Intel Alerted Chinese Firms To Spectre-Meltdown Before The US Government But Did It Even Matter?
Intel is in hot water after a report from The Wall Street Journal surfaced yesterday that claims that Intel announced to a handful of customers, including several Chinese companies, that its chips were susceptible to Meltdown and Spectre security flaws. Those two flaws affected chip technologies from Intel, AMD, and ARM. Security experts have taken issue with what Intel did because the early warning to the Chinese firms could have allowed the companies to alert Beijing officials on the flaws, giving China operatives extra lead time to exploit the vulnerabilities in the chips.
Jake Williams, head of Rendition Infosec and a former NSA employee said that it was a "near certainty" that the Chinese government knew about the security vulnerabilities in the Intel chips from Intel's correspondence with the Chinese firms. Williams says that the Chinese government keeps tabs on communications of that sort.
According to the WSJ, Alibaba Group, a top cloud-computing service provider in China, was among the firms that Intel notified ahead of making notifications to the U.S. Government. An Alibaba spokesperson has stated that suggestions that it shared the information with the Chinese government were "speculative and baseless."
Another major Chinese company that was notified of the security issues early by Intel was the Lenovo Group. Lenovo's spokeswomen told the WSJ that it had signed a nondisclosure agreement and that Intel's information was protected under that agreement. While Intel is certainly going to be questioned over early notification of Chinese firms, security experts had stated that there is no evidence that any shared information was misused.
Intel maintains that it followed best practices and responsibly coordinated the disclosure of the Meltdown and Spectre flaws. An Intel spokesman told The Hill, "Standard and well-established practice on initial disclosure is to work with industry participants to develop solutions and deploy fixes ahead of publication. In this case, news of the exploit was reported ahead of the industry coalition’s intended public disclosure date at which point Intel immediately engaged the US government and others."
The Department of Homeland Security likely feels much different than Intel about the way disclosures were handled. A DHS official has stated that the department learned about the chip flaws the day the news broke leaving them blindsided and unable to provide guidance on how to handle the vulnerabilities. The NSA has also stated that it didn't know about the flaws.
We don't know if the officials are just trying to act surprised to keep up appearances, or if the government truly did not know about the vulnerabilities. Given what we know about the U.S. government's secret skunkworks that are in existence for no other reason than to find exploits like these -- remember Vault 7 -- it is highly likely that it already knew about Spectre and Meltdown.
Tech firms such as Microsoft, Google, and Amazon were among others that received advanced warning of the vulnerabilities.