Star Wars: Lessons in Cybersecurity
Star Wars is in many ways a story about a data breach of the Empire’s plans for its most valuable IP- the Death Star plans, and the Empire’s poor response to the breach. On this Star Wars Day (May the Fourth), let’s look at some of the cybersecurity lessons learned.
One huge mistake the Empire made was not encrypting the Death Star plans. Had the plans been encrypted, with the keys stored separately from the data, the stolen copy would have been unreadable to the Rebel Alliance, and the Empire might have ruled the galaxy forever. Unfortunately, many businesses make this same mistake, and do not realize that encrypting data at rest is easy. On Macs, you can use FileVault to encrypt your information. PC encryption can be accomplished with Windows’ BitLocker. For Apple iOS devices, encryption is the default setting. And, Android device encryption information can be found here. One caveat: disk encryption protects data on a lost or stolen device or drive; it does nothing against an attacker who is already logged in with valid credentials, which is why it has to be paired with the access controls discussed next.
There were multiple times that the Rebellion would have been crushed (one time, literally) had it not been for R2-D2’s ability to take advantage of the Empire’s poor cybersecurity. After the Rebels penetrated the physical security of the Death Star, R2-D2 was, as Obi-Wan Kenobi said, “able to read the entire Imperial network.” Doing so enabled him to:
- learn the location of the tractor beam controls, along with schematics that allowed Kenobi to disable it and allow the Rebels’ escape;
- obtain prisoner detention data, including the information that Princess Leia was being held prisoner on the Death Star, on level five, in detention block AA-23, and scheduled to be “terminated”; and
- at Luke Skywalker’s request, “shut down all the mashers on the detention level” and save the Rebels from being crushed.
None of that would have been possible had the Empire placed restrictions on who (or, in the case of a droid, what) could access its network. R2-D2 never authenticated at all; he plugged into a computer socket and was trusted from that moment on. A better practice would have been to implement the principle of “least privilege access,” which means limiting each user’s network access to the minimum that still lets the organization function. This essentially means giving people (or droids) the lowest level of user rights that still allows them to do their jobs, and giving anyone not on the approved list no rights at all.
In Star Wars, the Empire should have had a list of approved users who could access the network and restrictions in place based on job duties: CEO Palpatine and CSO Vader get the highest level of access, Stormtroopers get the lowest level, and those not on the approved list (such as Rebel droids) get no access.
In the real world, businesses have faced regulatory enforcement actions for not implementing this layer of cybersecurity. One example is the FTC’s case against Twitter. In that case, Twitter granted almost all of its employees the ability to exercise administrative control of the Twitter system, including the ability to reset a user’s account password, view a user’s nonpublic tweets and other nonpublic user information, and send tweets on behalf of a user. By doing so, Twitter increased the risk of a serious breach.
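The two ideas above, an allowlist of approved identities and a role that grants only what the job needs, with a deny-by-default check, plus an audit query for the Twitter problem of nearly everyone holding admin rights. This is an added example written for this post; it is not code from the page, from the FTC matters it cites, or from any real product, and the roles, permissions and identities are assumptions chosen to mirror the article's org chart.

```python
"""Deny-by-default, role-based access control for an 'Imperial network'.

Added example for this post; the roles, permissions and identities below are
assumptions, not data from any real system.
"""
from dataclasses import dataclass

# Permissions map onto the things R2-D2 was able to do (assumed names).
READ_SCHEMATICS = "schematics:read"            # tractor-beam location and plans
READ_DETENTION = "detention:read"              # prisoner records
CONTROL_MASHERS = "mashers:control"            # detention-level trash compactors
CONTROL_TRACTOR_BEAM = "tractor_beam:control"
ADMIN = "network:admin"                        # reset passwords, change roles, ...

ALL_PERMISSIONS = {READ_SCHEMATICS, READ_DETENTION, CONTROL_MASHERS,
                   CONTROL_TRACTOR_BEAM, ADMIN}

# Role -> permissions. Each role gets only what its job needs; there is
# deliberately no role for identities that are not on the approved list.
ROLE_PERMISSIONS = {
    "ceo": ALL_PERMISSIONS,
    "cso": ALL_PERMISSIONS,
    "engineer": {READ_SCHEMATICS, CONTROL_TRACTOR_BEAM},
    "detention_officer": {READ_DETENTION, CONTROL_MASHERS},
    "stormtrooper": set(),      # may log in, but none of these operations
}

# Allowlist: approved identity -> role. Rebel droids are simply absent.
APPROVED_USERS = {
    "palpatine": "ceo",
    "vader": "cso",
    "eng-01": "engineer",
    "dt-4": "detention_officer",
    "tk-421": "stormtrooper",
    "tk-710": "stormtrooper",
}


class AccessDenied(PermissionError):
    """Raised when a subject lacks the permission for an operation."""


@dataclass
class Decision:
    subject: str
    permission: str
    allowed: bool


AUDIT_LOG: list[Decision] = []   # every decision, allowed or denied


def is_allowed(subject: str, permission: str, users=APPROVED_USERS) -> bool:
    """Deny unless the subject is on the allowlist AND its role grants the
    permission. An unknown subject never even reaches the role lookup."""
    role = users.get(subject)
    allowed = role is not None and permission in ROLE_PERMISSIONS.get(role, set())
    AUDIT_LOG.append(Decision(subject, permission, allowed))
    return allowed


def authorize(subject: str, permission: str) -> None:
    """Raise instead of returning False, so callers cannot forget the check."""
    if not is_allowed(subject, permission):
        raise AccessDenied(f"{subject!r} may not {permission}")


def shut_down_mashers(subject: str) -> str:
    """The operation R2-D2 performed with no check at all in the film."""
    authorize(subject, CONTROL_MASHERS)
    return "mashers stopped"


def admin_share(users=APPROVED_USERS) -> float:
    """Fraction of approved identities whose role includes ADMIN. The FTC's
    Twitter complaint described this fraction being close to 1.0."""
    admins = sum(1 for role in users.values()
                 if ADMIN in ROLE_PERMISSIONS.get(role, set()))
    return admins / len(users) if users else 0.0


def too_many_admins(users=APPROVED_USERS, max_share: float = 0.1) -> bool:
    """Audit check: flag when more than max_share of accounts hold ADMIN
    (the 10% threshold is an assumption for this example)."""
    return admin_share(users) > max_share


if __name__ == "__main__":
    for who in ("dt-4", "tk-421", "r2-d2"):
        try:
            print(who, "->", shut_down_mashers(who))
        except AccessDenied as exc:
            print(who, "->", exc)
    print("admin share:", round(admin_share(), 2), "flagged:", too_many_admins())
```

The point of `authorize` raising rather than returning a flag is that a missing check fails closed; the point of `AUDIT_LOG` is that a denied request from an unlisted identity (a droid at a wall socket) is exactly the event a security operations team wants to alert on.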
Of course, even those permitted to access a network should first be required to authenticate their identity. Ideally, in addition to having a strong password, two-factor authentication should be required. Two-factor authentication requires input of a second “factor” beyond a password. The most familiar form works like this: after a password is entered, a text message with a six-digit code is sent to the account owner’s cell phone, and that code must be entered after the password in order to access the account. Text-message codes are the weakest option, since phone numbers can be hijacked by SIM swapping; a code generated by an authenticator app on the phone, or a hardware security key, is stronger and just as easy to set up. Any of these provides an excellent additional layer of cybersecurity. For Gmail users, more information about two-factor authentication can be found here.
Learn from mistakes
Once the Rebels had the plans for the Death Star, they were able to find and exploit its vulnerability: a small fighter could fly in and hit the reactor core through an unprotected exhaust port, destroying the station. The Empire later (in Return of the Jedi) built a new Death Star, but failed to learn from its prior mistakes and again left the reactor core reachable by small fighters through a similar opening, which led to that station being destroyed as well.
In the real world, not learning from mistakes can be harmful to an organization’s reputation and bottom line, and can also lead to regulatory enforcement. One example is the FTC’s case against Wyndham Hotels. In that case, Wyndham’s inadequate cybersecurity led to three data breaches in less than two years (which involved the personal identifying information of more than 600,000 consumers). All three of Wyndham’s breaches were similar, and after each of the first two, Wyndham failed to take appropriate steps to prevent further compromise of their network.
May the Force, and good cybersecurity, be with you.