Communications Daily is a Warren News publication.
‘New Class’ of Vulnerability

Nelson, Other Lawmakers Question Industry, Intel Response to Chip Flaws

The tech industry’s lack of disclosure to the federal government about computer processor design flaws was “baffling” and “inexcusable,” said Senate Commerce Committee ranking member Bill Nelson, D-Fla., Wednesday during a hearing on Spectre and Meltdown vulnerabilities (see 1807100057). He told us later that Intel’s absence gives him little confidence industry will alert the government in a “timely fashion” on future vulnerabilities.

Sign up for a free preview to unlock the rest of this article

Communications Daily is required reading for senior executives at top telecom corporations, law firms, lobbying organizations, associations and government agencies (including the FCC). Join them today!

Researchers discovered the computer processor vulnerabilities, which have existed for more than 20 years, in June 2017, and they were publicly disclosed in January. Reports suggest Intel informed Chinese companies before U.S. agencies, Nelson said. The company didn’t comment.

Chairman John Thune, R-S.D., said IBM reported contacting the federal government before public disclosure. Chinese manufacturers, like Huawei, were informed of the vulnerability first, he said. “Cybersecurity standards should be industry-led and remain voluntary, but the cybersecurity risks that threaten our nation are too great to be handled solely by the government or by industry.” Thune cited reports about a Spectre variant discovered this week that he called “Chipzilla.”

Arm was the lone chip manufacturer attending. Chief Marketing Officer Joyce Kim said industry collaboration was “unprecedented,” given information exchanged among competitors. Carnegie Mellon University Software Engineering Institute CERT Coordination Center Senior Vulnerability Analyst Art Manion said friendly industry interaction on security matters is common.

Kim said companies have invested more in research on vulnerabilities, and Arm welcomes collaboration between industry and government agencies: “We will leverage all and every resource we can get.” During questioning from Nelson, Kim said Arm notified its architecture customers, some of which are Chinese, before public disclosure. Given the scale of attacks, she said, Arm’s focus was to assess full impact of vulnerability, communicate with at-risk customers and mitigate. Dialogue since with the Department of Homeland Security will continue, she said. When Nelson asked if industry thinks it can handle the issue on its own, Kim said Arm welcomes government partnership, which has been helpful.

During questioning from Sen. Cory Gardner, R-Colo., National Institute of Standards and Technology Chief Cybersecurity Adviser and Director-National Cybersecurity Center of Excellence Donna Dodson conceded the government is using unsecure devices and not all devices purchased by the government are secure: “We have some [devices] that could be improved.”

Gardner said the government shouldn't buy software and firmware that can’t be updated. A bill he sponsored, the IoT Cybersecurity Improvement Act (S-1691), would update processes for U.S. government procurement of secure devices, he said. Dodson said NIST is aware the government will be addressing Spectre and Meltdown issues for years. Sen. Maggie Hassan, D-N.H., a sponsor of the bill introduced by Sen. Mark Warner, D-Va., and Gardner, said it’s “really troubling” that all government devices contain processor flaws and that companies knew about the vulnerabilities for six months before alerting DHS.

Dakota State University President José-Marie Griffiths​​​​​​​ said Spectre and Meltdown created a new class of vulnerability, to the extent people were in disbelief. Don’t rule out discovery of other new classes, she said. Manion said Spectre and Meltdown attacks haven't been observed since January, only evidence of malicious test code. Kim agreed there were no recent exploits.