
Insider risk can be reduced, not eliminated. Let's say a company has more stringent checks than TS//SCI and pays employees that handle sensitive info well. People can always be turned, if not direct then indirect extortion through loved ones and family. You don't need that much money to develop an asset (it can be a lot but even the poorest nation would find it trivial).

If you can't get to data handlers then you can go after developers and the software supply chain. You have to understand, people can cooperate with threat actors without implicating themselves by getting paid or coerced to allow an intrusion (fall for a phish link or email, install seemingly legit software, insert a USB drive they found in the parking lot, etc.). Worst case they get fired.


