Wednesday, February 27, 2013

To Tell, or Not To Tell? A Question of Cybersecurity


I am currently teaching two fully online graduate courses in Marist College's master's program in integrated marketing communication. One of the courses is COMI 610 Social Media Strategies and Tactics. This week, COMI 610 students and I have been reading about and discussing a variety of topics related to privacy and security in social media and other forms of Internet or computer-mediated communication.

We have been having a fascinating exchange of information and ideas about this topic on Facebook, Twitter, Pinterest, and our own course Web site. Here is the latest issue in this interesting series of news and feature stories: the question of whether organizations (especially publicly traded companies) have a legal, or at least moral, obligation to report cyberattacks (e.g., hacking) against them.

According to The New York Times, "Apart from a few companies like Google, which revealed that Chinese hackers had tried to read its users’ e-mail messages, American companies have been disturbingly silent about cyberattacks on their computer systems" ("An Eerie Silence on Cybersecurity," Editorial, February 26, 2013).



Apparently, there is a silent majority of organizations in this country and elsewhere that remain mum about the constant cyberattacks (hacking) against them. The rationale seems to be "fear that this disclosure will unnerve customers and shareholders and invite lawsuits and unwanted scrutiny from the government" ("An Eerie Silence on Cybersecurity," para. 1).

Withholding details of a cyberattack can be sensible while an investigation is under way, since premature disclosure can tip off the attackers that they have been detected and give them time to cover their tracks. On the other hand, withholding material information from shareholders can itself be unlawful. And in the United States, most states' breach-notification laws, along with sector-specific federal rules, already require organizations to notify affected individuals when their personal information is exposed.

For instance, the U.S. Securities and Exchange Commission has reminded organizations registered with the SEC of their obligations to provide the public with information about cybersecurity risks and cyber incidents:
The federal securities laws, in part, are designed to elicit disclosure of timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision. (Division of Corporation Finance, U.S. SEC, CF Disclosure Guidance: Topic No. 2, Cybersecurity, Oct. 13, 2011, para. 7)
Furthermore, U.S. private and public institutions have, over our nation's history, assumed a social responsibility to provide their audiences with accurate and timely information on matters of public interest. Ivy Ledbetter Lee, often called "the father of public relations" in the United States, stated his concept of public relations at the turn of the 20th century:
In brief, our plan is frankly, and openly, on behalf of business concerns and public institutions, to supply the press and public of the United States prompt and accurate information concerning subjects which it is of value and interest to the public to know about. (Ivy Lee, Declaration of Principles, 1906, para. 5)
The U.S. Department of Defense, like many other federal agencies, also advocates a free flow of information, constrained only by the need to protect operational security and the safety of DoD personnel and their families. Echoing Ivy Lee's principles, the DoD's own principles of information oblige the department to
Ensure a free flow of news and information to the news media, the general public, the internal audiences of the Department of Defense, and the other applicable forums, limited only by the security restraints. (DoD Directive 5122.05, 2008, Responsibilities and Functions, para. d.)
In fact, the U.S. Department of Defense strictly prohibits the withholding of information solely for the purpose of avoiding embarrassment or criticism. The DoD principles of information state clearly, "Information will be withheld only when disclosure would adversely affect national security, threaten the safety or privacy of the men and women of the Armed Forces, or if otherwise authorized by statute or regulation." (DoD Directive 5122.05, 2008, Enclosure 2, para. d.)

I support The New York Times' position that withholding public (as opposed to legitimately classified) information about cyberattacks undermines public trust in our nation's institutions and weakens our security. By disclosing cyberattacks, organizations keep their publics informed and, just as important, give other organizations that may be facing the same attackers the details they need to recognize and resist them. That kind of information sharing and collaboration can strengthen security and help prevent future attacks.

And in a profession that acknowledges "perceptions are reality," public relations officials should remind their executives that protecting the public trust is every bit as important as protecting against cyberattacks. Even if a company succeeds in fending off a cyberattack and keeping news of it from its publics, in the end the organization will lose valuable trust if it tries to avoid embarrassment or criticism by creating a false perception of security.

True security comes in the form of trust -- that is, perceptions that are based on reality. Trust rests in part on our confidence that an organization will do what it says it will do: a) safeguard our interests and b) tell us when those interests are threatened.

It's time for organizations to heed Ivy Ledbetter Lee's century-old advice and provide their publics with prompt and accurate information on matters that are of "value and interest" to us. Draw a sharp line between matters that are genuinely security threats and matters that merely risk embarrassment or criticism.

ADM Leighton W. Smith, Jr.
As one of my former military commanders once told me, with regard to military public information obligations to journalists and publics, "Tell them, and tell them now, unless it poses a risk to our operational security or the safety of my men and women." (U.S. Navy Admiral Leighton W. Smith, Jr., personal communication, December 1995, preparing to deploy to Bosnia-Herzegovina with NATO forces in Operation Joint Endeavour).