Intel is under fire for failing to disclose Spectre and Meltdown to the US government after it heard about the attacks in June. A month ago, we reported that some governmental agencies like the NSA hadn’t been informed of the exploits. It now appears that no government agency was informed about the exploits, period, until the news went public.
Current and former U.S. government officials said the government was not informed of the flaws before they became public because the flaws potentially held national security implications, Reuters reports. Intel said it did not think the flaws needed to be shared with US authorities, as “hackers had not exploited the vulnerabilities.” This information is drawn from the letters Intel, AMD, and ARM sent to Greg Walden (R-OR), who chairs the House Energy and Commerce Committee.
This is a laughable excuse. First of all, Intel is not automatically in a position to know if exploits have been used or not. White hats monitor these sorts of problems closely, but mass-produced malware isn’t the only kind of exploit that exists in the universe. If an intelligence agency discovered and deployed targeted software packages to capture data from certain individuals, we’d never know about it. Heck, that’s why some of Snowden’s disclosures surprised people. Folks had suspected that some of this activity occurred, but hadn’t put all the pieces together yet.
The second reason this excuse beggars belief is that Intel didn’t apply it consistently. Here’s Reuters again: “Intel said that it did inform other technology companies that use its chips of the issue, according to its letter.” So it was important enough to tell customers, including some Chinese customers, that its CPUs had critical problems, but not important enough to tell the government which actually depends on Intel CPUs to hold top-secret information and data repositories.
Google first found the flaws as part of Project Zero and informed Intel, AMD, and ARM of their findings. It gave them the standard 90 days to fix the problem, only to extend that deadline to January 3 and then to January 9. This explains, I suspect, why Intel was able to supposedly include hardware mitigations for its upcoming Cannon Lake processors — it had the lead time necessary to do so. Alphabet left it up to the chip company’s themselves as to whether they’d inform the government.
The reason Intel’s decision to withhold this information rankles is because of the incredibly unequal standard it applied to disclosure. If Intel did disclose these flaws to Chinese customers, we can assume the Chinese government likely found out about them, given the degree of data surveillance that country practices.
That’s not a good look for Intel, and the CEO’s decision to sell the maximum allowance of stock he was allowed to sell before the news dropped doesn’t exactly make him look great, either. Given how long it’s taken Intel to develop patches and how fraught development has been, I can understand not admitting the flaw publicly until you have fixes ready to go. That’s common sense. But not informing government agencies under a confidentiality agreement is something altogether different. As a result, some of the customers most likely to be targeted by exploits for Meltdown and Spectre were the last to be notified the problem existed.
Intel Disclosed Spectre, Meltdown to Chinese Companies Before US Government
Intel's Spectre and Meltdown notification process and the rollout of fixes have been pretty rocky. The company is now under fire for notifying its Chinese customers of the flaws before the US government.
CTS Labs Responds to Allegations of Bad Faith Over AMD CPU Security Disclosures, Digs Itself a Deeper Hole
CTS Labs CTO has written a letter addressing and defending his company's disclosure of various vulnerabilities in AMD's Ryzen CPU and chipsets, but his explanation raises more questions than it answers.
Epic Calls Google ‘Irresponsible’ for Disclosing Serious Security Flaw in Fortnite
Rather than accept the responsibility for making a mistake, an Epic founder Tim Sweeney says Google was "irresponsible" to release the bug details after it was fixed.
Intel Discloses New Speculative Execution Security Vulnerabilities
Intel has disclosed a new set of speculative execution security issues that can leak data from CPUs under certain circumstances. How serious a problem they represent as a practical matter is still under debate.