by Peter Fogarty
on December 08, 2016
Cyber Security & Data Privacy
Legal & Industry Education
It’s here. The next film in the Star Wars universe—Rogue One: A Star Wars Story—is on the verge of release. This post won’t contain spoilers, but previews have announced that Rogue One will set the stage for the original Star Wars film (Episode IV: A New Hope), following a band of rebels whose mission is to steal the secret plans for the Death Star.
There are many opportunities to find connections between Star Wars and e-discovery. In fact, Princess Leia is originally introduced as a “custodian” of stolen plans, and the first words spoken to Darth Vader on screen describe a digital forensics investigation: “The Death Star plans are not in the main computer.”
This recurring focus on stealing, concealing, and pursuing critical data got us thinking: would there even be a Star Wars film series without the themes of physical and cybersecurity? Is the entire saga a parable about an organization’s failure to adequately address security risks and the plucky ingenuity of a group of revolutionaries who seek to exploit them?
To test this theory, we consulted with kCura’s own chief security officer, Bill Lederer (aka, “Security Bill”), about common online and physical threats and how they played out a long time ago in a galaxy far, far away. His conclusion was clear: the Empire may have been immensely powerful and eminently ruthless, but they were terrible at security. The kind of terrible that gets all your best ideas stolen and all your most powerful people and resources destroyed by a cabal of rogues and teenagers.
So where, specifically, did the Empire go wrong? Let’s look at three key security preparedness tips and how they played out in the Star Wars series.
"Evacuate? In our moment of triumph? I think you overestimate their chances." — Death Star commander Grand Moff Tarkin, moments before his station’s annihilation
Perhaps the greatest flaw in the Empire’s security strategy is their inability to give credence to their own vulnerabilities. In fact, the first scene set within the Death Star in A New Hope reveals a vigorous debate between members of the high command. One general implores the group that “we are vulnerable,” arguing vociferously that “if Rebels have obtained a complete technical reading of this station, it is possible, however unlikely, they might find a weakness and exploit it.”
However, blinded by pomposity, Imperial leadership sides with the counterpoint—that any attack against the Death Star would be a “useless gesture” even with the stolen data.
This sort of arrogance and contempt for one’s adversaries is at the root of many issues in today’s security landscape. When an organization (or even an individual person) feels they are invincible, it will almost always fail to commit to the people, technology, and practices necessary to protect itself from both large-scale and small-scale incursions. The humility in acknowledging vulnerability will always pay off in the end.
"The Empire doesn't consider a small, one-man fighter to be any threat." — Rebel General Dodonna, shortly before a small, one-man fighter destroys the Death Star
Along with their arrogance, the Empire’s leadership was strikingly unimaginative. Because their power was derived from brute strength, they naively assumed that brute strength would be their only adversary. The rebel pilots being briefed for their attack on the first Death Star are informed it is “heavily shielded and carries a firepower greater than half the star fleet. Its defenses are designed around a direct, large-scale assault.” In other words, the designers and strategists of the Death Star defense plans thought big—and left it at that.
Subsequent Star Wars films show the Empire repeatedly trapped in its unoriginal thought patterns. In The Empire Strikes Back, the Millennium Falcon is able to evade detection by landing directly on one of the Empire’s Star Destroyers—yet none of the vessel’s crew remotely considers this possibility (even a swiftly offered apology can’t forestall Darth Vader’s termination of the ship’s commanding officer, Captian Needa). Similarly, in Return of the Jedi, Imperial forces greatly underestimate the spirit and ability of the cuddly, teddy bear-like Ewoks to engage in ferocious battle. The little monsters ultimately defeat a battalion of Stormtroopers protecting critical energy shield generators on the moon of Endor.
As Security Bill explains, many of the most significant security lapses in recent times have been the result of this sort of “failure of imagination.” From terrorist attacks to hacks, leaks, and data breaches, governments and corporations are often shocked by the tactics of those conspiring against them. By investing time and energy into considering any and all scenarios and adversaries, you can render such attacks inert before they ever come to fruition.
"That’s nothing. Top-gassing. Don’t worry about it." — Death Star Stormtrooper, ignoring strange noises as Obi-Wan Kenobi escapes behind him
The phrase “If you see something, say something” has become a cliché in a world where we’re constantly reminded to be vigilant, but it’s amazing how little attention Imperial employees paid even to seemingly obvious threats and warning signs. Whether the result of poor training or lack of accountability, there are countless examples across every Star Wars film where a single soldier or staffer could have thwarted the entire Rebellion by speaking up or taking better-informed action.
Glaring examples of this neglect include:
So would a better approach be provoking an organizational culture of fear and anxiety over “insider threats?” On the contrary: as Security Bill puts it, each employee is best served with training and empowerment to become an “insider defender.” This includes regular security refreshers, compliance quizzes, status reports, and tips on how to create a safer, more secure environment for not only employees, but ultimately customers.
As you cheer on the heroes of Rogue One, remember that while rebellions are built on hope, a good data security plan isn’t. Don’t be like the Empire, digging in your heels and doubling down on antiquated strategies in the face of rapidly evolving security threats. Instead, learn and adapt with the changing landscape. Stay on top of your game with webinars, blog posts, Relativity Fest sessions, and Relativity User Group meetings.
What other security lessons can you take away from the Star Wars saga? Let us know in the comments or @kCura on Twitter, and we might feature your insights in an upcoming blog post.
Peter Fogarty is an instructional design lead on kCura’s education team, focused on developing and delivering educational materials for Relativity users, including in-person trainings, webinars, and interactive tutorials.
Now in Relativity Analytics: 3 Customer-Driven Enhancements
4 Ways to Move e-Discovery Data That You May Not Know About