China Likely Knew about Spectre and Meltdown Bugs Before the US

Fixing hardware and software vulnerabilities requires global information sharing—and that includes U.S. cyber adversaries.

Sharing information about newfound hardware and software vulnerabilities is a global project and there’s no good way to coordinate a major digital fix while ensuring the Chinese government is out of the loop, witnesses told the Senate Commerce Committee Wednesday.

During a six-month secret process to repair the Spectre and Meltdown computer chip vulnerabilities in 2017, chipmakers notified numerous Chinese companies about the vulnerabilities and those companies likely passed that information along to Chinese officials and intelligence agencies, witnesses told the committee.

Among the Chinese companies notified was the telecom Huawei, which U.S. intelligence agencies fear could be used as to spy on Americans.

The U.S. government, on the other hand, only learned about the vulnerabilities, which affected nearly every computer chip produced in recent decades, when they were publicly disclosed in early January 2018, Committee Chairman John Thune, R-S.D., said.

The committee’s ranking member Sen. Bill Nelson, D-Fla., called that late notification “just baffling and also inexcusable.”

Computer hardware and software makers should alert the U.S. government earlier in the fixing process for future wide-scale vulnerabilities, industry and academic officials told lawmakers, noting that the Homeland Security Department could have provided helpful guidance in the disclosure process.

Trying to keep that information from cyber adversary governments, who might use the unfixed vulnerability for spying or sabotage, is probably a lost cause, though, said Art Manion, a senior vulnerability analyst at a Carnegie Mellon University center that helps coordinate the work of public and private computer emergency response teams, or CERTs.

“The internet doesn’t stop at national borders, so it’s practically quite difficult to avoid notifying non-U.S. persons and organizations,” Manion said. “The relationships of those persons and organizations to their national governments … is almost a step too far to really have any control over.”

Manion’s organization, the CERT Coordination Center, was also not given advance notice about the Spectre and Meltdown vulnerabilities, he said. If the center had received a heads up, officials there would have suggested informing more hardware vendors about the vulnerabilities before public disclosure, he said.

Going forward, the center might update its guide to coordinated vulnerability disclosure policy to clarify the importance of government involvement, Manion said. As companies and other organizations get more practice with coordinated vulnerability disclosure, however, it may simply become a norm or habit to keep government in the loop.