How the Galactic Empire Got Cyber Security Wrong All Three Times
“Always pass on what you have learned.” – Master Yoda
Who says you can’t find real-life cyber security lessons in an epic space opera that has reigned in over 40 years’ worth of pop culture admiration? While the time-proven Star Wars media franchise tells the story of intergalactic relations, an ongoing war pitting good against evil, and the timelessness of friendship and hope, it surprisingly lends more insight than you may think on the importance of protecting your assets from cyber criminals. Let’s talk about Star Wars cyber security.
A crucial part of maintaining a healthy operation is debriefing and reflecting on Lessons Learned regularly. Lessons Learned is knowledge gained over the course of conducting a project. The process includes identifying, documenting, analyzing, storing, and retrieving all feedback and recommendations at the end of the project before starting the next one. The goal is to repeat the positive aspects of the project and learn from any mistakes or missed opportunities.
In cyber security operations, the learning phase of incident response is a crucial step that can help organizations fortify their preventative measures and move faster against forever-evolving cybercrime. After the resolution of any security incident, holding a Lessons Learned session means investigating the root of the issue, measuring how well an incident response plan was carried out, identifying areas of improvement, and drafting a plan of action for remediation.
When we look at the fate of the Galactic Empire throughout the Star Wars saga, we see that Emperor Palpatine’s obsession with creating colossal planet-destroying weapons fails to succeed in bringing down the Rebel Alliance not once, not twice, but three times. The Death Star, in all its iterations across Episodes IV through VII, is the epitome of failure due to lack of proper Lessons Learned analysis. This May the Fourth, let’s delve into where poor Palpatine went wrong and shed some insight on Star Wars cyber security and why his critical infrastructure Death Stars always end up exploding with Michael Bay-esque fury.
Death Star No. 1
Consider: Star Wars: Episode IV – A New Hope
What Went Down: In the throes of an intergalactic civil war, Rebel Alliance spies manage to steal schematics of the Galactic Empire’s Death Star, a massive space station super-weapon with enough power to destroy an entire planet and bring the universe to its knees. Imperial Senator Princess Leia, a Rebel leader, obtains the Death Star plans but is captured. Before being detained, she hides the plans in an unassuming astromech droid, R2-D2, who makes off in an escape pod with instructions to seek out Jedi Master Obi-Wan Kenobi for help. The plans reveal the Death Star’s one hidden vulnerability – a thermal exhaust port that leads directly to the station’s main reactor core from the surface. If the Rebels could trigger a chain reaction through that design flaw, they could destroy the Death Star.
Consider: Star Wars: Rogue One
What Went Down: In this prequel to A New Hope, we learn that the Death Star project is wrought with constant delays and setbacks until Orson Krennic, Director of Advanced Weapons Research for the Imperial Military, forcibly recruits scientist and designer Galen Erso. In an act of resistance, Erso deliberately sabotages the design by adding the very same vulnerability that Luke Skywalker exploits years later. Directly before the events of A New Hope, Erso’s daughter, Jyn leads a small squad of Rebel volunteers to raid the Empire’s databank and steal the Death Star schematics. They successfully transmit the data to a Rebel command ship where Princess Leia declares that the plans will provide hope for the Rebellion going forward.
Summary of Mistakes:
- Poor protection of sensitive data: Not only was Jyn Erso’s team able to infiltrate the Imperial database, it was also able to steal and broadcast the data back to a Rebel resource where it was later used to bring down the Death Star. The data was not encrypted allowing the Rebels to formulate a precise exploit with relative ease.
- Lack of audits and penetration testing: If the Empire had performed adequate security audits and penetration testing on the station post-build, they would have identified Galen Erso’s sabotage and patched the critical vulnerability before declaring the station operational. It is easy for vulnerabilities to be introduced unknowingly when using third-party contractors and developers. Regular audits would have caught the security flaws and made sure that the design and product were up to standard.
- Deliberate negligence: When your IT department/SOC Team raises an issue, please take it seriously. Admiral Motti had to learn the hard way after shutting down General Tagge’s warning about the Death Star’s vulnerability. Let the force choking commence.
- Lack of intrusion detection systems: Once the rebels infiltrated the station, none of the operating staff received alerts notifying a power outage for a critical infrastructure system. Once Obi-Wan disabled the tractor beam, it allowed the others to escape and continue their assault on the Death Star. With primary power down, there was no backup source to support the system.
- Lack of network segmentation: If there had been additional layers of protection around the design flaw and the main reactor core properly isolated, then the Rebel’s torpedo attack in the exhaust port would have been contained locally rather than leading to a chain reaction that ultimately destroyed the station.
Status of Death Star No.1: PWNED
Death Star No. 2
Consider: Star Wars: Episode VI – Return of the Jedi
What Went Down: After the destruction of Death Star 1.0 in A New Hope, Emperor Palpatine decides to have a second go at constructing his massive planet-killing laser – but it doesn’t seem as if he’s taken any Star Wars cyber security lessons to heart. This time the station is at least protected by an energy shield projector as efforts to complete its construction take place. Han Solo leads a ground strike in collaboration with local Ewok guerrilla fighters to destroy the shield generator. With the main means of protection compromised, Rebel pilots Lando Calrissian and Wedge Antilles fly directly into the station’s main reactor core and take down Death Star 2.0 in an organized missile attack. Sound familiar?
Summary of Mistakes:
- Lax physical security measures on premise: The Rebels stole the Tydirium, a small Imperial shuttle instrumental in their infiltration mission on Endor where they worked to disable the shield generator protecting the half-built Death Star 2.0.
- Lack of Star Wars cyber security education in staff: Using fake credentials and old clearance codes, Han Solo’s team of commandos used classic social engineering methods to be cleared for access and have Endor’s shields deactivated. Though Sith Lord Darth Vader was able to use the Force to sense a ploy ahead, the traffic controller was ready to accept the older code and clear the shuttle for entrance. Had Vader’s staff been better educated on identity and access management, the Rebels would have been intercepted immediately and never stepped foot on Endor.
- Lack of Lessons Learned in design and defense systems: Although the second Death Star was much larger compared to its predecessor and able to fire more frequently, it still contained a laughably similar design flaw that we saw in version 1.0 and only one main method of protection. Once the planetary shield projector on Endor was destroyed by Solo’s ground attack efforts, the Rebel Fleet was able to detonate the reactor core.
Status of Death Star No. 2: PWNED again – this time with little excuse.
Death Star No.3 (re-branded to ‘Starkiller Base’ but we aren’t fooled)
Consider: Star Wars: Episode VII – The Force Awakens
What Went Down: Set 30 years after the Galactic Civil War, the fallen Empire has regrouped and undergone a major rebranding scheme, now calling themselves the First Order. Despite their PR efforts, they have gone right back to what they do worst – building yet another planet-based weapon of mass destruction. Much like the second Death Star in comparison to the first, the ‘Starkiller Base’ (read: Death Star 3.0) boasts only some surface-level and showy improvements but fails to enhance its cyber security defense mechanisms by much. The Resistance, led by General Leia, devises a plan to attack the base’s thermal oscillator (read: main reactor core 3.0) by deactivating its protective shields and targeting the oscillator in an X-wing assault effort. With the oscillator core destroyed, the Starkiller Base implodes as the Resistance fighters take yet another victory. We’re getting bored here, Palpatine.
Summary of Mistakes:
- Undermanaged biometrics: A lot of sneaking around happens in The Force Awakens particularly aboard First Order property. This was enabled by their possession of a captain’s medallion that allowed the resistance fighters to maneuver within any Imperial territory without anyone knowing better. With high-level clearance and access to all portions of Imperial fleets, the group was able to move laterally and execute their reconnaissance.
- Data leaks and betrayal from internal sources: Early in The Force Awakens, we learn that a mole within the First Order had been feeding the Rebellion with critical information.
We later learn in The Rise of Skywalker, after Rey and her ragtag group of fighters were finally discovered on a First Order ship, the indignant General Hux revealed himself as the spy, bypassed the lockdown procedures, and allowed them to escape.
- Using predictable, conventional pattern recognition systems: Our heroes realized that the Starkiller Base’s planetary defense shield was only able to protect against objects travelling slower than the speed of light. Exploiting this flaw, the Millenium Falcon jumped through hyperspace to bypass the shield and then survived a crash landing once through.
- Lack of Lessons Learned in design systems (again): Using detailed scans of the base, defected First Order Stormtrooper Finn reveals a critical vulnerability they can leverage – if they were able to destroy the Starkiller’s thermal oscillator while the weapon was fully charged, it would destroy the entire structure inside out. After blowing charges to the access tunnel leading directly to the oscillator, what we see here is, yet another single point of vulnerability attacked by a one-person ship with missiles.
Status of Death Star No. 3: …you guessed it. P-pp-p-pppWNED
“In a dark place we find ourselves, and a little more knowledge lights our way.” – Master Yoda
Establishing a Lessons Learned process is foundational to an organization’s success. With cyber criminals and threats moving faster than ever, it is crucial to learn as much as possible from previous security incidents, investigative data, and measure your response against industry standards.
Clearly, Emperor Palpatine couldn’t grasp the concept that throwing time, resources, and force lightning bolts at a flawed design wasn’t going to fix the problem. Combine his incredibly potent hubris with a habit of undermining Star Wars cyber security best practices and a flair for repeating the same mistakes, we get three scarily similar instances of total catastrophe for the Empire and himself. Star Wars fans throughout the years and going forward all cheer on our favorite heroes as they defeat the dark side of the force again and again, but the truth is that the Empire really didn’t make it too difficult for them to win. Bottom line? Don’t be like Palpatine.
As always, may the force be with you, but also…may the ability to learn from your lessons be with you even more.