Intel says the reason it did not inform industry organizations or the federal government of critical flaws in its processors is that it was following established industry disclosure practices designed to protect users until a fix is available.
In a letter responding to a query from the House Committee on Energy and Commerce, Intel said it abided by standard industry practice in how and when it disclosed the Spectre and Meltdown vulnerabilities in its processors. The letter answered a committee inquiry sent on January 24 asking Intel, along with Apple, Amazon, AMD, ARM, Google and Microsoft, to explain the actions that led to public disclosure of the flaws taking place six months after Intel was first informed of the problems by Google's Project Zero.
Intel's response, dated January 31, and those of the other companies were made public by the committee on February 22.
Intel said it was informed of the flaws by Google in June 2017 and that, under the industry-standard disclosure practice, it had 90 days to develop appropriate mitigations before Project Zero would make the flaws public. The remaining companies all made clear in their responses that they were downstream users of Intel technology and therefore neither directly responsible for initiating mitigations nor able to analyze the problems first hand.
This explanation did not fly with Mike Kail, CTO of CYBRIC.
“In my opinion, Intel did literally everything wrong. They didn't disclose the issues to the US Government because they didn't believe hackers had exploited the flaws, but since they didn't bother to perform even basic validation of the flaws, it is doubtful that they had any real data around that belief. On a minor level, this was careless, and it seems to point to a larger issue where proper checks and balances aren't in place,” he told SC Media.
The letters note that Project Zero also informed ARM and AMD of the issues in June, and these companies in turn informed Amazon, Microsoft and Apple.
Intel said in its letter that it intended to inform US-CERT and Carnegie Mellon's CERT Coordination Center (CERT/CC) on January 9, 2018, but news of the flaws broke publicly on January 3.
“According to one report, on January 3, 2018, just one week after an AMD engineer made a brief comment to a public discussion group about the capabilities of the company’s processors relating to “speculative references,” a proof of concept emerged showing how to exploit the Meltdown and Spectre hardware vulnerabilities, which rely on techniques known as speculative execution,” Microsoft wrote.
Intel's explanation for not informing US-CERT or any other federal agency before its planned disclosure was that there was no indication the vulnerabilities were being exploited in the wild.
“It was, therefore, consistent with widely accepted principles of responsible disclosure to engage in limited disclosure of detailed information about these vulnerabilities to certain information technology companies to enable them to help develop and implement mitigations,” Intel wrote.
In its letter, AMD noted that while federal civilian agencies are required to report security incidents to US-CERT, private companies are not under a similar requirement.
“Current guidance from the U.S. Department of Homeland Security (“DHS”) provides for voluntary reporting of cybersecurity incidents and malicious software to US-CERT. Conversely, DHS guidance provides for voluntary reporting of vulnerabilities, such as those at issue here, to Carnegie Mellon University's CERT/CC,” AMD wrote.