Axios Codebook

December 13, 2022
Happy Tuesday! Welcome back to Codebook.
- As we close out the year, I'd love to hear about readers' accomplishments. What is your proudest achievement of 2022, professional or personal? Let me know to be included in one of the last 2022 editions!
- 📬 Have other thoughts, feedback or scoops to share? [email protected]
Today's newsletter is 1,399 words, a 5.5-minute read.
1 big thing: The double-edged sword of post-ransomware comms
Illustration: Sarah Grillo/Axios
More than a week after a ransomware attack sparked the shutdown of servers at cloud and email-hosting provider Rackspace Technology, customers' questions remain unanswered and its customer base is growing frustrated.
The big picture: Experts tell Axios that corporate ransomware victims face a tough dilemma: Sharing too much info risks it being weaponized in lawsuits or ruining negotiations with attackers. Not sharing enough could lead to customer outrage or even a mass exodus.
Driving the news: Over the weekend, Rackspace released more details about how it's responding to a Dec. 2 attack that prompted the shutdown of its Hosted Exchange servers, leaving thousands of small to medium-sized businesses without access to their email inboxes.
- It hired incident response firm CrowdStrike, got two-thirds of affected customers set up with alternative email services, and ensured that any emails archived before the attack were safe.
- But some customers tell Axios they still haven't received any word about whether the company will be able to bring their servers back online or what data, if any, hackers have stolen.
Why it matters: How a company responds to an ongoing security event can have a serious impact on its short-term business and on any litigation outcome or regulatory review that comes out of the incident.
- "You'll be in a much better position when those lawsuits happen if you're demonstrating good faith, if you're demonstrating empathy, if you're demonstrating a quick response," says Melanie Ensign, founder and CEO of Discernible Inc. and press lead at DEFCON.
Flashback: Since Rackspace's incident, customers have been swarming social media to complain about what they describe as a lack of communication and transparency in the early days of the company's response.
- Some customers tell Axios they've already left the service for competitors like GoDaddy and Wix.
Usually when a customer base is upset, that means something was missing in the communications strategy, Ensign said.
- "Whether it was intentional or not, they did not communicate the principal attribute of, 'We've got your back. You can trust us. We're going to make this right,'" Ensign says of Rackspace's early communications.
The intrigue: Rackspace chief product officer Josh Prewitt told Axios on Monday that part of the reason the company's communications haven't been able to answer all customer questions is that his team wants to make sure all information is accurate.
- "Ultimately, we don't want to walk back anything that we said like we've seen so many companies have to do," Prewitt told Axios. In the last year, companies like Okta have had to revise details about how widespread a breach was.
- "When you're in the fog of war, there are some things that you think that you know, and then it turns out you didn't know them."
Details: Rackspace officials did answer a few lingering customer questions:
- The company knows which hackers are behind the attack, but it declined to say who, citing an ongoing FBI investigation.
- It’s going to take longer than was internally anticipated to get customers’ original servers back online. The company has relied on transitioning customers to alternative services like Microsoft 365 or recovering already archived emails.
Between the lines: The ransomware attack at Rackspace serves as a good reminder that companies need to always be revisiting incident response plans before a cyberattack happens, experts tell Axios.
- "The best way to deal with these things is to have already had these discussions and conversations," says Connie Stack, CEO at data protection company Next DLP.
What's next: Rackspace is working on releasing so-called "indicators of compromise," along with a blog detailing how the breach happened.
2. More states ban TikTok on government devices
Photo: Olivier Douliery/AFP via Getty Images
Utah became the latest state this week to issue an executive order banning TikTok from state-owned devices due to national security and cyber concerns, Axios Salt Lake City's Kim Bojórquez writes.
The big picture: The ban on the popular video-sharing app owned by Chinese company ByteDance comes after a growing number of GOP-led states like Maryland and Texas also prohibited the app in government agencies.
- Oklahoma, South Carolina and South Dakota also banned TikTok on government devices in the last month.
What they're saying: "China's access to data collected by TikTok presents a threat to our cybersecurity," Utah Gov. Spencer Cox said in a statement Monday.
- "As a result, we've deleted our TikTok account and ordered the same on all state-owned devices. We must protect Utahns and make sure that the people of Utah can trust the state’s security systems," the GOP governor said.
The other side: In a statement, TikTok representative Jamal Brown told Axios such decisions are fueled by misinformation.
- "We are happy to continue having constructive meetings with state policymakers to discuss our privacy and security practices," he said. "We are disappointed that many state agencies, offices and universities will no longer be able to use TikTok to build communities and connect with constituents."
Flashback: Earlier this month, the FBI warned TikTok is used by a Chinese government that "doesn't share our values" and could use it for "influence operations."
3. Zero-trust testing lab opens in Maryland
Cisco headquarters in San Jose, California, in August 2017. Photo: Smith Collection/Gado/Getty Images
Government agencies and critical infrastructure operators will now have the opportunity to test out zero-trust security tools at a lab opening Tuesday at a U.S. Cyber Command-run innovation center in Maryland.
Driving the news: Cisco, CyKor and nonprofit MISI are unveiling a testing lab at Cyber Command's DreamPort innovation center right outside of Baltimore.
How it works: Zero-trust tools take several forms, but each is geared toward verifying every access request and granting users only the access they actually need, rather than treating anyone inside the network as trusted and giving each employee universal access to a company's files.
- This way, a hacker who compromises an ordinary employee's account gets only what that account was authorized to reach. Getting at valuable information like source code or customer documents would require compromising an account explicitly granted that access, and still passing the same identity and device checks.
- However, transitioning to a zero-trust security architecture is difficult and often requires a complete overhaul of legacy networks, which were built around the assumption that being on the internal network is proof of trust.
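As an added illustration (not part of the Axios newsletter, and not code from Cisco, CyKor or MISI), the toy policy check below contrasts the two access models described above: a perimeter model that trusts anything on the office network, and a zero-trust model that evaluates identity, group membership and device posture on every request. The users, groups, resource names and the policy table are all made up for the example.

```python
"""Perimeter trust vs. per-request zero-trust policy (hypothetical, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    """One access attempt. Every field here is constructed sample data."""
    user: str
    groups: frozenset
    device_compliant: bool   # e.g. disk encrypted, EDR running, OS patched
    mfa_verified: bool
    network: str             # "corp_lan" or "internet"
    resource: str
    action: str


def perimeter_allows(req: Request) -> bool:
    """Perimeter model: being on the office network *is* the trust decision."""
    return req.network == "corp_lan"


# Zero-trust model: a per-resource policy (hypothetical table) evaluated on
# every request. Network location is deliberately not an input.
POLICY = {
    "source_code":   {"groups": {"engineering"},      "actions": {"read"},          "mfa": True},
    "customer_docs": {"groups": {"support", "legal"}, "actions": {"read"},          "mfa": True},
    "wiki":          {"groups": {"all_staff"},         "actions": {"read", "write"}, "mfa": False},
}


def zero_trust_decision(req: Request) -> tuple:
    """Return (allowed, reason). Anything not explicitly permitted is denied."""
    rule = POLICY.get(req.resource)
    if rule is None:
        return False, "unknown resource (default deny)"
    if not (req.groups & rule["groups"]):
        return False, "identity not authorized for this resource"
    if req.action not in rule["actions"]:
        return False, "action not permitted"
    if not req.device_compliant:
        return False, "device posture check failed"
    if rule["mfa"] and not req.mfa_verified:
        return False, "MFA required for this resource"
    return True, "allowed: least-privilege policy satisfied"


# Constructed scenario: an attacker phished a marketing employee's password
# and is operating from that user's laptop on the office network.
PHISHED_MARKETING = Request(
    user="m.lee", groups=frozenset({"all_staff", "marketing"}),
    device_compliant=True, mfa_verified=False, network="corp_lan",
    resource="source_code", action="read",
)

# Constructed scenario: an engineer entitled to the code, but on an unmanaged
# personal machine that fails posture checks.
ENGINEER_BAD_DEVICE = Request(
    user="a.khan", groups=frozenset({"all_staff", "engineering"}),
    device_compliant=False, mfa_verified=True, network="internet",
    resource="source_code", action="read",
)

# Constructed scenario: the same engineer on a managed laptop, working from home.
ENGINEER_OK = Request(
    user="a.khan", groups=frozenset({"all_staff", "engineering"}),
    device_compliant=True, mfa_verified=True, network="internet",
    resource="source_code", action="read",
)


def compare(req: Request) -> dict:
    """Run both models on one request so the difference is visible side by side."""
    allowed, reason = zero_trust_decision(req)
    return {"perimeter": perimeter_allows(req), "zero_trust": allowed, "reason": reason}


if __name__ == "__main__":
    scenarios = [
        ("phished marketing user, on the LAN", PHISHED_MARKETING),
        ("engineer, non-compliant device", ENGINEER_BAD_DEVICE),
        ("engineer, managed device, remote", ENGINEER_OK),
    ]
    for name, req in scenarios:
        result = compare(req)
        print(f"{name:36} perimeter={result['perimeter']!s:5} "
              f"zero_trust={result['zero_trust']!s:5} ({result['reason']})")
```

The phished account sails through the perimeter check because the laptop sits on the corporate LAN, but the zero-trust policy denies it because the identity was never authorized for source code. The opposite happens for the remote engineer: the perimeter model rejects a legitimate request from home, while the zero-trust model allows it once group, device and MFA checks all pass.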
The big picture: The lab will allow agencies and operators to get in-person advice on how to transition to zero-trust security tools ahead of the fiscal year 2024 deadline the White House set, following President Joe Biden's cyber executive order, for agencies to move to a zero-trust security architecture.
Details: Cisco, CyKor and MISI will co-run the lab at DreamPort, where they anticipate meeting with government agencies and critical infrastructure operators, like utility companies, to walk through their transition, as well as testing and creating new zero-trust security solutions.
- Part of the appeal of building this at DreamPort is the access to government offices, Cisco vice president of federal Carl De Groote tells Axios.
- The lab will also be home to product demos and tech testing, and De Groote says he anticipates bringing students in to study zero-trust security.
What they're saying: "It incubates that public-private partnership in a safe harbor," De Groote says. "It's open, it's extensible, it's built on standards. So that's really where government can more easily take advantage of it."
- "Seeing the technology as it applies to the cities and the waterways and the light systems promotes a good understanding and good foundation for people to get excited about it," CyKor CEO Mike Guadagnini tells Axios.
4. Catch up quick
@ D.C.
🔐 The Senate passed legislation requiring the Office of Management and Budget to prioritize federal agencies' transition to post-quantum encryption standards. (FedScoop)
🏛 Lawmakers and law enforcement are struggling to keep up with the proliferation of darknet marketplaces. (Politico)
@ Industry
💰 Cyber-focused private equity firm Thoma Bravo is acquiring Coupa Software in a $6.15 billion cash deal. (CNBC)
💸 Boston-based security company Snyk raised a $196.5 million down round. (Axios)
🐦 Questions remain about whether fast-growing Twitter alternatives are equipped to handle privacy and security concerns like securing private messages and responding to law enforcement requests for data. (CyberScoop)
@ Hackers and hacks
🚙 Uber is responding to a data breach at one of its third-party vendors that has resulted in source code and other corporate information leaking online. (BleepingComputer)
👾 California officials are investigating a cyber incident at the state's Department of Finance, and ransomware gang LockBit has claimed responsibility. (Sacramento Bee)
👀 New documents reveal that Xnspy, an app for parents to monitor their children, is actually a "stalkerware" app marketed to spouses to surveil their partners without permission. (TechCrunch)
☃️ See y'all on Friday!
Thanks to Peter Allen Clark for editing and Khalid Adad for copy editing this newsletter.

Decode key cybersecurity news and insights. With Sam Sabin.