Fed response to ‘Meltdown’ and ‘Spectre’ computer chip problems earns rare praise

The federal response to the recently revealed “Meltdown” and “Spectre” computer chip vulnerabilities, requiring a massive “patch” to public and private systems, is earning rare high marks from lawmakers and industry sources.

Federal officials are unlikely to mandate private-sector actions related to the vulnerabilities discovered in chips made by Intel, Advanced Micro Devices, and ARM Holdings, but rather are playing an information-sharing and supportive role, according to government and private-sector sources who said this is the appropriate response.

The vulnerabilities render the chips — and the systems they operate — susceptible to hacking, but so far there have been no reports that these security flaws have been exploited.

“Not every vulnerability requires a government solution or intervention,” said one source from the tech industry. “In these circumstances, the proper government response should be to help spread accurate information about the nature of the vulnerability and its mitigations.”

Within the government’s own systems, the Department of Homeland Security and the Office of Management and Budget are expected to play key roles in the implementation of patches. Some sources suggest that DHS could issue a binding operational directive, or BOD, to require specific actions at other departments and agencies.

Such a move has yet to be publicly announced, but DHS in recent months has begun using the BOD tool to drive cyber improvements across the federal government.

“OMB and DHS are doing quite well,” said Senate Homeland Security and Governmental Affairs Chairman Ron Johnson, R-Wis. “The information [on the vulnerabilities] was disseminated before the hackers could exploit it. DHS has the authority and acted appropriately.”

“DHS is increasing its value to the dot gov space,” said Rep. Will Hurd, R-Texas, an influential member of both the House Homeland Security and Oversight and Government Reform committees. “The various agencies recognize the importance of patching, but the proof will be in implementation. CIOs across the government need to be addressing this.”

According to sources, Intel and other companies have been working with DHS’s National Cybersecurity and Communications Integration Center to identify and share information about the vulnerabilities.

“Information sharing is a key part of DHS’s important mission to enhance the awareness of new vulnerabilities and malicious cyber activities,” a DHS spokesman said. “DHS actively collaborates with public and private sector partners every day to share actionable information gleaned from research, network defense, cyber crime investigations, and incident reports.”

According to published reports, Intel was about a week away from releasing a patch when the vulnerability was publicly disclosed.

The tech industry source noted: “The goal is to announce the vulnerability after a fix is available. Announcing a vulnerability before a fix is available only alerts the bad guys to the vulnerability and puts customers at greater risk. Based on the statements from some of the vendors, it appears this coordination had been ongoing for quite some time. As a result of this, companies were prepared with fixes, even though it appears information about the vulnerability leaked out before the agreed-to disclosure date.”

Ari Schwartz, a top cybersecurity official in the Obama White House, said “Intel did a good job of keeping it under wraps” until just before it had the patch ready to go.

In response to the discovery of the vulnerability, Michael Daniel, White House cybersecurity coordinator under President Barack Obama, said the federal government should be providing “baseline, nonhyperbolic descriptions of the vulnerability and how the bad guys can exploit it. The government should be giving companies the information they need to make risk decisions. For the private sector, it’s a risk decision.”

But he doesn’t see the need for government mandates aimed at the private sector, “given what we know now. But if the government learns a particular actor is using this vulnerability to target, say, the electric grid, the government would have a greater role,” he said.
