In letters sent to the CEOs of major tech companies on Wednesday, including Apple CEO Tim Cook, the U.S. House Energy and Commerce Committee asks why an agreement was made to keep details of the Meltdown and Spectre chip flaws secret until their public disclosure this month.
The congressional committee seeks answers from Apple, Amazon, AMD, ARM, Google, Intel and Microsoft, each of which released fixes for the hardware vulnerabilities over the past weeks, CNBC reports. A copy of the letter was posted online (PDF link) for public review earlier today.
As noted by the committee, a handful of tech firms, namely large entities directly impacted by Meltdown and Spectre, were informed of the vulnerabilities in June 2017 by Google's Project Zero team. These companies agreed to an "information embargo" originally set to expire on Jan. 9, 2018, when a majority of planned software mitigations would by that point be distributed.
However, details of Meltdown and Spectre began to leak earlier than expected, with major news organizations reporting on the issue as early as Jan. 2. The sooner-than-expected disclosure forced tech firms to accelerate work on their respective mitigation initiatives, the letter claims.
"Though this schedule adjustment has not seemed to overly impact the effectiveness of the response, it does raise questions related to the effects and appropriateness of the embargo on companies not originally included in the June 2017 disclosure, and who were caught off-guard by the January 4 announcement," committee representatives Greg Walden, Marsha Blackburn, Robert Latta and Gregg Harper said in the letter.
Meltdown and Spectre are hardware vulnerabilities that affect nearly every modern microprocessor, including those designed and manufactured by Intel, AMD and Apple. Discovered by Google researcher Jann Horn, the flaws rely on a common performance feature called speculative execution to potentially glean sensitive information like passwords from system memory without a user's knowledge.
The letter raises questions as to whether the collective decision to remain mum on the subject negatively impacted companies, end users and other organizations not privy to the original disclosure. More pointedly, the committee says the recent events call for greater scrutiny of coordinated cybersecurity embargoes.
"While we acknowledge that critical vulnerabilities such as these create challenging tradeoffs between disclosure and secrecy, as premature disclosure may give malicious actors time to exploit the vulnerabilities before mitigations are developed and deployed, we believe that this situation has shown the need for additional scrutiny regarding multi-party coordinated vulnerability disclosures," the letter reads.
For its part, Apple began the process of mitigating Mac vulnerabilities in December, with later software and security updates patching iOS devices early this month. Most recently, the company issued additional fixes for macOS High Sierra and older Mac operating systems on Tuesday.
The committee requests each CEO respond to a series of nine questions by Feb. 7.