In previous posts, I examined the use of communication at the more granular level of technical attribution; now I'd like to zoom out a bit. I want to examine incident response and how communication can be used throughout the process. Based on my research and conversations, incident response is a pretty siloed process, and it is particularly siloed from communication. It's frequently undertaken by teams external to the organization experiencing the incident and isn't something integrated into most organizations' normal operations or culture.
Communication and security efforts in an organization should be working together at all times, not just in times of crisis. However, because there is such a gulf between security and communication in most organizations, there needs to be an entry point. Risk and crisis communication can be one of those entry points. Major incidents and public/media attention are making executives and security people realize the importance of communication during these incidents and, based on most crisis models, communicating about incidents can expand into pre-incident communication. Hopefully, crisis communication can act as an entry point for a more nuanced application of communication to all security issues.
There is a widely used model for risk and crisis communication called CERC (Crisis and Emergency Risk Communication). It's used by government agencies like FEMA and the CDC and it offers guidelines on the sort of actions that should be taken at the various stages of a crisis regardless of what caused the crisis. What I want to do here is go through the lifecycle of infosec incident response from the perspective of CERC. According to CERC, how should communication be used throughout incident response?
The first step in any crisis response happens long before the crisis actually happens. I don't want to spend too much time on risk and preparedness communication here. I've covered some of it in previous posts and will cover it more in the future. Pre-crisis is (usually) the longest part of the cycle because it encompasses all of the time in which you aren't actively experiencing a crisis. Many of your actions in this phase won't be directly related to crisis response but a lot of them will support future crisis communication, even if it's just building strong relationships and a good reputation with employees, partners, and customers through the course of normal operations.
The pre-crisis stage is mostly about risk assessment, management, and preparedness. You install fire extinguishers, conduct routine maintenance on appliances that might cause fires, map and drill evacuation routes, etc.
In terms of the technology side of this, there are plenty of experts and guides that can tell you what to do to establish a strong security stance. I am not one of those experts. One of my experts told me that, at the pre-crisis stage, you establish the incident response team and standard operating procedures: "Who talks to the press, who in the company needs to be involved, who doesn't need to know what's going on. When to notify law enforcement if appropriate." These questions are appropriate for most crises so they shouldn't be too difficult to answer. You just have to be sure that they're being asked specifically about infosec crises.
Discovery & Disclosure (Initial)
Someone notices something funky is going on and the incident begins. In some cases the incident is small and doesn't develop into a full-blown crisis; fantastic. That doesn't mean communication isn't required, but it mostly pulls us out of the CERC model. Look for a future post, "When an Incident Isn't a Crisis."
However, some incidents do develop into crises, and those definitely require communication. As soon as an unexpected, negative event takes place, people search for causes of the event (Coombs, 2007). Initial judgments of responsibility are based on how much personal control the organization is perceived to have had: how much did the organization's action or inaction cause the crisis? These initial assessments are based on how the crisis is framed when it is first communicated to them.
As I said in a previous post, the instinct at the early stages of a crisis is not to communicate at all. However, strategic communication early on makes future communication easier and may lessen the chances that the crisis will escalate.
As a matter of fact, voluntarily disclosing or announcing a crisis before it is broken by the media (or anyone else) is called "stealing thunder" in the scholarship and is linked to consumer perceptions of higher credibility and less severe risk (Arpan & Roskos-Ewoldsen, 2005). "If they're announcing it, they aren't trying to hide something. They must have it under control," as opposed to being outed by the media, which leads to: "They were trying to hide this, it must be pretty bad." The mandated communication of breach disclosure can be used to steal thunder, even if it isn't technically voluntary.
Once a breach is disclosed to those directly impacted (customers whose service has been interrupted, people whose PII was lost), the information spreads quickly. Disclosure notifications don't come with NDAs. In many cases, the breach notification is the only messaging coming out of the organization, so it gets published widely.
Despite this, breach disclosures (and other forms of required communication) are commonly treated as formulaic, throw-away messages. There are requirements for what a breach disclosure must say, but there is still an opportunity to use the mandated communication strategically. This opportunity is usually squandered in favor of the bare minimum, which doesn't offer a lot of comfort to recipients who have just learned that they're now experiencing a crisis.
Does the breach-notification email excerpted above do the things listed in the CERC table on the right? This isn't the full text of the email, which does include directions for the recipient, says what the organization is doing about the crisis, and offers some assurances. However, these are all extremely vague. I wouldn't say that the email does anything on this list strongly enough. Overall, the email is lukewarm and doesn't make the reader feel comforted.
At the earliest stage of an infosec crisis, as I understand it, the priority is containment and protection of critical assets. You need to identify patient zero and see how deep the intrusion goes. In some situations, you might reach out to others to see if they are experiencing or have experienced a similar incident (like the global ransomware/wipers we've seen recently).
While this early stage involves some investigation, the who-what-where-when-how of it all isn't the focus yet. The focus is on shutting things down and disconnecting infected assets. Internal communication is much more important to these efforts: telling employees how to shut off/unplug their computers, giving updates to executives, alerting partners, etc. The people responsible for the technical side of incident response should be allowed to do what they need to do without worrying about messaging. However, that requires a level of planning and foreknowledge that doesn't exist on the communication side of things.
So, both internal and external communication are crucial to this step of the process, but for very different reasons. Internal communication is critical to functionally addressing the incident, while external communication is mandated. Both can determine the success of the response, in different ways.
In a more traditional crisis, the initial stage has a quick turnaround. You announce that something has happened, give some recommendations, and establish channels for future communication. However, this stage of incident response takes time. This is one of the ways infosec crises break the rules and standards of crisis communication. You may not know the scope of the incident for months. The first case I studied was the Office of Personnel Management breach in 2014. Over the course of a year, the incident went from no loss of PII to approximately 4.2 million individuals' records at risk. This sort of change in scope, over such a long time frame, breaks most crisis communication standards.
Wrapping it up
This is only the first two stages of the CERC model and this post is already too long. Next time, I'll get into the other three stages. What I want to illustrate here is that risk and crisis communication is a decent starting point for better integrating communication and security efforts. I also want to show that there are limitations to applying standard crisis communication to infosec issues. A crisis can be an entry point for communication, but everything that happens before a crisis is much more important to infosec overall.
Arpan, L. M., & Roskos-Ewoldsen, D. R. (2005). Stealing thunder: Analysis of the effects of proactive disclosure of crisis information. Public Relations Review, 31(3), 425-433.
Centers for Disease Control and Prevention. CERC (Crisis and Emergency Risk Communication) manual and tools.
Coombs, W. T. (2007). Attribution theory as a guide for post-crisis communication research. Public Relations Review, 33(2), 135-139.