The Buzz

What Star Wars Can Teach Us About Cybersecurity

The new Star Wars movie, The Force Awakens, comes out in about a month. As with most people, I can’t wait for the new movie. I’ve been re-watching the old ones–except for The Phantom Menace, it’s terrible–and getting hyped for the new release.

In re-watching the old movies, I’ve been struck by just how bad the Empire was at cybersecurity. It’s not surprising given that the Empire, despite its resources and power, had some pretty glaring security gaps. I mean, who builds the most complex and destructive weapon in the galaxy and equips it with a single point of failure in the form of an exhaust port? Its cybersecurity gaps don’t fare that much better. In fact, three critical cybersecurity improvements would have made it much more difficult–if not impossible–for the Rebel Alliance to defeat it in Return of the Jedi.

1. Limiting Access Controls:

This is probably the Empire’s biggest vulnerability. Based on what we know from R2-D2 plugging himself into every foreign computer imaginable, the Empire didn’t employ basic access controls. Anyone plugging into an Empire-controlled network could find out anything they wanted to know. That’s how R2-D2 was able to find out where Princess Leia and the tractor beam controls were in Episode 4 (Star Wars/A New Hope). It’s also how R2-D2 was able to find out from the Cloud City network–presumably under the control of the Empire, given Lando’s terrible deal making–that the hyperdrive on the Millennium Falcon was deactivated at the end of Episode 5 (The Empire Strikes Back). Good access controls give people access only to the computer functions they need to do their jobs, and should prevent anyone who connects to a network from reaching the whole thing. That’s why, in most companies, you have to ask your IT department to install new software. When hackers infiltrate a network, generally their first priority is to find ways to gain more network privileges. Had the Empire implemented even basic access controls, there’s little chance that R2-D2 would have been able to access everything he did.

2. Two-Factor Authentication:

The lack of two-factor authentication is also a huge problem for the Empire. Two-factor authentication essentially requires someone to present two credentials to access a system or device, like a password and a security token, instead of a password alone. Had the Empire actually deployed two-factor authentication throughout the Death Star, it would have been impossible for Ben Kenobi to deactivate the tractor beam in Episode 4. You could make the case that some form of Jedi meditation or mind trick could have gotten him over this obstacle by correctly guessing the two forms of authentication he needed, but in the Star Wars canon, those techniques don’t work on non-organic things like computers or droids. In the same movie, R2-D2 also would have had a much harder time shutting down the garbage compactor on the detention level, possibly not leaving him enough time to save Han, Leia, Chewie and Luke.

3. Encrypting sensitive data:

The Empire has a patchy record with encryption. In Episode 5, they actually seem to use it. When the Rebels discover an unknown transmission on Hoth early in the movie, they can’t decipher its contents. C-3PO, whose primary function is translation and protocol, admits to the Rebel radio operator that it could be an Imperial code but doesn’t provide any more information, leading us to believe that the message is encrypted. If only the Empire had used encryption for all of its sensitive data, like the blueprints for the Death Star. It’s also pretty appalling that they didn’t encrypt the fact that they had deactivated the hyperdrive on the Falcon in Episode 5. Even with sloppy access permissions, encrypting that fact would have meant it took longer for R2-D2, Chewie and Lando to figure out what was wrong with the Falcon as they escaped Cloud City. That delay would probably have given Admiral Piett more time to activate the Executor’s tractor beam and recapture them.

It’s probably impossible to argue that the Empire’s poor cybersecurity practices led to its downfall. After all, the Star Wars universe is science fiction and there are probably ways the Rebels could have gotten around the security measures had they been in place. No security control is ever perfect.

Here’s hoping that Kylo Ren and the First Order step up their game in The Force Awakens.

Alex Grigsby is the assistant director for the Digital and Cyberspace Policy program at the Council on Foreign Relations.

This piece first appeared in CFR’s blog Net Politics here.

Image: Creative Commons/Flickr.