Android, other parts of Google, but actually are a vendor-agnostic team. So they don't, you know, I have a product security team with Chrome that's really focused on making Chrome secure. Project Zero is just like, hey, attackers don't care who made the software, and so they're going to really focus on, with an attacker mindset, how to mitigate, make zero days more expensive.

And part of it is vulnerability research. They have a blog where they're regularly publishing research, and they have an attacker mindset, but it's ultimately to make defenses better. And we'll share very detailed analysis of how to write an exploit, because it also makes defenses easier to build, and really to understand very practically how these things happen. Team has, you know, they do vulnerability research. They've also helped establish kind of industry norms on disclosure, really striking that balance between making sure vendors have some space to be able to address really critical security bugs, but also making sure that there's transparency to the public about what issues exist.

And so I think, how do you approach this? It's one, a mix of, like, incredible security research technical talent and sharing learnings broadly. I think that's maybe the second one too, of transparency and really working with the broader community versus just keeping your learnings to yourself. And then I think, you know, Project Zero has also worked to actually build mitigations too. And so for me, people who are some of those brilliant minds and have the biggest impact are those that actually work kind of on offense for a while and then will work on defense and really manage to kind of get both perspectives, because if you're focused too much on one, you sometimes I think can lose either empathy or understanding from kind of the, I guess, the cat or mouse perspective on that. And yeah, I am proud of the team and also proud of how the team works with so many other security researchers in the broader industry. And yeah, like, I think they've had a lot of impact, and there's clearly a lot more impact to have, because we haven't solved this problem by any means.

Sure. And to the founders in the room, how can they stay on top of these threats that haven't even yet been discovered?

I would say to the founders in the room, one, it's great if you're in the room, because it means you're thinking about security, and I actually think the first thing is probably just even thinking about security and acknowledging there's a problem. Second, I would say, like, try not to get overwhelmed by it, because, you know, I have a pretty big team focused on security, and if you're a founder and kind of in an early startup phase, you might be like, if, you know, Chrome can't solve it, like, how will I be able to solve it? And, you know, y'all are balancing probably, like, getting some customers, and so if you don't have customers, don't worry about protecting yourselves from the nation states, because the nation states are not going after you until you get some customers.

And high level, I think being aware of security and having that as a consideration choice, because look, if you have an incident or attack, it's going to impact your brand, it's going to impact, could lead to fines, could lead to opportunity cost, and ultimately people choose products and services that they trust. So it's important. One thing I say is, you know, someone needs to own security. If everybody owns it, nobody owns it. And at a certain point, you know, you really should identify one person, and they don't have to be the expert, but they need to be able to own it and figure out the experts and figure out kind of, you know, from an infrastructure standpoint, from a corporate, you know, security standpoint, like, what are your risks, and, like, you know, what decisions are you making that are actually going to impact your corporate security a long time. Same with, you know, product and services. And usually around, like, you know, when you're seven to 10 people, you probably should have somebody who owns it, and if you don't have someone else named, the founder owns security.

I tell people to think about, like, the infrastructure, the open source projects or infrastructure you're choosing to use, because that becomes your dependencies that you take on. And, you know, security bugs abound, and, like, those services or projects that you're depending on, like, what is their patch plan? How are you going to approach their patch plan? Because that's typically, I think, how people get into trouble, like, these dependencies. I think identity is important, because if you're a startup, you know, people are coming in, going, so how are you provisioning, de-provisioning new employees that come? And, you know, as you scale, you have to adapt. And it's tough but totally manageable. And I would say that in some ways, you know, it's just a space that moves so fast where you don't have to worry about becoming an expert, because you're just constantly kind of adapting and figuring out how to approach it, hyper-specific to kind of, like, what is your company's mission and objective. And I think those are some things that are top of mind.

Absolutely. And another thing I want to touch on is diversity. I think the industry has long had a diversity problem. It's improving, but we're still not there yet. For the founders building out security teams, what does a diverse team look like?

Yeah, I think that security has improved somewhat, but there's still a long way to improve. And I think sometimes when people hear diversity, they're like, you mean women? And I'm like, no, it's not just women, it's not just skin color. And, like, yes, those are aspects too, but I also think even just, like, functional diversity of skills and representation. And a thing I love about cyber security is it's so interdisciplinary, and so people who I learned so much from, people with a legal background, comms background, you know, a government background versus academic versus, like, completely practical and self-trained. And so I think that, you know, independent of what is the right thing to do and feels like the right thing to do, I actually think it's just critical to actually building a strong cyber security strategy, team, and to find diverse talent.

And one of the things I've enjoyed is I had a chance to work a little bit in academia and then a little bit with sort of, you know, hackers who are self-taught, many of whom dropped out of school, and then also a little bit with the government. And so there's so much actually common mission and desire to work together, but also very different perspectives that come to the table. And for me, I do a lot of hiring, whether it's security or just, you know, any role, I'm looking typically for someone who's got a growth mindset, is curious to learn, has demonstrated ability to learn and actually, like, willingness and openness to kind of learn more. And it's so important for security too, just because things move so fast and you're just constantly learning. And then someone who's hardworking.

And I actually think that those things, if those are your top attributes, they really broaden your aperture of, like, who you potentially want to take bets on. I look at that so much more than, you know, what level, what acronyms, and kind of what previous jobs are. And, you know, those can be signals too, but I think that the broader the aperture you do, the broader the pipeline you can have for talent, and I think it builds better teams and is also pretty important because we have a supply and demand problem too, and so finding the people to take bets on is important.

Can you give an example of where having a diverse team has worked, has proved successful in the area of cyber security?

Yeah, I mean, so for Chrome, you know, when I joined, the team I took on was about six people, fantastic group. Three of them were named Chris, so, like, we did not even have name diversity. All deep experts in system security and software security. And, you know, a thing I realized, hey, we're building a product, so, like, cool, we have a lot more work to do as it relates to fuzzing, sandboxing and these technologies, but also, like, we have nobody who's thinking about usability of security warnings, and so many people run into kind of, like, phishing, malware warnings. And we didn't have anybody who was, like, passionate and wanting to focus on some of these important usable security warnings that practically were probably a bigger threat to, like, users at large.

And so, you know, a hire that I did intentionally was to find someone who had a PhD in human-computer interaction. And I remember actually kind of even within our team it was like, oh, but, like, will they like the team? And, like, you know, no one said they weren't named Chris, thankfully, but it was like, this person doesn't fit into kind of what the team, you know, mold looks like. But, you know, they came in, forged alliances, partnerships with our design team, who at the time was kind of, you know, annoyed with our security team, security team was annoyed with the design team, because in some ways you're speaking different languages. And it ended up kind of being the formation of our usable security team, which, I think in this case, actually, it did improve gender diversity within our team, but to me it was actually even more critical that it was just a skills diversity perspective. And I think, you know, we found people who are performance experts to come and work on security, or security experts to go work on performance, and I think that just builds better problems, because you get somebody who has just a different perspective looking at the same problem. So.

Sure. And we're rapidly running out of time somehow. People want to go to lunch. I'm keen to hear about what Google is doing internally to protect itself against attackers. It must be targeted quite frequently. This summer it was reported that Google was running a pilot program where it was giving employees laptops without internet access. Is that correct?

Oh, I don't know, and this is not my area of expertise, and so I'm a little bit nervous to talk to it, because I know we have teams of hundreds of people thinking about how to protect Google. And yes, like, we're being attacked kind of from all angles. Kind of, like, want to phone a friend and, like, ask Heather Adkins to answer those questions, but, or we might go to a different one, because I'm not as close to that.

Sure. I guess my point here is we see headlines all of the time about high-profile cyber attacks affecting everyone: tech companies, gaming companies, casinos. Google is rarely in those headlines. What is it doing differently to protect itself?

Well, I think, you know, and Google has gotten hacked. Operation Aurora, now this was maybe a decade ago, was a pretty big-profile hack, and we were sort of transparent about what had happened. And since then, I mean, we invest tons in actually making sure that, you know, we're evolving Google's infrastructure to, you know, in some ways assume, like, hey, maybe some employee has been hacked. How do we mitigate the actual risk of that, especially when it comes to user data?

So some of it's access control. Like, I don't have, sometimes people are like, hey, can you help me, you know, debug this thing in Gmail? I'm like, I'm not on the Gmail team, I can't help. And also even my access is limited even within Chrome, because now I'm, like, a manager, and so, like, I don't, you know, need access to kind of some highly privileged environments. So some of it's access control. Some of it is investing in great talent, thinking about technology and processes, because the threat is super high. And we're very proud that there's not headlines on it, but that doesn't mean that there aren't, you know, issues that we work on and address. And in some ways part of it is an architecture of how do we mitigate, knowing that just we're constantly under attack.

Sure. And I think we have time for one final question from me. So if you could do things differently, if you could go back and re-architect Chrome with cyber security in mind, what would you do differently?

Oh, let's see. I try not to live a life of regret, and just like software, it's, you know, constantly evolving. And I think of it like as this organism that you constantly, you know, need to invest in. I probably would say that one of the things we're focused a lot on now is memory safety issues. Like, these things still happen, and C++ is in some ways a very powerful language, and you can do things that can really optimize for performance. It also is a language that can lead to a lot of problems, and we still run into, you know, various memory corruption bugs. So a thing that we're focused on now is, like, how can we experiment with Rust or other memory-safe languages, and it's hard to kind of retroactively do that. So if you're starting from scratch, maybe think about a language choice. And it's hard to know, because, you know, tech advances, and 15 years ago that wasn't really an option. And so in part, some of what we try to do is, like, look at the state of the world today and, like, what's happening, and how do we apply this to Chrome is kind of the continual thing that we think about.

Brilliant. Thank you so much for joining us. It was a fascinating tour.

Thank you. Super fun.

Everyone, enjoy lunch.
