The sophomore season of “Star Trek: Discovery” beamed and streamed its way to critical acclaim this year, praised by viewers and reviewers alike for improved writing, interesting characters and a unique take on the classic Star Trek mythos. But the tech-driven science fiction series also offers an interesting perspective on information security and data protection: Even in the 23rd century, organizations are still making critical missteps when it comes to basic cybersecurity hygiene.
So let’s break it down: Where did Star Trek’s information security go so badly? What does our vision of evolving technology say about the security of today? And even if Star Trek isn’t part of your cultural lexicon, how can companies avoid these four common cybersecurity missteps and help future-proof IT operations?
1. Where Starfleet Stumbled on Artificial Intelligence Monitoring
The Non-Trek Takeaway
In the show, our ragtag band of heroes on the run encounters a rogue artificial intelligence (AI) threatening the galaxy. Originally helpful — and analogous to the increasing use of AI to help under-resourced security operations stay ahead of emerging threats — the AI goes off the rails and ends up doing more harm than good. That’s what happens when AI falls into the wrong hands: Companies could be exposed to AI-enhanced attacks, AI-based threat frameworks and adversarial attacks designed to subvert helpful AI algorithms.
The Trek Enthusiast Evaluation
In season two, episode nine, the Discovery crew learns that Starfleet’s threat assessment AI, “Control,” has gone rogue and killed its handlers. Now, it’s on a mission to eliminate sentient life from the galaxy because — as always — sentient life is the universe’s real problem. In true Trek fashion, the problem is massive, overwrought and oh so immediate, but there’s a crucial underlying cybersecurity lesson: Even great AI needs to be monitored.
As noted above, if AI is repurposed by cybercriminals, it can quickly pivot from helpful collaborator to high-risk attacker. For organizations, oversight is key — human management of AI tools both informs their efficacy and helps reduce the chances of creating a 23rd-century, digital, homicidal maniac driven to make the galaxy “safe.”
Also an option? Magnets. Magnets worked in the show to disrupt the angry AI avatar — and would probably work in real life. Not a great idea for continued data protection, though.
2. Where the Federation Failed on IoT Security
The Non-Trek Takeaway
Even in the future, malware is making things worse. When one cybernetically enhanced crew member — read: a walking, talking internet of things (IoT) device — is infected by the rogue AI mentioned above, it has no trouble forcing her to follow its directions. According to IoT World Today, this is on-brand for current trends: IoT malware attacks are on the rise and even high-value devices such as GPS satellites have a blind spot when it comes to software vulnerabilities.
The Trek Enthusiast Evaluation
A moment of silence for Lt. Cmdr. Airiam. She had a rough go before joining Discovery — a shuttle accident forced the replacement of many human parts with cybernetic alternatives, which affected her strength, mental processing capabilities and memory. But as season two, episode seven demonstrates, apparently no one in the 23rd century considered adding antivirus or anti-malware solutions to her new hybrid framework. As a result, when a future version of Discovery’s own probe is infected by Control — and is destroyed before accessing critical data — it still manages to infect Airiam.
Acting like an advanced persistent threat (APT), the infection bides its time, at first compromising her actions in small ways and eventually forcing her to attack other crew members. With her greatly enhanced strength and speed, it’s not exactly a fair fight until she’s blown out an airlock in a classic Trek death scene.
For companies living in the here and now — and witnessing the rapid rise of IoT devices — the Federation’s failure to bother with basic AV tools highlights the need for organizations to proactively protect and secure intelligent devices across their networks. Sure, compromised IoT sensors probably won’t try to kill you in the break room, but they could be modified to hand over critical intellectual property (IP) or, in the case of supervisory control and data acquisition (SCADA) or industrial control system (ICS) controls, disrupt critical utilities.
3. Where Trek Tanked on Identity and Access Management
The Non-Trek Takeaway
Next on the list of bad Star Trek information security is authentication. When unauthorized messages are transmitted to malicious AI, the real culprit implicates another crew member to avoid suspicion. It’s classic account compromise: The affected party had no idea what was happening or how it happened. And it’s yet another reminder that single-factor authentication (SFA) isn’t sufficient — not now, and certainly not in a starship-driven future. Many end users still reuse the same password across multiple accounts, making SFA a bad idea for any critical-data access. Instead, opt for step-up solutions such as one-time text codes or fingerprints, or more secure alternatives such as single sign-on (SSO) or universal second factor (U2F).
The Trek Enthusiast Evaluation
Poor Ash Tyler; the solider-turned-Klingon-turned-spy just can’t catch a break. After a frosty reception on the Discovery from captain and crew — he did murder the ship’s doctor last season, after all — he’s implicated as the go-to guy in sending messages to Control, an accusation made more believable because he’s working for the morally gray Section 31, which uses Control for threat assessment, and because the messages appear to be coming from him. Instead, it’s a compromised Lt. Cmdr. Airiam sending them under false pretenses thanks to her malware-infected brain hardware. As a result, Tyler is confined to quarters and the threat rolls on.
What does all this mean for companies? While Starfleet has probably moved past fingerprints and USB sticks, even low-key multifactor authentication (MFA) could have prevented this problem or, at the very least, given Tyler a heads-up that someone was trying to access his Starfleet email account. It wouldn’t have taken long for him to notice — you just know he’s on the 23rd-century equivalent of Amazon ordering Klingon beard wax to keep those jet-black bristles looking tight.
4. Where Discovery Dropped the Data Protection Ball
The Non-Trek Takeaway
Data protection is everything. Discovery is tasked with defending information critical to the survival of all life in the galaxy, but no one bothers with encryption. Many real-world companies also skip this step: As noted by eSecurity Planet, just 41 percent of organizations have an enterprisewide encryption strategy. And while encryption isn’t a cure-all — even AES256 encryption, used by the U.S. government for top-secret data, could eventually be cracked — minimal efforts at encryption go a long way in frustrating attackers’ efforts.
The Trek Enthusiast Evaluation
In season two, episode four, Discovery encounters the “Sphere,” a living, intelligent entity with 100,000 year’s worth of data it wants to transmit before dying. The problem? It also contains data on AI systems that Control needs to advance its planet-killing agenda. The rest of the season is spent finding ways to defend this data, culminating in a time-travel trip 930 years into the future.
But here’s the issue: At multiple points during the season, both morally gray and inherently evil characters begin downloading this data despite its supposedly protected status onboard a Starfleet ship. As noted above, while encryption wouldn’t have stopped Control’s body-snatched puppet Captain Leland from trying to access the information on board or former Terran Empress Philippa Georgiou from using a remote download device, better Star Trek information security would have given the crew more time to do something other than stand around and worriedly shout about how much information had already been stolen.
Here, the takeaway is simple: Whether it’s defeating a rogue AI, securing personally identifiable information (PII) or simply keeping up basic security hygiene best practices, even a little encryption goes a long way.
To Boldy Go Where No Information Security Program Has Gone Before
While Star Trek is fiction, its 23rd-century escapades raise salient cybersecurity and data protection issues that can be applied today. Sure, Starfleet seems to have forgotten the need for robust security controls on the way out of their space dock, but there’s still time for companies to embrace the new rules of emerging digital environments and deploy security solutions that can help meet any enterprise objective.