Congress: Please tell US about security vulnerabilities sooner

The US government has some FOMO on security disclosures.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
Alfred Ng
3 min read

Spectre and Meltdown were disclosed to the US government seven months after companies found out about them.

James Martin/CNET

The US government wishes it had gotten the memo on Spectre and Meltdown sooner.

On Wednesday, the Senate Committee on Commerce, Science and Transportation held a hearing on cybersecurity issues related to the Spectre and Meltdown vulnerabilities, which left hundreds of millions of computer chips open to attacks.

The Spectre and Meltdown flaws were first announced in January, after Google's Project Zero, as well as independent researchers, discovered problems with processors that created the vulnerabilities and dated back 20 years. Project Zero is a team of Google security analysts that looks for vulnerabilities in software.

Researchers notified chip companies of Spectre and Meltdown in 2017, but the US government wasn't informed of the vulnerabilities until they were publicly disclosed. That's an issue for lawmakers, who argue the government should have known about the vulnerabilities immediately so that it could protect itself from foreign cyberattacks.

Sen. Bill Nelson, a Democrat from Florida on the committee, pointed out that seven months too long for the companies to wait before disclosing major vulnerabilities, such as Spectre and Meltdown, to the US government.

Joyce Kim, a chief marketing officer for chip designer Arm, told senators the company had informed affected companies 10 days after learning about the vulnerabilities, but wasn't focused on informing US officials immediately.

"Given the unprecedented scale of what we were looking at, our focus was assessing the full impact of this vulnerability and getting to potential impacted customers and focusing on developing mitigations," Kim said.

The vulnerabilities allowed potential attackers to read sensitive information that's stored on your CPU. It affected chips from Intel, Arm and AMD. Those chips are used in devices made by major companies like Apple, Google, Microsoft and Amazon.

Because the vulnerability was so widespread, it caused lots of complications with disclosure, Art Manion, a senior vulnerability analyst with CERT, said at the hearing. He pointed out that disclosing vulnerabilities is already a difficult process, but when it's something on the scale of Spectre and Meltdown, it can be even harder.

"A number of things probably combined to lead to insufficiency of US government notification," Manion said. "We are actively working with other industry contacts to remind them of the existing practice of notifying critical infrastructure and important service providers before public disclosure happens to avoid costly surprises."

The fallout is still trickling through, with Google and Microsoft discovering another set of vulnerabilities related to Spectre and Meltdown in May. Updates to fix the flaws haven't been smooth either, sometimes causing slowdowns and sacrificing speed for security.

Senators raised concerns with reports that companies notified Chinese companies about Spectre and Meltdown before the US government, arguing that those companies could have leveraged these flaws for cyberattacks. Sen. Richard Blumenthal, a Democrat from Connecticut, asked if these vulnerabilities would have been "attractive to foreign intelligence services."

Manion said there haven't been any documented cases of Spectre and Meltdown being used for attacks. He called the disclosure process for the two vulnerabilities successful, but added there was room for improvement.

"We hope ongoing that we can adjust this process to not have a situation like Meltdown and Spectre occur again," Manion said.