House technology committee leadership called on officials at the top IT companies in the U.S. to explain their collective decision to impose an embargo on disclosing information related to two serious cyber security vulnerabilities affecting their processors.

The CEOs of seven major technology companies are asked to describe the decision-making process behind withholding a public announcement detailing the “Meltdown” and “Spectre” chipset vulnerabilities, first discovered in June 2017 and only fully disclosed seven months later on Jan. 4.

House Energy Committee Chairman Greg Walden (R-Ore.), Oversight and Investigations Subcommittee Chairman Gregg Harper (R-Miss.), Digital Commerce and Consumer Protection Subcommittee Chairman Bob Latta (R-Ohio) and Communications and Technology Subcommittee Chairman Marsha Blackburn (R-Tenn.) sent letters on Jan. 24 to the top officials at Intel [INTC], AMD [AMD], ARM, Apple [AAPL], Microsoft [MSFT], Amazon [AMZN], and Google [GOOG].

“…This situation has shown the need for additional scrutiny regarding multi-party coordinated vulnerability disclosures. As demonstrated by numerous incidents over the past several years, cybersecurity is a collective responsibility,” the lawmakers wrote in their letter.

Researchers with Google’s Project Zero alerted tech companies to the “Meltdown” and “Spectre” vulnerabilities in June 2017, but a collective decision was made to impose an information embargo until January.

The software vulnerabilities allegedly allowed for potential unauthorized access to information on systems using the affected processors.

During the imposed embargo, the companies released periodic updates to mitigate the worst effects of “Meltdown” and “Spectre.”

The lawmakers appreciated the CEOs’ effort to form a collective response to the issue, but pointed to leaks that occurred before the public announcement that had the potential to compromise the proof-of-concept exploit code.

“As nearly all modern technology companies are impacted by these vulnerabilities, and less than ten companies were included in the original June 2017 disclosure, it is reasonable to assume that additional companies have been negatively impacted by the embargo,” the lawmakers wrote in their letter.

To set standards for determining future vulnerability disclosure procedures, the House tech leadership asked the CEOs in the letter to describe why they imposed an information embargo.

The CEOs are already asked to provide information on analyses conducted to see how an embargo would negatively affect critical infrastructure sectors and other smaller IT companies.

“More work remains to be done, however, because the vulnerabilities stem from a common and previously accepted computer engineering method. As such, full mitigation will require the rearchitecting of many chipsets. This is not a trivial problem, and will take some time to address,” the lawmakers wrote in their letter.