Star Wars and Cyber Defence

Dave McMahon · Clairvoyance Cyber Corp. · Posted: January 25, 2021

While binge-watching Star Wars over the holidays, I could not help seeing similar tropes in my chosen field of cyber defence:

Stormtroopers, despite training their whole life for combat, really suck at it! They can't hit anything they aim at. It all falls apart in a real engagement.  
Conventional cyber security training does not prepare people to conduct active cyber defence operations against a sophisticated adversary within a contested environment.

A great deal of time is spent monologuing, instead of acting in the movies.  
Endless meetings, hours in an office or budgets spent are poor measures of performance. We can’t talk, work or spend our way into a better security posture or mission assurance. Organizations often suffer from red tape, process and paralysis by analysis. Mission performance in cyber defence is to stop attacks. Period!

Rather than nuking the adversary from space, someone has the bright idea of fighting hand-to-hand on the ground. 
Detecting and reacting to a breach, then trying to mitigate compromises inside your perimeter, is practising disaster continuity. A strategic defence would deploy upstream security and intelligence services to stop attacks at scale before they ever reach the organization, ideally as far forward as possible.

Death Stars and multi-trillion dollar weapons systems are all built with catastrophic single points of failure, which can be destroyed by a few people with minimal resources.
Cyber defences are often overlooked in high-value platforms and facilities. A hacker in their pyjamas operating out of their parents’ basement should not be able to break into a major corporation, nuclear power plant, research facility or warship, or take the government off-line.

Death Stars keep getting blown up in much the same way. Apparently the after-action report was never read.
Not only do organizations fail to patch known vulnerabilities, but they get compromised by the same actors in the same way over and over again. We can’t just recover from an incident and then set up as before. Defences have to be improved and we need to prosecute the actors. And read the after-action reports instead of suppressing them.

Characters penetrated by a laser blast or sword can be easily fixed up by cleansing the wound with alcohol and applying a bandage.
Bandages are applied after a breach, but often the compromise goes deep and metastasizes. The solution may require a specialist, surgery and organizational chemotherapy.

Speak in jargon so no one understands. But it sounds impressive. 
Cyber security practitioners need to speak a language that resonates with decision makers and employees alike. The fear, uncertainty and doubt pitch needs to be replaced with one where security is used to enhance performance and profitability. 

There are always more bad guys than you anticipated. The same henchmen appear to be resurrected and return in the next scene.
Defining the problem as teenage hackers is naive. Competition and conflict in cyberspace is planet-wide and practised by a multifarious set of actors with mixed agendas. Just wait for Artificial Intelligence agents.

Protagonists blindly follow anachronistic doctrine and code even when it is demonstrably ineffective. 
Doctrine, policy, standards and law are hopelessly outmatched by the speed of cyber and the ingenuity of the threat. Canon needs to be redefined by technology and tactics, rather than forcing cyber defence solutions to be redesigned to match antiquated requirements, doctrine, standards or regulations. Any standards we do write cannot be so technologically prescriptive that they are not future-proof.

Speaking truth to power never ends well, nor does being a messenger of bad news. 
Many times I have witnessed CSOs/CISOs dismissed for providing accurate and timely security advice to the C-suite, only to have the organization suffer catastrophic losses after the fact. This culture needs to change.

The insider threat can bypass well-designed static safeguards.  
Sometimes the simplest people and methods can cause immense harm to an enterprise. Look no further than Edward Snowden. 

Blaster fire to the access mechanism for a secure door will always cause it to fail open.  
So many systems behave poorly and give access when an unexpected state is triggered (e.g. a buffer overflow). We need to design software and systems that fail closed. Similarly, when I upgrade my software (browser, iOS or apps) I prefer that all my security and privacy settings are not reset to open by default.
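The fail-open door panel beside its fail-closed counterpart, as an added example that is not from the post: a constructed in-memory badge policy (with one deliberately corrupted record and one unknown door) stands in for the access mechanism, and the two hypothetical check functions show how the same unexpected state either grants or denies access.

```python
"""Fail-open vs fail-closed access decisions (added example, not the post's code).

POLICY is a constructed in-memory badge policy. The corrupted "hangar-7"
record and any unknown door are the "unexpected state" the text warns about.
check_access_fail_open() mirrors the blaster-fire-to-the-door-panel bug;
check_access_fail_closed() is the default-deny design.
"""
from typing import Dict, Set


# Constructed sample policy: door name -> badges allowed through.
POLICY: Dict[str, object] = {
    "bridge": {"badge-001", "badge-002"},
    "detention-block": {"badge-003"},
    "hangar-7": "corrupted!!",   # not a set: models a damaged policy record
}


def lookup_allowed(door: str) -> Set[str]:
    """Return the badges allowed at a door; raise on unknown door or bad data."""
    allowed = POLICY[door]            # KeyError for an unknown door
    if not isinstance(allowed, set):
        raise ValueError(f"malformed policy record for {door!r}")
    return allowed


def check_access_fail_open(door: str, badge: str) -> bool:
    """Vulnerable pattern: only an explicit 'not allowed' answer sets the
    deny flag, so any error path (unknown door, corrupted record) leaves
    the flag unset and the door opens."""
    denied = False
    try:
        if badge not in lookup_allowed(door):
            denied = True
    except Exception:
        pass                           # error swallowed; denied stays False
    return not denied


def check_access_fail_closed(door: str, badge: str) -> bool:
    """Hardened pattern: default deny, grant only on an explicit positive
    match; unknown doors and malformed records stay closed."""
    try:
        return badge in lookup_allowed(door)
    except (KeyError, ValueError):
        return False                   # unexpected state -> stay closed
```

Run the two checks against `"hangar-7"` or a door that is not in the policy to see the difference: the fail-open version admits any badge, the fail-closed one admits none.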

The adversary drives innovation while we are driving machines designed in the 1970s.
Too many security solutions are built to comply with standards or align with standing offers or RFP requirements rather than to stop a real adversary.

All the Empire’s advanced weapons are conceived of and built by industry. Even the clone army is manufactured. They also use mercenaries and bounty hunters to carry out the hardest operations. The rebel alliance itself is a volunteer force.
Cyberspace is owned and operated by the private sector. Industry designs and builds the cyber technology. Having a sovereign cyber defence industrial base at your disposal is a powerful thing, not just as a vendor but as an equitable partner in the contest to control and defend cyberspace.

The divisive politics of the Republic lose to the singular purpose of the Empire.
The government, industry, society and criminal organizations of our adversaries collaborate with intent on one mission.

A small rebel force takes on the Empire.
The asymmetric nature of cyberspace means that a dozen talented individuals with access to the cloud can generate nation-state capabilities overnight.

Imperial star cruisers and bases have insecure ports everywhere that any droid can plug into to steal the most sensitive data or control vital systems.
The Internet-of-Everything will drive hyper-connectivity and ubiquitous access to information, people and things.  

In the end, most things in life can be solved with a light-sabre. 
An active defence is often more effective than a reactive one. Defending forward through threat hunting, adversarial pursuit, attribution, targeting, fire and effects contributes to successful threat reduction.  Cyber power can be used to both protect and project. 

This is the way. 

Disclaimer: The views and opinions expressed in this blog post are those of the authors and do not necessarily reflect the official position of the Professional Development Institute of the University of Ottawa.


Dave McMahon has an honours degree in computer engineering from the Royal Military College of Canada and 35 years’ experience in defence, security and intelligence. Dave was a CSO and COO to defence, telecommunications and intelligence organizations, co-chair of the Interdepartmental Committee on Information Warfare, expert witness to the Senate and special advisor to the Privacy Commissioner of Canada, and served in intelligence oversight and review. Dave is currently the Chair of the CADSI cyber council and the CEO of Clairvoyance Cyber Corp.

 

Security, Economics & Technology Blog
