Intel has confirmed that they did not alert security officials about the “Meltdown” and “Spectre” CPU bugs until the security vulnerabilities were made public.
Reuters reports that Intel has informed Rep. Greg Walden, an Oregon Republican and chairman of the House Energy and Commerce Committee, that they did not inform U.S. security officials about the “Meltdown” and “Spectre” CPU bugs until they were known to the public, nearly six months after Alphabet informed Intel about the bugs. On Thursday, Walden published a letter he received from the CPU manufacturer which reveals that they did not inform the United States Computer Emergency Readiness Team (US-CERT) about the Meltdown and Spectre CPU bugs until January 3.
Intel stated that it was common practice for companies to keep security flaws private until they had a chance to collaborate on a fix for the issue with other tech firms. Alphabet claims that they informed CPU manufacturers Intel, Advanced Micro Devices, and ARM Holdings of the security flaws in June and gave them 90 days to fix the issue before disclosing them publicly. Alphabet stated that they left it up to Intel to inform government organizations of the security flaw. In the letter, Greg Pearson, Intel’s vice president in charge of the company’s public affairs, argued that there was “no indication that any of these vulnerabilities had been exploited by malicious actors,” so Intel did not need to inform US-CERT about the bug.
Intel also stated that they did not examine how the CPU bugs could affect government infrastructure, as the company did not think they could affect industrial control systems. Intel did, however, inform multiple other tech companies that used their CPUs. Greg Walden said in a statement, “While the tech companies proved able to effectively contain the Spectre and Meltdown cybersecurity vulnerabilities, this incident brought to light the critical conversation about when to disclose a vulnerability and to whom.” He continued, “The claim that information about the flaws may have fallen into the Chinese government’s hands, before the U.S. was aware, is obviously disturbing.”
Walden promised that his investigation into the issue wasn’t over, saying, “Cybersecurity is a collective responsibility.” He continued, “My committee will continue to investigate this issue and the trade-offs between disclosure and secrecy in cybersecurity incidents.”