by imajoredinecon 1706 days ago
I'm sure this is true to a certain extent, but it'd be interesting to see how it varies in degree. For instance:

* do some companies have good enough insider risk controls to make it expensive or risky to access particular kinds of sensitive data?

* not all nation state actors are equally well-resourced (and not all of them have equally large populations of computer science grads from which to recruit potential spies): is there a difference between what (say) KSA or Iran could get, vs US/UK/China/Russia?

1 comments

Insider risk can be reduced, not eliminated. Let's say a company has more stringent checks than TS//SCI and pays employees that handle sensitive info well. People can always be turned, if not direct then indirect extortion through loved ones and family. You don't need that much money to develop an asset (it can be a lot but even the poorest nation would find it trivial).

If you can't get to data handlers then you can go after developers and the software supply chain. You have to understand, people can cooperate with threat actors without implicating themselves by getting paid or coerced to allow an intrusion (fall for a phish link or email, install seemingly legit software, insert a USB drive they found in the parking lot, etc.). Worst case they get fired.