House E&C Committee leaders question tech companies’ response to Meltdown, Spectre vulnerabilities

Leaders of the House Energy and Commerce Committee asked tech companies on Wednesday to explain their response to vulnerabilities known as Meltdown and Spectre that left devices using the companies’ processors susceptible to data theft.

The CEOs of Apple, Microsoft, Amazon, Google, Intel, AMD, and ARM began collaborating in June after Google researchers uncovered the vulnerabilities. The companies released a series of updates to address the vulnerabilities and went public with the threat on Jan. 4.

U.S. Rep. Greg Walden (R-OR), the chairman of the committee, and subcommittee leaders questioned the companies’ decision to “restrict the dissemination and information related to the vulnerabilities” for nearly six months.

“While we acknowledge that critical vulnerabilities such as these create challenging trade-offs between disclosure and secrecy, as premature disclosure may give malicious actors time to exploit the vulnerabilities before mitigations are developed and deployed, we believe that this situation has shown the need for additional scrutiny regarding multi-party coordinated vulnerability disclosures,” the letter stated.

The lawmakers applauded the industry’s response to the vulnerabilities, noting that “the general consensus seems to agree that these initial efforts have mitigated the worst of the danger.”

However, information about Meltdown and Spectre began to leak before the Jan. 4 public announcement, and several companies have reported that patches aimed at addressing the vulnerabilities have created new issues like freezing computers and impacting antivirus products.

“As demonstrated by numerous incidents over the past several years, cybersecurity is a collective responsibility,” the letter stated. “Further, it is a responsibility that is no longer limited solely to the information technology sector; connected products exist in electric grids, hospitals, manufacturing equipment and in innumerable other sectors.”

The response to Meltdown and Spectre demonstrates that no one company or sector working in isolation can protect its products and users from cyber threats, the letter said.

Aaron Martin
