That didn’t take long: the leaders of the Energy and Commerce Committee within the U.S. House of Representatives sent letters to the CEOs of six companies involved in the effort to deal with the Meltdown and Spectre chip design flaws on Wednesday, asking how the process was coordinated and whether more companies should have been informed about the problems.
“While we acknowledge that critical vulnerabilities such as these create challenging trade-offs between disclosure and secrecy, as premature disclosure may give malicious actors time to exploit the vulnerabilities before mitigations are developed and deployed, we believe that this situation has shown the need for additional scrutiny regarding multi-party coordinated vulnerability disclosures,” the committee wrote in identical letters sent to Amazon, AMD, ARM, Apple, Google, Intel, and Microsoft. After Google informed Intel in June 2017 that it had discovered a glaring security hole in chips used by nearly all the computers in the world, the six companies collaborated in secret for six months to understand the flaws and find ways to get around them.
This practice is not uncommon when it comes to dealing with security flaws, and in general, it’s actually a good thing. If Google had just dropped that information on the internet in June 2017, it’s quite likely malicious hackers would have found a way to exploit the security holes before fixes could have been applied.
But Congress is concerned about the fact that lots of other prominent tech companies were put at a disadvantage by the secret process, and caught off guard when Intel and Google abruptly released the news following reports by The Register a few days before the embargo was set to expire. The letter cites a blog post by Digital Ocean Chief Security Officer Josh Feinblum expressing frustration over the situation: “Unfortunately, the strict embargo placed by Intel has significantly limited our ability to establish a comprehensive understanding of the potential impact.”
“As more products and services become connected, no one company, or even one sector, working in isolation can provide sufficient protection for their products and users. … This reality raises serious questions about not just the embargo imposed on information regarding the Meltdown and Spectre vulnerabilities, but on embargoes regarding cybersecurity vulnerabilities in general,” the committee wrote.
Companies that received the letters have until February 7th to respond to several questions about how the embargo process was created and managed.