After rewatching the early Star Wars films in anticipation of the latest theatrical release, I have reached a conclusion: the Galactic Empire fails at cybersecurity. (Don’t worry; I haven’t seen Rogue One: A Star Wars Story yet, so no spoilers.)
Fran Brown, a managing partner at the cybersecurity firm Bishop Fox, tipped me off in a whimsical blog post on his company’s website. His assessment points out a glaring oversight in the architecture of the Death Star’s software environment. In his view, the ultimate destruction of the doomsday device is attributable to poor network segmentation. Yes, really.
Get Data Sheet, Fortune’s technology newsletter, where this essay originated.
Consider the design of the Death Star’s IT systems. R2-D2, the franchise’s inquisitive bleep-blooping droid, repeatedly connects to the weapon’s open and unsecured ports and gains unrestricted access to sensitive data and operations. The robot runs amok, gleaning critical information about the station’s technology and secrets, like how to kill a pesky tractor beam’s power generator or the whereabouts of certain political prisoners (i.e. Princess Leia). R2’s work eventually allows the band of rebels—the same ones that later blow up the Death Star—to escape.
There are no firewalls, no authorization requirements, no security policies to speak of. “Plug in,” Jedi master Obi-Wan Kenobi orders the wheeled hacker inside a control room in Episode IV: A New Hope, “we should be able to interpret the entire imperial network!” Emphasis mine.
For more on Star Wars, watch:
Either R2-D2 is the most sophisticated code-cracker in the galaxy, or the Empire failed to properly secure its computer network. Given how many organizations make similarly ruinous mistakes—look no further than Yahoo (YHOO), which this week revealed that it suffered the largest data breach on record—I will hazard a guess that ordinary carelessness is to blame.
In the words of another Jedi master: Do, or do not. There is no try.
