Category Archives: Communications

The Five Stages of “Hacked”

[Note: This scale is now posted on its own page here.]

While doing some work around the SolarWinds hacks, I realized that there’s no simple triage scale that we in the industry can use to succinctly characterize the severity of hacks.

This is my proposal for a simple scale to enable simple but meaningful comparisons of the severity of hacks.

Since what matters most in a hack is its spread and severity, the cancer staging system is a good model for measuring these things, so this scale is adapted from it.

  • Stage 0: The attackers have found or made an entry point to systems or the network but haven’t used it or taken any action.
  • Stage I: Attackers have control of a system but haven’t moved beyond the system to the broader network.
  • Stage II: Attackers have moved to the broader network and are in “read-only” mode meaning they can read and steal data but not alter it.
  • Stage III: Attackers have moved to the broader network and have “write” access to the network meaning they can alter data as well as read and steal it.
  • Stage IV: Attackers have administrative control of the broader network meaning they can create accounts and new means of entry to the network as well as alter, read and steal data.

(Also posted on Medium)

Interview on Hacker Valley Studio

I had the pleasure of being interviewed by Ronald Eddings and Chris Cochran with Hacker Valley Studio talking about crisis communications and lessons learned from “making awful news just bad” in their episode “Communicating in a Crisis with Christopher Budd”.


“Hi We’re from the Government, We’re Here to Help You”

Yesterday the President announced a new executive order “to promote information-sharing within the private sector and with the government” around cybersecurity (I HATE that term).

I work in the private sector he’s talking about and have for nearly 20 years now. And I’ve seen and been part of a lot of really important collaboration and information sharing between government agencies and the private sector.

So I generally think this sort of thing is a good thing. The bad guys of all stripes always benefit when dealing with divided defenders.

But I don’t think this can and will be as successful as it could be or needs to be.

Because the fact is that in the security and privacy community, there’s a lot of lingering suspicion and bad feeling around the activities that government agencies are alleged to have engaged in as a result of the Snowden disclosures.

Information sharing only happens, and so only works, where there’s trust. And a lot of people I know in the security and privacy space lost a lot of trust in the US government in the wake of those claims.

And that trust hasn’t been rebuilt or regained at all because there still hasn’t been an upfront discussion about what is and isn’t going on. And in that vacuum, a lot of people are assuming the worst, rightly or wrongly.

I’ve taken a very moderate stance on all this myself. I’ve worked with some very good people with intelligence backgrounds, so I don’t fall into the facile “the NSA is evil” camp. But I also don’t fall into the other, “the NSA can do no wrong” camp either. My views are more nuanced, with an underlying respect, gratitude and appreciation for those people willing to do hard, thankless work to protect us (having done a lot of that myself).

Regardless of my own views on this all though, the fact remains that for any information sharing program to succeed, there has to be trust. And it’s hard to argue there’s trust to fuel information sharing when one of the biggest, most important players is involved in a lawsuit to prevent having to disclose information it believes it shouldn’t have to.

In the end, it’s too bad because the horrible way the Snowden disclosures have been handled in terms of a response will undermine what is an important initiative that ultimately will benefit everyone.

This is yet another example that how you handle and respond to what you do is at least (if not more) important than what you do itself.

Getting the story right when you didn’t get it right

Today via Geekwire (and others) we’re hearing about how the radio show This American Life has issued a wholesale retraction of their story from January about factory working conditions at an Apple supplier in China. The full retraction is available on This American Life’s blog.

What’s interesting about this is how they’re handling the issue. News organizations make mistakes and issue retractions regularly: this isn’t a unique incident. But, as This American Life’s press release makes clear, this wasn’t just any story for them. This was a very big story for them.

To their credit, since they have to retract a big story, they’re doing so in a big way. They’ve essentially done a new story talking about how they got this wrong. They’re even doing a special broadcast just to focus on how they got this wrong. And, they’ve taken full and clear responsibility, apologized, and spoken openly about how this situation can impact the trust their audience puts in them.

A big mistake on a big story requires a big response to make it right. By handling this like they have, This American Life has not only taken steps that very effectively mitigate the harm of this incident, but, by being so open and upfront, they’ve also taken steps to actively regain the trust that they acknowledge an incident like this can harm.

This is a model for how news organizations can effectively handle situations like this. They really should be commended.

Overresponding: A Lesson

Say this about Twitter, it certainly is a treasure trove of incident mishandling for analysis.

Today’s lesson comes to us from the Topeka Kansas Home Office and is about the danger of overresponding to an issue. Overresponding means you respond to the issue with more force than is appropriate and in so doing your response creates more problems than it solves. Overresponse is actually a very common pitfall in crisis communications and is typically a panic move made by people who aren’t experienced in this arena.

The lesson comes from Kansas governor Sam Brownback, or more accurately his director of communications Sherriene Jones-Sontag. This Associated Press story has all the important details, but the key points are that a high school student jokingly tweeted something negative about the governor on Friday. His director of communications spotted it and complained to the school, which promptly brought the student in and told her she had to write an apology.

Setting aside the fact that this incident was incendiary from the outset, because it looks like (and frankly is) the governor and the school system bringing their coercive force to bear on an expression of speech, this is a classic example of overresponding to a negative comment.

The fact is that this critic had a mere 65 followers. If there had been no response from the governor’s office, the only people that would have even seen this criticism are maybe 100 people at most. It’s a simple bet that well over 100 people have seen that original remark now after the governor’s response. From that standpoint alone, the handling represents overresponse: their response drove more eyeballs to the negative news than would have seen it if they just left it alone.

Add to that the nature of the response and how broadly negative the reaction to that response has been. On the first business day after the story broke, the governor and school district have had to retreat and apologize. That tells us that both the governor and the school district were coming out strongly on the losing end of public opinion. A retraction that quickly is essentially saying “uncle”.

Worse yet, this response has spiraled now beyond the original issue and is prompting broader questions that may linger and be more damaging than this incident was. This opinion piece by Dean Obeidallah on CNN (a high profile site) raises a number of questions that I’m sure the governor’s office would prefer had never been raised, particularly the question about taxpayer funding of social media monitoring and the likening of the governor’s actions to Nixon’s enemies list.

What this illustrates is what can go wrong if you overrespond to an issue. What people should take away from this is the importance of understanding that not every negative comment deserves a response. Sometimes your response can make an issue bigger than it would be otherwise. And sometimes your response can take on a life of its own and become more of a negative issue than the original thing that prompted the response. Finally, this also highlights how freedom of speech is a very hot-button issue, and organizations should never want to look like they’re on the wrong side of it.

In the end, sometimes the right thing to do is the less obvious thing: leave the issue alone. And this is where people who are experienced in crisis communications can help, because we understand these risks and can help make an informed assessment on whether it makes sense to respond at all.

JetBlue: A better, more personal response

To follow up my post earlier today, it appears JetBlue is taking a better, more personal track in their response. Late today they posted a video statement by the COO on their blog site that definitely hits a much better tone and hits some of the points I wrote that I thought a better response should contain (including that it be a video response). It acknowledges shortcomings, speaks with empathy and understanding, has an apologetic tone, promises improvements, and most of all, is direct and personal, putting a real person with a real name and title up for all to see.

I can’t take any credit for it. I did post a link to my post on their site under their original posting, but have no idea if anyone there read it.

But the important thing is that this shows that some of the points I raised as far as a better, more personal handling are valid ones.

Hopefully they’ll keep on this more transparent, more personal track moving forward. If nothing else, they deserve credit for changing course relatively quickly.

Once is happenstance…

…twice is coincidence. The third time is enemy action. So says Ian Fleming’s Auric Goldfinger in Goldfinger.

I’m thinking of this saying today as I read about JetBlue having another major situation around airline passengers being virtually held prisoner on planes on the tarmac in the Northeast this past weekend. The details are here, including a recounting of a pilot’s pleading for assistance. By the way, if you want an example of a nightmarish story to try and manage, here’s a local paper recounting the experience of a guy in a wheelchair on one flight who talks about feeling like a “hostage” in the ordeal.

This is the second time JetBlue’s name has been associated with a situation like this. Indeed, the first incident is a key driver for the very regulations that they now face penalties from.

Yes, the circumstances were the result of forces of nature. But the fact that JetBlue has already failed in this arena once before gives them little wiggle room in terms of perception. Further, the fact that other airlines seem to have been unaffected or not nearly as badly affected puts them in a class by themselves on this.

Their response to the first incident wasn’t enough to undo the damage then. And if you look at their response to this, I predict once again it won’t help. Their blog in particular is a very poor attempt to manage this situation and may well make things worse. First, the blog starts with a joking tone. While I advocate humor and levity as a means of injecting an authentic voice, this isn’t the time or place. People felt like hostages: don’t make light of that. In that vein, the blog also totally lacks any empathetic acknowledgement of the pain and suffering passengers experienced. Also, the blog lacks any clear taking of responsibility for the situation. And finally, the “remedy” that is offered won’t seem like compensation to anyone outside of JetBlue. Not making passengers pay for their own incarceration shows, as a friend once put it, “delusions of adequacy”. If they want to make it up to people, they’re going to have to start there and move upwards.

If JetBlue wants to nip this in the bud and prevent it from being as big a harm to their brand as the last tarmac debacle, they should quickly pivot their handling and put out a statement by the CEO (preferably on video so the sincerity, if it’s there, can be seen) that very clearly says:

  • Yes, we screwed up, again. I am sorry for the genuine pain and suffering you all experienced because of our failures. Ultimately, it’s my responsibility and I personally apologize to all of you.
  • The weather was unprecedented and everyone scrambled. But somehow, we seemed to fall short yet again. I don’t know why we fell down so badly yet again, but I will.
  • To our affected customers, and all customers, I promise a complete, transparent investigation as to how this happened, how we can prevent this from happening again, what we’re going to do to try and keep this from happening again, and regular updates on how we’re coming with these changes. As part of this, I promise real consequences for people who let you down.
  • Of course, we’re not going to charge any of you for these flights. But we will also try to make it up to you and give you a reason to give us another chance.

If they don’t do something like this, the risk is that others will think about this like I do. And if there IS a third incident like this, the enemy action that Goldfinger talks about is the action of JetBlue against its passengers. It’s generally bad for a brand when customers start to think of you as an enemy.

Don’t be too Qwik

The latest chapter in the NetFlix situation is a good lesson in the importance of the rule that it’s not just what you do, but how you do it, in terms of perception.

Specifically, the handling of the short-lived and now defunct “Qwikster” project, NetFlix’s attempt to split their DVD rental business off onto a separate brand, has been an abject failure. Certainly it’s been a failure from a business and customer satisfaction point of view. NetFlix has had to completely reverse direction based on another wave of customer ire and dissatisfaction. Reversing direction on a major initiative like that is never a success.

Beyond that though, the entire Qwikster episode, from start to finish, has caused an important hit in terms of perception by making NetFlix look like they don’t have a plan and are making major decisions without thought, deliberation, and research. It’s one thing for your image to take hits around customer satisfaction and even “being out of touch”. But for people outside to look at you and start saying “What the heck is going on there? Who’s making these decisions and how are they making them” hurts a business’ image at very fundamental levels. It shakes or even shatters the trust people have in the leadership of the company. That’s particularly bad from an investor relations point of view: if these major decisions are being made in such a reactive, ad hoc manner, why should you expect the company will respond any better to future challenges?

All major reversals like this cause some degree of reputational damage around leadership. Whether it’s “New Coke” or the Microsoft KIN, major reversals have led outsiders to ask how those failed decisions were made. But the Qwikster episode has been executed in a way that makes these questions more acute. It was clear at the outset that the decision to spin off Qwikster was a rushed, reactive plan.

One need only look at the debacle around the Qwikster Twitter handle where the handle wasn’t under their control and in fact was already being used by someone Tweeting on topics no marketing person would want associated with a brand new brand. That said clearly that this wasn’t a planned launch at all: it was a reactive, ad hoc decision.

That misstep could have been overlooked and eventually forgotten if Qwikster had been a success. Sometimes companies have to move quickly and the furor that NetFlix was facing over their new fees was intense and clearly they felt they had to do something. But rather than quell the customer anger over the fee changes, this decision stoked it even more. And so in less than one month, they’ve had to suddenly reverse their previous hasty decision. And now, in addition to the customer anger over the fee increases (which still hasn’t abated), NetFlix now has to cope with serious questions about their decision making process and capability. That hit to their reputation comes through loud and clear in this Wall Street Journal article by Stu Woo and Shara Tibken:

While investors and customers expressed some relief Monday, concerns still remain about Netflix’s recent actions and future. Adam Hanft, chief executive of consumer marketing and branding firm Hanft Projects, said it is difficult to understand Mr. Hastings’s thought process in planning to separate its businesses.

“He’s usually a much better chess player than this,” Mr. Hanft said. “It’s a total blunder, and he misread consumer intentions and interest completely. … It’s clearly a company that’s lost its way, which is unusual for a CEO with a pretty firm grip on things.”

What should NetFlix have done differently? It goes back to planning and the original fee increase announcement. Delivering negative or potentially negative news should be carefully planned. The decision makers should work with those who work most directly with customers to understand the likely response. They should also work with industry experts and analysts to understand the likely response and pitfalls. Then, they should build a plan to mitigate the risks that are identified. In this case, that means a plan for what to do if customer response is so overwhelmingly negative that they suffer major losses in customers. And if the worst happens, you break out the plan and implement it. You show that you’re adaptable but that you are in control and have a direction. This underscores why it’s so important to involve people with expertise in crisis communications and reputation management in the planning for major announcements: we can help you identify the risks and plan for them.

In the case of NetFlix, I would have recommended that their recovery plan around the fee announcement involve giving customers options around the fees: either a more granular ability to limit the impact of the fee increases, or a promise that they won’t raise fees for some set period of time. And if the fees are driven in part by fee increases by the content providers, they should have been more up front about that. Customers don’t like it, but they understand, when you have to pass on increased costs from your suppliers. And, anyway, there are few industries that already have as bad an image as the large entertainment conglomerates.

NetFlix now has to start working to repair its relationships with its customers and rehabilitate its image around corporate decision making. A first step in that latter process will be to do all they can to make the next major step they take a success. Hopefully they’ll do better planning for that next step.

Lead or go out of business

That’s increasingly the reality around communications and online security/privacy incidents. If you don’t lead in providing information, then others will do it for you. And that can mean your company could be out of business in just a few days. Google, Microsoft, Mozilla and the Dutch government have all made this point very clear over the course of the past few days with regard to the DigiNotar compromise.

You can get full details in Gregg Keizer’s story but the important facts are that DigiNotar is a Dutch company that issues digital certificates used for secure web browsing. Around August 29, 2011 Google discovered a forged DigiNotar certificate was being used on the Internet. In real terms, this means that someone could use this certificate to watch what you’re doing on the Internet when you’re using a secure channel without you knowing it. Google, Microsoft, and Mozilla all responded by making the forged certificate unusable in their browsers but keeping the rest of DigiNotar’s certificates usable. This is a standard response when situations like this have happened in the past.

But over the next four days, it emerged that DigiNotar had been aware of this attack since mid-July, that it was broader than a single certificate, and that they had said nothing. In response to that lack of transparency and communication, Google, Microsoft, Mozilla, and the Dutch government, now involved because they used DigiNotar for sensitive government websites, took an unprecedented step. They revoked all certificates that DigiNotar has issued or will ever issue, basically putting them out of business. It would be like the United States Government declaring that a state’s driver’s license issuing procedures were so weak that none of its licenses will be accepted as valid IDs ever again.
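To make the difference between the two responses concrete, here is an added example in Go (not code from the original post, nor from Google, Microsoft, Mozilla or DigiNotar): it builds a constructed test CA as a stand-in for DigiNotar, has it issue one honest certificate and two forgeries, and checks each under the first response (block only the forgery that was found) and the second (drop the CA from the trusted roots). It uses only the Go standard library; every name and certificate in it is constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert signs tmpl with parentKey (self-signed when parent is nil); all certs here are constructed for the demo.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// leaf is a template for an ordinary TLS server certificate for dnsName.
func leaf(dnsName string, serial int64) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), DNSNames: []string{dnsName},
		Subject: pkix.Name{CommonName: dnsName}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
}

// fingerprint is the SHA-256 of the DER encoding, the usual key for a certificate blocklist.
func fingerprint(c *x509.Certificate) [32]byte { return sha256.Sum256(c.Raw) }

// accepts is a browser-style decision: reject blocklisted certs, then require a valid chain to a trusted root.
func accepts(roots *x509.CertPool, blocked map[[32]byte]bool, c *x509.Certificate, dnsName string) bool {
	if blocked[fingerprint(c)] {
		return false
	}
	_, err := c.Verify(x509.VerifyOptions{Roots: roots, DNSName: dnsName})
	return err == nil
}

// Outcome: is the discovered forgery accepted? an honest cert from the same CA? a second, still-unknown forgery?
type Outcome struct{ KnownForged, Honest, UnseenForged bool }

// Simulate compares the two responses: blocking the one forged certificate versus removing the CA from the roots.
func Simulate() (blockOne, distrustCA Outcome) {
	ca, caKey := newCert(&x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		Subject: pkix.Name{CommonName: "Constructed Test CA"}}, nil, nil)
	honest, _ := newCert(leaf("shop.example", 2), ca, caKey)
	knownForged, _ := newCert(leaf("mail.example", 3), ca, caKey)  // the forgery that was discovered
	unseenForged, _ := newCert(leaf("mail.example", 4), ca, caKey) // another from the same breach, not yet found
	blocked := map[[32]byte]bool{fingerprint(knownForged): true}
	withCA := x509.NewCertPool()
	withCA.AddCert(ca)
	decide := func(roots *x509.CertPool) Outcome {
		return Outcome{accepts(roots, blocked, knownForged, "mail.example"),
			accepts(roots, blocked, honest, "shop.example"), accepts(roots, blocked, unseenForged, "mail.example")}
	}
	return decide(withCA), decide(x509.NewCertPool()) // first response keeps the CA; second drops it entirely
}

func main() {
	a, b := Simulate()
	fmt.Printf("block one certificate: %+v\ndistrust the CA:       %+v\n", a, b)
}
```

In the example, blocking only the discovered forgery leaves both the honest certificate and the undiscovered forgery accepted, while removing the CA from the trusted roots rejects all three, including anything the CA issues later.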

If you need any proof that the lack of transparency and communication was the chief driver of this decision, Johnathan Nightingale, who is Director of Firefox Engineering over at Mozilla, cites the lack of notification as the first reason behind their decision. He goes on to talk about how “Incidents like this one demonstrate the need for active, immediate and comprehensive communication”. While his comments are about this specific incident, they apply to any online security/privacy incident.

DigiNotar had two chances to take the lead in this situation. First, when the attack was discovered in mid-July, and then when it first broke publicly in late August. If they had made a point of being the source of authoritative information at either of these junctures, they may have been able to keep control of the situation and keep from being shunted to the side and shuttered by the other affected parties. As it is, though, they’ve become a cautionary tale of how fast things move in Internet time and how quickly one poorly handled incident can close down a business.

The Skype Blogger Proxy War

I said last week it would be interesting to see how the Skype story about firing executives ahead of the Microsoft acquisition would play out. And this week is proving me right, though in unexpected ways. With the latest developments, the Skype story has turned into a full-blown blogger proxy war. Third party bloggers are making arguments for and against Skype while the main players sit on the sidelines feeding the bloggers ammunition for their cases. What’s most interesting in this is that Skype appears to be making no effort to manage the story openly in the mainstream press. Blogger proxy wars aren’t unheard of, but letting that be the only avenue you pursue in managing a situation is unusual and bears watching for lessons.

As a reminder, last week’s story focused on eight executives being let go by Skype ahead of the acquisition. Skype gave little real information about the move. That naturally begged questions that third parties were happy to try and answer, suggesting the motivation was greed on the part of Skype’s owners, the private equity firm Silver Lake Partners. Apparently someone at Skype or Silver Lake wasn’t happy with that story and “unnamed investors” started giving interviews explaining that it wasn’t greed, that the firings were part of a planned restructuring by the CEO. Most notably, this explanation was never delivered by Skype through any official, named sources. Skype opted to let the unnamed spokespeople carry their key message, something most of us would strongly recommend against (and I did last week).

Now, another phase in the story has come out, with a former Skype executive, Yun Lee, who voluntarily left, detailing how vested stock options were yanked back by Silver Lake after he left. He doesn’t argue that they had the right to do that, but he is making the case that it’s a sketchy thing to do. His story handily picks up and builds on the “greed” narrative that started last week. Because Skype didn’t actively work to shut down that narrative, it is fertile ground for Lee’s claims and, predictably, his claims are taking hold.

On the heels of last week’s tactics working poorly for Skype, they are, amazingly, following the exact same playbook. Skype’s official spokesperson has again issued a vague statement at the start of the cycle that fails to address the questions and concerns that reasonable people might have. Again, more detailed information about Skype’s point of view is coming out through interviews with “unnamed investors”. And once again, we’re not hearing that more detailed information come from any official, named sources at Skype.

At this point, this somewhat bizarre, disengaged public relations strategy on the part of Skype and Silver Lake has turned this story into a proxy war. There are bloggers/reporters like Sarah Lacy and Henry Blodget who are talking with these unnamed investors and themselves making the case for why Skype acted in a reasonable way. Meanwhile, lining up on the opposite side, you have Michael Arrington and most notably Felix Salmon, who has written on this three times in the past two business days and used “evil” in every posting title.

It can be argued that Skype’s approach has succeeded in keeping this story out of the mainstream press generally. Aside from an article last Friday at Bloomberg Businessweek which has Skype’s only official statement, there’s not been much coverage. But it would be a mistake to count that as a clear victory. Damage to reputation doesn’t have to be widespread to be harmful. Felix Salmon’s most recent post on this touches on the impact of all this on Silver Lake’s reputation. While he doesn’t think Silver Lake will suffer, an investment banker who tweets under the handle EpicureanDeal calls out the harm this will have to their reputation within their business community, and that could be very bad for Silver Lake.

It remains to be seen how this will sort out. But Skype and Silver Lake’s failure to openly engage on this story means they’re relying on the skill of their blogger proxies and luck for this not to end badly for them. That’s not an approach I would ever recommend. As I said last week: Skype should go out and tell their story openly and engage with the mainstream press who have written about this. That doesn’t preclude arming their blogger proxy allies: it supports it.

UPDATE: Kara Swisher over at AllThingsD has a posting with information from an internal presentation that bolsters some of the arguments in favor of Skype’s and Silver Lake’s position. But, yet again, this appears to be information being passed on background directly to specific bloggers/reporters. There’s still no public statement of the case by a named Skype or Silver Lake spokesperson.