lorendealymahler
Contributor

Herding cats: lessons learned from the chaotic disclosure of the Meltdown and Spectre vulnerabilities

Opinion
Jan 16, 2018 | 5 mins
CPUs and Processors | Technology Industry | Vulnerabilities

A good cyber communications plan can provide a roadmap through the complexities of a multi-player disclosure.

The fallout from a major security flaw can take months, even years, to fully realize. With the recently disclosed Meltdown and Spectre vulnerabilities, we’ve barely scratched the surface, but what we do already know is that the fallout from the poorly organized disclosure is likely to exacerbate whatever damage is ultimately done.

So, what happened? Here we look at a few of the challenges faced by multi-player disclosures and identify ways you can avoid making the same mistakes in your own company.

Best laid plans still need backups

As a general rule, the more complex the situation, the more carefully you need to plan and execute the disclosure. That means expecting the unexpected – and planning for it. In the case of Meltdown/Spectre, the original plan was to embargo the disclosure until everyone had time to develop a fix. Unfortunately, the embargo didn’t hold.

Information rushed out the door a week early because a growing number of researchers were beginning to discover – and talk about – the flaw. This led to a scramble as each company addressed the issue from its own perspective with varying levels of fact and spin.

When you are forced to abandon your original announcement plan, you have to be ready with a backup. It may not be a fully polished strategy like Plan A, but it should at least cover the basics.

We’re in the business of risk management. It’s always tricky to strike a balance between transparency and security, but the longer you try to keep bad news under wraps, the greater the chances are that it will leak out. If you don’t want to rip the band-aid off quickly, you shouldn’t be caught off guard when someone else does it for you.

Prisoner’s dilemma

When multiple organizations have to respond publicly to a single incident, controlling the message gets exponentially harder. The temptation is high for everyone to fend for themselves at the expense of the broader, often clearer, explanation. It unfolds like a prisoner’s dilemma, where no one wants to take the fall, so they maximize their own positive spin, often to the detriment of others.

The same is true for a single company facing a cyber incident. Individuals within the organization will kick into survival mode, and the plan to tackle the challenge as a unified team gets thrown out the window in favor of not being the scapegoat.

Either situation can be remedied by a strong leader willing to step in and take control of the planning and response. Unfortunately, for multi-player issues, this is far from a perfect solution. In the case of Meltdown/Spectre it was clear that everyone’s hesitation to be transparent and a universal aversion to admitting weakness trumped the need for someone to step up and play this role.

For individual companies, a well-rehearsed incident response plan with an authorized manager and pre-assigned roles and responsibilities can go a long way towards keeping folks focused on the greater good.

Complex situations need clear explanations

There will be times when you have to communicate about a highly technical issue that may impact multiple audiences in different ways. The relationships and priorities of each group may also be complex, and in these situations, clarity and consistency are critical.

In the case of Meltdown/Spectre, there were multiple audiences ranging from highly technical customers to less savvy end users. Ultimately, everyone needed to know what was going on, and more importantly, what to do about it, but the companies involved took different approaches and the resulting confusion made it harder to quickly implement anyone’s solution.

Some, like ARM, opted to issue highly technical white papers, while others, like Intel, chose initially to release statements aimed at non-technical explanations (they later issued a white paper). When combined with a survival instinct and the rush of having to execute Plan B, this initial, uncoordinated approach just served to further confuse the situation.

To avoid this, it is important to have both a good stakeholder analysis in place and a team with the expertise to effectively communicate complex issues to each group. This level of planning can go a long way towards minimizing the headaches caused by disclosures of highly technical information across complex stakeholder networks.

Self-inflicted wounds still hurt

At the end of the day, your business requires you to maintain the trust and confidence of your customers. Any incident or disclosed vulnerability is going to test that loyalty, so don’t invite people to question your motives or integrity by making unforced errors. Be transparent, be honest, be consistent, and for the love of all things, stop scheduling stock sales just prior to major vulnerability disclosures.

As time goes on, the impact of the Meltdown/Spectre flaws will eventually touch every aspect of our digital lives. However, we can minimize future damages from multi-player vulnerabilities by having a good cyber communications plan – or two – in place.

Loren Dealy Mahler is a seasoned strategic leader with high-level government and private sector experience across national security, strategic communications and crisis management.

From the White House to corporate America, Loren has helped clients leverage effective communications strategies to further business and policy objectives, while mitigating brand impact through effective cyber incident planning and response.

Loren has advised top government officials in her roles as Director of Legislative Affairs at the National Security Council and as Communications Director for Office of Legislative Affairs at the Department of Defense. Prior to that, she ran the communications office for the House Armed Services Committee. After leaving government service, Loren helped Fortune 500 companies and national nonprofits grow and protect their organizations, as Vice President of Corporate Communications for a PR firm in New York.

In early 2016, she launched Dealy Mahler Strategies, LLC, and hasn’t looked back.

Loren is a graduate of Princeton University and holds a Masters in Public Policy from the McCourt School at Georgetown University.

The opinions expressed in this blog are those of Loren Dealy Mahler and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.