House panel probes Meltdown, Spectre embargo


Some State Dept. employees and contractors are experiencing fatal crashes -- and the dreaded blue screen of death -- from updates to remediate Spectre and Meltdown flaws. (Image credit: JaysonPhotography)

Leaders of the House Committee on Energy and Commerce want to know how the companies who discovered and coordinated on research related to the Meltdown and Spectre vulnerability disclosures handled the information embargo that left everyone else in the dark.

In a letter signed by committee Chairman Greg Walden (R-Ore.), Oversight Subcommittee Chairman Gregg Harper (R-Miss.), Digital Commerce and Consumer Protection Subcommittee Chairman Robert Latta (R-Ohio) and Communications and Technology Subcommittee Chairman Marsha Blackburn (R-Tenn.), lawmakers ask how news of the chip processor vulnerabilities came to light a week before the embargo was set to end on Jan. 9, 2018.

The committee wants to know how these tech companies set up their embargo and why other affected sectors, like health care organizations, manufacturers and energy companies were not included.

The letters were sent to the leaders of Apple, Amazon, Advanced Micro Devices, ARM Holdings, Google, Intel, and Microsoft. The committee wants to know why the information on the flaws was embargoed, how the embargo was established and by whom, when the Department of Homeland Security was notified and what companies did to assess potential fallout of the embargo on critical infrastructure and IT firms.

One unanswered question that was eventually addressed by a top White House cyber official is whether the federal government was aware of or exploiting these chip flaws. The National Security Agency will sometimes keep knowledge of computer and software flaws secret in order to use them for espionage or national security activities. A body known as the Vulnerabilities Equities Process -- essentially a committee of executive branch stakeholders -- is responsible for determining whether to disclose a flaw to the greater public or hold onto it for exploitation.

The White House recently rolled out a more transparent version of the VEP and Rob Joyce, White House cyber coordinator, took to Twitter shortly after the disclosure to deny that this was the case with Meltdown and Spectre.

"No nuance to my answer. No lawyerly caveats. NSA did not know about these flaws, nor did they exploit them," said Joyce.

Federal agencies have also struggled to game out a smooth response to the vulnerabilities, and it is possible more oversight could be in the offing on that front. Early reports indicate that initial efforts to patch machines at some agencies have backfired -- as has occurred in the private sector.

A Jan. 9 email sent out to State Department employees and contractors noted that a patch caused a "blue screening" stop error -- the dreaded Blue Screen of Death -- on "a subset of patched workstations that have older processors." The email also notes "the affected workstations are distributed across the enterprise network."

A State Department spokesperson confirmed in an email that "a recent Microsoft patch negatively affected a very small number of machines" at the agency and that the machines have since been replaced.

"The U.S. Department of State is following internal incident management processes to address impacted machines," said the spokesperson. "The Department continues to follow DHS guidance and timelines associated with the Meltdown and Spectre vulnerabilities."

About the Author

Derek B. Johnson is a staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.

Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.

Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at, or follow him on Twitter @derekdoestech.
