Lawmakers last Wednesday decried a surreptitious industry effort to correct longstanding hardware vulnerabilities affecting nearly all modern computer processors. The reason? The Federal government didn’t get the memo.
At a hearing to examine the Meltdown and Spectre vulnerabilities, Senate leaders discussed the steps that followed the discovery of two major computer hardware flaws and lamented the private sector’s exclusion of U.S. law enforcement and emergency cyber response teams from subsequent actions. The discussion then shifted to how the Federal government, along with private technology companies, will work to address threats to the IT supply chain that will likely rear their heads again in the future.
Background on Meltdown and Spectre
Meltdown and Spectre rightly set the technology world afire at the beginning of this year. The vulnerabilities were first discovered by independent groups of researchers, including Jann Horn at Google Project Zero, in June 2017.
Those researchers alerted major technology providers privately of the vulnerabilities, which affected almost every computer made in the last 20 years and could have allowed hackers to steal sensitive information and protected data through the microprocessor hardware itself, rather than a software flaw or malware.
While private disclosure of vulnerabilities is common practice in the technology industry–to allow affected companies to correct the problem–the scope of this particular problem was what caused the Federal government ire at its exclusion. The public–and Federal government–did not learn of the flaw until January 2018. U.S. Senators then sent letters to 12 major technology companies in February to question their response to Meltdown and Spectre, which prompted last week’s hearing.
Industry Response
“Only one company, IBM, reported that it contacted the U.S. government prior to the January 3, 2018 public disclosure,” said Sen. John Thune, R-S.D., chairman of the Senate Committee on Commerce, Science, and Transportation that held the hearing Wednesday. “No vendor engaged CERT/CC [The Computer Emergency Readiness Team Coordination Center] to assist coordinating the vulnerability disclosure response. Even the largest affected chip manufacturer, Intel, did not provide advance notice.”
Intel–the market leader in chip manufacturing–along with other companies said that a premature public leak prevented the government disclosure from happening sooner. Thune said at the hearing that Intel “should have been present” but declined an invitation to testify.
Sen. Bill Nelson, D-Fla., the ranking member on the committee, expressed grave concern that many tangential companies were notified before the United States Computer Emergency Readiness Team (US-CERT), National Security Agency, and the Department of Homeland Security (DHS).
“The lack of this disclosure is just baffling and also inexcusable,” he said. “While these vulnerabilities seem to have been patched reasonably well, what about the next one? And we might not know about it until it’s too late. So, what are we doing about it?”
Joyce Kim, chief marketing officer at Arm–a microprocessor designer–was the lone industry witness on the panel and said that Arm did in fact notify the Federal government before the public disclosure, but not before telling the individual manufacturers it shares its designs with. She said Arm is committed to partnering with DHS to address similar cyber vulnerabilities in the future.
Thune noted that when new vulnerability variants were discovered–likely referencing new Spectre vulnerabilities publicly revealed in May–several companies notified the Federal government more than a month before the public disclosure, so collaboration could be seeing a more notable uptick in light of the publicity of these issues.
Supply Chain Threats and Future Outlook
The further-reaching implications of the hearing were not retrospectives about Federal government involvement, but rather what these types of exploits could say about future supply chain risks.
“While the Spectre and Meltdown vulnerabilities are ostensibly the topic of today’s hearing, the truth is, in the world of cybersecurity they are old news,” said Sri Sridharan, managing director for the Florida Center for Cybersecurity. “They’ve been discovered, researched, and patched. What they represent, however, is something of far greater concern: the multitude of vulnerabilities that most assuredly still lurk in cyberspace.”
Sridharan noted that it took 20 years to find these problems, which could all the while have been exploited by adversaries without detection, as there was no way to track whether the exploit had been used. The pervasive nature of the threat also cuts across companies.
“Vulnerabilities that affect multiple vendors usually do so because of shared supply chain connections, and due to the way modern software and devices are built with increasingly connected supply chains, we anticipate more vulnerabilities of this Spectre and Meltdown style with multiple vendors involved,” said Art Manion, senior vulnerability analyst at CERT/CC.
Manion said that the coordinated response to Meltdown and Spectre was “reasonably successful” but “could’ve been tuned differently” to include more vendors and the Federal government.
But perhaps the biggest concern voiced by lawmakers was exactly who was included on the list of notified private sector companies.
“Some Chinese manufacturers including Huawei were informed of the vulnerability prior to public disclosure,” Thune said. “Given their close ties to the Chinese government, Huawei’s involvement in the coordinated vulnerability disclosure, while perhaps necessary, raises additional questions about supply chain cybersecurity.”
Threats from technology firms with ties to the Chinese government, chiefly Huawei and ZTE, have been a persistent worry for the Federal government due to their perceived risks to the U.S. IT supply chain. It’s led to constant discussion of late over whether or not to prevent those firms from supplying the Federal government or even operating in the United States altogether.
But Manion cast doubt on the possibility that we could altogether prevent vulnerability information from reaching the Chinese government for potential weaponized exploitation. “The Internet doesn’t stop at national borders,” he said.