This is a memo from Imperial Fleet CISO Jace Sloane to Sith Lord and Apprentice to the Emperor Darth Vader concerning the theft of the Empire’s proprietary Death Star plans.
***Warning, this article contains minor spoilers for Star Wars: Rogue One.***
I was disturbed to hear of the successful attack by the Rebel Alliance ‘Rogue One’ team on the Empire’s data storage facility on Scarif. The purpose of this memo is to document the multiple failures leading to the catastrophic loss of the ‘Death Star’ plans and suggest paths to mitigation.
As your dark excellency will see, the attack’s success was not a result of the lack of planning by the office of the CISO, but rather poor enforcement of Imperial policies and best practices on the part of Empire commanding officers. A requirement for executive training on these policies and commitment to a budget increase could help avoid future incidents.
Penetration of Scarif’s planetary shield
Before the ‘Rogue One’ incident, Scarif’s planetary shield had never been knowingly penetrated by an intruder. It served as an effective firewall, but its potential vulnerability as the result of a single point of failure has been documented in multiple past reports I’ve filed with you.
The original plans for Scarif’s planetary shield called for a more resilient, multi-nodal network that would have avoided the single point of failure. The original RFP we put forward to the authorized list of Empire vendors detailed the construction of a self-healing network of multiple shield generators. By this design, if one shield gateway were to be destroyed, power would be re-routed autonomously to the rest of the network to maintain security.
Yet after the ‘Death Star’ project went over-budget by millions, our department was asked to scale back the project and left Scarif vulnerable to this attack.
Breakdown of data storage protocols around the ‘Death Star’ plans
I’m informed the Alliance rebels were able to retrieve a backup tape containing the plans for the big, planet-killing weapon. The way this data came to be stored in this form represents a breakdown in employee knowledge and respect for Imperial data policies. It’s a shame, as my team holds regular “lunch and learn” sessions on Coruscant to instruct these policies.
First of all, Imperial Director Orson Krennic never should have authorized the storage of the Death Star plans on Scarif’s tape drive bay. These plans are in active use and considered of a sensitive proprietary nature. The data is already available in the Flash Arrays stored in the colocation facility located on Balmorra, where it was readily accessible for the hundreds of highly-paid engineers working on Death Star construction. The tape system is only to be used for archival purposes once data’s no longer in high demand. This was a needless backup of the plans that should never have been made.
Secondly, our data motto on the IT team couldn’t be simpler: “encryption, encryption, encryption.” If Director Krennic had encrypted the plans before storing it to tape using our 256-bit strength crypto algorithms, the fact the rebels managed to steal it wouldn’t be a concern, because they couldn’t read the data. Further, proprietary data like this should contain a “poison pill” measure that would delete all the files permanently after three failed attempts to make a connection with Imperial servers for user authentication. Of course, Krennic also failed to take that precaution. No doubt he was too busy building the Death Star as it is now months overdue.
Post-breach mitigation plans
Given the Rebel Alliance now has the plans, we must assume they’ll put them to use. While we can’t be sure what vulnerabilities research scientist Galen Erso embedded in the design, we can’t underestimate the damage this insider threat could have wrought. We recommend ensuring there are no X-wing size shafts leading directly to the main power core.
Also, while my knowledge of how ‘The Force’ works is limited, I feel I should ask if there’s any chance you could use it to demagnetize the tape?