Congress wants answers on embargo of Spectre and Meltdown information
Lawmakers on the House Committee on Energy and Commerce have sent letters to various CEOs at top tech companies asking why information about massive computer chip vulnerabilities was held under embargo for months.
The letters focus on the Spectre and Meltdown bugs, deep-rooted flaws in chips produced by leading computer hardware companies that could allow hackers to access and steal sensitive data from machines created as far back as 1995.
Co-authored by panel Chairman Greg Walden, R-Ore., and members Marsha Blackburn, R-Tenn., Bob Latta, R-Ohio, and Gregg Harper, R-Miss., the letters request answers about why the bugs weren’t disclosed when the companies learned about them in June 2017. The committee has jurisdiction over technology issues.
Information about the flaws was supposed to go public in late January, but security researchers tweeted proof-of-concept code before the companies were ready to make announcements. That tweet led to wider public scrutiny, forcing the companies involved to quickly go public with their work.
“As more products and services become connected, no one company, or even one sector, working in isolation can provide sufficient protection for their products and users,” the letter reads. “Today, effective responses require extensive collaboration not only between individual companies, but also across sectors traditionally siloed from one another. This reality raises serious questions about not just the embargo imposed on information regarding the Meltdown and Spectre vulnerabilities, but on embargos regarding cybersecurity vulnerabilities in general.”
The letters were sent to the following CEOs:
- Tim Cook, Apple
- Jeff Bezos, Amazon
- Lisa Su, AMD
- Simon Segars, ARM Holdings
- Sundar Pichai, Google
- Brian Krzanich, Intel
- Satya Nadella, Microsoft
Lawmakers want the executives to provide more information on why an embargo was needed, if the government’s U.S. Computer Emergency Readiness Team was looped in, and if impacts to critical infrastructure, such as health care or energy companies, were considered prior to the embargo.
“As demonstrated by numerous incidents over the past several years, cybersecurity is a collective responsibility. Further, it is a responsibility that is no longer limited solely to the information technology sector; connected products exist in electric grids, hospitals, manufacturing equipment, and in innumerable other sectors,” the letter reads.
The letters are not the only instance of a lawmaker asking the companies for more information on the flaws. Rep. Jerry McNerney, D-Calif., has requested a briefing with the CEOs of AMD, Arm Holdings and Intel to learn what the companies have done to mitigate the problems caused by the bugs.
You can read the letters at http://www.documentcloud.org/documents/4358960-Meltdown-Spectre-Letters.html.