This week because of Star Wars Day has been a great week to rewatch Star Wars. I was watching Return of the Jedi, and entertainingly during the scene when Han Solo is trying to breach the entrance to the Empire’s bunker on the Ewok planet, I started thinking about how the Empire approached security. Initial attempts to tinker with the door lock don’t go so well so Chewy just blasts the doors open. Once they are inside the bunker, it is incredibly easy for them to blow up the systems and disable the shields around the Death Star. This is a typical traditional cybersecurity approach - protect the perimeter. This approach assumes that you can protect the perimeter and do not have to worry about securing the system endpoints inside because you assume bad actors (or in the case of Star Wars - the Rebel Alliance) can’t get inside.
The Empire seems to make this mistake often. In fact, the first movie in the series, Star Wars, A New Hope, shows our heroes getting on to the original Death Star. In fact, they were able to get on the ship using a classic Trojan Horse method. The Millenium Falcon was captured and they were hiding in the Millenium Falcon. This was an easy breach of the Death Star’s perimeter defences. Once they were in, R2D2 connected to the main computer and quickly accessed all the blueprints of the Death Star and found Princess Leia. The Empire left their systems open and vulnerable behind the perimeter. They assumed the perimeter would keep them safe.
In fact, it is common throughout the Star Wars movies to see droids easily connect to computers as long as they get physical access to a port. R2D2 is often seen connecting to strange computer systems and gaining control of them. During Empire Strikes Back, R2D2 connects to a door control in Cloud City, enabling Leia, Lando, Chewy, and C3PO to escape. In Rogue One, K-2SO and the rebels breach a security complex and Kaytoo is able to connect to the computers and steal the plans for the Death Star. L3-37, in Solo: A Star Wars Story, hacks the mainframe and disables the security monitors so they can break into the mines on Kessel. Basically, the lesson learned is that if you can get past the perimeter, you can connect to the computers inside and do whatever you want.
Today’s security designs no longer assume that simply protecting that perimeter is enough. In fact, with more and more employees working remotely, there is no longer a clearly defined perimeter to protect. Security and IT folks can no longer assume that their users are only accessing systems from inside a network that they have the ability to lock down. This shift in focus has given rise to new design concepts such as Zero Trust. The Zero Trust model is built on the premise that organizations can’t trust anything outside or inside their organization and instead must always verify any sort of attempt to connect to their systems before granting access.
Imagine if the Empire had taken a Zero Trust approach. The rebels would have never been able to steal the plans for the Death Star because Kaytoo could never have connected to the computer and stolen the plans to the Death Star. He would have had to provide multiple forms of authentication just to make the initial connection let alone access data that should be secured behind further verification steps. Leia would never have been rescued because there is no way that R2D2 would have been able to authenticate to this completely foreign system. The Rebel Alliance’s key winning strategy of breaching the perimeters and using a droid to connect to the systems would have been impossible. If the Empire had implemented stronger cybersecurity methods, we’d be binge-watching an entirely different set of movies today!
For other parts in this series, see:
Cybersecurity Lessons We Should have Learned from Star Trek