. . . the Empire would have won. A search of records would have revealed where Luke Skywalker was living on Tatooine. A more efficient collection and aggregation of Jawa records would have located the droids immediately. Simple data analysis would have revealed that Ben Kenobi was really Obi Wan Kenobi. A search of birth records would have revealed that Princess Leia was Luke's sister. Had the Empire had anything like the NSA, it would have had all the data it needed, and it could have swept up the droids and everyone else, and that would have been that.
There is an important lesson to be learned from Star Wars: If you are trying to establish and maintain a ruthless Empire, you can greatly benefit from better data aggregation and analysis.
The Empire also could have benefited from a better knowledge of data security:
1. Key hardware and controls should be secured in a locked area. The controls to the Death Star tractor beam should have been located in a less open location.
2. Strong authentication is essential. Any droid shouldn't be able to plug right in and access all data on the Death Star. For example, had two-factor authentication been used, the rebellion would have been crushed in the trash compactor.
3. Good data breach response is essential. A better response to the improper accessing of the plans to the Death Star might have averted catastrophe for the Empire.
4. Encryption should be used to protect important data. Encrypting the plans to the Death Star would have been a wise thing to do.
Unfortunately for the Empire, its understanding of data was poor. Had the Empire conducted routine risk analysis, invested adequately in its security program, performed annual training of key personnel, and otherwise maintained reasonable administrative, physical, and technical controls, the problems could have been averted, and the Empire would have won.
Star Wars is essentially a movie about data breach response -- one that failed rather miserably. With all due respect to all the hard work and late nights that Darth Vader spent responding to the breach, the breach could have been averted, and the response would have been effective had the Empire employed experts on the use and protection of data.
The Rebel Alliance certainly didn't win by being more savvy. Obi Wan Kenobi needed to learn better techniques of data de-identification. Most experts will advise you that if you want to hide someone as important as the son of Anakin Skywalker, you shouldn't have him use the Skywalker last name. With all due respect, if Obi Wan Kenobi wants to go into hiding, the name Ben Kenobi is a rather poor attempt at cloaking his identity.
The ultimate lesson in all this is that it isn't enough to use light sabers and the Force, battleships and blasters, and an endless supply of storm troopers. It's knowledge about data that is key. Darth Vader and Obi Wan Kenobi should both have been fired and replaced with privacy and security professionals!
* * * *
Daniel J. Solove is the John Marshall Harlan Research Professor of Law at George Washington University Law School, the founder of TeachPrivacy, a privacy/data security training company, and a Senior Policy Advisor at Hogan Lovells. Along with Paul Schwartz, Solove is a Reporter on the American Law Institute’s Principles of Data Privacy. He is the author of 10 books includingUnderstanding Privacy and more than 50 articles.
Professor Solove is the organizer, along with Paul Schwartz of the Privacy + Security Forum – Oct. 21-23 in Washington, DC, an event aims to bridge the silos between privacy and security.
90+ Speakers at the Privacy + Security Forum
The views here are the personal views of Professor Solove and not those of any organization with which he is affiliated.
Photo Credits (in post): FreeImages.com; R2D2 by Marco Verch on Wikipedia
Professor Solove's Privacy + Security Training
Professor Solove's Social Media
Please join one or more of Professor Solove's LinkedIn groups:
Twitter: Follow Professor Solove on Twitter @DanielSolove.
Newsletter: Click below to sign up for Professor Solove's newsletter. It is free and is only sent out occasionally, so it will not clog your inbox.
No comments:
Post a Comment