Browser Boss
It’s 9 a.m. in Silicon Valley, and the fog has burned off to reveal a spring day worthy of the California tourist board. Inside Google’s Building 900, past the gourmet coffee bar and a nook of nap pods shaped like space-age clamshells, Parisa Tabriz, ’05 ENG, MS ’07 ENG, sits at a laptop, her fingers running over the keys.
“This is kinda fun,” she says in a half-whisper, turning off her laptop’s Wi-Fi and prompting an error page. “If you press the ‘Up’ arrow, you’ll see this.” An oddly jaunty T-Rex, its features blocky like a 1980s arcade game, begins jogging across the unfurling screen, jumping cacti and ducking pterodactyls at Tabriz’s command—a hidden-in-plain-sight video game in Google’s Chrome browser. “The Dino is our unofficial mascot,” she explains, tucking back a strand of her magenta-streaked hair. She plays for a few moments before abandoning the controls and allowing the Dino to run into a cactus. Game over; time to move on.
Tabriz has precious little time for play these days. The 36-year-old senior engineering director manages more than 350 employees spread across eight time zones, overseeing Chrome along with much of the company’s security work, guarding against assaults by bedroom hackers, hostile nation states and everything in between. In fact, Tabriz is something of a cybersecurity celebrity. In 2012, Forbes named her to its “30 Under 30” tech pioneers list, and last year she keynoted the Black Hat USA conference, the world’s premier hacker gathering. She was a cybersecurity adviser for the U.S. Digital Service under President Barack Obama and has consulted on TV shows and films such as AMC’s Halt and Catch Fire and Michael Mann’s Blackhat. In the process, Tabriz has become one of the most prominent women in an overwhelmingly male industry, a role model for the next generation of female programmers.
As the world grows more networked by the day, from refrigerators to banking to elections, the threats are ever-changing. Tabriz takes a big-picture approach to security, seeking the optimum trade-off between safety and ease of use. “A perfectly secure computer is one that’s at the bottom of the ocean and not connected to the internet.” She pauses for emphasis. “That’s also not a very useful computer.” For too long, Tabriz says, security has been based on how humans should behave. The most effective security, however, accounts for how we actually behave—reusing passwords, clicking on shady links and ignoring patches—and shepherds us toward safety. “You have to deal with the messiness of the world,” she says.
HACKED!
Tabriz came to her work almost by accident. Growing up in the Chicago suburbs of Olympia Fields and Orland Park, she played Super Mario Bros. and The Oregon Trail, but her tech engagement ended there. Mostly, she played tennis and soccer and created art, from painting to sewing to sculpture. “I wasn’t really into computers in any way,” Tabriz says.
Nor was she the kind of person who had her life all mapped out by age 16. Her father is a doctor, her mother a nurse; Tabriz knew she didn’t want a career in health care, but that’s about it. Computer engineering, she figured, offered a variety of career possibilities. She chose the University of Illinois because of its well-regarded engineering school.
Once she got to the U of I, Tabriz taught herself to code and began building websites. She loved the creativity of programming—it was like making art—and soon switched majors to computer science. One day, however, she opened her blog to find it defaced by Viagra ads. She had been hacked. “That was super-scary,” she recalls. “I wanted to figure out how that happened—and how I could prevent it from happening again.”
That desire led her to SIGMil, a student-run group focused on security and hacking that met on Friday evenings (a time chosen to weed out dilettantes). Tabriz dove into this new field, learning how to hide secret messages in photos of kittens and construct operating systems in JavaScript. As she steeped herself in hacking’s colorful history, she saw that it wasn’t just a tool for mayhem. While the 1970s-era “phreakers” scammed Ma Bell into giving them free calls, 1980s antihero Kevin Mitnick hacked into computers at Motorola and Nokia out of pure intellectual curiosity. At its best, hacking was about creative inquiry, and as Tabriz puts it, “understanding how a full system works and bending it to your will.”
At the time, SIGMil’s members were more interested in the traditional nuts and bolts of computer security—hardware and operating systems. E-commerce was still new and social media was years away. Tabriz was the first to bring web security to the group’s attention. “We didn’t really understand it, didn’t really know why it mattered,” says Chris Grier, ’04 ENG, MS ’07 ENG, PHD ’09 ENG, a SIGMil member who is now a software engineer in security and privacy at Google. As virtual shopping carts started getting hacked and malware proliferated online, though, Tabriz’s prescience became clear. “Parisa was much more ahead of the curve than any of us were,” he says.
Grier wasn’t the only one who was impressed. Within a couple of years, Tabriz was elected president of both SIGMil and the U of I chapter of the Association for Computing Machinery. In 2007, however, instead of pursuing her Ph.D., she moved to California to join Google’s security team as a hired hacker. Giving herself the playful title of “Security Princess,” she set about hunting and fixing bugs.
THINK LIKE A HACKER
For all of its creative possibilities, security can seem dauntingly abstract to the uninitiated. This was true even at Google, and Tabriz suspected the company’s software would benefit if its coders better understood their enemies. So she pioneered a program that taught Google’s non-hacker programmers to think like hackers. (She later brought those lessons to schoolkids and, in classes at Harvard’s John F. Kennedy School of Government, to government cybersecurity officials.) In a favorite scenario, Tabriz asks her audience to consider how to steal snacks from a vending machine. The options are almost endless—people suggest using fake coins or coat hangers, or filling the machine with water until the snacks rise to the top—and that’s the point. She says, “Talking about an example in the physical world seems, for whatever reason, more approachable to most people.”
As Tabriz rose through the ranks, she began to develop a distinctive management philosophy. “I see my job as removing things that keep people stuck,” she says. Nasko Oskov, ’04 ENG, another SIGMil alumnus who is now an engineer and manager for Chrome security, agrees. When last year’s Spectre and Meltdown attacks exposed dangerous vulnerabilities in computer chips that allowed hackers to steal private data, the news caught most of the security world flat-footed. Oskov’s team, however, had been working for five years on what became Chrome’s best defense. Until then, Oskov’s work had seemed mostly theoretical, offering little immediate benefit, but Tabriz backed him fully. “Her style is basically ‘Don’t micromanage,’” Oskov says. “[She] gives us the space to do the best we can, and helps us along the way with whatever we need.”
Tabriz also became an evangelist for a more people-centered view of cybersecurity. “When I was at Illinois,” she recalls, “I focused a ton on theory and math and software in a very pure sense of zeroes and ones.” But the more time she spent guarding against hackers at Google, the more she came to see the failings of the traditional security approach. “Just because something is more secure from a technological standpoint doesn’t [mean it] necessarily addresses the human factors,” Tabriz says. In other words, security doesn’t just need to work; it needs to work for human beings or they won’t use it.
That epiphany informed her years-long drive to secure the internet’s infrastructure. The default state was insecurity: As recently as 2015, less than a third of all web traffic through Chrome was encrypted. Most web pages were unencrypted, and the average user thought little about security unless he or she got hacked. Security experts had long recommended that all websites switch from the unsecured HTTP protocol to the encrypted HTTPS, but educating and persuading users and businesses to make the change was incredibly difficult. Tabriz believed she knew how to do it, but first she had to win over dissenters on her own team. She began by organizing a brainstorming session in which engineers wrote haikus about encryption. An example:
Secrets in the tubes.
People in the middle snoop.
Protect with crypto.
Once everyone was on board, Tabriz and her team rolled out a psychologically nuanced campaign to nudge the world into making the switch. To raise public awareness and change long-standing user assumptions, Google began marking HTTP sites as “Not Secure,” and warning users when they entered data. The company also made it cheaper for websites to go secure and tweaked its code to address concerns that encrypted web pages loaded more slowly.
The approach paid off. More than half of web traffic is now encrypted, and HTTPS usage on Chrome is more than 90 percent. The key, Tabriz says, was “getting to the root problem of why people weren’t doing it as opposed to just saying, ‘Oh, you should do it.’”
Her concern for everyday users sets Tabriz apart from many security experts, Oskov says. “There’s a certain set of techies who can stay safe online because [they] understand how tech works,” he says. “But she seems fueled by this set of people who are not techies, who don’t quite understand what everything means.”
ROLE MODEL
One of Tabriz’s biggest challenges as a manager is more intractable, at least in the short term: women’s participation in the industry. Women make up only 26 percent of the global tech workforce; at Google it’s 32 percent. Tabriz’s advocacy for the issue is the result of a long personal journey. In college, her computer groups were heavily male and women’s issues simply weren’t on her radar. “I remember at Illinois really not being interested in any women’s-only groups and, in some ways, probably judging them a bit,” she says.
At Google, however, she began to notice the myriad ways in which women were made to feel that they didn’t belong, from micro-aggressions to full-blown sexism. It was a sobering realization. “You’re like, ‘Oh, yeah, I’m the only woman in the room,’” Tabriz says. “‘Oh, that is weird—maybe that’s why I feel extra-cautious or extra on-edge.’”
Meanwhile, the world was beginning to see Tabriz as a feminist icon. “With any luck, this Googler will turn more girls into hackers,” Wired gushed in 2014. She’s all for the idea, but sometimes feels unqualified for the task. “I’m proud when people tell me, ‘You’re a role model to me,’” Tabriz says. “But I also find it awkward because it’s not like I have any answers.”
The best she can do, she says, is try to make her team as diverse as possible, while empowering those who don’t feel welcome. She says she believes things are improving, albeit slowly. “If it was easy, it’d be solved,” Tabriz says. “So I actually think it’s encouraging that we’re talking about it a lot more.”
Twelve years after her arrival at Google, Tabriz remains committed to her work, and happy in her Silicon Valley life with her husband, a neuroscientist who works in law enforcement, and their two cats. She might move on eventually, though: She muses about art school or opening a cat café. “Julia Child didn’t publish her first cookbook until she was 40,” Tabriz says, laughing.
Despite her success, Tabriz admits that security work sometimes feels Sisyphean. Each day she has to push the boulder up the hill, because the bad actors never quit. She sighs, “It can feel hopeless.”
But that’s not most of the time. Brightening, Tabriz notes that the internet is a far safer place than it was 10 years ago. “That keeps me optimistic,” she says. “I recognize there are a lot of threats and dangers, and I don’t trivialize those. But I’m not gonna go live off the grid, and I’m not gonna recommend that anyone else does either.”