I have been isolating and getting back into Star Wars. And even though I hate these “This is what Sex and the City can teach us about X”-type of articles, I really did think we could learn a lot from the downfall of the Death Star – in particular about cybersecurity. So please bear with me as we travel to a galaxy far, far away…
Don’t underestimate your enemy
First off, we need to look at the Death Star, a weapon capable of destroying entire planets. Nuking it was an excellent idea (spoiler alert). But there was a reason that Luke Skywalker was able to do so: Princess Leia found the blueprints and located a major security flaw, essentially enabling him to take down the entire Death Star with only two proton torpedoes and a little help from The Force.
Now why in the world would the Empire leave an exhaust port completely open for attacks? Well, as a big mighty Empire they didn’t even consider a small one-man fighter a danger. They were busy frying bigger fish, and the shot would need to be so incredibly precise that they considered it unlikely to ever happen. Little did they know that Luke Skywalker used to shoot womp rats on Tatooine.
Arrogance like that is always the enemy of protecting critical infrastructure. You’d have to be quite a half-witted, scruffy-looking nerf herder to think your system is perfect. No matter your brilliance, systems always have weak points. This is why many businesses now employ white hat hackers: Your personal Luke Skywalker, hurling torpedoes at your systems to ensure you find the exhaust ports before the rebels do. In most cases, no womp rats need be hurt.
The human element
Alright, but why was the exhaust port even there to start with? Here, as is often the problem with cybersecurity, there was a human weakness to be exploited by the rebels: Galen Erso, the main engineer behind the Death Star, had plenty of reason to design a system with vulnerabilities, as Darth Vader had literally kidnapped him.
In many Earth-based cybersecurity incidents, it is also the human element that endangers the whole system – in this case it’s not a grudging engineer held against his will, rather Benny from accounting. If Benny is not well-informed on cyber threats, he’s gonna open one faulty link in an email and down comes the entire orbital space station.
Phishing, as it’s called here on Earth, accounts for 90% of all cyber-attacks. That’s 90% of your attacks depending on Benny knowing how to handle his emails. Knowing what people work for you and how they’re likely to respond is key to keeping mission critical infrastructure up and running. Don’t let spyware ruin your intergalactic peace of mind.
Don’t be a Darth Vader
Alas, here we are with an exhaust port wide open for attack – yet the rebel scum don’t know it exists. All is well as good old Count Dooku is the only dude in the universe with the plans on a Lucas-films version of a thumb drive. The plans then travel from Dooku to Darth Sidious, to Palpatine (according to Wookieepedia) and honestly I’m surprised things didn’t go wrong already there. The number of times the complete plans could have been intercepted… Have you not heard of secure file exchange!?
But alright. Death Star is in the making, finally, after years of hot potato’ing between Counts and Darths. I understand that Darth Vader must have been very proud, and I get it. But he really messes everything up for himself, as he brags about his awesome plans to some Rebel Leaders that he was planning to execute. Don’t you hate it when this happens in movies? The bad guy always has to reveal his plans before off’ing the good guys. Good guys escape and now privileged information is out there for the Rebels to use.
Similarly, in business you’ve probably heard expressions like “don’t tell anyone but […]” or “I shouldn’t be telling you this”. It’s a sure tell-tale sign that someone is “doing the Vader”. It’s extremely simple, but for some people it’s incredibly hard to understand: Don’t share sensitive information with outside parties! Noticed how this always goes wrong in the movies? It does in real life too!
The Empire did one thing right
The smartest decision Palpatine makes is to split up the plans and send them to different places in the galaxy. We’ll assume here that it was split into so many parts that it was not possible to reverse engineer the plans without all parts. I guess you could call this an analogue version of encryption: Without all the parts (keys) you’re simply unable to decipher the blueprints.
The bad news was that the Rebel Alliance went through quite a few successful missions (go Toprawan Rebels) and essentially brought all the plans to Princess Leia. From then on, you probably know the story (otherwise I’m guessing this article is quite confusing to you): Plans go to R2-D2, R2-D2 goes to Tatooine, Luke finds him, then they find Obi-Wan, the whole “you’re my only hope”-thing happens and essentially Luke ends up saving the day, turning the Death Star into an overpriced firework.
So, what did we learn?
I’ll admit to you that I lied a little in the title of this piece. What ultimately brought down the Death Star was not a thermal exhaust port, it was the people that built the Death Star that caused its demise. Actually, when you look back at it, the cybersecurity was abysmal – if it hadn’t been the exhaust port, those clever rebels would probably have found another way to ruin Vader’s show.
But apart from the systems being faulty, they also completely overlooked how critical human interaction is to keeping systems safe. It only takes one clicking Benny, one bragging Vader, one annoyed engineer to open up massive holes in the security net. So, don’t be like the Empire, guys. Fix your exhaust ports and educate your people.
Wanna know more about how we can help protect your Death Sta… power plant, factory or buildings? Check out our “Securing Digitalization”-website (less Star Wars, more concrete tips).
Also check out this other article “Targeting the Ego”, essentially about not being a Darth Vader with your information.