On Jan 3rd, Intel confirmed a leaked report published by The Register that nearly every CPU it had produced since 1995 contained major hardware vulnerabilities. The flaws, collectively called Spectre and Meltdown, were unfortunately also present on chips from rivals ARM, AMD, Qualcomm and even Apple. How did every major manufacturer have the same flaws? Answer: the simple but cruel irony that great designs are emulated by others, combined with an “if it ain’t broke, don’t fix it” mentality.
But for a moment, look past the uproar over the flaws, past vendors having to pull and reissue patches that themselves contained flaws causing computers to reboot endlessly, and even past the fact that this new attack vector is likely to be a source of vulnerabilities for years into the future, and focus on the timeline. Intel and the technology companies behind these patches have known about these flaws since June 2017. The list includes companies based in China, over which the Chinese government is believed to have considerable insight and which it monitors to learn about zero-day exploits for launching new attacks. Given the history of hostile digital attacks against the U.S. and its allies, was it ethical for Intel to disclose cutting-edge vulnerabilities to foreign partners when no code fixes existed at the time?
This line of questioning seems to have been absent at Intel: The Wall Street Journal (2018) has reported that Chinese and other foreign companies were alerted in mid-2017 despite the clear cyber warfare usage such a flaw presents. Additional reporting by Reuters (2018) has revealed that Intel didn’t report Spectre and Meltdown to the United States Computer Emergency Readiness Team (US-CERT) until Jan 3rd as well – months after Google themselves had developed and deployed Spectre and Meltdown patches for their own data centers (Google, 2018). The justification provided was tone deaf: “[There is] no indication that any of these vulnerabilities had been exploited by malicious actors.” (Nellis, 2018)
This [frank] disclosure is likely to invite renewed Congressional attention and perhaps a reevaluation of the sticky topic of security vulnerability disclosure requirements. But there is certainly a lesson to be learned here for U.S.-based firms. It’s time to formalize and re-evaluate the disclosure practices in place to ensure all impacted parties are properly informed. Naturally, this needs to include government via entities such as US-CERT. It’s 2018: the government houses vast amounts of personal information on its citizens, R&D on new advanced hypersonic weapons, and command and control systems for our military globally. Intel (and to a lesser extent Google, who discovered the flaw but assigns the impacted party to disclose to the government) acted against the interests of its U.S.-based users, investors and the very government that has allowed them to flourish by failing to inform the government for 270 days – a fact that is both absurd and unethical. U.S.-based firms must do more.
Google. (2018, January 3). Today’s CPU vulnerability: what you need to know. Google Security Blog. Retrieved from https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html
Khandelwal, S. (2018, January 4). How-to-patch-intel-flaws.png. The Hacker News. Retrieved from https://1.bp.blogspot.com/-j5ET0G4e1Ic/Wk8vVnQ-bQI/AAAAAAAAvZM/w43UQOgeEFUlk6OU3DefadyB07EEdikGwCLcBGAs/s1600-e20/how-to-patch-intel-flaws.png
McMillan, R. (2018, January 28). Intel Warned Chinese Companies of Chip Flaws Before U.S. Government. The Wall Street Journal. Retrieved from https://www.wsj.com/articles/intel-warned-chinese-companies-of-chip-flaws-before-u-s-government-1517157430
Nellis, S. (2018, February 22). Intel did not tell U.S. cyber officials about chip flaws until made public. Reuters. Retrieved from https://www.reuters.com/article/us-cyber-intel/intel-did-not-tell-u-s-cyber-officials-about-chip-flaws-until-made-public-idUSKCN1G62PS