Alumni Profile: Josephine Wolff
Josephine Wolff (TPP ’12, ES ’15) is the Assistant Professor of Cybersecurity Policy at Tufts University’s Fletcher School of Law and Diplomacy. She researches cybersecurity policy and cyber-insurance, and is the author of “You’ll see this message when it is too late: The Legal and Economic Aftermath of Cybersecurity Breaches.”
What brought you to TPP, and what did you research while you were here?
I studied math in college and spent the summer before my senior year interning at the Department of Defense while U.S. Cyber Command was being set up. I was aware of cybersecurity as a growing area of interest within the government at exactly the moment when I was realizing that I was not going to be a great theoretical mathematician and should probably pursue some more applied topic in graduate school.
On top of that, I was working all summer at an air-gapped computer, so I did not have access to the Internet – but I did have access to a cached, offline copy of Wikipedia. So while my code was running at work I would browse month-old Wikipedia articles, including one that listed technology policy graduate programs, which was where I first learned about TPP.
In TPP, I studied cybersecurity policy with David Clark in the advanced network architecture group in CSAIL, primarily focusing on different opportunities for intervening in cyberattacks and the relative advantages and disadvantages of targeting defensive interventions at different stages of those attacks.
Where did you go after TPP? What kind of work and/or research have you been doing?
After TPP, I finished my PhD in MIT’s Engineering Systems Division and then took a job as an assistant professor at Rochester Institute of Technology, where I taught for four years in the public policy and computing security departments. My research during that time focused on expanding and revising some of the cases I worked on for my dissertation into a book. “You’ll see this message when it is too late: The Legal and Economic Aftermath of Cybersecurity Breaches” (MIT Press, 2018) looks at how cybersecurity incidents play out in the years following their discovery and who ends up paying for them, being blamed for them, and being held responsible for fixing the shortcomings they bring to light. This summer I started at Tufts University’s Fletcher School of Law and Diplomacy as Assistant Professor of Cybersecurity Policy.
What is a focus for your work now, and how did TPP help you on your journey?
Right now, I’m focused on looking at the growing market for cyber-insurance, especially how insurers are assessing and pricing these types of risks and what sorts of disputes emerge when their customers try to file claims under these relatively new and often ambiguous policies. I’m especially interested in the question of whether there’s a role for regulators in trying to standardize and clarify these insurance policies, and also perhaps prohibit some of the most damaging types of coverage, such as policies that cover ransomware payments and thereby directly fund criminal organizations and other attackers.
I’ve also been looking at some of the early complaints and fines under the EU’s General Data Protection Regulation as well as the different approaches countries have taken to funding cybersecurity workforce training and education initiatives.
TPP has fundamentally shaped my understanding of how regulators and governments around the world deal with the threats and risks posed by emerging technologies – and it has helped me think about how to frame my work to speak to both policy-makers and technologists, and draw on the respective skills and capabilities of each.
One of the great joys of returning to Cambridge has been reconnecting with the many fellow TPPers still in the Cambridge area, especially Tommy Leung ’12 and Nathan Perkins ’11, who live upstairs from me and often make me dinner (Tommy) or hang pictures on my walls (Nathan) when they’re not working on their extremely cool protest tracker site, countlove.org.