Company officials say they waited to report the Spectre and Meltdown chip flaws to U.S. national security agencies until they were able to better contain the threat.
(TNS) — Intel has confirmed to Oregon Rep. Greg Walden that the company withheld information about security weaknesses in its computer chips from U.S. national security officials until after news of the vulnerabilities leaked out online.
Intel said there was "no indication that any of these vulnerabilities had been exploited by malicious actors," wrote Greg Pearson, an Intel vice president in charge of the company's public affairs.
Standard practice, he wrote, is to keep security flaws secret until companies, working collaboratively, have had a chance to develop fixes. That prevents hackers from taking advantage.
Intel and Microsoft, which wrote its own letter to Walden, said the government's own protocols call for a collaborative response by the companies affected. Those procedures don't necessarily include a coordinated response with U.S. security agencies.
The flaws, known as "Meltdown" and "Spectre," could allow hackers access to passwords or other private material stored in computer memory. The flaws affect a wide variety of chips, not just Intel's. But the company is at the center of the tumult because Intel chips run the vast majority of PCs and laptops, and nearly all data centers.
"While the tech companies proved able to effectively contain the Spectre and Meltdown cybersecurity vulnerabilities, this incident brought to light the critical conversation about when to disclose a vulnerability and to whom," Walden said in a written statement Thursday. "The claim that information about the flaws may have fallen into the Chinese government's hands, before the U.S. was aware, is obviously disturbing."
Intel declined additional comment Thursday. Its letter says that Google researchers discovered the issues and notified Intel of them last June, and that several companies went to work collaboratively on finding a fix.
They had planned to disclose the issue on January 9, according to Intel, but online tech journal The Register broke news of the problem a week earlier.
Intel initially called the reports "wildly inaccurate," but subsequently confirmed they were substantially correct. The company's letter said it then notified the U.S. Computer Emergency Readiness Team, US-CERT, and began deploying fixes for existing microprocessors.
Those repairs have themselves been problematic, sometimes slowing computer speeds and in some cases prompting computers to spontaneously reboot.
Still, there have been no public reports of hackers exploiting the underlying security flaws. And Intel has rolled out additional fixes, including some this week, that it says address the security problems.
"Cybersecurity is a collective responsibility," Walden said. "My committee will continue to investigate this issue and the trade-offs between disclosure and secrecy in cybersecurity incidents."
©2018 The Oregonian (Portland, Ore.) Distributed by Tribune Content Agency, LLC.