Earlier this month, the world of cybersecurity was shook by the discovery of two serious exploits, namely Meltdown and Spectre. The former allows hackers to navigate around the hardware barrier protecting the computer's kernel memory, while the latter allows them to trick applications into divulging a user's sensitive information.
While some companies like Microsoft, Apple, Google, and Intel released patches and mitigation for the vulnerabilities, their efforts have largely been hampered by the nature of the exploits themselves as well as the wide variety of different devices that need to be patched.
Now, the United States Congress wants to know why the disclosure of Meltdown and Spectre was clumsily handled.
In an open letter sent to executives of various tech companies, the Committee on Energy and Commerce has praised the efforts of firms to mitigate the problems posed by Meltdown and Spectre, saying that the full fledged solution requires the redesign of the processor, which isn't a trivial issue. However, the Congress has questioned the disclosure policy of the vulnerabilities, saying that even though the embargo was supposed to last from June 2017 to January 9, 2018, information began to leak to the public as early as January 4.
While the Congress believes that this does not seem to have majorly affected the release of mitigation techniques, the leakage of sensitive info such as this does raise some questions regarding the nature of the embargo. It went on to say that even though most tech companies were impacted by these vulnerabilities, only ten of them were part of the June 2017 disclosure. The authority adds that the handling of the embargo also raises concerns regarding the sharing of information, not only among tech companies but also among different sectors, because many institutes such as hospitals and electric grid companies utilize connected devices which were affected by Meltdown and Spectre.
Questions from tech companies include information regarding the time frame in which the embargo was imposed, names of firms which enforced this disclosure's regulations, the reasons behind imposing an embargo, and the timeframe for when government authorities were informed of the vulnerabilities, among other things.
The open letters in question have been sent to Microsoft's Satya Nadella, Apple's Tim Cook, Amazon's Jeff Bezos, Intel's Brian Krzanich, AMD's Lisa T. Su, and Google's Sundar Pichai, among others. You can view the letters and the questions raised in detail here. The recipients of the document are expected to respond by no later than February 7, 2018.
25 Comments - Add comment