One important feature of national security-theatre establishments makes ‘cyber-war’ a guaranteed loss-leader: namely, that like all public bureaucracies (and like all bureaucracies generally), they are toxic, stultifying workplaces where advancement is far more affected by game-playing and triangulation than by talent.
Even if there exists some top-drawer talent who are on-board with the nonsense idea that government institutions do meaningful work… well, that top-drawer talent arrives, does its induction, gets its first posting, and finds out just how toxic the workplace actually is. And they leave after their first hitch (generally two years).
What is left is the careerists and the power-hungry (two groups that overlap).
This dynamic means that at every level above entry, the overwhelming bulk of the power structure cannot do anything themselves — since generally they got to where they are by ass-kissing upwards, and exploiting the output of their equals and subordinates.
This strategy (buttkiss up, exploit below) works because at any given level, your immediate superior is incapable of determining whether their immediate subordinates are doing the work properly… because like you, they got to where they are on triangulation, not domain-specific talent.
Want to know why the main places that got ‘attacked’ were so vulnerable?
Because the ‘Head of IT’ thinks that DBAs and sysadmins do stuff that isn’t mission-critical, because he’s technologically illiterate and got the job because he did a 6-week subject on IT during his MBA.
As such, a senior DBA — the guy who oversees the most critical infrastructure in any large org — is lucky to make 2x AWE, while the head of IT at a hospital will make “half a bar” and will be the sort of dill who opens virus-laden PDFs.
That’s a recipe for ticked-off DBAs and sysadmins, which is a recipe for high turnover, which is a recipe for unpatched security holes.
People should treat the term ‘cybersecurity’ as a charlatan-detector: anyone with that word in their job title or the title of the org they work for is either ignorant or a charlatan. (The people at the tops of such orgs are charlatans through and through — they are universally political appointees, which means that they are second-quintile talent at best.)
The notes are important.
 ‘loss leader’ because in the public sector, failure leads to larger budgets.
 genuine top drawer talent in a domain, for me means top 2–3% of a student body in a discipline (i.e., the top 1–2% of students from the top 10–15% of institutions). Such individuals are unlikely to be ‘True Believers’ in any bureaucratic endeavour. Greater intelligence and talent Granger-causes greater distrust of power structures (which is why Anonymous and other ‘harder’ phyles consistently make .gov, .mil and major orgs look retarded).
 ‘attacked’ is a misnomer, deliberately confected so that the security-theatre industry can try to make money off the event. Having a vulnerability exploited by an untargeted event is not being ‘attacked’: if your badly-maintained roof collapses during a rainstorm, you don’t say it was ‘attacked’. If your badly-designed roof collapses during a mild rainstorm and you have been paying a team of people a million dollars a year to keep it maintained, you still weren’t ‘attacked’ — you were defrauded by the people you were paying to maintain it.
 ‘half a bar’: $500k. Half of senior management at any public hospital of decent size will be on $300k or more.