Intel Didn’t Disclose Spectre, Meltdown to US Government Until News Went Public

Intel is under fire for failing to disclose Spectre and Meltdown to the US government after it heard about the attacks in June. A month ago, we reported that some governmental agencies like the NSA hadn’t been informed of the exploits. It now appears that no government agency was informed about the exploits, period, until the news went public.

Current and former U.S. government officials said the government was not informed of the flaws before they became public because the flaws potentially held national security implications, Reuters reports. Intel said it did not think the flaws needed to be shared with US authorities, as “hackers had not exploited the vulnerabilities.” This information is drawn from the letters Intel, AMD, and ARM sent to Greg Walden (R-OR), who chairs the House Energy and Commerce Committee.

This is a laughable excuse. First of all, Intel is not automatically in a position to know if exploits have been used or not. White hats monitor these sorts of problems closely, but mass-produced malware isn’t the only kind of exploit that exists in the universe. If an intelligence agency discovered and deployed targeted software packages to capture data from certain individuals, we’d never know about it. Heck, that’s why some of Snowden’s disclosures surprised people. Folks had suspected that some of this activity occurred, but hadn’t put all the pieces together yet.

The second reason this excuse beggars belief is that Intel didn’t apply it consistently. Here’s Reuters again: “Intel said that it did inform other technology companies that use its chips of the issue, according to its letter.” So it was important enough to tell customers, including some Chinese customers, that its CPUs had critical problems, but not important enough to tell the government which actually depends on Intel CPUs to hold top-secret information and data repositories.

Google first found the flaws as part of Project Zero and informed Intel, AMD, and ARM of their findings. It gave them the standard 90 days to fix the problem, only to extend that deadline to January 3 and then to January 9. This explains, I suspect, why Intel was able to supposedly include hardware mitigations for its upcoming Cannon Lake processors — it had the lead time necessary to do so. Alphabet left it up to the chip company’s themselves as to whether they’d inform the government.

The reason Intel’s decision to withhold this information rankles is because of the incredibly unequal standard it applied to disclosure. If Intel did disclose these flaws to Chinese customers, we can assume the Chinese government likely found out about them, given the degree of data surveillance that country practices.

That’s not a good look for Intel, and the CEO’s decision to sell the maximum allowance of stock he was allowed to sell before the news dropped doesn’t exactly make him look great, either. Given how long it’s taken Intel to develop patches and how fraught development has been, I can understand not admitting the flaw publicly until you have fixes ready to go. That’s common sense. But not informing government agencies under a confidentiality agreement is something altogether different. As a result, some of the customers most likely to be targeted by exploits for Meltdown and Spectre were the last to be notified the problem existed.

Continue reading