Intel Didn’t Inform U.S. Government About Spectre and Meltdown Until After Flaws Were Public

To start 2018, Intel (and other CPU manufacturers) were faced with a sweeping critical issue in the form of Spectre and Meltdown hardware vulnerabilities.

Apple, for its part, was on top of issuing software updates that fixed as much as they could from a software point of view, and Intel was boasting about its own efforts earlier this year as well. But the impact was surely felt, especially by the companies and the public’s trust.

That last bit won’t be helped now, in light of a new report from Reuters. According to the publication, Intel did not inform the United States Computer Emergency Readiness Team (US-CERT) about Meltdown or Spectre until January 3. Keeping track of the timeline reveals that the confirmation on Intel’s part wasn’t provided until after the hardware vulnerabilities were public knowledge.

As far as when Intel was aware of the situation? That dates back to June of 2017, which was revealed in documentation. Alphabet says it disclosed the vulnerabilities to “chipmakers Intel, Advanced Micro Devices Inc and SoftBank Group Corp-owned ARM Holdings” dating back to June of last year.

From that point, of that initial disclosure to the chip manufacturers, Alphabet (and other companies) had to give 90 days for a patch to be created. After that 90 days, though, the vulnerabilities could be made public. Meanwhile, Intel and the other companies had the ball in their court regarding letting the necessary U.S. government officials know about the vulnerabilities.

Which they did not appear to do in a timely manner.

Now, Intel has a defense for its decision, stating that there was “no indication that any of these vulnerabilities had been exploited by malicious actors”. Which apparently meant they didn’t need to inform US-CERT or any other officials, for that matter.

Our Take

This situation with Intel isn’t all that similar to Apple’s slowing down older iPhones situation, at least not on the micro level, but certainly on the macro. When we look at these companies going out of their way to keep information from the public, and even regulatory bodies, one has to wonder if they realize they’re going to get “caught” eventually. That’s the through line here. Even with the best intentions in place, the information is going to get out to the public at some point.

[via Reuters]