It's scary to think who they have on the inside helping out.
You touch on the real vulnerability.
It’s not so much protecting a system from outside threats. Protective measures and software have progressed to the point that that’s not nearly the threat it once was.
The real threat comes from inside. You get the wrong person owing to the wrong people money they can’t pay, but can make all that go away with “only a little“ cooperation, and all those protective measures don’t mean a blessed thing.
Doesn’t matter if you’re talking about the military, the civilian government, financial institutions, your 401k’s custodian.....the real risk is internal, and it’s incredibly hard to mitigate.
Could be as simple as the Administrative Assistant of the head of Corporate Security comes into the boss’s credentials. His girlfriend owes the Russian mafia a bunch of money because of a previous boyfriend’s gambling and drug habit.
Ivan is making her (and his) life hard in ways the American legal system wasn’t built to counter, and can’t even imagine. The AA can clear all that up by “misplacing” credentials nobody even knows he has.
Out of the millions of employees at these places, at salaries ranging from low five figures to low seven figures, it takes only one person, knowing one thing too many, at only one of these, and it’s a problem that affects tens or hundreds of millions of people.
If you’re a bad guy, with essentially unlimited state-sponsored resources, it’s a ton easier to find the vulnerable key person than it is to hack in from the outside, unaided.