. . . the Empire would have won. A search of records would have revealed where Luke Skywalker was living on Tatooine. A more efficient collection and aggregation of Jawa records would have located the droids immediately. Simple data analysis would have revealed that Ben Kenobi was really Obi Wan Kenobi. A search of birth records would have revealed that Princess Leia was Luke’s sister. Had the Empire had anything like the NSA, it would have had all the data it needed, and it could have swept up the droids and everyone else, and that would have been that.
There is an important lesson to be learned from Star Wars: If you are trying to establish and maintain a ruthless Empire, you can greatly benefit from better data aggregation and analysis.
The Empire also could have benefited from a better knowledge of data security:
1. Key hardware and controls should be secured in a locked area. The controls to the Death Star tractor beam should have been located in a less open location.
2. Strong authentication is essential. Not just any droid should be able to plug right in and access all data on the Death Star. For example, had two-factor authentication been used, the rebellion would have been crushed in the trash compactor.
3. Good data breach response is essential. A better response to the improper accessing of the plans to the Death Star might have averted catastrophe for the Empire.
4. Encryption should be used to protect important data. Encrypting the plans to the Death Star would have been a wise thing to do.
Unfortunately for the Empire, its understanding of data was poor. Had the Empire conducted routine risk analysis, invested adequately in its security program, performed annual training of key personnel, and otherwise maintained reasonable administrative, physical, and technical controls, the problems could have been averted, and the Empire would have won.
Star Wars is essentially a movie about data breach response — one that failed rather miserably. With all due respect to all the hard work and late nights that Darth Vader spent responding to the breach, the breach could have been averted, and the response would have been effective had the Empire employed experts on the use and protection of data.
The Rebel Alliance certainly didn’t win by being more savvy. Obi Wan Kenobi needed to learn better techniques of data de-identification. Most experts will advise you that if you want to hide someone as important as the son of Anakin Skywalker, you shouldn’t have him use the Skywalker last name. With all due respect, if Obi Wan Kenobi wants to go into hiding, the name Ben Kenobi is a rather poor attempt at cloaking his identity.
The ultimate lesson in all this is that it isn’t enough to use light sabers and the Force, battleships and blasters, and an endless supply of storm troopers. It’s knowledge about data that is key. Darth Vader and Obi Wan Kenobi should both have been fired and replaced with privacy and security professionals!
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. This post was originally posted on his blog at LinkedIn, where Solove is a “LinkedIn Influencer.” His blog has more than 900,000 followers.
Professor Solove is the organizer, along with Paul Schwartz, of the Privacy + Security Forum (Oct. 24-26, 2016 in Washington, DC), an annual event that aims to bridge the silos between privacy and security.