By Renay San Miguel TechNewsWorld
11/06/09 4:00 AM PT
The situation is a perfect nightmare for any megacorporation: Firewalls are breached, mountains of sensitive data are stolen, and the smell of extortion is in the air. Luckily for all involved, the cyberattack that experts tackled at the 20th World Congress of the Information Security Forum was merely a simulation. The exercise's take-aways, however, proved revealing.
It started as an act of Web site defacement by some anti-capitalist zealots, attacking one of Canada's largest multinational corporations. You know the kind -- they've got their fingers in all kinds of business pies, from airplane parts to media content to their own very popular brand of hand sanitizer. So they were ripe for some cyber-sabotage, judging from the overheated invective that appeared scrawled all over the corporate Web site.
Things went downhill fast, however, for the information technology specialists on hand trying to clean up the vandalism. It soon became clear the corporation was under attack by sophisticated cybercriminals. They had taken the company's network hostage and were actually targeting access to individual executives within the corporation. Critical business data was stolen. Supply chain partners' information was compromised.
Once the media got hold of the story -- not just media, mind you: cable news media! -- the stock price sank and it took worldwide markets with it as other multinationals wondered if they were next. Forget about those sexy aliens in "V." These hackers fought ugly.
Back up a second. Did you say ... hand sanitizer?
Don't Panic
As with those civil defense announcements that interrupt TV programming, the preceding was merely a test. Had this been an actual emergency, hopefully things would turn out better for a company like Acme Global Enterprises.
AGE exists only in the minds of those who planned this week's 20th World Congress of the Information Security Forum, a nonprofit organization made up of some of the top computer security experts from around the world. The ISF works to establish best practices in an industry growing more important by the day. Its members are employed by top multinational corporations in a wide range of industry sectors. They also come from governmental agencies, law enforcement and nonprofits. Every year, they get together for three days of keynote speeches, panel discussions, plenary and breakout sessions and some wining and dining. This year, the annual World Congress was in Vancouver, British Columbia, and I was asked to serve as a host and panel moderator.
They also asked me to write a script for the AGE exercise and play the role of a TV news anchorman (big stretch, I know) telling the world about the data breach. They gave me an anchor desk on stage, some newsy music and a spotlight. What recovering TV newsie could resist? I was given some details of the fictional corporation's break-in and allowed to craft my own "breaking news" reports. I chose to satirize typical breathless American cable news coverage. The hand sanitizer detail was my touch. Mega-topical, right?
To the ISF's credit (full disclosure coming), I was also allowed to report on the proceedings for a couple of media outlets, including TechNewsWorld and the E-Commerce Times. The ISF never told me what I could and couldn't report on, and I was not paid a fee for my services. I accepted the invitation because I wanted to hear the speakers -- ranging from tech-trend tracker/entrepreneur extraordinaire Esther Dyson to Microsoft's (Nasdaq: MSFT) top security guy Scott Charney to the FBI's assistant director for cybersecurity Shawn Henry -- and because I wanted to hear about the latest network security trends and threats. I also wanted to try poutine -- a french fry/brown gravy/cheese curd Canadian comfort food mashup.
A Security Nightmare
The test was the ISF's idea of a team-building exercise: Stick about eight security experts at each table (total attendance: about 500), throw some fast-moving events at them and see how they react. I did three "reports," and the attendees were given 28 minutes between each one to work up an action plan. During that time, they were also told to open information packets at pre-determined intervals that gave them a few more clues: the discovery of keylogging devices hidden in computer mice, the distribution of a fake CEO memo, a problem with baggage sorting equipment at airports, etc.
As the exercise went on, blackmail began to rear its ugly head as a motive. Also, an item taken straight from the headlines, as they say on "Law & Order," was revealed: A shipment of 50 corporate laptops loaded with customer and personal data was lost en route to a destruction facility. It turned out that two employees at the destruction facility were in cahoots with the hackers and gave them information on the laptop route. The security experts at the tables were now dealing with a company being hammered by outside AND inside forces. And thanks to that pesky media coverage and the fact that no one at AGE was willing to give anything other than the briefest and vaguest of public statements, the company's Bethesda, Md., office is reminding the executives that the Maryland Attorney General's office must be informed of any data breaches.
All this situation needed was Keanu Reeves in full "Speed" mode sneering, "Pop quiz, hotshot -- your company is suffering the mother of all hacks, the media is camped out at your Vancouver global headquarters demanding answers, your stock price is heading south and you are just NOW talking about calling law enforcement? What do you do? What DO you do?"
I couldn't say it was fun to watch the proceedings, even though I tried to stick some humor into my faux news reports. It became painfully clear after hearing the FBI's Henry speak about real-life attacks and breaches his agency has investigated in the past year that a lot is at stake in how these members do their jobs. The business world is sticking its head in the cloud -- as in cloud computing. More people are banking and shopping online. The human element continues to bedevil the best authentication and redundancy procedures. Usernames and passwords are so 20th century, it seems.
Face-Saver
The exercise's post-mortem was revealing. Although reputation concerns trumped financial realities at first, many thought that law enforcement should be brought in immediately and that the public relations and communications angle was important to get right at an early stage. This was legal, unpirated music to my ears, as you can imagine, and while it may sound like a "duh" moment, I've done enough stories in the past 10 years about companies that got hacked/extorted and didn't come clean with authorities or shareholders, preferring to either pay up or take care of the situation on their own.
The airport baggage element? A red herring, unrelated to the attack. Just faulty baggage equipment, which I'm sure comes as a shock to many of you.
My time in Vancouver turned out to be illuminating indeed, and I have a better understanding of the challenges facing IT security experts in an online world. That won't stop me from asking them questions, and it shouldn't stop customers, shareholders or consumers either. But they have my respect.
The 2010 ISF World Congress will be among the high-stakes casinos of Monte Carlo, Monaco. Here's hoping the odds are in favor of more secure computing by then.
TechNewsWorld columnist Renay San Miguel started his journalism career with his hometown newspaper in Texas in 1979. He moved to television in 1985, anchoring, producing and reporting in Austin, Dallas and San Francisco before joining CNBC as a technology correspondent from 1997 to 2000. Following a stint with CBS MarketWatch, which included filing tech stories for the CBS Early Show, San Miguel joined CNN Headline News in 2001 as an anchor/tech reporter. He also contributed digital content for CNN.com. After his 2007 departure from CNN, San Miguel founded Primo Media and now freelanc