Intel is not having that great of year thus far in the face of a slew of information about security flaws in it hardware coming out — and you can add another new report from The Wall Street Journal today, which suggests that Intel didn’t immediately notify the U.S. government of the issues, to that list.
The Journal is reporting that Intel notified some of its customers of the security flaws in its processors, dubbed Spectre and Meltdown, but left out the U.S. government as part of that. Some of the companies Intel notified included Chinese technology companies, though the report suggests there is no evidence that any information was misused. An Intel spokesperson told The Journal that the company wasn’t able to tell everyone it planned because the news was made public earlier than expected.
The latter part of that is probably going to sting a little harder because it would seem that Intel was going to give the U.S. government little lead time ahead of disclosure of the flaw, as security editor Zach Whittaker points out on Twitter:
“The Google Project Zero team and impacted vendors, including Intel, followed best practices of responsible and coordinated disclosure,” an Intel spokesperson said. “Standard and well-established practice on initial disclosure is to work with industry participants to develop solutions and deploy fixes ahead of publication. In this case, news of the exploit was reported ahead of the industry coalition’s intended public disclosure date at which point Intel immediately engaged the US government and others.”
Intel has had to scramble to respond to the news, which came out nearly a week earlier than expected. Companies can notify some major customers and parties of flaws before they’re publicly disclosed so fixes and patches can come out and contain as much of the fallout as possible. The Meltdown and Specter flaws were particularly hazardous because they theoretically can affect pretty much everyone and the end result is a massive cleanup effort to make sure everything gets patched.
But because of the scale of the issue, and Intel’s very precarious position of having to ensure as limited impact to its customers as possible, it’s a very tricky situation to figure out who to inform and when in order to ensure everything gets resolved without the information becoming widespread and a source of additional risk for those customers. Intel reported its fourth-quarter earnings last week, after which the stock jumped nearly 10% despite the news about Meltdown and Spectre continuing to trickle in.
“While we’ve made progress, I am acutely aware that we have more to do,” Intel CEO Brian Krzanich said on the call to discuss its fourth quarter results. “We’ve committed to being transparent, keeping our customers and owners appraised of our progress and, through our actions, building trust. Security is a top priority for Intel, foundational to our products, and it’s critical to the success of our data-centric strategy. Our near-term focus is on delivering high-quality mitigations to protect our customers’ infrastructure on these exploits. We’re working to incorporate silicon-based changes to future products that will directly address the Spectre and Meltdown threats in hardware, and those products will begin appearing later this year. However, these circumstances are highly dynamic, and we updated our risk factors to reflect both the evolving nature of these specific threats and mitigations as well as the security challenges more broadly.”