House panel probes Meltdown, Spectre embargo
- By Derek B. Johnson
- Jan 24, 2018
Some State Dept. employees and contractors are experiencing fatal crashes -- and the dreaded blue screen of death -- from updates to remediate Spectre and Meltdown flaws. (Image credit: JaysonPhotography/Shutterstock.com)
Leaders of the House Committee on Energy and Commerce want to know how the companies who discovered and coordinated on research related to the Meltdown and Spectre vulnerability disclosures handled the information embargo that left everyone else in the dark.
In a letter signed by committee Chairman Greg Walden (R-Ore.), Oversight Subcommittee Chairman Gregg Harper (R-Miss.), Digital Commerce and Consumer Protection Subcommittee Chairman Robert Latta (R-Ohio) and Communications and Technology Subcommittee Chairman Marsha Blackburn (R-Tenn.), lawmakers ask how news of the chip processor vulnerabilities came to light a week before the embargo was set to end on Jan. 9, 2018.
The committee wants to know how these tech companies set up their embargo and why other affected sectors, like health care organizations, manufacturers and energy companies were not included.
The letters were sent to the leaders of Apple, Amazon, Advanced Micro Devices, ARM Holdings, Google, Intel, and Microsoft. They committee wants to know why the information on the flaws was embargoed, how the embargo was established and by whom, when the Department of Homeland Security was notified and what companies did to assess potential fallout of the embargo on critical infrastructure and IT firms.
One unanswered question that was eventually addressed by a top White House cyber official is whether the federal government was aware of or exploiting these chip flaws. The National Security Agency will sometimes keep knowledge of computer and software flaws secret in order to use them for espionage or national security activities. A body known as the Vulnerabilities Equities Process -- essentially a committee of executive branch stakeholders – is responsible for determining whether to disclose a flaw to the greater public or hold onto it for exploitation.
The White House recently rolled out a more transparent version of the VEP and Rob Joyce, White House cyber coordinator, took to Twitter shortly after the disclosure to deny that this was the case with Meltdown and Spectre.
"No nuance to my answer. No lawyerly caveats. NSA did not know about these flaws, nor did they exploit them," said Joyce.
Federal agencies have also struggled to game out a smooth response to the vulnerabilities, and it is possible more oversight could be in the offing on that front. Early reports indicate that initial efforts to patch machines at some agencies have backfired – as has occurred in the private sector.
A Jan. 9 email sent out to State Department employees and contractors noted that a patch caused a "blue screening" stop error – the dreaded Blue Screen of Death -- on "a subset of patched workstations that have older processors." The email also notes "the affected workstations are distributed across the enterprise network.
A State Department spokesperson confirmed in an email that "a recent Microsoft patch negatively affected a very small number of machines" at the agency and that the machines have since been replaced.
"The U.S. Department of State is following internal incident management processes to address impacted machines," said the spokesperson. "The Department continues to follow DHS guidance and timelines associated with the Meltdown and Spectre vulnerabilities."
Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.
Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.
Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at firstname.lastname@example.org, or follow him on Twitter @derekdoestech.
Click here for previous articles by Johnson.