Senators vexed by slow pace of Spectre/Meltdown disclosures

At a Senate hearing, lawmakers expressed frustration about delays in notifying government about the Spectre and Meltdown vulnerabilities, and they want to see a change in industry's approach to notification after discovering flaws.

Members of the Senate commerce committee expressed frustration about a delay in notifying government about the Spectre and Meltdown chipset bugs, and they want to see a change in industry's approach to notifications after it uncovers vulnerabilities.

After initially discovering the widespread hardware vulnerabilities in 2017, Intel reportedly alerted a group of customers that included Chinese companies before it notified the U.S. government, prompting concerns of Senate Commerce, Science and Transportation Committee members at a July 11 hearing that foreign governments may find out about security flaws before U.S. officials do.

Sen. Maggie Hassan (D-N.H.) called the delay "troubling" and added, "we need to consider additional ways to require the federal government's equipment suppliers to promptly notify [the Department of Homeland Security] of potential breaches or vulnerabilities that could weaken our federal systems."

Joyce Kim, the chief marketing officer with ARM, testified that her company first learned about the flaws in June 2017 and told some customers within 10 days -- but not government officials because the complexity of the flaws represented "a very, very unprecedented event." She added, "I believe [more prompt notification] is something you'll see going forward."

The period between the initial discovery of the hardware flaw and the notification of DHS "is a rather long time, and, in our professional assessment, it's probably too long, particularly for very special, new types of vulnerabilities like this," said Art Manion, senior vulnerability analyst at Carnegie Mellon University's CERT Coordination Center, which has a partnership with DHS.

"When you see a response" that leaves government in the dark for months, said committee Chairman Sen. John Thune (R-S.D.), "it suggests we need a different approach."

On the House side, in January a group of lawmakers pressed leaders of Apple, Amazon, Advanced Micro Devices, ARM Holdings, Google, Intel and Microsoft about the decision to embargo information related to the vulnerabilities.

However, Thune said he doesn't view legislation as a desirable fix.

"My preference would be if there's a way this could happen without Congress mandating a solution," he told reporters after the hearing.

Manion added he would also like to see industry go back to its practice of informing government promptly after finding security flaws rather than relying on regulations, adding he was "stumped" about why that didn't happen in the Spectre and Meltdown case.

But there will be opportunities in the future for industry to remedy this approach, as "there was a new Spectre variant released yesterday, so we're not done with this line of disclosures," he noted.

The discovered vulnerabilities are so deep in the hardware itself, he added, that the new types of attacks based on the flaws will crop up for "years and years."

Sen. Cory Gardner (R-Colo.) made the point that due to the widespread nature of the flaw, government itself "is currently purchasing unsecured devices" and can use its purchasing power to improve security.

"The federal government, I believe, needs to do a better job from a procurement perspective about ensuring we have more secure devices and more secure software," he said. "By implementing some very basic security standards and practices in the acquisition process, the federal government can absolutely raise the bar."

Gardner co-sponsored a bill in August 2017 that would restrict government purchases of connected devices to those with certain cybersecurity protections. The Internet of Things Cybersecurity Improvement Act of 2017 has yet to receive a committee hearing or vote.