The computing world was turned on its ear January 2 when the Spectre and Meltdown chip vulnerabilities were first reported, revealing that billions of devices deployed in the past 20 years were potentially open to attack. The news leaked out roughly about one week before Project Zero, a group of hundreds of engineers assembled by Google, insist they planned to release information about the flaw.
Experts such as CrowdStrike’s Chief Architect Alex Ionescu wrote in a blog post that a brand new computer science had to be invented to properly repair the vulnerabilities in the chip design.
While techies will roll up their sleeves and make the necessary repairs over the next several months and years, as CISO or CIO you need to explain what this all means in plain English to top management. Here’s a good start:
The sky is not falling. Don’t panic. Fixing Spectre and Meltdown will take time but as Ryan Kalember, senior vice president of cybersecurity strategy at Proofpoint told SC, most typical consumers are still much more likely to be targeted by a phishing email than an attack exploiting Spectre or Meltdown.
Spectre and Meltdown target the hardware in just about every computer. As Mark Weatherford, chief cybersecurity strategist at vArmour explained, Spectre and Meltdown are different from the typical software vulnerability because they are flaws in the actual microprocessor hardware of all Intel, AMD and AMR processors. These represent close to 100% of all computers deployed worldwide. The vulnerabilities take advantage of an architecture flaw where these microprocessors employ a feature called speculative execution to speed up performance. The vulnerabilities let bad actors access information at a very granular level of the microprocessor and reveal highly privileged data.
Take a go-slow approach to patching. Weatherford also makes this important point. While hardware and software vendors have responded vigorously with software and firmware patches, there have been complications. One wrong move, and many of the company’s servers could be fried. There have already been several instances where vendor patches completely disabled computers and other cases where there were significant performance-related problems.
A short-term software fix does exist for Meltdown. Despite Weatherford’s cautionary tale, a team of computer scientists did publish a white paper in January that details a temporary software fix for Meltdown. They recommend that their fix, known as KAISER, be installed in all operating systems until a hardware patch can be developed.
Be patient, the full fix may not come for 12 to 24 months. In an advisory published by Gartner on February 15, analysts explained that it could take two years before the hardware fix required to fix the vulnerability in Spectre and Meltdown will be available, so we’ll need patience.
Small and midsized cloud and hosting providers could be hardest hit. Alan Liska, intelligence architect at threat intel company Recorded Future, told SC that while large cloud providers such as AWS, Microsoft Azure and Google are working hard to patch their servers, the smaller cloud and hosting providers may not always have advanced access to the latest patches. They have to wait for their hardware and OS providers to send patches and it could take weeks or months before they receive what they need to make the fixes.
Bottom line: We really don’t know the bottom line. Various reports in the tech press estimate the performance damage from Spectre and Meltdown in terms of servers and systems running 10 percent to 20 percent slower. While it’s clear that Intel will have this matter tied up in the courts for several months, none of the major analyst houses have dared put a financial figure on what this vulnerability will take to fix. Unfortunately, nobody really knows how long it will take to develop the full hardware fix, or how well the temporary fixes will work. What will the first major exploit cost? No one knows.
While it’s all a bit unsettling, the security world has finally caught up to the chip manufacturers. Application programmers have been pushed to build security into their software for several years. So have OS makers. It’s now time for the chip makers to build security in from the start. The old yarn of “there’s fast, cheap and secure, pick two” won’t work for chipmakers anymore. It will be interesting to see how this gets resolved. Will there be a fix? Or will the chipmakers – primarily Intel – just offer workarounds for the next decade?