A Wednesday Congressional hearing on the Meltdown and Spectre chip vulnerabilities had all the technobabble and painful misunderstanding you might expect. But the Committee on Commerce, Science and Transportation also raised an important practical concern: No one informed the US government about the flaws until they were publicly disclosed at the beginning of January. As a result, the government couldn’t assess the national security implications of Meltdown and Spectre, or start defending federal systems during the months that researchers and private companies secretly grappled with the crisis.
“It’s really troubling and concerning that many if not all computers used by the government contain a processor vulnerability that could allow hostile nations to steal key datasets and information,” New Hampshire senator Maggie Hassan said during the hearing. “It’s even more troubling that these processor companies knew about these vulnerabilities for six months before notifying [the Department of Homeland Security].”
Attackers can exploit the Spectre and Meltdown chip bugs, which foreshadowed an entire new class of vulnerabilities, to steal many different types of data from a system. While the flaws have existed in the world’s most ubiquitous processing chips for 20 years, a series of academic researchers discovered them throughout the second half of 2017. Once informed of the issue, Intel and other chipmakers began a massive, clandestine effort to notify as many supply chain customers and operating system makers as possible, so that they could start creating patches.
‘It’s highly likely that the Chinese government knew about the vulnerabilities.’
Senator Bill Nelson
While Intel notified a group of international private tech firms—including some in China—during this process, DHS and the US government in general didn’t learn of the situation until it was publicly disclosed at the beginning of January. Numerous senators at Wednesday’s hearing noted that this delayed disclosure may have given foreign governments the early warning the US didn’t have. If nation state hackers weren’t already aware of Spectre and Meltdown and exploiting the bugs for espionage operations, they could have started in the months before patches started going out.
“It’s been reported that Intel informed Chinese companies of the Spectre and Meltdown vulnerabilities before notifying the US government,” Florida Senator Bill Nelson said on Wednesday. “As a result, it’s highly likely that the Chinese government knew about the vulnerabilities.”
Intel declined to attend the hearing, but Joyce Kim, chief marketing officer of ARM—a Softbank-owned company that creates processor architecture schematics that are then manufactured by other companies—told the Committee that ARM prioritized notifying its customers within 10 days of learning about Spectre and Meltdown. “At that point, given the unprecedented scale of what we were looking at, our focus was on making sure that we assessed the full impact of this vulnerability, as well as getting [information] to potential impacted customers and focusing on developing mitigations,” Kim told the Senators. “We do have architecture customers in China that we were able to notify to work with them on the mitigations.”
Since the initial disclosure in January, researchers have discovered multiple other variants of Meltdown and Spectre that chipmakers have worked to patch. Kim explained that as these new strains have emerged over the last six months, ARM has worked more closely with DHS to create communication channels for disclosure and collaboration.
“We always want to be informed of vulnerabilities as quickly as possible, so that we can validate, mitigate, and disclose vulnerabilities to our stakeholders,” a DHS official told WIRED.
Intel said in a statement to WIRED, “We have been working with the Senate Commerce Committee since January to address the Committee’s questions regarding the coordinated disclosure process and will continue to work with the Committee and others in Congress to address any additional questions.”
Managing vulnerability discoveries is always complicated, but becomes especially so when it involves numerous organizations. And the stakes of Spectre and Meltdown were even higher than usual, because the bugs were found to be in the majority of devices around the world, and had persisted for two decades. These conditions not only created a massive patching challenge for dozens of major companies, but also raised the question of whether the vulnerabilities had been discovered and quietly exploited for years by unknown entities or governments. The flaws would have been extremely valuable for intelligence-gathering if a country knew how to exploit them.
‘Nobody can address or even mention any of the real issues in these types of public hearings.’
Dave Aitel, Immunity
That’s what makes the notion, first reported by The Wall Street Journal, that Intel prioritized notifying Chinese firms over the US government so problematic. There is no specific evidence at this point that China actually abused Meltdown and Spectre as a result of these pre-disclosures, but the country is well known for aggressive state-sponsored hacking campaigns that have recently only grown in sophistication.
“A number of things probably combined to lead to the insufficiency of US government notification,” Art Manion, a senior vulnerability analyst at the CERT Coordination Center at Carnegie Mellon, which works on coordinating disclosures worldwide, told the Committee. “We are actively working with industry contacts to remind them of the existing practice of notifying critical infrastructure and important service providers before public disclosure happens to avoid costly surprises.” When pressed by the Committee, he added that the months-long wait to notify the US government about Meltdown and Spectre was a mistake on the part of chipmakers like Intel. “It is a rather long time and in our professional assessment it is probably too long, particularly for very special new types of vulnerabilities like this,” he said.
Analysts say that pre-notifying DHS would be valuable in situations where a major vulnerability is about to be publicly disclosed. But they also caution that Congressional hearings about security in general tend to mask or oversimplify deeply complex and nuanced topics. “Nobody can address or even mention any of the real issues in these types of public hearings,” says Dave Aitel, a former NSA researcher who now runs the penetration testing firm Immunity. “DHS probably won’t get substantially more cooperation.”