[shadowgovt]

It's complicated.

The short answer is "yes. Much like a pilot's first job is 'fly the plane,' it's Delta IT's responsibility to run the infrastructure. Their house and their responsibility."

But the challenge here is the balance point on how to optimize that responsibility. Zero-days can go from dark web disclosure to one actor surreptitiously plugging a USB stick into a flight-information display kiosk that exfiltrates your ticket sale database in hours. To guard against that, Delta IT gave a vendor the ability to mass-distribute zero-day protection into all machines in drop-everything emergency mode. The fact they did so to dump an empty file that crashed every machine that read it is on them.

If a plane crashes because the propeller falls off, we blame the pilot for not keeping enough altitude to land safely in event of failure but we also absolutely blame the mechanic who's job it is to certify that propeller.