A Wednesday Congressional hearing on the Meltdown and Spectre chip vulnerabilities[1] had all the technobabble and painful misunderstanding you might expect. But the Committee on Commerce, Science and Transportation also raised an important practical concern: No one informed the US government about the flaws until they were publicly disclosed[2] at the beginning of January. As a result, the government couldn't assess the national security implications of Meltdown and Spectre, or start defending federal systems during the months that researchers and private companies secretly grappled with the crisis.

“It's really troubling and concerning that many if not all computers used by the government contain a processor vulnerability that could allow hostile nations to steal key datasets and information,” New Hampshire senator Maggie Hassan said during the hearing. “It's even more troubling that these processor companies knew about these vulnerabilities for six months before notifying [the Department of Homeland Security].”

Attackers can exploit the Spectre and Meltdown chip bugs, which foreshadowed an entire new class of vulnerabilities, to steal many different types of data from a system. While the flaws have existed in the world’s most ubiquitous processing chips for 20 years, a series of academic researchers discovered them throughout the second half of 2017. Once informed of the issue, Intel and other chipmakers began a massive, clandestine effort to notify as many supply chain customers and operating system makers as possible, so that they could start creating patches.

'It's highly likely that the Chinese government knew about the vulnerabilities.'

Senator Bill Nelson

While Intel notified a group of international private tech firms—including some in China—during this process, DHS and the US government in general didn’t learn of the situation until it was publicly disclosed at the beginning of January. Numerous senators at Wednesday’s hearing
