What the heck just happened? We went from cyber battle-stations and the sky is falling to pretty much “never mind” over the New Year holiday. Let’s look at how this went down and what we might learn from it.

The president, in cooperation with the DNI, FBI and DHS, released documents, including a Joint Analysis Report (JAR), regarding an incident called GRIZZLY STEPPE, the code name for a Russian APT group or groups accused of tampering with the US elections. The president chose to release this information at about 3 pm EST, Dec. 29, 2016. DHS and the FBI, at 4 pm on the same date, initiated a joint conference call to the National Council of ISACs and designated energy and law enforcement members. A follow-on technical threat mitigation call was scheduled for the next morning at 11:30 am EST.

Analysis

It is probably not advisable to release an all-hands, emergency-action-required statement from the office of the president at closing time prior to a major holiday for all federal and many private sector workers. A significant portion of those who were available to receive the message and responsible for acting upon it encountered difficulty due to empty desks and holiday departures.

The timing of the release was not ideal. Most East Coast workers were already preparing to depart for the day, and Washington, DC was no exception. DHS and the FBI scheduled the Friday technical threat mitigation call, lasting an hour, about 30 minutes prior to a traditional half-day release for federal employees at many organizations.

The status of the GRIZZLY STEPPE APT had been known within the intelligence and law enforcement communities for a significant amount of time and could have been released at any point.

Regardless of our level of automation or cybersecurity prowess, we still require human interaction to function. Consider the human factor before pressing a panic button.

The threat(s)

The JAR and associated documents released specifics on IPs, malware and indicators. It called for immediate action to analyze logs and determine if any organization had been affected by GRIZZLY STEPPE.

The U.S. Government named a large number of common hacker tools in use by individuals and groups worldwide. Most of the tools (Neutrino and the PAS tool web kit, for example) and techniques (phishing, web page spoofing to harvest credentials) are not unique to the Russian APT 28 and APT 29 actors who conducted the GRIZZLY STEPPE intrusions. Entire families of malware were attributed to these events; this completely obfuscated any claim of attribution.

Author “Paul,” at Securityledger.com, explained it quite well: “Conceptually simple, GRIZZLY STEPPE is an analytic grenade, scrambling already complex interrelations between malware authors, government sponsored hacking crews, cybercriminal and politically motivated hacktivist groups and neutral third party providers.”

The JAR opens with the following statement: “This report is provided ‘as is’ for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service referenced in this advisory or otherwise.”

The JAR appears to have been a mishmash of several reports and already published mitigations. How are you supposed to attribute GRIZZLY STEPPE to Russia when DHS openly and adamantly disclaims any “warranty of any kind regarding any information contained within?” One must wonder if government analysts jumped onto this analytic grenade or were thrown onto it.

Grizzlygate

The Washington Post on Dec. 30, 2016, broke the following headline and its accompanying story: “Russian hackers penetrated U.S. electricity grid through a utility in Vermont, U.S. officials say.” In the subsequent hours, designated Federal agencies and compliance enforcement bodies came together to determine what, if any, threat existed to the nation’s Critical Cyber-Electrical Infrastructure. They found none.

In spite of the inflammatory article penned by the Post, the Vermont utility (victims of the news avalanche now to be referred to as Grizzlygate) determined that on a single, non-networked laptop, a copy of the common malware NEUTRINO had been discovered. NEUTRINO is a package of attack tools, an “exploit kit,” that has been for sale on the internet since March of 2013. Though NEUTRINO may have been used in the GRIZZLY STEPPE intrusion, it is not specifically attributed to APT 28 and APT 29.

This is where the confusion started. Since the net cast by the GRIZZLY STEPPE emergency action request covered such a wide range of malware and techniques, NEUTRINO was caught up in it. The Vermont utility reported they had found a named malware on their laptop. This became, “Russian hackers penetrated U.S. electricity grid through a utility in Vermont, U.S. officials say.”

The most reasonable response I have found from any involved party originated from the Edison Electric Institute, which is the association that represents all U.S. investor-owned electric companies. Their media statement:

“On Thursday, December 29, 2016, senior government officials with the Departments of Energy and Homeland Security briefed the CEOs of the Electricity Subsector Coordinating Council (ESCC) and other energy sector representatives regarding Russian cyber incidents against U.S. interests. Critical infrastructure sectors—including the electric power sector—took immediate steps to review and to secure their systems based on this new intelligence.

“At this time, we are aware of a single instance in which a U.S. electric utility discovered a suspected Russian presence on its enterprise network. The utility has shared this information with DOE, DHS, and all appropriate authorities. At this time, there is no evidence that any systems responsible for grid operations were impacted.”

That, ladies and gentlemen, is how it should be done.

Where does that leave us?

There was no immediate threat to, or action required by, the private sector. Information provided by the government was generic, certainly not specific to Russian actors such as APT 28 and 29, who are being assigned the blame for the GRIZZLY STEPPE intrusions (stealing the Democratic National Committee’s emails). This event was poorly timed, poorly managed, and quickly spun out of control with the help of media sensationalism and a lack of media cyber-savvy.
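The JAR asked recipients to run its indicators over their logs, and the point of the article is that a match on a widely used tool such as NEUTRINO, found on one offline laptop, says nothing about who was behind it. The following is an added example, not code from the article, the JAR or any organization named above: it runs a small indicator list over a few constructed log lines and then triages each host by whether the matching indicator is commodity tooling or specific to the named actor, so that a single commodity hit is recorded as a lead to corroborate rather than as an intrusion by that actor. All IP addresses, hostnames, log lines and the "specificity" labels are constructed for the example; the real JAR indicators are not reproduced here.

```python
"""Indicator matching with specificity-aware triage (added example, constructed data)."""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    value: str        # IP address or malware family name
    kind: str         # "ip" or "malware"
    specificity: str  # "specific": tied to the named actor; "commodity": shared tooling/infrastructure


# Constructed indicator list (documentation-range IPs, not values from the JAR).
INDICATORS = [
    Indicator("203.0.113.10", "ip", "specific"),
    Indicator("198.51.100.25", "ip", "commodity"),  # shared infrastructure used by many actors
    Indicator("Neutrino", "malware", "commodity"),  # exploit kit openly sold since 2013
]

# Constructed sample logs: three proxy lines and one endpoint AV alert.
SAMPLE_LOGS = [
    "2016-12-30T09:12:01 proxy src=10.0.4.21 dst=198.51.100.25 url=/update.php status=200",
    "2016-12-30T09:14:44 proxy src=10.0.4.21 dst=203.0.113.10 url=/login status=302",
    "2016-12-30T10:02:13 av host=LAPTOP-7 detection=Neutrino action=quarantined network=offline",
    "2016-12-30T10:05:50 proxy src=10.0.4.30 dst=192.0.2.77 url=/ status=200",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
KV_RE = re.compile(r"(\w+)=(\S+)")


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def extract_fields(line):
    """Parse key=value pairs and collect every syntactically valid IPv4 address in the line."""
    fields = dict(KV_RE.findall(line))
    fields["_ips"] = {ip for ip in IP_RE.findall(line) if _is_ip(ip)}
    return fields


def match_indicators(lines, indicators=INDICATORS):
    """Return (line, indicator) pairs for every log line that contains an indicator."""
    hits = []
    for line in lines:
        fields = extract_fields(line)
        for ind in indicators:
            if ind.kind == "ip" and ind.value in fields["_ips"]:
                hits.append((line, ind))
            elif ind.kind == "malware" and fields.get("detection", "").lower() == ind.value.lower():
                hits.append((line, ind))
    return hits


def triage(hits):
    """Map each host to a verdict based on what kind of indicator matched it.

    A specific indicator, or two or more distinct indicators on the same host,
    is worth an investigation. A single commodity match is only a lead: it needs
    corroboration before anyone attributes it to the named actor.
    """
    by_host = {}
    for line, ind in hits:
        fields = extract_fields(line)
        host = fields.get("src") or fields.get("host") or "unknown"
        by_host.setdefault(host, set()).add(ind)
    verdicts = {}
    for host, inds in by_host.items():
        if any(i.specificity == "specific" for i in inds) or len(inds) >= 2:
            verdicts[host] = "investigate"
        else:
            verdicts[host] = "corroborate"
    return verdicts


if __name__ == "__main__":
    for host, verdict in sorted(triage(match_indicators(SAMPLE_LOGS)).items()):
        print(f"{host}: {verdict}")
```

On the constructed logs, the workstation that talked to both a commodity and a specific indicator comes out as "investigate", while the offline laptop with a single NEUTRINO detection comes out as "corroborate", which is the distinction the article draws between a hit on a published indicator and evidence of the named actor. The specificity labels are the analyst's judgement, not something the script can derive from an indicator list that does not carry them.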