This is a guest post written by Christine Johansen, a Cisco PR manager.
You may not know Alissa Cooper personally, but you benefit from her work every time you go online. This graduate of Stanford and Oxford is a pioneer in protecting your privacy. She's a Cisco Fellow who was instrumental in the design of Cisco Spark. And when the Internet Engineering Task Force (IETF) meets next week in Chicago, she will become the first woman to ever chair that important standards body.
See also: 5 burning questions with Alissa Cooper
Ask colleagues to describe her and you'll hear words like "humble," "passionate," and "deep thinker." When she isn't doing all things IETF, she's working behind the scenes with Cisco's engineering teams to make sure they understand possible privacy implications of the design choices they make. I spoke with Alissa recently on topics ranging from her work at the IETF to her work in the collaboration group, to how the current political climate might impact the future of the Internet.
Christine Johansen: Pretend you're explaining the IETF to your family at Thanksgiving dinner. How would you explain what it does and why it is important?
Alissa Cooper: Think about the last time you searched for something online. Maybe you typed http://www.google.com and some search terms and magically you got results back. In order for that to work, your computer and Google's server had to talk to each other. If your computer only spoke English and the Google server only understood French, they wouldn't be able to talk. You wouldn't get your search results.
Your computer and Google's server needed a common language called a "standardized protocol" to be able to communicate. The IETF produces standardized protocols for the Internet—including the one you've typed so many times in your life, "https". These core networking standards make the whole Internet work.
CJ: Great explanation… I can tell you've had to explain that a couple times!
AC: Yes, a couple times…or eight thousand times!
CJ: What are some of the trickier topics you've dealt with—things people might not expect to come up as you make standardized protocols?
AC: Definitely privacy. It's what got me working on standards in the IETF in the first place, nearly ten years ago.
Back then I was working at the Center for Democracy & Technology, a technology policy organization in DC. There, we recognized that design choices that get baked into technical standards could affect the privacy of individuals on the Internet. So I started working in the IETF to affect change.
Jana Ašenbrennerová/Panos Pictures/Internet SocietyPrivacy is a thorny issue even at the IETF because really we're creating building blocks that software developers will put together to make a product. When we're creating a standard it's impossible to predict every way it could possibly be used—you don't know what products and uses of technology people will dream up. So, we aim to build a standard with some recognition of what the privacy impact would be. I've focused on things with an interactive component: geolocation, identity, real-time communications, voice, video, and messaging.
See also: Six imperatives to future proof your digital business
CJ: Can you give me an example of a design choice that could impact privacy?
AC: Say you have two computers that are communicating. It is very often useful for one end to have an identifier associated with it and for it to send that identifier with every communication—so the other computer can maintain some sort of knowledge about what has happened previously. So it can, for instance, say, "OK. This is coming from CJ's computer. I remember the last data packet she sent me. This new packet must go with that earlier packet."
It would be useful to have the same identifier in every packet. Useful, but also possibly invasive of your privacy: if you have the same identifier for everything you do on the Internet, then suddenly everything you ever do on the internet can be correlated. Say you go to Google, then the Cisco website, then you call someone, then you read some news sites. If all share the same identifier, then anyone who has access to any of your Internet traffic or your computer can know everywhere you've been on the Internet. So there's tension. The IETF asks: can we randomize those identifiers? Or can we refresh them on a regular basis? Or can we not use an identifier which is burned into the network card by the device manufacturer? Should it be stored anywhere except on your computer? Basically we try to strike a balance between the usefulness of a permanent identifier and the potential privacy risk that it creates for correlation of activities over time.
CJ: When do you start as IETF chair? What does that role involve?
AC: I start at our next meeting, which is the week of March 26th in Chicago.
I will be charged with leading the Internet Engineering Steering Group, which provides the technical oversight for the IETF. I'll also be generally responsible for keeping the trains running on time—making sure all the different pieces are on track and we have support to get our standards published. The IETF chair is a key member of all of the IETF leadership groups that define strategy and oversee the production, review and publication of standards.
The IETF operates on a model called "rough consensus". What that means is we don't actually vote about anything. When we are deciding whether we should publish a particular standard, people come together and state any objections—we try to adopt changes to address the objections, or we at least acknowledge the objection. Once we have rough consensus documented in a "Request for Comments" (RFC), the IETF chair is then responsible for representing these consensus positions externally. There are more than 8,000 RFCs. In theory I'll be responsible for explaining that body of work when there is a debate about a technical topic in the networking industry.
CJ: The size and breadth of the IETF's work is pretty remarkable! What are some of the big discussion topics right now?
AC: IoT, virtualization/automation and security are three technical trends that we have been grappling with for awhile; they will likely continue to absorb a lot of focus.
The standards landscape for IoT is fragmented and would benefit from some consolidation. The IETF will continue to play an important role. We've already done lower layer networking standards for IoT—like how do you run IPv6 over existing IoT access technologies. We'll continue to focus on that but my hope is that we'll also bring it up a level. For instance, we need to get it so that one manufacture's light bulb understands another manufacturer's switch. For that to happen, manufacturers need to represent "on" and "off" the same way. That's called "semantic interoperability", and it's lacking. I hope to see progress there, and also in IoT security.
We also have work going on around automation, network virtualization, and software-defined networking. This whole revolution around taking the intelligence out of hardware and putting it into software in terms of how we route Internet traffic and how we manage it, how we orchestrate network operations—it's going to continue in the industry and at the IETF. Through the IETF's work, the industry has settled on a "model-driven networking" approach to boost interoperability and avoid creating massive industry fractures.
Certainly security in general has been a huge focus for us, even more so over the last couple of years. We all still use many protocols that were defined in the 1990s, before there was as intense of a focus on security as there is today; the IETF is working to beef those up and create more secure versions.
Cisco is deeply invested in the growth of the Internet, and we have always recognized the importance of open standards, so it's natural that we will continue to strongly support the IETF. CJ: IoT, SDN, security—those are key areas for Cisco as a whole. And Cisco has been a big supporter of the IETF for a long time—can you talk about that?
AC:Cisco is deeply invested in the growth of the Internet, and we have always recognized the importance of open standards, so it's natural that we will continue to strongly support the IETF. We invest because these standards are at the very core of our business. However, it is also interesting for us because things are changing. For a lot of the core networking standards, the focus has shifted to operationalization, management, orchestration, and new services. The IETF community is also recognizing that open source is a new outlet for their energy, and there are questions around how open source and open standards work together. For Cisco it is very important to make sure both open standards and open source continue to co-exist and are symbiotic. Weaving the two together is going to be very important for us as an industry moving forward and Cisco has spent a lot of effort and resources to catalyze that relationship.
CJ: You spend about half your time on IETF; the other half you spend in Cisco's Collaboration Technology Group. What do you do there?
AC: I work on Jonathan Rosenberg's CTO team and focus on privacy, policy, and regulatory issues. I work closely with engineering teams as they make design decisions that could affect privacy. When I joined three years ago, we needed to make big decisions as we started to develop Cisco Spark. We were transitioning from premise infrastructure that didn't collect any data to the cloud where all sorts of data might be collected. I spent a ton of time with the team thinking through the architecture; what data we would collect; how we would secure it; who would have access to it and how long we would retain it.
I also lead these types of conversations throughout Cisco and liaise with other parts of the company to align our strategy on privacy and regulatory issues.
CJ: From your perspective, what is the biggest accomplishment in the Cisco Spark platform?
AC: The end-to-end encryption is remarkable. It has yielded a superior product while challenging the team to be innovative in its development process. When you're building this kind of messaging product, frankly, you're used to having immediate access to the content of the messages so you can refine the product and debug. The Cisco Spark team doesn't have that—it has never had that. Frankly, other teams would have abandoned the idea long ago. The fact that the team has built this product from that commitment to security and privacy is a huge accomplishment. It is a huge differentiator. Totally embedding it into the design required a huge mindset change.
See also: Meet Cisco Spark Board
CJ: How did you get into this field in the first place?
AC: I started programming a little in high school and just really liked it. It was like a big logic puzzle. So I studied computer science at Stanford. But I always wanted to do something that had an impact on people; I couldn't see myself building some obscure piece of software that's only deeply embedded in the internals of a product; I've always known that would never be for me. I took two classes in college on technology policy and those were some of my favorites.
After college my then boyfriend now husband got a job in DC and so I was looking for jobs there and I found the job at CDT which was really perfect—I could be a technical person but I could also have an impact on something that matters to people. In that role I got to do some small research projects, the aim of which was to influence policy. Through that experience I decided to see if I wanted to do research full time, so I went to Oxford to get my PhD. and…
CJ: Wait. Let's pause there because that is very, very cool. How long does it take one to get a PhD from Oxford?
AC: It took me four years. They tell you that you can do it in three but I was also working part-time and stayed active in the IETF throughout; I didn't want to leave the workforce for fear that I'd become a permanent student and never go back. When I finished, the opportunity at Cisco came up and it seemed like such a great fit. I wanted to keep working with the IETF and continue working on privacy matters and Cisco was the best place for me to do both.
CJ: You've definitely blazed your own trail. How did you do that? And what advice do you have for others?
AC: It's not easy—you have to get and stay really in tune with yourself. In tech I was struck by how cookie-cutter the jobs being offered were. "You will be a client software developer or you will be a cloud software developer. Here is the job description – you will do these ten things." That will never sing to me. The first step of blazing your own trail is recognizing what really motivates you and gets you going and makes you want to get up and go to work every day. Finding people who have similar interests or have done it before you –that's important. I didn't set out to blaze my own trail. I set out to do something that was satisfying and interesting and oh by the way also pays the bills. It's not always possible, but you won't find out if you don't try.
CJ: You said you were interested in coding in high school. I think it's fair to say that's not the top choice of most high-school girls. Did you have a mentor at a young age?
AC: Well, I did – but it wasn't a woman and it wasn't a computer scientist. It was my dad. He is brilliant and driven and has a remarkable life story. He went to college when he was 16, and while he was there his father died and he basically took over running both the household and the family laundromat business …and then went on to get his PhD. from Yale. He always wanted me to do the thing that I was most interested in, the thing that makes me happy. That's the biggest lesson I learned: follow your passion.
CJ: Wow—that's a great story. I also heard that you are a gymnast and a triathlete. Can you tell me about that?
AC: I was a gymnast my whole life until I graduated college. I started when I was four, competed at the elite level in high school and later at Stanford. It was an amazing experience and my teammates are still my best friends. It's how I met my husband—he is a gymnast, too. For most women—myself included—you can't really do gymnastics past age 20 or so for safety purposes so I needed to find something else to do. I had always run and swam for fitness, so in the mid 2000s I started doing Olympic-distance triathlons. Since I had a baby—a girl, she's now two—I haven't been racing competitively – only racing after her.
CJ: What are your thoughts on the US travel ban and its impact on the IETF's work, and the current political climate in general—does it pose any challenges for the IETF?
AC: The current chairs of the IETF leadership bodies wrote this blog post regarding the travel ban. It's a good articulation of the potential impact and I agree with what they said.
Regarding the political climate, there has always been a certain amount of tension between the notion of a "borderless" global Internet and nations' desires to exercise their sovereign rights within their borders. Part of what everyone loves about the Internet is how easy it is to connect to people and services regardless of where in the world they are. But of course, governments have a desire to regulate within their own territories. And that can mean we end up with different rules about who can travel to where, which data can be stored where, which encryption algorithms can be used where, and how services can be designed or delivered to different populations. Those differences present challenges to the seamless interconnectivity that is at the core of the Internet. The rise of nationalist policies and politics that we're currently seeing has the potential to exacerbate this tension in all of these ways and more. The IETF develops standards for the whole Internet — not for any single jurisdiction or for the tenure of one administration. No one knows exactly what developments are coming down the pike, but I think we can expect to see that aspect of our work face some intensified challenges in the near and foreseeable future.