House panel probes Meltdown, Spectre embargo


Some State Dept. employees and contractors are experiencing fatal crashes -- and the dreaded blue screen of death -- from updates to remediate Spectre and Meltdown flaws. (Image credit: JaysonPhotography)

Leaders of the House Committee on Energy and Commerce want to know how the companies that discovered and coordinated on research related to the Meltdown and Spectre vulnerability disclosures handled the information embargo that left everyone else in the dark.

In a letter signed by committee Chairman Greg Walden (R-Ore.), Oversight Subcommittee Chairman Gregg Harper (R-Miss.), Digital Commerce and Consumer Protection Subcommittee Chairman Robert Latta (R-Ohio) and Communications and Technology Subcommittee Chairman Marsha Blackburn (R-Tenn.), lawmakers ask how news of the chip processor vulnerabilities came to light a week before the embargo was set to end on Jan. 9, 2018.

The committee wants to know how these tech companies set up their embargo and why other affected sectors, like health care organizations, manufacturers and energy companies, were not included.

The letters were sent to the leaders of Apple, Amazon, Advanced Micro Devices, ARM Holdings, Google, Intel, and Microsoft. The committee wants to know why the information on the flaws was embargoed, how the embargo was established and by whom, when the Department of Homeland Security was notified and what companies did to assess potential fallout of the embargo on critical infrastructure and IT firms.

One unanswered question that was eventually addressed by a top White House cyber official is whether the federal government was aware of or exploiting these chip flaws. The National Security Agency will sometimes keep knowledge of computer and software flaws secret in order to use them for espionage or national security activities. A body known as the Vulnerabilities Equities Process -- essentially a committee of executive branch stakeholders -- is responsible for determining whether to disclose a flaw to the greater public or hold onto it for exploitation.

The White House recently rolled out a more transparent version of the VEP and Rob Joyce, White House cyber coordinator, took to Twitter shortly after the disclosure to deny that this was the case with Meltdown and Spectre.

"No nuance to my answer. No lawyerly caveats. NSA did not know about these flaws, nor did they exploit them," said Joyce.

Federal agencies have also struggled to game out a smooth response to the vulnerabilities, and it is possible more oversight could be in the offing on that front. Early reports indicate that initial efforts to patch machines at some agencies have backfired -- as has occurred in the private sector.

A Jan. 9 email sent out to State Department employees and contractors noted that a patch caused a "blue screening" stop error -- the dreaded Blue Screen of Death -- on "a subset of patched workstations that have older processors." The email also notes "the affected workstations are distributed across the enterprise network."

A State Department spokesperson confirmed in an email that "a recent Microsoft patch negatively affected a very small number of machines" at the agency and that the machines have since been replaced.

"The U.S. Department of State is following internal incident management processes to address impacted machines," said the spokesperson. "The Department continues to follow DHS guidance and timelines associated with the Meltdown and Spectre vulnerabilities."

About the Author

Derek B. Johnson is a staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.

Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.

Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at, or follow him on Twitter @derekdoestech.
