Intel says it did not inform industry organisations and the US federal government of crucial flaws in its processors because it was following established industry reporting standards designed to protect users until a fix is developed.
In a letter responding to a query from the US House Committee on Energy and Commerce, Intel said it abided by standard industry practices in how and when it disclosed the Spectre/Meltdown vulnerabilities in its processors. The letter was sent in response to a committee inquiry sent on 24 January asking Intel, along with Apple, Amazon, AMD, ARM, Google and Microsoft, to explain their actions that led to the public disclosure of the flaws taking place six months after Intel was informed of the problems by Google's Project Zero.
Intel said it was informed by Google of the flaws in June 2017 and, following the industry standard, had 90 days to develop appropriate mitigations before Project Zero would make the flaws known publicly. The remaining companies all made it clear in their responses that they were merely down-chain users of Intel technology and therefore not directly responsible for initiating any mitigations, nor did they have the ability to analyse the problems first hand.
This explanation did not fly with Mike Kail, CTO of CYBRIC.
"In my opinion, Intel did literally everything wrong. They didn't disclose the issues to the US Government because they didn't believe hackers had exploited the flaws, but since they didn't bother to perform even basic validation of the flaws, it is doubtful that they had any real data around that belief. On a minor level, this was careless, and it seems to point to a larger issue where proper checks and balances aren't in place," he said to SC Media.
The letters note that Project Zero also informed ARM and AMD of the issues in June and in turn these companies informed Amazon, Microsoft and Apple.
Intel said in its letter that it intended to inform US CERT and Computer Emergency Readiness Team Coordination Center on 9 January, 2018, but the news was leaked on 3 January.
“According to one report, on 3 January, 2018, just one week after an AMD engineer made a brief comment to a public discussion group about the capabilities of the company's processors relating to “speculative references,” a proof of concept emerged showing how to exploit the Meltdown and Spectre hardware vulnerabilities, which rely on techniques known as speculative execution,” Microsoft wrote.
Intel's explanation for why it did not inform US CERT or any US federal agency prior to its planned disclosure was that there was no indication the vulnerabilities were being exploited in the wild.
“It was, therefore, consistent with widely accepted principles of responsible disclosure to engage in limited disclosure of detailed information about these vulnerabilities to certain information technology companies to enable them to help develop and implement mitigations,” Intel wrote.
In its letter, AMD noted that while US federal civilian agencies are required to report security incidents to US CERT, private companies aren't similarly required.
“Current guidance from the US Department of Homeland Security (“DHS”) provides for voluntary reporting of cyber-security incidents and malicious software to US-CERT. Conversely, DHS guidance provides for voluntary reporting of vulnerabilities, such as those at issue here, to Carnegie Mellon University's CERT/CC,” AMD wrote.