Intel’s response to Spectre and Meltdown has been, on balance, fairly good. While the company’s initial PR on the subject left much to be desired, it followed up with much clearer reporting on the scope of the problem. The actual rollout of solutions has been slow and fitful, but that’s to be expected when dealing with a problem as complex as this, particularly given the number of actors that are collaborating to field solutions.
One decision the company made, however, could come back to bite it. According to the Wall Street Journal, Intel notified a small group of customers, including several Chinese companies, before it clued in the US government. In fact, some US agencies were “clued in” by public reports, not any kind of pre-disclosure notification process.
Today’s story about the Trump administration’s willingness to consider nationalizing a 5G network as a means of securing US assets against foreign countries, including China, highlighted one area where national security policy and economic policy don’t always cleanly align. Intel’s behavior in warning Chinese companies before the US government is another illustration of the same. There is, at present, no indication the information was misused or that any harm occurred, but it’s an example of how sometimes the best corporate policies (in this case, sharing information with major partners) isn’t always the best national security policy (updating the US government or other companies on the existence of security flaws).
Meltdown and Spectre are uniquely suited to highlight such concerns because they’re not so far from hypothetical worst-case scenarios. These are flaws that affect CPUs going back decades, in some cases. The reason you see different timelines on that depends on which bug variant and the degree of risk, but in aggregate, most Intel CPUs since the Pentium Pro are affected. The 2008 Atom, based on the Bonnell microarchitecture, might not be, since it decodes and mostly executes native x86 instructions, but that’s a bit of an outlier. (More details at WikiChip, for those of you curious about the unusual decoder capabilities of a low-power x86 CPU from 2008.)
The problem, according to Jake Williams of Rendition InfoSec LLC, is these flaws can hypothetically be leveraged to sneak information out of data centers and cloud providers, and the Chinese government would’ve become aware of the problems immediately, since authorities there routinely monitor all communications. Williams claims there’s a “near certainty” the Chinese were aware of the problem — and with fixes still underway, it’s possible exploits could surface before bug repair patches are ready.
The way flaw information was distributed has left a bad taste in many vendors’ mouths, for multiple reasons. Some actors were aware by last June that the problem existed, which is probably why Intel had time to bake a solution into its upcoming 10nm chips, but other companies had no warning before stories started popping early this month. Intel (and presumably AMD and ARM) worked with companies like Google for months, but the WSJ notes Joyent, a Samsung-owned cloud service provider, had no warning anything was wrong. Neither did Rackspace or DigitalOcean.
Jake-No nuance to my answer. No lawyerly caveats. NSA did not know about these flaws, nor did they exploit them. I don’t put my good name on the line lightly. I understand you are disinclined to believe, 1/2.
— Rob Joyce (@RobJoyce45) January 13, 2018
Authorities at the Department of Homeland Security told the WSJ they only found out about the bugs on January 3, from public reporting. The NSA has also stated, in no uncertain terms, it had no information Spectre or Meltdown existed.
One does not expect national security agencies to disclose every flaw of which they are aware, but the NSA has staked a strong position on this. Lenovo, Microsoft, and Amazon, in addition to Google, were also aware of the problems (Google has stated it knew by June 2017), as was China’s Alibaba. The lack of coordination with US agencies led US-CERT to issue improper guidance initially. The organization first stated companies and customers would have to replace the affected Intel chips, before amending that guidance to suggest software patches would be sufficient.
A comparison between Meltdown and Spectre. From this presentation, by Rendition InfoSec
Intel’s initial disclosure timetable was calibrated for January 9, when the Consumer Electronics Show would’ve been in full swing. The January 3 unveil undoubtedly complicated some mitigation efforts, but the decision not to loop in the NSA or DHS would’ve been a deliberate one. There’s no way Intel discovers CPU bugs that impact most of the CPUs it’s shipped over 23 years and forgets to notify the US government.
Relations between Silicon Valley and the US government have been souring for years, particularly after the Snowden leaks, but it’s genuinely surprising to read Intel didn’t notify DHS or the NSA. No explanation has been offered for the company’s actions at this time.
Now read: What is speculative execution?