House panel probes Meltdown, Spectre embargo

Some State Dept. employees and contractors are experiencing fatal crashes -- and the dreaded blue screen of death -- from updates to remediate Spectre and Meltdown flaws. (Image credit: JaysonPhotography/

Leaders of the House Committee on Energy and Commerce want to know how the companies who discovered and coordinated on research related to the Meltdown and Spectre vulnerability disclosures handled the information embargo that left everyone else in the dark.

In a letter signed by committee Chairman Greg Walden (R-Ore.), Oversight Subcommittee Chairman Gregg Harper (R-Miss.), Digital Commerce and Consumer Protection Subcommittee Chairman Robert Latta (R-Ohio) and Communications and Technology Subcommittee Chairman Marsha Blackburn (R-Tenn.), lawmakers ask how news of the chip processor vulnerabilities came to light a week before the embargo was set to end on Jan. 9, 2018.

The committee wants to know how these tech companies set up their embargo and why other affected sectors, like health care organizations, manufacturers and energy companies, were not included.

The letters were sent to the leaders of Apple, Amazon, Advanced Micro Devices, ARM Holdings, Google, Intel, and Microsoft. The committee wants to know why the information on the flaws was embargoed, how the embargo was established and by whom, when the Department of Homeland Security was notified and what companies did to assess potential fallout of the embargo on critical infrastructure and IT firms.

One unanswered question that was eventually addressed by a top White House cyber official is whether the federal government was aware of or exploiting these chip flaws. The National Security Agency will sometimes keep knowledge of computer and software flaws secret in order to use them for espionage or national security activities. A body known as the Vulnerabilities Equities Process -- essentially a committee of executive branch stakeholders -- is responsible for determining whether to disclose a flaw to the greater public or hold onto it for exploitation.

The White House recently rolled out a more transparent version of the VEP and Rob Joyce, White House cyber coordinator, took to Twitter shortly after the disclosure to deny that this was the case with Meltdown and Spectre.

"No nuance to my answer. No lawyerly caveats. NSA did not know about these flaws, nor did they exploit them," said Joyce.

Federal agencies have also struggled to game out a smooth response to the vulnerabilities, and it is possible more oversight could be in the offing on that front. Early reports indicate that initial efforts to patch machines at some agencies have backfired – as has occurred in the private sector.

A Jan. 9 email sent out to State Department employees and contractors noted that a patch caused a "blue screening" stop error -- the dreaded Blue Screen of Death -- on "a subset of patched workstations that have older processors." The email also notes "the affected workstations are distributed across the enterprise network."

A State Department spokesperson confirmed in an email that "a recent Microsoft patch negatively affected a very small number of machines" at the agency and that the machines have since been replaced.

"The U.S. Department of State is following internal incident management processes to address impacted machines," said the spokesperson. "The Department continues to follow DHS guidance and timelines associated with the Meltdown and Spectre vulnerabilities."

About the Author

Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.

Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.

Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at, or follow him on Twitter @derekdoestech.
