Congress is starting to ask hard questions about the fallout from the Meltdown and Spectre vulnerabilities. Today, Rep. Jerry McNerney (D-CA) sent a letter requesting a briefing from Intel, AMD, and ARM about the vulnerabilities’ impact on consumers. Embedded below, the letter indicates a newfound interest from Congress in the industry’s response to the bugs, and a potentially ominous sign if lawmakers aren’t satisfied with the companies’ answers.
The two vulnerabilities are “glaring warning signs that we must take cybersecurity more seriously,” McNerney argues in the letter. “Should the vulnerabilities be exploited, the effects on consumers’ privacy and our nation’s economy and security would be absolutely devastating.”
Privately disclosed to chipmakers in June of 2017, the Meltdown and Spectre bugs became public after a haphazard series of leaks earlier this month. In the aftermath, there have been significant patching problems, including an AMD patch that briefly prevented Windows computers from booting up. Intel in particular has come under fire for inconsistent statements about the impact of the bugs, and currently faces a string of proposed class-action lawsuits relating to the bugs.
Meltdown can be fixed through a relatively straightforward operating-system-level patch, but Spectre has proven more difficult, and there have been significant patching problems in the aftermath. The most promising news has been Google’s Retpoline approach, which the company says can protect against the trickiest Spectre variant with little negative performance impact.
Reached by The Verge, AMD confirmed it had received Rep. McNerney’s letter and is “in contact with his office regarding his request.” ARM has also responded to the letter, and “looks forward to a dialogue on our mutual goal of creating more secure devices.”
“We share Congressman McNerney’s interest in these important issues,” an Intel representative said, “and will continue to engage with a variety of Congressional and Executive Branch officials to address how the industry can best respond.”
Jan 17th, 9:17AM ET: Updated to include comment from Intel, AMD and ARM.