Four Republican members of the US House of Representatives sent letters on Wednesday to the leaders of Amazon, AMD, Apple, ARM, Google, Intel and Microsoft seeking answers about how the embargo on the Meltdown and Spectre bugs was handled.
The secrecy agreement, put in place by these same companies, demanded silence from June 2017, when researchers recognized the seriousness of the processor design flaws, through the planned date of coordinated disclosure on Tuesday, January 9, 2018.
However, unaware of any embargo and after some detective work, The Register broke the news a week early, on January 2, 2018. Google then posted technical details about the flaws on January 3, with Arm following suit with a white paper and mitigation code, and AMD pitching in information.
Chaos ensued as Intel rushed out patches – some of which proved faulty – and tried to reassure customers and stockholders that they would not have to replace most of the CPUs shipped in the past two decades. Meanwhile, operating systems from Windows to macOS to the various Linux distros emitted a range of fixes and mitigations for Meltdown and Spectre over the course of several days.
The dust still hasn't settled. On Sunday, Linux kernel leader Linus Torvalds fumed that Intel's approach to mitigating the Spectre flaw is "pure garbage."
The four congressional representatives – Greg Walden (R-OR), Gregg Harper (R-MS), Bob Latta (R-OH), and Marsha Blackburn (R-TN) – affiliated with the House Energy and Commerce Committee and various subcommittees, have asked Amazon's Jeff Bezos, Arm's Simon Segars, Apple's Tim Cook, AMD's Lisa Su, Google's Sundar Pichai, Intel's Brian Krzanich, and Microsoft's Satya Nadella the same questions about how the embargo and disclosure were handled.
The breakdown of the embargo, they note, raises questions about whether it was effective and appropriate, given how companies left out of the agreement were caught off-guard.
"While we acknowledge that critical vulnerabilities such as these create challenging tradeoffs between disclosure and secrecy, as premature disclosure may give malicious actors time to exploit the vulnerabilities before mitigations are developed and deployed, we believe that this situation has shown the need for additional scrutiny regarding multi-party coordinated vulnerability disclosures," the legislators say in their letters, dated Wednesday.
Cybersecurity, they insist, has become a collective responsibility that extends beyond the information technology community to include energy, healthcare, manufacturing, and other sectors.
"This reality raises serious questions about not just the embargo imposed on information regarding the Meltdown and Spectre vulnerabilities, but on embargos regarding cybersecurity vulnerabilities in general," the letters conclude.
Intel, which is already facing several lawsuits over the vulnerabilities and reports its Q4 2017 earnings tomorrow, is apparently thrilled.
"The security of our customers and their data is critical to us," a spokesperson told The Register via email. "We appreciate the questions from the Energy and Commerce Committee and welcome the opportunity to continue our dialogue with Congress on these important issues. In addition to our recent meetings with legislative staff members, we have been discussing with the Committee an in-person briefing, and we look forward to that meeting."
Google, meanwhile, insists it behaved in accordance with established practices. "After working with security teams across the industry for months, we released our findings according to established principles of vulnerability disclosure, and deployed mitigations to help secure people's information on Google and other platforms," a spokesperson told The Register via email.
Lawmakers are seeking similar answers from the US government itself, which has been criticized for opaque and inconsistent handling of vulnerabilities. The House of Representatives earlier this month approved the "Cyber Vulnerability Disclosure Reporting Act," to ensure that the Department of Homeland Security tells elected officials about its policies and procedures for bug reporting. ®