> I'm sorry, but what else are defenders trying to do that isn't defense? are all defenders completely incompetent then?
You've misunderstood me. Defenders aren't the "cyber security team employed by AT&T to keep customer data secure". The Defenders are AT&T, who would rather spend their cyber security budget on just about anything else that could actually generate a profit. The cyber security team that AT&T hires might have the sole job of building the most robust defense system imagined, but even if they do, their efforts will be continuously stymied and reduced because true, complete, robust security will get in the way of actually doing the things the AT&T wants to do.
Or to put another way, a company that spends all their money on perfect cyber security is as useful as the proverbial perfectly secure computer encased in concrete and buried a mile underground with no power or network connections.
But that's false equivalency. The attackers also work for organizations. It is a bit rare for individuals to hack companies these days. APTs are teams, sometimes they are employed by intelligence or military units of countries, other times they are employed by a criminal organization and yet other times they are loosely formed organizations between individuals with a financial or political goal, like hacktivists as an example. But they have hierarchy, motive, goals, even a work schedule and paid vacations and bonuses.
Even for individual hackers, there are individual good hackers (commonly called "whitehat" although I deride that term) doing bug bounties and finding CVEs.
The main differences between attackers and the attacked are intent, resources and which side you're on. The NSA and CIA are the good guys from my perspective, but they are the bad guys for defenders working in Russian or Chinese government cyber defense teams.
> But that's false equivalency. The attackers also work for organizations.
You've missed my point or I wasn't clear enough. It doesn't matter that they're part of a larger organization. That organization's goal is attacking, or at one step removed, selling/using the resources gained from attacking. Defenders are never in an organization whose business is the Defending.
Or lets use your CIA example, and for the sake of argument, lets pretend there are no other counties in the world other than the USA, Russia and China. In a world where there are no Russian or Chinese Attackers, the CIA would not spend money on defense against Russian and Chinese attackers. But in a world where there are no defenders in Russia and China, the CIA would still spend money on attacking and exfiltrating data from Russia and China. They would just be vastly more successful at it.
Or as a different analogy, mining companies mine because they want to sell the ore and gold in the mountains. But we still call them "minim companies" because thats their job. And they are often opposed by environmental groups working to defend the mountain. In a world where there were no mining companies, no one would be organizing an environmental group to defend the mines because there's no gain to spending time and resources standing around and guarding mountains and ore that no one is trying to get access to. But in a world where there are no environmental groups, there would still be mining companies.
> I'm sorry, but what else are defenders trying to do that isn't defense? are all defenders completely incompetent then?
You've misunderstood me. Defenders aren't the "cyber security team employed by AT&T to keep customer data secure". The Defenders are AT&T, who would rather spend their cyber security budget on just about anything else that could actually generate a profit. The cyber security team that AT&T hires might have the sole job of building the most robust defense system imagined, but even if they do, their efforts will be continuously stymied and reduced because true, complete, robust security will get in the way of actually doing the things the AT&T wants to do.
Or to put another way, a company that spends all their money on perfect cyber security is as useful as the proverbial perfectly secure computer encased in concrete and buried a mile underground with no power or network connections.