Re: Blame the Russkies
If the Russians want in to your network they will get in. Period. Believing anything else is hubris and arrogance of the most overwhelmingly egotistical type.
The NSA couldn't keep the Russians out if they were determined to get in. There is absolutely no way a charitable foundation or a political party's IT team could keep out a state actor with that kind of ordnance and experience.
The only thing that the Clinton foundation could have done - that any of us can do - is try our damnedest to raise the cost of success beyond the value that success brings to the attacker. Success is measured in many ways, meaning that for some strikes the value of success is worth nearly any cost.
In this case - and in the DNC case - I personally don't believe that Russia (or whoever) approached the target with a "success at any costs" valuation. Most likely they regularly probe such high-value targets and stumbled upon a target of opportunity.
The truth is, we'll likely never know. What exploits were used, if classified ordnance was deployed or merely public vulnerabilities were exploited. I'm not sure it matters.
The question is what can we - what can anyone reasonably expect from these organizations for security? Perfect security is impossible, and the costs of raising the cost to attackers rise disproportionately fast for the defenders. At what point is it irrational to expect increased spending on IT security, on end user training, or to expect that human beings operating in various positions won't make errors?
"They were asking for it" or "they had it coming" or "maybe they wouldn't have been attacked if they didn't dress (their IT security) like that" aren't acceptable responses to this. Collectively, we can't keep blaming the victim for not spending irrational amounts of time and money on defense. Most of us simply can't afford it.
And where does it stop? Where does this attitude of "security is everyone's individual responsibility so we all have to pay and pay and pay and keep paying and pay some more" end? At what point do we start to see this as an issue we need to band together on and start pooling our resources so that we can come up with defenses collectively that, quite frankly, we'd never afford individually?
Mocking, victim blaming and traditional unrestricted capitalism have all failed to win this war. Maybe now that it has impacted some of the elite we'll see some fucks given and new approaches taken. I can only hope.