Intel didn’t warn US-CERT of Meltdown and Spectre until hacks were public

Letters to lawmakers say Intel took six months to tell the US government about the exploits

Some of the world's biggest tech firms have written to lawmakers to complain that Intel didn't warn US cyber security officials about the Meltdown and Spectre chip security bugs until they went public.

In the letters, the companies, which include tech giants Alphabet, Apple and ARM, said Intel didn't make the issue known to the United States Computer Emergency Readiness Team (US-CERT), until they leaked to the masses at the turn of the year.

The letters, sent on Thursday in response to questions from Republican senator Greg Walden, who chairs the House Energy and Commerce Committee, claimed Intel took a full six months to notify the government's digital security body after Google's security researchers notified it in June.

That notification started the 90-day notice period for the chip giant to fix the issues before telling the world. But, Intel didn't inform US-CERT until 3 January, quite some time after the Meltdown and Spectre bugs had begun to spread. This has led to current and former US government officials raising concerns because the flaws potentially held national security implications.

Advertisement - Article continues below
Advertisement - Article continues below

However, Intel has said that it didn't believe the flaws needed to be shared with US authorities as hackers had not exploited the vulnerabilities.

"Intel and other industry participants were following the guidelines supported by US-CERT's Coordinated Vulnerability Disclosure (CVD)," an Intel spokeswoman said in an emailed statement.

In Intel's letter, the firm stated: "The collaboration between Intel and others in the technology industry regarding the disclosure and mitigation of these vulnerabilities was done in accordance with widely accepted principles commonly referred to as responsible disclosure'."

Intel said this "responsible disclosure" is based on two foundational concepts: First, it said it's about when companies become aware of security vulnerabilities, they work as quickly, collaboratively, and effectively as possible to mitigate those vulnerabilities.

Secondly, it said it's about companies taking steps to minimise the risk that exploitable information becomes available before mitigations are released through leaks or otherwise to those who would use it for malicious purposes.

"While one can debate the details of how best to execute responsible disclosure in specific incidents, Intel agrees with the prevailing industry view that in general responsible disclosure is the best practice because it maximises information security while minimising risk to end-user,", the chipmaker explained.

Advertisement - Article continues below

"Security vulnerabilities vary in their complexity and seriousness, and under responsible disclosure, Intel and other technology companies have identified and fixed many security vulnerabilities over the years."

Featured Resources

What you need to know about migrating to SAP S/4HANA

Factors to assess how and when to begin migration

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

Testing for compliance just became easier

How you can use technology to ensure compliance in your organisation

Download now

Best practices for implementing security awareness training

How to develop a security awareness programme that will actually change behaviour

Download now

Most Popular

Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
data governance

Brexit security talks under threat after UK accused of illegally copying Schengen data

10 Jan 2020

Dell XPS 13 (New 9300) hands-on review: Chasing perfection

14 Jan 2020