By Robert McMillan in San Francisco and Liza Lin in Shanghai
In initial disclosures about critical security flaws discovered
in its processors, Intel Corp. notified a small group of customers,
including Chinese technology companies, but left out the U.S.
government, according to people familiar with the matter and some
of the companies involved.
The decision raises concerns, security researchers said, as it
potentially could have allowed information about the chip flaws,
dubbed Spectre and Meltdown, to fall into the hands of the Chinese
government before being publicly divulged. There is no evidence any
information was misused, the researchers said.
Weeks after word of the flaws first surfaced, Intel's choices
about who would receive advance warning continue to ripple through
the security and tech industries.
The flaws were first identified in June by a member of Google's
Project Zero security team. Intel had planned to make the discovery
public on Jan. 9 -- people working to protect systems from hacks
often hold off on announcements while fixes are devised -- but sped
up its timetable when the news became widely known on Jan. 3, a day
after U.K. website the Register wrote about the flaws.
Because the flaws can be leveraged to sneak sensitive data out
of the cloud, information about them would be of great interest to
any intelligence-gathering agency, said Jake Williams, president of
the security company Rendition Infosec LLC and a former National
Security Agency employee. In the past, Chinese state-linked hackers
have exploited software vulnerabilities to get leverage on their
targets or expand surveillance.
It is a "near certainty" Beijing was aware of the conversations
between Intel and its Chinese tech partners, because authorities
there routinely monitor all such communications, Mr. Williams
said.
Representatives from China's ministry in charge of information
technology didn't respond to requests for comment. The country's
foreign ministry has in the past said it is "resolutely opposed" to
cyberhacking in any form.
An Intel spokesman declined to identify the companies it briefed
before the scheduled Jan. 9 announcement. The company wasn't able
to tell everyone it had planned to, including the U.S. government,
because the news was made public earlier than expected, he
said.
Intel's tricky path -- inform enough big customers to head off
significant damage while keeping the information as contained as
possible to limit potential leaks -- continues to weigh on smaller
companies that weren't given an early nod.
Joyent Inc., a U.S.-based cloud-services provider owned by
Samsung Electronics Co., is still playing catch-up, said Bryan
Cantrill, the company's chief technology officer.
"Other folks had a six-month head start," he said. "We're
scrambling."
In the months before the flaws were publicly disclosed, Intel
worked on fixes with Alphabet Inc.'s Google unit as well as "key"
computer makers and cloud-computing companies, Intel said in an
emailed statement to The Wall Street Journal.
An official at the Department of Homeland Security said staffers
learned of the chip flaws from the Jan. 3 news reports. The
department is often informed of bug discoveries in advance of the
public, and it acts as an authoritative source for information on
how to address them.
"We certainly would have liked to have been notified of this,"
the official said.
The NSA was similarly in the dark, according to Rob Joyce, the
White House's top cybersecurity official. In a message posted Jan.
13 to Twitter, he said the NSA "did not know about these flaws." A
White House spokesman declined to comment further, referring
instead to the tweet.
Chinese computer maker Lenovo Group Ltd. was among the large
tech companies, including Microsoft Corp., Amazon.com Inc. and ARM
Holdings in the U.K., that were notified of the flaws
beforehand.
Lenovo was able to issue a statement Jan. 3 advising customers
on the flaws because of "the work we'd done ahead of that date with
industry processor and operating system partners," a spokeswoman
said in an email.
Alibaba Group Holding Ltd., China's top seller of
cloud-computing services, also was notified ahead of time,
according to a person familiar with the company.
A spokeswoman for Alibaba's cloud unit declined to comment on
when the company was informed. She said any idea that the company
might have shared information with Chinese authorities was
"speculative and baseless."
A Lenovo spokeswoman said Intel's information was protected by a
nondisclosure agreement.
Despite the security concerns, an early heads up to a select
number of large global companies made sense, said Dave Aitel, chief
executive of Immunity Inc., a company that sells security services.
"They're going to tell as few people as possible" to contain
possible leaks, he said.
Because they had early warning, Microsoft, Google and Amazon
were able to release statements soon after news of the flaws
leaked out saying their cloud-computing customers were largely
protected.
Smaller competitors, though, continue to struggle. DigitalOcean
Inc., a cloud-services seller, said Jan. 19 it was still testing a
fix for its customers. Rackspace Inc. said last Wednesday it has
several teams working on a fix. The cloud company earlier in
January told customers it understood the situation "can be
frustrating."
The DHS also stumbled with its initial guidance. The agency's
Computer Emergency Response Team first linked to an advisory
stating the only way to "fully remove" the flaws was by replacing
the chip. CERT now advises users instead to patch their
systems.
The DHS should have been looped in early on to help coordinate
the flaws' disclosure, Joyent's Mr. Cantrill said. "I don't
understand why CERT would not be your first stop," he said.
Write to Robert McMillan at Robert.Mcmillan@wsj.com and Liza Lin
at Liza.Lin@wsj.com
(END) Dow Jones Newswires
January 28, 2018 07:14 ET (12:14 GMT)
Copyright (c) 2018 Dow Jones & Company, Inc.