SANS Digital Forensics and Incident Response Blog

Public Communications Are Critical to Computer Security Incident Response

Law, Forensics and Public Relations

Historically IT security and incident response programs did not include much of a public communications component. Enterprises spoke little about attacks or breaches of security; they quietly focused on defense, investigation and remediation.

Law and politics have changed the game. Since 2003 many laws such as California's Senate Bill 1386 have required data holders to notify constituents and sometimes government authorities when private data have been compromised. For many private and government organizations, their data security posture has become a subject of keen public import. Lawsuits and government investigations are becoming more common.

Today, when a security incident happens, public communications can be critical to an effective response.

A high profile example is Google's announcement that it was the target of an attack allegedly from China. Google views the incident as much more than just a technical matter. It sees it in the context of a larger struggle over law, censorship and Internet freedom. On its official blog, the company . . . described the incident and its investigation and said the event could undermine the company's future operations in China. Google explained how the incident had caused the company to tighten security, and reminded customers of particular steps they should take to protect their accounts and information.

Google's announcement sparked a round of diplomatic fulminations by China, the US Secretary of State and Google officials, including the CEO. See Bluminstein and Fidler, "Google Takes Aim at Beijing Censorship," Wall Street Journal, 30 January 2010.

As Google decided what to say and how, it had to take into account the digital forensic evidence it had accumulated, as well as the interests of customers, governments and its corporate reputation. Articulate, accurate communication was paramount to Google's effectiveness.

The geopolitical uproar triggered by Google's revelation is an extreme example of the noise that commonly follows an IT security incident within the relevant community of interest — more commonly the community of interest includes people like a company's customers, the local news media and the local attorney general. The final outcome of an incident — in terms of legal liability and public perception — depends in large measure on the statements the enterprise makes, both before the incident happened and afterward.

Best Western Hotels, for instance, defused a crisis after a newspaper reported the company had suffered a major data breach. The company's CIO vigorously explained in the media that the newspaper report was overblown and the incident was very limited and inconsequential.

Public communications is a dicey business. Missteps and misinterpretation are easy, and open dispute is common. For instance, after the Google announcement, the company's rival Microsoft criticized Google's approach to China. Further, some have questioned the strength of Google's evidence that the attack came from China.

Modern IT security programs must prepare and deliberate on what to say to the public, where to say it, how to say it and when. Also, after they make a statement, they must be adept at replying to critics and skeptics.

Attorney Benjamin Wright is the Senior SANS Instructor teaching LEG523 Legal Issues in Information Technology and Information Security. The course emphasizes the role of public communications — from contracts, disclaimers, web notices and terms & conditions, to blogs, policies, press conferences and proclamations in courts of law — as tools for coping with the legal and reputation dimensions of eDiscovery and cyber defense.