How Bad Was Imperial Cybersecurity in Rogue One? We Asked Some Experts.

You’d be bummed out too if you got pwned as often as this guy does.

Lucasfilm

This post contains spoilers for Rogue One: A Star Wars Story. But come on: If you’re reading this, you’ve probably already seen it.

Late in Rogue One, Grand Moff Tarkin confronts a data breach with brutal efficiency, destroying the entire planet Scarif after rebels steal information from a facility on its surface. Shockingly, this is the second time he’s employed such a tactic to just such an end: Not long before, he anihilates a moon called Jedha in order to cut off a related leak. In both cases, Tarkin’s swift actions are ultimately impractical, making it all but impossible to evaluate what was stolen—and how the Empire could do better next time.

This is, of course, a work of fantasy, and much can be forgiven in the name of telling a good story. But where the film’s politics proved considerably more complicated—for good and for ill—than early speculation suggested, the careless way its villains handle their cybersecurity is all too familiar. Tarkin’s gambit is military computing as imagined by Donald Trump: Got hacked? Just nuke the place!

As it happens, though, the Empire’s cybersecurity crisis runs much deeper than one loose cannon. With that in mind—and with tongues planted firmly in cheeks—we tracked down a pair of experts and asked them to help us evaluate the Rogue One baddies’ very bad infosec policies and practices.

The trouble starts, as Nicole Becher, director of cyber operations at Fractal Industries, told me, with the surprisingly lax way that galactic power handles its data. “You would think there would be some sort of key that you would need to access data from that giant file vault,” Becher said of the surprisingly pregnable storage facility the titular crew raids in the film’s conclusion. But as it happens, the Empire seem to have eschewed such practices altogether. By the time the time the Death Star plans make their way to Adm. Raddus, it appears to be fully accessible, complete with retro wire frame schematics.

The vault itself is a strangely designed facility, “a single point of failure,” as Kevin Bankston, director of New America’s Open Technology Institute put it. (New America is a partner with Arizona State University and Slate in Future Tense.) For unclear reasons, the Empire stores information in a giant tower of tapes, accessible by anyone able to manipulate a set of remote controlled arms—or even by an agile pair of climbers, as it happens. The best thing you can say for that tyrannical government’s data management, Bankston observed, is that “all of its equipment looks really neat,” however dubious its efficacy.

But it’s also not a great idea to stick all of your most sensitive information in one place, Bankston noted, especially when friends and foes alike know where to go to find the intel they need. Like Bankston, Becher suggested it might be wiser to distribute hard copies of files throughout the galaxy, making it more difficult to track down any one item. “If I was Darth Vader,” Becher said, “I probably wouldn’t have my crown jewels sitting in one obvious looking tower, which is apparently widely known to be the place where all their data is stored.”

That might not matter so much if data center itself weren’t protected by a simultaneously under- and overcomplicated system, an atmospheric shield that Becher described as a planetwide firewall. When it’s closed, the shield blocks signals from traveling out into space, which temporarily prevents our heroes from sending the stolen Death Star plans to their allies. Unfortunately for the Empire, that defense mechanism serves double duty, opening to let ships in and out of the atmosphere, at which point data moves freely. Imagine that the Pentagon could only protect its information as long as the front door of the building remained locked, and that it allowed anyone within to send unmonitored information out while guests were entering, and you’ll have a tidy image of the Empire’s defense system. “You have to train people about what information should be able to pass through, and there’s no indication that they did that,” Becher noted.

Not everyone in the Empire screws up all the time, of course. Just before the film’s climactic battle breaks out, the villainous bureaucrat Orson Krennic orders an evaluation of the engineer Galen Erso’s communications to try and discern what he leaked to the rebels.* But as both Becher and Bankston pointed out, Krennic probably should have been monitoring Erso’s movements long before, especially since he was always an unwilling participant in the military’s machinations. “The lesson here is don’t wait for the breach,” Becher said.

And, to return to the original point, once you have discovered a breach, blowing up the data center is probably the worst thing you could do. As Bankston noted, best practices dictate that you should at least wait until you’ve “been able to conduct a meaningful forensic examination” before testing out your planet-killing super weapon. In fact, if the Empire had taken longer to figure out what went wrong, it might have been able to prevent the rebels from landing on Endor using a strikingly similar strategy (a purloined Imperial ship) years later during the events of Return of the Jedi.

All told, the Empire’s approach likely has more to do with security theater than it does with “risk calculus,” as Becher put it. “They obviously commit to the flashy parts of cybersecurity—biometric authentication, crazy firewalls, and things like that,” she said. “But there was no effective audit or incident response policy.” And that may be the most realistic feature of this imaginative, bittersweet film. “I think it’s indicative of where the cybersecurity industry’s at. There are a lot of flashy products, but there’s not a lot of meat behind that flashiness,” she said, adding that she was inclined to give the Imperial forces “a C or D” for their efforts.

Bankston agreed, suggesting that the Empire might want to spend a little less on shock troops and a little more on information professionals: “It seems like the guys who developed digital security for the Empire are the same guys who developed that completely useless storm trooper armor.”

*Correction, Dec. 20, 2016: This post originally misspelled Orson Krennic’s last name.