I realize that I have a tendency to overplay my emergency services background, but it does provide me with some perspective not common among infosec professionals. One example is crisis communications. While I haven’t gone through all the Public Information Officer (PIO) training, basic crisis communications is part of several incident management classes I have completed. I have also been involved in enough major meatspace and IT-related incidents to understand how the process goes.

In light of everything from HBGary, to TEPCO, to RSA, to Comodo, it’s worth taking a moment to outline how these things work.

And I don’t mean how they should go, but how they really play out. Mostly this is because those making the decisions at the executive level a) have absolutely no background in crisis communications, b) think they know better than their own internal experts, and c) for some strange reason tend to think they’re different and special and not bound by history or human nature.

You know – typical CEOs.

These people don’t understand that the goal of crisis communications is to control the conversation through honesty and openness, while minimizing damage first to the public, then second to your organization. Reversing those priorities almost always results in far worse impact to your organization – of course, the public eventually figures out you put them second and will make you pay for it later.

Here’s how incidents play out:

  1. Something bad happens. The folks in charge first ask, “who knows” to figure out whether they can keep it secret.
  2. They realize it’s going to leak, or already has, so they try to contain the information as much as possible. Maybe they do want to protect the public or their customers, but they still think they should keep at least some of it secret.
  3. They issue some sort of vague notification that includes phrases like, “we take the privacy/safety/security of our customers very seriously”, and “to keep our customers safe we will not be releasing further details until…”, and so on. Depending on the nature of the incident, by this point either things are under control and releasing more information would not increase risk to the public, or the attack was extremely sophisticated.
  4. The press beats the crap out of them for not releasing complete information.
  5. Competitors beat the crap out of them because they can, even though they are often in worse shape and really just lucky it didn’t happen to them.
  6. Customers wait and see. They want to know more to make a risk decision and are too busy dealing with day to day stuff to worry about anything except the most serious of incidents. They start asking questions.
  7. Pundits create more FUD so they can get on TV or in the press. They don’t know more than anyone else, but they focus on worst-case scenarios so it’s easier to get headlines.
  8. The next day (or within a few hours, depending on the severity) customers start asking their account reps questions.
  9. The folks in charge realize they are getting the crap beaten out of them. They issue the second round of information, which is nearly as vague as the first, in the absurd belief that it will shut people up. This is usually when the problem gets worse.
  10. Now everyone beats the crap out of the company. They’ve lost control of the news cycle, and are rapidly losing trust thanks to being so tight-lipped.
  11. The company trickles out essentially worthless information under the mistaken belief that they are protecting themselves or their customers, forgetting that there are smart people out there. This is usually where they use the phrase (in the security world) “we don’t want to publish a roadmap for hackers/insider threats” or (in the rest of the world), “we don’t want to create a panic”.
  12. Independent folks start investigating on their own and releasing information that may or may not be accurate, but everyone gloms onto it because there is no longer any trust in the “official” source.
  13. The folks in charge triple down and decide not to say anything else, and to quietly remediate. This never works – all their customers tell their friends and news sources what’s going on.
  14. Next year’s conference presentations or news summaries all dissect how badly the company screwed up.

The problem is that too much of ‘communications’ becomes a forlorn attempt to control information. If you don’t share enough information you lose control, because the rest of the world a) needs to know what’s going on and b) will fill in the gaps as best they can. And the “trusted” independent sources are press and pundits who thrive on hyperbole and worst-case scenarios.

Here’s what you should really do:

  1. Go public as early as possible with the most accurate information possible. On rare occasion there are pieces that should be kept private, but treat this like packing for a long trip – make a list, cut it in half, then cut it in half again, and that’s what you might hold onto.
  2. Don’t assume your customers, the public, or potential attackers are idiots who can’t figure things out. We all know what’s going on with RSA – they don’t gain anything by staying quiet. The rare exception is when things are so spectacularly fucked that even the collective creativity of the public can’t imagine how bad things are… then you might want them to speculate on a worst case scenario that actually isn’t.
  3. Control the cycle by being the trusted authority. Don’t deny, and be honest when you are holding details back. Don’t dribble out information and hope it will end there – the more you can release earlier, the better, since you then cut speculation off at the knees.
  4. Update constantly. Even if you are repeating yourself. Again, don’t leave a blank canvas for others to fill in.
  5. Understand that everything leaks. Again, better for you to provide the information than an anonymous insider.
  6. Always always put your customers and the public first. If not, they’ll know – either during the incident or later.
  7. Don’t lie or blame others, and don’t try to pretend you didn’t make mistakes. Don’t be like Comodo, trying to blame Iran and lumping yourself in with the RSA breach.

I don’t care if it’s the Tylenol scare, a security breach, or a nuclear meltdown – your job is to aggressively communicate so you don’t lose control of the cycle. Give people the information they need to make appropriate risk decisions, and it’s okay to keep certain details private… but only if they really protect someone other than yourself (e.g., sometimes you can’t say anything for legal reasons, but be honest when you can’t). Acting like a patronizing parent never seems to work out as well as you hope.

RSA could have controlled the cycle… especially since they were disclosing on their own terms, rather than responding to external discovery. But while they probably thought they were being responsible and releasing the right amount of information, they released just enough to kick the spin into overdrive; create doubt among their customers and the public; and allow pundits, press, and competitors to take control of the cycle… even though none of them has all the information.

There are exceptions to these rules. But not for you.