Senators question vulnerability disclosure process after Spectre and Meltdown stumbles
Shortcomings in the industry-led process for disclosing software and hardware bugs could rear their heads again, U.S. senators said Wednesday at a hearing on the Spectre and Meltdown chip flaws.
“While these vulnerabilities seemed to have been patched reasonably well, what about the next one? And we might not know about it until it’s too late,” Florida Democrat Bill Nelson said at the Commerce, Science and Transportation Committee hearing.
Lawmakers are pondering what can be done to improve the complex vulnerability disclosure process, which involves spreading word among enough vendors to address a bug, but not so widely as to risk leaking details before patches are ready.
“We need to consider additional ways to require the federal government’s equipment suppliers to promptly notify [the Department of Homeland Security] of potential breaches or vulnerabilities that could weaken our federal systems,” Sen. Maggie Hassan, D-N.H., said at the hearing.
The worry is always that foreign governments could find out about critical vulnerabilities before Washington does, leaving U.S. computer systems exposed to cyber-espionage or hacking. The case of Spectre and Meltdown, two vulnerabilities made public in January that affected virtually all modern computer chips, offers a prime example.
Tech giants like Intel and Google worked for months to privately address the Spectre and Meltdown vulnerabilities after their initial discovery in June 2017 in a disclosure process that proved controversial.
As the Wall Street Journal reported, Intel’s initial disclosures of the vulnerabilities were limited to a small group of customers, including Chinese companies Alibaba and Lenovo, while other vendors – and the Department of Homeland Security – were left in the dark. Intel has said it wasn’t able to tell all parties it had planned to, including the U.S. government, because news of the chip flaws was published in the media days before Intel’s planned announcement.
Chairman John Thune, R-S.D., said the committee confirmed that Chinese telecommunications giant Huawei also found out about the vulnerabilities before the public announcement.
“Given their close ties to the Chinese government, Huawei’s involvement in the coordinated vulnerability disclosure, while perhaps necessary, raises additional questions about supply-chain cybersecurity,” Thune said.
“The delays in notification and in some cases just the complete lack of notification were a big mistake,” Thune told reporters after the hearing.
Intel was invited to testify but declined to do so, according to Thune. The chip giant “should have been here,” he said.
Intel spokesman William Moss told CyberScoop in a statement: “We have been working with the Senate Commerce Committee since January to address the committee’s questions regarding the coordinated disclosure process and will continue to work with the committee and others in Congress to address any additional questions.”
Moss declined to comment on why Intel did not send a representative to testify at the hearing.
The recovery process for Spectre, which tricks applications into spilling key information, and Meltdown, which could let hackers circumvent an application-memory barrier to steal sensitive data, has also been rocky. One round of firmware updates caused computers to reboot unexpectedly, and another patch introduced a new vulnerability altogether.
The fallout continues: On Tuesday, security researchers revealed two more Spectre variants to which chips are vulnerable.
Hassan said she wants to know how many government computers are still plagued by the dual chip flaws.
“I would like to know how many of our government computers still have this vulnerability and whether all of them have received the mitigation updates that would make it more difficult for a foreign actor to try to exploit these government computers,” the New Hampshire senator said at the hearing.
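The question the senator raises, whether a given machine has actually received the mitigations, is one an administrator can answer on Linux without waiting for an inventory report: since kernel 4.15 the kernel publishes one file per CPU issue under /sys/devices/system/cpu/vulnerabilities/, each reading "Not affected", "Vulnerable" (optionally followed by detail) or "Mitigation: <name>". The script below is an added example written for this article, not code from the hearing, Intel or any vendor; it reads that directory, lists each entry's status, and counts the entries that are still unmitigated. The sample tree it builds with `make_sample_tree` is constructed data so the script runs on any host, and the `VULN_DIR` variable is this example's own name for the sysfs path.

```shell
#!/bin/sh
# Added example: report Linux kernel CPU-vulnerability mitigation status.
# The kernel exposes one file per issue (meltdown, spectre_v1, spectre_v2, ...)
# under this directory; each file's first word is the status.
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# Print "name<TAB>status" for every status file in the directory given as $1.
# Returns 2 if the directory is missing (old kernel or non-Linux host).
list_cpu_vulns() {
    dir="$1"
    [ -d "$dir" ] || { echo "no vulnerabilities directory at $dir" >&2; return 2; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        printf '%s\t%s\n' "$(basename "$f")" "$(cat "$f")"
    done
}

# Count status files whose text begins with "Vulnerable", i.e. issues the
# kernel reports as present on this CPU with no mitigation active.
count_unmitigated() {
    dir="$1"
    n=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$(cat "$f")" in
            Vulnerable*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Build a constructed sample directory that mimics the sysfs layout, so the
# example runs (and can be checked) on hosts without the real interface.
# The status strings are constructed for illustration, not captured output.
make_sample_tree() {
    d="$(mktemp -d)"
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Mitigation: usercopy/swapgs barriers\n' > "$d/spectre_v1"
    printf 'Vulnerable\n' > "$d/spectre_v2"
    echo "$d"
}

# Demo against the constructed tree, then against the live host if present.
demo_dir="$(make_sample_tree)"
echo "== constructed sample =="
list_cpu_vulns "$demo_dir"
echo "unmitigated issues: $(count_unmitigated "$demo_dir")"
rm -rf "$demo_dir"

if [ -d "$VULN_DIR" ]; then
    echo "== this host =="
    list_cpu_vulns "$VULN_DIR"
    echo "unmitigated issues: $(count_unmitigated "$VULN_DIR")"
fi
```

Run it as a normal user; the sysfs files are world-readable. A non-zero count from the live section means the kernel itself reports an issue without an active mitigation, which is the per-machine fact a fleet inventory would aggregate. Note that the kernel's view covers microcode and kernel-side mitigations only; a firmware update that has been downloaded but not yet applied by a reboot will still show as "Vulnerable".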
UPDATE, 07/12/18: This story has been updated with a statement from Intel.