The first thing about crisis communication is that your communication has to make sense; otherwise it will not be believed.
* It is unbelievable to say that you have cleaned it up in a few weeks while on the other hand you say that it was a state actor with enormous resources. We can hardly believe that a state actor with such an enormous arsenal of capabilities and resources would have planted only one virus that could be cleaned with a simple update of Microsoft Defender. So they didn't install other backdoors, they didn't install sniffers, they didn't take control of servers, and so on? Unbelievable.
The second thing about crisis communication is that your communication should not be contradicted by information published by other trusted sources.
* There was a clear contradiction between Belgacom's communication and the information in the slides about 'Operation Socialist' against Belgacom published by Der Spiegel. The information in these slides (from the NSA) was never even incorporated into the communication, which made the contradiction even more apparent.
There were three big contradictions. The first was that Belgacom described a highly specialised targeted attack, while the slides indicated that it was probably done by spearphishing (which raises questions among professionals about the antivirus controls). The second was that the penetration attempt was already successful in 2010, while Belgacom kept talking about 2011 or 2012. The third contradiction was that the goal of the penetration by the NSA was to become CNE (certified Network Engineer), which means full control over the switches and routers (and also all the passwords passing through them), while Belgacom said that the intruders had no control over the switches and routers.
The third problem with Belgacom's crisis communication is that its communication about the impact of the penetration was confusing and contradictory, and for that reason not believable.
* You can't say in the first hearings (in the European Parliament) that on the one hand there has been no impact on the data of the communication networks and the users, and a bit earlier say that you don't know which data has been compromised because you aren't yet capable of decrypting the encrypted packages that you found and that hadn't been transferred yet. Either you know it or you don't. If you aren't sure, you don't know, and if you don't know you can't say there has been no impact.
* It is impossible to believe that communication, because the NSA slides published by Der Spiegel made it clear that the only goal of the penetration was to be able to intercept all the communications on the mobiles of the thousands of targets that they were following in PRISM and other interception methods. If you believe those leaked secret slides (which date from 2010), then there is information that will have been transferred to another destination. Not all information, but specific information will have been intercepted, collected, packaged, encrypted, channeled and sent.
The fourth problem is that when there are leaks (and those may contain mistakes, because the journalists don't really understand the technical aspects, don't understand the intelligence objectives as explained in the slides, and don't set the facts alongside the leaks), you will have to respond to at least some of the information in the article. Saying that there is a judicial investigation has nothing to do with this, because most of the technical information that has to be corrected will have no impact whatsoever on the investigation or trial (if there is ever to be one).
If it is a state actor, then it will be following the news and the rumors, and there will be agents swirling around looking for information on what we know by now.
The fifth problem is that by giving no usable, actionable intelligence you are really frustrating a lot of network and security workers in Belgium who also have to secure their networks and who want to know, aside from the name of the virus and the channels and IP addresses used, a few more general things that you may have learnt by now and that would make it possible to revise the security strategies, methodologies and controls for their own networks.
* It is a 64-bit Windows virus; has the definition or a sample already been communicated to other security services?
* Were there attack or management tools or platforms on the Linux and Solaris servers, and what were they?
* Does the virus have a signature or a certificate?
* Which channels were used?
* Was the penetration done by spearphishing and/or via web servers in the DMZ?
And there are a lot of other questions still out in the open.
And don't come telling us that there is an investigation: if it is a state actor, you will never be able to prosecute, because there is no law against spying in other countries against other nationals. The only laws about intelligence concern the prohibition on spying on one's own citizens, the procedures an agency has to follow when it wants to spy on someone in its own country, and what kind of actions need what kind of approval. The rest is all political and diplomatic.
And the last reminder is that, according to other Snowden leaks, Belgium was selected as a target by the NSA in 2006.
So Belgacom, your first objective has been accomplished: your stock wasn't affected too much by the news.
But now you have to communicate better, even if it is behind closed doors, so that the rest of the Belgian security officials can do their work as they should. And as you are the first to have discovered the total take-over of your network by the NSA, you are well placed to give at least some 'actionable' intelligence.
And yes, we understand that for the coming year you will have problems, and that it will take months, even years, before you have cleaned and checked your network for whatever backdoor, software, channel, code or account was placed during those 3 years.
Nobody is going to blame you for that, as long as you work together with the security community, because we are all in this together.