The process by which technology companies coordinate and fix vulnerabilities is flawed, according to two lawmakers issuing a warning just months after researchers identified microchip flaws that could impact national security computer systems.
Rep. Greg Walden, R-Ore., and Sen. John Thune, R-S.D., said in a July 17 letter that the recent public disclosure of the Spectre and Meltdown chip vulnerabilities was fraught with missed opportunities and may have harmed U.S. critical infrastructure.
Security researchers announced on January 3 that Intel microchips could be exploited and that a patch was needed. The flaw had been discovered in summer 2017, however, and the process by which companies were alerted to the vulnerability raised concerns, according to the lawmakers’ letter to the Massachusetts-based Computer Emergency Readiness Team, or CERT.
The lawmakers said that it was unclear whether companies “had enough time to test and implement patches prior to public disclosure of the vulnerabilities.” They also raised concerns about whether firms were truly prepared to patch the flaw. For companies in the critical infrastructure sector, the time between when a vulnerability is discovered and when it is fully fixed can be essential to security, the lawmakers warned.
They added that the Chinese government likely received the warning before the American government did, raising questions as to whether a foreign actor could have exploited the vulnerability.
The letter asked CERT whether the vulnerability disclosure process should be updated after the confusion surrounding the Spectre and Meltdown flaws. Only one company informed CERT of the flaws prior to January 2018, according to the letter, and it did so just one month earlier. The lawmakers warned that had the government received earlier notification of the vulnerabilities, “perhaps it could have helped to coordinate the process more effectively.”