Reply to post: Re: Collateral damage in the Cyberwar

Marriott's got 99 million problems and the ICO's one: Starwood hack mega-fine looms over

Anonymous Coward

Re: Collateral damage in the Cyberwar

If your house is burgled because you left all the doors and windows wide open and put up a sign reading "on holiday for 6 weeks", that wouldn't be unfair.

State actors have created absurd advantages for themselves over anyone else when it comes to physical, mechanical warfare. The same is not true when we're talking about data security. A clever individual or a corporation with the kind of resources that Marriott International has can defeat this kind of threat, and I would argue is obligated to make every reasonable attempt to do so.

It's one thing for China to employ sleepers who take IT security jobs with a foreign target corporation, corrupt their auditing software, and send their customers' data back to the PLA. That's difficult (though not entirely impossible) to defend against, but it's also very risky for China: phrases like "international incident" and "act of war" get thrown about, as well as a fairly automatic espionage conviction. It's another thing entirely to simply not bother training staff, employing industry best practices, or really making any kind of effort at all to prevent unauthorised remote access, which is how 99%+ of all these breaches occur. If you want to argue that you couldn't possibly have prevented the breach because it was orchestrated by a state actor, you should have to prove that your countermeasures were strong enough that only a state actor could have pulled it off. Good luck with that.
