Letters to lawmakers say Intel took six months to tell the US government about the exploits
Some of the world’s biggest tech firms have written to lawmakers to complain that Intel didn’t warn US cyber security officials about the Meltdown and Spectre chip security bugs until they went public.
In the letters, the companies, which include tech giants Alphabet, Apple and ARM, said Intel didn’t make the issue known to the United States Computer Emergency Readiness Team (US-CERT), until they leaked to the masses at the turn of the year.
The letters, sent on Thursday in response to questions from Republican senator Greg Walden, who chairs the House Energy and Commerce Committee, claimed Intel took a full six months to notify the government’s digital security body after Google’s security researchers notified it in June.
That notification started the 90-day notice period for the chip giant to fix the issues before telling the world. But, Intel didn’t inform US-CERT until 3 January, quite some time after the Meltdown and Spectre bugs had begun to spread. This has led to current and former US government officials raising concerns because the flaws potentially held national security implications.
However, Intel has said that it didn’t believe the flaws needed to be shared with US authorities as hackers had not exploited the vulnerabilities.
“Intel and other industry participants were following the guidelines supported by US-CERT’s Coordinated Vulnerability Disclosure (CVD),” an Intel spokeswoman said in an emailed statement.
In Intel’s letter, the firm stated: “The collaboration between Intel and others in the technology industry regarding the disclosure and mitigation of these vulnerabilities was done in accordance with widely accepted principles commonly referred to as ‘responsible disclosure’.”
Intel said this “responsible disclosure” is based on two foundational concepts: First, it said it’s about when companies become aware of security vulnerabilities, they work as quickly, collaboratively, and effectively as possible to mitigate those vulnerabilities.
Secondly, it said it’s about companies taking steps to minimise the risk that exploitable information becomes available before mitigations are released – through leaks or otherwise – to those who would use it for malicious purposes.
“While one can debate the details of how best to execute responsible disclosure in specific incidents, Intel agrees with the prevailing industry view that in general responsible disclosure is the best practice because it maximises information security while minimising risk to end-user,”, the chipmaker explained.
“Security vulnerabilities vary in their complexity and seriousness, and under responsible disclosure, Intel and other technology companies have identified and fixed many security vulnerabilities over the years.”