The “Spectre” and “Meltdown” hardware vulnerabilities discovered by private-sector researchers last June were among the most earthshaking cybersecurity finds of the last decade. So why was the U.S. government one of the last institutions on the planet to learn about them?
Members of the Senate Commerce, Science, and Transportation Committee posed this uncomfortable question to a panel of industry representatives, government researchers, and academics on Wednesday. Senators were particularly upset that the security flaws—which researchers say threatened the integrity of nearly every computer chip now in use worldwide—were handed over to Chinese companies months before the notification of any federal agency.
“Given the history of the Chinese government to exploit cyber-vulnerabilities, the lack of this disclosure is just baffling, and also inexcusable,” ranking member Bill Nelson said.
Despite their displeasure, some lawmakers appear willing to give the industry one more chance to utilize the voluntary disclosure channels administered by the National Institute of Standards and Technology and the United States Computer Emergency Readiness Team.
Chairman John Thune said he “hesitates” to craft legislation that would require U.S. companies to promptly hand over information on new cyber-vulnerabilities to the government, or to deny that same information to Chinese firms.
“You’d like to see that happen sort of organically, which is what we tried to suggest today and which many of the panelists indicated is happening in a better way, a more structured way,” Thune told reporters after the hearing.
But he also warned tech companies not to make the same mistake again. “We’ll continue to monitor it,” Thune said. “Our committee is one of several committees that has jurisdiction over this issue. But I think it’s important that as we look to the future, that there be a more coherent, organized way of getting everybody notified, and then getting these events disclosed in a more timely way.”
The Spectre and Meltdown vulnerabilities are the first of what’s expected to be a wave of new security flaws directly affecting computer processors—a type of vulnerability some researchers thought impossible until recent discoveries proved otherwise.
The flaws are so far considered “speculative,” meaning there’s no proof to indicate they’ve been deployed “in the wild.” But because the new methods work by exploiting loopholes found on nearly every chip made over the last two decades, experts say they could conceivably affect most computers, smartphones, and tablets worldwide. And related flaws are being discovered constantly—including one called “Chipzilla,” which researchers only revealed on Tuesday.
Though it’s hard to know for certain, the vulnerabilities appear to have first been discovered last June by a team of white-hat hackers from Google’s Project Zero. Google rapidly informed American chipmakers, who passed on that knowledge to their global supply chain in a feverish rush to patch the affected systems.
That supply chain included Alibaba and Lenovo, two Chinese companies regarded with suspicion in Washington for their ties to the Chinese state.
The Homeland Security Department and other federal agencies say they didn’t learn of the flaws until January, when Google publicly disclosed them. That’s conceivably many months after the Chinese government learned about the security flaws, and some experts worry the Chinese could have weaponized Spectre or Meltdown to spy on U.S. targets.
“If something of this scale is discovered, then you probably want to make sure that the important branches of the U.S. government are aware of it, so that they can start to take the necessary precautions,” said Shuman Ghosemajumder, the chief technology officer at Shape Security.
Art Manion, the senior vulnerability analyst at the quasi-governmental CERT Coordination Center, told lawmakers on Wednesday that the industry’s seven-month delay was way too much lag time. “In our professional assessment it’s probably too long, particularly for very special, new types of vulnerabilities like this,” Manion said.
Some chipmakers are pledging not to leave the government in the dark going forward, even if they can’t quite explain what caused the lack of disclosure in the first place. Joyce Kim, the chief marketing officer at smartphone-chip manufacturer ARM, told lawmakers that the “unprecedented scale” of Spectre and Meltdown meant that informing their business partners was their top priority. In the future, she promised, her firm would not give the government short shrift.
But it’s not clear that every manufacturer shares ARM’s commitment to greater transparency with the federal government. Intel, one of the world’s largest chipmakers and the company with arguably the most to lose from Spectre and Meltdown, did not testify at Wednesday’s hearing. Thune told reporters that Intel turned down a committee invitation to testify.
“Intel should’ve been here,” the chairman said. “They had some significant explaining to do after this last event.”
There’s also a question of how serious lawmakers are about solving the issue. Dave Aitel, the chief executive of cybersecurity firm Immunity, said Wednesday’s Senate hearing would likely do little to enhance the security of vulnerable processors.
“Those hearings are often used as grandstanding for particular cyber centers in a particular senator's state, or from various government centers claiming some level of participation (NIST, CERT, etc.),” Aitel wrote in an email. “They are not discussions of the issues.”
Other cybersecurity experts believe that one way or another, the U.S. tech industry will have to develop a relatively standard framework for disclosing cyber-vulnerabilities to the relevant federal agencies.
“You don’t want to leave it up to the security researchers to decide whether or not they should disclose to Chinese companies versus the U.S. government, and which Chinese companies versus which U.S. companies, and so on,” Ghosemajumder said.
If security researchers leave the government out of the loop during another major cybersecurity crisis, Manion says, Congress could step in with laws mandating greater transparency. But compulsory reporting requirements could have a negative impact all their own.
“You have the problem of every other government wanting to do the same thing, and that puts binds on all the disclosure processes,” Manion said. He hopes NIST and US-CERT will be able to promote a voluntary disclosure system that puts the U.S. government on an equal footing with China and other potential adversaries.
“I’m not exactly sure why government was not directly notified; that’s an important thing to look at,” Manion said. “My hope is that it’ll adjust back to, at least, the recent baseline and not continue with excluding governments.”