In a response to a U.S. government inquiry on the Meltdown/Spectre incident, Intel and other companies agreed that embargoing the disclosure of the vulnerabilities was the correct choice.
The Meltdown/Spectre incident brought the tech industry’s disclosure process for security issues to the public’s attention. As we reported before, the vulnerabilities were discovered by Google’s Project Zero research team, and a multi-company effort to fix them began in June 2017. To give the vendors enough time to develop fixes, the companies agreed to a non-disclosure policy that scheduled the coordinated public reveal for January 9. The story leaked before that date, however, which forced the reveal forward to January 3.
The U.S. government was not among those with advance knowledge of the vulnerabilities; it learned of them when the public did. Congress began an inquiry into the incident and sent letters to companies including Intel, Amazon, Apple, Google, Microsoft, AMD, and Arm. The letter is published here and contains nine questions. The ones of particular interest are why the companies chose to embargo information about the vulnerabilities, and whether they analyzed the risk the vulnerabilities posed to U.S. infrastructure, or the risk created by delaying disclosure.
The response letters from the companies have been published, and they give an interesting view into the lead-up to the Meltdown/Spectre incident. They make it clear that Google began the process by disclosing the vulnerabilities to the other companies, all of which agreed to Project Zero’s standard policy of a 90-day window for fixes to be developed before Google discloses publicly. Because of the scale of the problem, the companies and Google then agreed to extend that window to reach the originally intended disclosure date of January 9.
The focus will of course be on Intel’s letter. The company said it believes it acted correctly by maintaining, and later extending, the embargo. Its reasoning was that limited disclosure allowed fixes to be developed, while early public disclosure would only have given attackers a head start on developing exploits, potentially outpacing the vendors as they scrambled to patch.
Intel also did not believe that Meltdown/Spectre posed a risk to U.S. infrastructure. The company said there was no evidence that the vulnerabilities had been exploited and that any exploit code would have to run locally on the affected machine. Note that "locally" is broader than it sounds: the Spectre paper itself demonstrated a proof of concept in JavaScript, so code delivered by a web page and executed by the browser qualifies. Intel’s argument was that most U.S. infrastructure uses embedded systems that run fixed embedded code, have no access to the internet, and do not run multiple programs simultaneously, so there is no untrusted code on the machine to mount such an attack, and it therefore did not see Meltdown/Spectre as a threat in that area.
Intel did not say why it chose not to disclose the vulnerabilities to the U.S. government, but it did acknowledge disclosing them to some partners during the embargo. In late January, reports circulated that Intel had discussed the vulnerabilities under embargo with Chinese firms that are closely connected to the Chinese government, but Intel did not name any specific firms in its letter.
The response from Google is also interesting. The company sees its role as that of a neutral party that finds vulnerabilities and notifies the affected companies. The 90-day window is a policy that those companies can choose whether or not to follow, and the decision on whether to disclose to the U.S. government, or to any other party, is left to them. Google is straightforward on one point: it does not analyze the risk posed by other companies’ vulnerabilities. This differs somewhat from the responses of the other software companies, which effectively point fingers at the chipmakers.
AMD’s and Arm’s responses are predictable. AMD agreed to Google’s deadlines and did not disclose the vulnerabilities to any other parties. Its letter makes few references to the Spectre vulnerabilities, to which AMD has admitted its processors are susceptible. Arm points out that its business model consists of licensing processor designs and architecture IP, not making chips. Hence, the company bears partial responsibility for chips built on its designs, but it cannot itself ship fixes for them; Arm said it worked with its licensees on the issue.
Clearly, Intel remains the center of attention in the ongoing Meltdown/Spectre issue. Why it chose not to disclose to the U.S. government is an open question; perhaps the company thought it pointless to do so without a fix in place. It is easy to place the blame on Intel, but AMD and Arm CPUs are both affected by this incident too, and neither of those companies chose to disclose the vulnerabilities to the government either.