In letters sent to the CEOs of major tech companies on Wednesday, including Apple CEO Tim Cook, the U.S. House Energy and Commerce Committee asks why an agreement was made to keep details of the Meltdown and Spectre chip flaws secret until their public disclosure this month.
The congressional committee seeks answers from Apple, Amazon, AMD, ARM, Google, Intel and Microsoft, each of which released fixes for the hardware vulnerabilities over the past weeks, CNBC reports. A copy of the letter was posted online (PDF link) for public review earlier today.
As noted by the committee, a handful of tech firms, namely large entities directly affected by Meltdown and Spectre, were informed of the vulnerabilities in June 2017 by Google's Project Zero team. These companies agreed to an "information embargo" originally set to expire on Jan. 9, 2018, by which point most of the planned software mitigations would have been distributed.
However, details of Meltdown and Spectre began to leak earlier than expected, with major news organizations reporting on the issue as early as Jan. 2. The sooner-than-expected disclosure forced tech firms to accelerate work on their respective mitigation initiatives, the letter claims.
"Though this schedule adjustment has not seemed to overly impact the effectiveness of the response, it does raise questions related to the effects and appropriateness of the embargo on companies not originally included in the June 2017 disclosure, and who were caught off-guard by the January 4 announcement," committee representatives Greg Walden, Marsha Blackburn, Robert Latta and Gregg Harper said in the letter.
Meltdown and Spectre are hardware vulnerabilities that affect nearly every modern microprocessor, including those designed and manufactured by Intel, AMD and Apple. Discovered by Google researcher Jann Horn, the flaws abuse a common performance feature called speculative execution to potentially expose sensitive information, such as passwords, from system memory without a user's knowledge.
The letter raises questions as to whether the collective decision to remain mum on the subject negatively impacted companies, end users and other organizations not privy to the original disclosure. More pointedly, the committee says the recent events call for greater scrutiny of coordinated cybersecurity embargoes.
"While we acknowledge that critical vulnerabilities such as these create challenging tradeoffs between disclosure and secrecy, as premature disclosure may give malicious actors time to exploit the vulnerabilities before mitigations are developed and deployed, we believe that this situation has shown the need for additional scrutiny regarding multi-party coordinated vulnerability disclosures," the letter reads.
For its part, Apple began the process of mitigating Mac vulnerabilities in December, with later software and security updates patching iOS devices early this month. Most recently, the company issued additional fixes for macOS High Sierra and older Mac operating systems on Tuesday.
The committee requests each CEO respond to a series of nine questions by Feb. 7.
8 Comments
So the bad guys could not use it before the industry could figure out a fix. Yeah that was not completely obvious to the fine people our government hires.
"We told the FBI and CIA. We assumed they would inform Congress and the information would be leaked like every other secret. Is that not the process?" -Tim ;)
Captain Obvious, meet Captain Oblivious.
Most of the questions being asked by the committee are completely legitimate, especially those related to how and when US-CERT was notified and engaged. For the most part the questions and inquiries are seeking to collect more information in order to perform an accurate retrospective. My hope is that this incident will be used to help inform and refine the overall process and to make sure it is working effectively to quickly protect critical assets when a serious threat is identified anywhere in the critical asset sourcing stream, e.g., microprocessors and chipsets that are components of critical IT and control systems. It's not altogether obvious to me at least whether a company that's making smartphones, music players, tablet computers, and selling music streaming subscriptions is going to have a clear understanding of how security issues related to their components or products fit into the federal cybersecurity incident reporting requirements managed via US-CERT and other federal agencies. Any lingering ambiguity needs to be cleared up and awareness of US-CERT requirements needs to be extended further out into the technology provider space to include companies like the ones getting letters. This should be treated as a learning opportunity to further improve public-private sector cybersecurity collaboration and not a blame & shame game. Fingers crossed.