The public unveiling of the Spectre and Meltdown CPU bugs has taken the tech industry by storm over the last several weeks. We’ve been getting constant updates on patches, and new information on how the bugs were handled prior to going public is still coming to light. Now, it turns out that the US government has some questions for leading tech companies, including Intel, ARM, Microsoft, Apple and Amazon, regarding the secrecy and selective sharing of information once the bugs were discovered.
The US House Committee is calling on Intel, ARM, Microsoft, Apple, Amazon and some unnamed companies to respond to allegations surrounding the selective revealing of vital information regarding the CPU bugs. Aside from a few select companies, the vast majority of US companies were largely unaware of these bugs until the public unveiling in early January, leaving thousands unprepared.
The lack of advance warning has left many companies facing difficulties with their IT infrastructure. In a letter (via Tech Republic) directed at the CEOs of leading tech firms, the leaders of the House of Representatives Committee on Energy and Commerce wrote that, due to the secrecy, many firms did not have enough time to properly assess the risk posed by Spectre/Meltdown or to take measures to protect themselves.
“While we acknowledge that critical vulnerabilities such as these create challenging trade-offs between disclosure and secrecy, as premature disclosure may give malicious actors time to exploit the vulnerabilities before mitigations are developed and deployed, we believe that this situation has shown the need for additional scrutiny regarding multi-party coordinated vulnerability disclosures”.
The letter acknowledges the need for secrecy so as not to give hackers the opportunity to exploit the bugs before fixes are in place. However, the US House committee does want to know why an embargo was imposed after the flaws came to light in June 2017, who proposed it, and when CERT was told about these vulnerabilities.
KitGuru Says: Intel has already set up various meetings with legislative staff members, so the company is on the ball when it comes to explaining the situation to government officials. Still, there is plenty to criticize about the approach taken here. Hopefully a situation like this never pops up again, but if it does, different tactics will need to be used so as not to catch so many off-guard.