Lessons from ‘Star Trek: Picard’ – a cybersecurity expert explains how a sci-fi series illuminates today’s threats

Photo courtesy of NASA, ESA, Joseph Olmsted (STScI)

Featured eBooks
The State of Trust in Government
Cybersecurity in State and Local Government
Building Data Literacy in the State and Local Workforce
By Richard Forno,
Senior Lecturer, University of Maryland, Baltimore County,
The Conversation
 

Connecting state and local government leaders

By Richard Forno ,
The Conversation

|

Centrally administered systems offer cost savings and advanced capabilities, but could expose Earth-bound organizations to potential risks and vulnerabilities when used without proper precautions.

Editor’s note: This article contains plot spoilers.

Society’s understanding of technology and cybersecurity often is based on simple stereotypes and sensational portrayals in the entertainment media. I’ve written about how certain scenarios are entertaining but misleading. Think of black-clad teenage hackers prowling megacities challenging corporate villains. Or think of counterintelligence specialists repositioning a satellite from the back of a surveillance van via a phone call.

But sometimes Hollywood gets it right by depicting reality in ways that both entertain and educate. And that’s important, because whether it’s a large company, government or your personal information, we all share many of the same cybersecurity threats and vulnerabilities. As a former cybersecurity industry practitioner and current cybersecurity researcher, I believe the final season of “Star Trek: Picard” is the latest example of entertainment media providing useful lessons about cybersecurity and the nature of the modern world.

So how does “Star Trek: Picard” relate to cybersecurity?

The nature of the threat

The show’s protagonist is Jean-Luc Picard, a retired Starfleet admiral who commanded the starship Enterprise-D in a previous series. Starfleet is the military wing of the United Federation of Planets, of which Earth is a member. In Season 3, the final season, Picard’s ultimate enemy, the Borg, returns to try conquering humanity again. The Borg is a cybernetic collective of half-human, half-machine “drones” led by a cyborg queen.

The Borg has partnered with other villains and worked for over a decade to deploy hidden agents able to compromise the DNA data contained in the software underpinning the transporter – a teleportation device used regularly by Starfleet personnel. Over many years, a certain subgroup of Starfleet personnel had their DNA altered by using the transporter.

Thus, in launching their final attack, the Borg is able to instantly activate thousands of “drones” to do its bidding in the form of altered, compromised Starfleet personnel. As Geordi La Forge, the Enterprise-D’s engineer, notes, “They’ve been assimilating the entire fleet this whole time, without anyone ever knowing it.”

The Borg’s prolonged, stealthy infiltration of the federation is indicative of how today’s most effective cyberattackers work. While it’s relatively easy to detect when hackers attempt to breach a system from the outside, experts worry about the effects of an enemy infiltrating critical systems from within. Attackers can put malicious code in software during manufacturing or in software updates, both of which are avenues of attack that do not arouse suspicion until the compromised systems are activated or targeted.

This underscores the importance of ensuring the security and integrity of digital supply chains from product development at the vendor through product deployment at client sites to ensure no silent “drones,” such as malware, are waiting to be activated by an adversary.

Equally important, “Star Trek: Picard” presents the very real and insidious nature of the insider threat faced by today’s organizations. While not infected with a cybernetic virus, recently arrested Massachusetts Air National Guard airman Jack Teixeira shows the damage that can occur when a trusted employee has malicious intent or becomes co-opted and inflicts significant damage on an employer.

In some cases, these compromised or malicious individuals can remain undiscovered for years. And some global adversaries of the U.S., such as China and Russia, are known for taking a long-term perspective when it comes to planning and conducting espionage activities – or cyberattacks.

Humans remain the weakest link

“Synchronistic technology that allows every ship in Starfleet to operate as one. An impenetrable armada. Unity and defense. The ultimate safeguard.”

With these words, humanity’s military defenders activated a feature that linked every Starfleet vessel together under one unified automated command system. While intended to serve as an emergency capability, this system – called Fleet Formation – was quickly hijacked by the Borg as part of its attack on Earth. In essence, Starfleet created a Borg-like defense system that the Borg itself used to attack the federation.

Related articles

Generative AI helps spot malicious open-source code

Most multicloud troubles are self-inflicted, security researchers say

Password mismanagement still at the heart of security issues

Here, the most well-intentioned plans for security were thwarted by enemies who used humanity’s own technologies against them. In the real world, capabilities such as on-demand real-time software updates, ChatGPT and centrally administered systems sound enticing and offer conveniences, cost savings or new capabilities. However, the lesson here is that organizations should not put them into widespread use without carefully considering as many of the potential risks or vulnerabilities as practical.

But even then, technology alone can’t protect humans from ourselves – after all, it’s people who develop, design, select, administer and use technology, which means human flaws are present in these systems, too. Such failings frequently lead to a stream of high-profile cybersecurity incidents.

Resiliency is not futile

To counter the Borg’s final assault on Earth, Picard’s crew borrows its old starship, Enterprise-D, from a fleet museum. The rationale is that its ship is the only major combat vessel not connected to the Borg collective via Starfleet’s compromised Fleet Formation protocol and therefore is able to operate independently during the crisis. As La Forge notes, “Something older, analog. Offline from the others.”

From a cybersecurity perspective, ensuring the availability of information resources is one of the industry’s guiding principles. Here, the Enterprise-D represents defenders in response to a cyber incident using assets that are outside of an adversary’s reach. Perhaps more important, the vessel symbolizes the need to think carefully before embracing a completely networked computing environment or relying on any single company or provider of services and connectivity for daily operations.

From natural disasters to cyberattack, what’s your plan if your IT environment becomes corrupted or inaccessible? Can your organization stay operational and still provide necessary services? For critical public messaging, do governments and corporations have their own uncorruptible Enterprise-D capabilities to fall back on, such as the fediverse, the decentralized microblogging platform that is immune to the impulsive manipulations of Twitter’s ownership?

Prepare for the unknown

The “Star Trek” universe explores the unknown in both the universe and contemporary society. How the crews deal with these experiences relies on their training, the appreciation of broad perspectives and ability to devise innovative solutions to the crisis of the week. Often, such solutions are derived from characters’ interests in music, painting, archaeology, history, sports and other nontechnical areas of study, recreation or expertise.

Similarly, as modern digital defenders, to successfully confront our own cyber unknowns we need a broad appreciation of things beyond just cybersecurity and technology. It’s one thing to understand at a technical level how a cyberattack occurs and how to respond. But it’s another thing to understand the broader, perhaps more systemic, nuanced, organizational or international factors that may be causes or solutions, too.

Lessons from literature, history, psychology, philosophy, law, management and other nontechnical disciplines can inform how organizations plan for and respond to cybersecurity challenges of all types. Balancing solid technical knowledge with foundations in the liberal arts and humanities allows people to adapt comfortably to constantly evolving technologies and shifting threats.

Dystopic metaphors in fiction often reflect current social concerns, and the “Star Trek” universe is no different. Although rooted in a science fiction fantasy, “Star Trek: Picard” provides some accurate, practical and understandable cybersecurity reminders for today.

Season 3, in particular, offers viewers both entertainment and education – indeed, the best of both worlds.

The Conversation

Richard Forno, Principal Lecturer in Computer Science and Electrical Engineering, University of Maryland, Baltimore County

This article is republished from The Conversation under a Creative Commons license. Read the original article.

NEXT STORY: Why take the whole-of-state approach to ransomware protection and remediation

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.