Intel CEO Brian Krzanich directly addressed the questions about the security of Intel processors during the Intel earnings call on Jan. 25 even before reporting Intel’s strong results.
“We've been around the clock with our customers and partners to address the security vulnerability known as Spectre and Meltdown,” Krzanich said during the call. “While we made progress, I'm acutely aware that we have more to do, we've committed to being transparent keeping our customers and owners appraised of our progress and through our actions, building trust.”
Krzanich said that Intel is going to focus in the near term on delivering high-quality mitigations to protect customers from potential Meltdown and Spectre exploits. He also added that Intel would incorporate silicon-based changes into its new processor designs scheduled for release later this year to eliminate the threat from Spectre and Meltdown.
Exactly when the additional mitigations or the new processors will appear is unclear. Krzanich did not provide any specifics on when to expect further fixes or in what form they might come.
There were also no specifics on exactly when Intel learned about the vulnerabilities, but rumors have been making the rounds that Intel probably learned about the problems during the early summer of 2017 and only admitted to the problems when independent researchers went public.
In fact, the rumors about Intel’s secrecy regarding the vulnerabilities have been referred to as an information embargo, suggesting that there was a coordinated effort among several technology companies to keep the vulnerabilities under wraps.
Public attention to the alleged embargo has reached the point that Congress has now become involved. On Jan. 24, the House Energy and Commerce Committee announced that it was sending a letter to executives at seven technology companies demanding more information on whether the embargo existed, why it took place and whether proper authorities were notified. The companies were Apple, AMD, Amazon, ARM, Google, Intel and Microsoft.
The Committee’s letter acknowledged that Intel and the technology industry in general had reacted quickly to fix the problem starting in June, 2017. But the letter also said that some members of the industry had expressed concern about the information embargo agreed to by several companies involved.
“This embargo restricted the dissemination of information related to the vulnerabilities outside of these companies,” the letter said, noting that originally the information was going to be released in January, 2018.
The letter also noted that the embargo raised questions related to the effect and appropriateness of the embargo on companies not originally included in the June 2017 disclosure and thus were caught off guard. The letter questioned why only ten companies were eventually included in the group sharing the information.
“We believe that this situation has shown the need for additional scrutiny regarding multi-party coordinated vulnerability disclosures,” the letter continued. “As demonstrated by numerous incidents over the past several years, cyber-security is a collective responsibility. Further, it is a responsibility that is no longer limited solely to the information technology sector; connected products exist in electric grids, hospitals, manufacturing equipment, and in innumerable other sectors.”
The letter from the committee also asked a series of nine very pointed questions, starting with why the embargo was imposed, what companies proposed the embargo and whether US-CERT or CERT/CC were informed of the vulnerabilities.
Other questions requested details on any negative impacts resulting from an embargo on critical infrastructure or other IT companies. Other questions related to lessons learned from such a multi-party embargo.
Even if the committee gets detailed answers to all of these questions, you can assume there committee will hold a hearing perhaps followed by one before the Senate Commerce Committee as well. The concern is not that the vulnerabilities exist, but rather whether critical users as well as the public at large should have known about them sooner.
As it stands right now, it appears that the chip makers were planning to come up with fixes to the vulnerabilities and then just sort of release them without much explanation. This is the reason why the Congressional letter asked about notifications to the IT sector as well as to government users.
As the letter points out, during the six month window between when the vulnerability was known and when it was fixed, nobody was aware they had to take certain precautions.
For Intel and the other chip makers, this story is far from over. While it would be wrong to fault the chipmakers for creating processors with a vulnerability that nobody suspected could exist until researchers figured it out, they still have the responsibility to fix it.
Meanwhile, bad actors are everywhere, especially those with the resources provided to state-sponsored hackers, know what they have to do and know how to do it. The next question won’t be whether such an exploit will exist, but rather who will the first to take advantage of it.
“This will be an ongoing journey,” Krzanich said during his call, “but we're committed to the task and I'm confident we’re up to the challenge.” Unfortunately for everyone involved, it’s proving to be very great challenge indeed.