Liz Kelly | Social Program Manager
"A long time ago in a galaxy far, far away...."
That was the opening crawl that marked the beginning of the epic Star Wars series that took the world by storm and changed sci-fi, cinema, and pop culture since 1977 and well into the future. It is no secret that Lucasfilm has announced the release of another three films in 2025, 2027, and 2029.
This intergalactic adventure can teach us a lot about real-life cybersecurity issues, including the importance of strong and secure passwords. To celebrate Star Wars Day – May the 4th be with you – and World Password Day on May 5th, here are some cybersecurity lessons we can all learn from Star Wars.
1. Any Vulnerability Can Be Your Downfall
The Death Star was created to be the most impenetrable battle station in the galaxy and was the Galactic Empire’s pride and joy. However, it took a Trojan Horse in Star Wars: Episode IV – A New Hope, where Luke Skywalker and Han Solo were smuggled into the Death Star, to discover a weak point and wreak havoc. Luke launched two perfectly placed proton torpedoes into a small thermal exhaust port on the Death Star, thus blowing it to smithereens in seconds.
While the Galactic Empire thought the Death Star was impenetrable, it is a clear lesson that nothing is bulletproof, and there isn’t any 100% security. Even the tiniest vulnerability on devices could allow an adversary to sneak in malware. Computers, smartphones, and tablets all have software updates that need to be applied to patch security vulnerabilities, and these should be installed as soon as they are available.
2. Things Are Not Always as They Appear
Stormtroopers all look the same, and it is easy to steal their outfits and, with it, their identity. This was shown in Star Wars: Episode IV – A New Hope, where Luke Skywalker and Han Solo commandeer the outfits of two stormtroopers to move undetected within the Death Star and rescue Princess Leia.
Stealing identities is very easy, and only requires a couple of pieces of key information that criminals can exploit. Attackers are not using some kind of Jedi mind tricks. They’re using social engineering techniques to cloud our decisions and persuade us to take actions we might otherwise refuse. While Force projections cannot be “hacked”, accounts and networks can, so it is important to remember that what looks like one thing is often another entirely, especially regarding the internet and cyber threats. “On the internet, nobody knows you’re a dog,” was the caption of a famous cartoon of Peter Steiner that appeared in The New Yorker in 1993.
3. No Password is Required to Access the Entire Imperial Network
In almost every Star Wars movie, the droid R2-D2 plugs himself into the network on various ships, even the Death Star. From there, R2-D2 communicates with the central computer system, discovers valuable intelligence about where the Princess is, and even manages to disrupt vital components of the physical environment, such as the compactor unit and multiple doors allowing the Rebels to escape capture.
This highlights a couple of critical cybersecurity flaws. First, the lack of any authentication method – such as a code or password – allowed a random droid to plugin and gained immediate access to vital information and systems.
Second, a lack of network segmentation was evident. For example, in Star Wars: Episode IV, had the Galactic Empire divided the Death Star’s network into different independent segments, protected with strong access controls, R2-D2’s access might have been more limited.
4. I Find Your Lack of Faith in Cyber Security Disturbing
In Star Wars: Episode IV – A New Hope, Princess Leia talks about information vital to the rebellion’s survival in a recording she made for Obi-Wan Kenobi that was stored in R2-D2. That information turned out to be the plans for the Death Star, which ultimately made it into the hands of the Rebel Alliance.
One of the Galactic Empire’s generals pointed out that the rebels might find and exploit weaknesses within the Death Star with this information. However, the Admiral dismisses the warning stating, “I think you overestimate their chances!” But the plans allowed the rebels to identify that one weak point in the Death Star, formulate an attack plan, and ultimately destroy it.
The lesson learned here is that if your IT department or CISO warns you about a potential security vulnerability or threat, it is worth assessing the implications rather than dismissing it.
Furthermore, it shows that no amount of “faith” can replace necessary security measures. Trust can be your weakness in a world of dispersed computing systems and data. Instead, having a zero-trust stance can save you from many disturbing incidents. Better safe than sorry.
5. Social Engineering Can Make You Do Anything
When Luke, Obi-Wan Kenobi, R2-D2, and C3PO visit Mos Eisley, they get pulled over by some stormtroopers who are on the hunt for two fugitive droids. The stormtroopers ask questions and demand to see some ID until Obi-Wan uses a Jedi mind trick to convince them to let Luke go about his business and move along.
For the entire history of Star Wars, Jedi mind tricks have played prominently in the franchise. It’s no wonder why – when characters have such an ability at their fingertips, they will use it. Cybercriminals operate in much the same way, and since they have figured out social engineering, they rely on it quite heavily a lot of the time.
While a Jedi mind trick requires the power of the Force, cybercriminals will often use lies, charisma, and charm to play with human biases and get what they want from you. You should be wary of any social engineering attempts that cybercriminals undertake to get hold of confidential or sensitive data. Social engineering is manipulative, playing on people’s instincts and tendencies so insidiously that it almost does seem like a mystical Force is at play.
Conclusion
As Yoda famously says “Difficult to see; always in motion is the future.” This is especially true in cybersecurity – new threats emerge almost daily, so knowing what will happen tomorrow is impossible. However, much like the Mandalorian code of tradition or the Jedi teachings that continue to aid Rey and Finn long after the Jedi were thought to be gone, underlying cybersecurity principles never go out of style. Access management will always be a significant factor in protecting yourself and your data.
This is the way.