A major hack of cybersecurity firm SolarWinds has raised the alarm at thousands of companies and government agencies, including Microsoft and the Department of Homeland Security.
Following infiltration of SolarWinds' network management software by what is widely believed to be a Russian hacker group, the cyberattack was deployed via malware snuck inside a software update installed by SolarWinds customers. (If you’re still catching up, CNET’s Steven Musil has a summary of the developments so far.)
Both SolarWinds and Microsoft have made public statements around the hack, while some organizations stay mum—including some federal agencies suspected to have been impacted. SolarWinds also counts in its customer base AT&T, Procter & Gamble and McDonald's, so expect PR responses of varying success to emerge in coming weeks as more details around the breach come to light.
So far, FireEye, another SolarWinds client (and a cybersecurity firm), is the only private company besides Microsoft to issue a statement picked up by the mainstream media. However, The Wall Street Journal today named Cisco, Nvidia and Intel as impacted organizations, none of which had issued a statement on the breach as of this writing.
Whether or not the SolarWinds hack touched your company, it's important for your 2021 PR strategy to include a cybersecurity response. “I think the odds are high that most of us will use our crisis plan sometime in the coming year, given the changing landscape,” says Kristin Miller, director of corporate communications at Ping Identity, a network security firm. To file away for your reference when (not if) that day comes, here are communication takeaways from organizations responding to the SolarWinds hack.
Regular Updates
While locating the source and onset of a breach can take months or years, it is a PR best practice to inform customers, and in certain cases the general public, of the breach ASAP—and to provide frequent updates, even when there is little to report. Several regulations govern how soon firms must inform the public of a cyberattack. Firms in the cybersecurity business may also be obligated to file with the Securities and Exchange Commission within a specific length of time after the breach is discovered. All of this means PR pros must work closely with legal. [Read SolarWinds' SEC filing here.]
Microsoft made an initial statement Sunday Dec. 13, but followed up with another statement Thursday Dec. 17 that malware had indeed been detected and impacted customers of its cybersecurity software.
Microsoft’s Dec. 17 statement to the press notes actions taken (“we detected malicious SolarWinds binaries in our environment, which we isolated and removed”) as well as reassuring customers who were unaffected. The company stated it found “no evidence of access to production services or customer data.”
The challenge for companies in Microsoft’s position is balancing the need to reassure customers with a lack of visibility into the exact security vulnerabilities of a vendor. “The SolarWinds attack has changed the game for many PR professionals who now need to layer in third-party supply chain attacks into their crisis plans,” says Miller.
Consistency and Repetition
Reuters, the Washington Post and Wall Street Journal found that the hack impacted U.S. Homeland Security, State, Commerce and Treasury Departments. In addition, the National Institutes of Health, Department of Energy and the National Nuclear Security Administration also were compromised. However, not all these agencies have issued statements. Treasury has stayed mum, with no response to the press as of this writing.
For its part, the Cybersecurity and Infrastructure Security Agency (CISA), the federal agency charged with investigating national cyberattacks, has done its communication due diligence. It warned the American public about an “active exploitation” of the SolarWinds Orion platform. “CISA encourages affected organizations to read the SolarWinds and FireEye advisories for more information and FireEye’s GitHub page for detection countermeasures,” a Twitter notice reads.
.@CISAgov encourages organizations that use SolarWinds Orion Platform software to review the following advisories for information on publicly identified nation state backed threat actor activity: https://t.co/zcAREzsbAX https://t.co/EvIwOsUusV https://t.co/fs5Cn40WAI
— US-CERT (@USCERT_gov) December 14, 2020
In subsequent days, CISA posted iterations of the warning to its Twitter page, illustrating the PR challenge of reaching every possible audience impacted by a cyber breach. While it may seem counterintuitive to repeat an announcement with potentially damaging reputation impacts, PR pros can better control a message when it isn’t buried.
If a statement or response is too challenging for a reporter to find, they may turn to other sources outside your organization who are under no obligation to provide a rosy description of your cyberattack response.
Microsoft Responds from the Top
Microsoft is among the few private players to respond publicly to the breach so far, likely because the press reported early last week that the cyberattack had impacted its clients. Instead of having a company spokesperson issue messages to the press, however, Microsoft President Brad Smith served as the main point of response.
Smith penned a lengthy blog post Dec. 17 chronicling the SolarWinds breach. He argued that the recent breach is an indication of a broader global trend of increasingly sophisticated cyberattacks against the U.S. and other countries. The post places responsibility for nations’ cybersecurity at the federal level, using the word “government” no less than 40 times.
“There's a fine line between how you communicate and take ownership of an issue that is your company's fault versus one that was caused by another company,” says Miller. Still, “at the end of the day your customers won't care who is to blame, but how you frame your statement.”
Framing was clearly a consideration in Microsoft’s response. Rather than an apology or tech update, the post reads as an exercise in thought leadership, a call-to-action for the government to take more steps to protect the nation’s cybersecurity while partnering with the private tech sector. Smith points to Microsoft’s long-term status as a government contractor, stating that “perhaps no company has done more work than Microsoft to support agencies across the federal government.”
Smith next excoriates the government for failing to share information between agencies and with the private sector. “Federal agencies currently fail to act in a coordinated way or in accordance with a clearly defined national cybersecurity strategy,” he writes.
Smith's missive mirrors widespread criticism over the Trump administration's weakening of cybersecurity failsafes, including firing civilian cybersecurity chief Chris Krebs. Moreover, Smith provides recommendations for the incoming administration, including strengthening international cooperation and rules around cyberattacks.
What is to be Done?
While Microsoft’s call-to-action will likely stand out as one of the more distinctive responses as the private sector continues to assess the damage, it buries the lede—the status of the breach and the steps the company is taking to respond. The following notice appears at the very bottom of the 3,500-word blog post:
“Like other SolarWinds customers, we have been actively looking for indicators of this actor and can confirm that we detected malicious SolarWinds binaries in our environment, which we isolated and removed. We have not found evidence of access to production services or customer data. Our investigations, which are ongoing, have found absolutely no indications that our systems were used to attack others.”
For Microsoft’s sake, one would hope the company continues to find “no indications” that hackers used its services to attack its customers. Otherwise, the post may age poorly, in retrospect appearing as overly defensive and dismissive of the company’s role.
Still, Microsoft’s plight may soon fade from public awareness if the list of impacted companies continues to grow. In that case, will it even be considered a true communication crisis?
Perhaps not: “The SolarWinds espionage attack reframes how to define a cybersecurity crisis,” Miller argues. “Prior to the attack, a data leak by a major brand was an attention-grabbing headline, and the company would most certainly suffer reputation damage.” However, given the context and breadth of the SolarWinds attack, she adds, “I think the bar for a true crisis has elevated.”
Sophie Maerowitz is senior content manager at PRNEWS. Follow her on Twitter @SophieMaerowitz.