July 13, 2018

WIRED: Senators Fear Meltdown and Spectre Disclosure Gave China An Edge

WASHINGTON – In case you missed it, Senator Maggie Hassan participated in a Commerce, Science, and Transportation Committee hearing earlier this week, where she emphasized the importance of addressing cyber vulnerabilities and bolstering cybersecurity, particularly in the wake of the “Spectre” and “Meltdown” vulnerabilities found in processing chips made by Intel, ARM, and AMD.

Senator Hassan has consistently pushed the federal government to implement steps to strengthen our nation’s cybersecurity, and as part of those efforts she introduced the bipartisan Hack DHS Act with Senator Rob Portman (R-OH). The bipartisan bill would strengthen cyber defenses at the Department of Homeland Security (DHS) by establishing a bug bounty program. The bill unanimously passed the Senate earlier this year and a companion bill has been introduced in the House of Representatives. The Senator also cosponsored the Internet of Things Cybersecurity Improvement Act, which was introduced by Senator Mark Warner (D-VA), to help ensure that internet-connected devices purchased by the government are equipped with sufficient cyber defenses.

See below for highlights of coverage of Senator Hassan at the Commerce, Science, and Transportation Hearing on “Spectre” and “Meltdown”:

WIRED: Senators Fear Meltdown and Spectre Disclosure Gave China An Edge

… the Senate Committee on Commerce, Science, and Transportation also raised an important practical concern: No one informed the US government about the flaws until they were publicly disclosed at the beginning of January. As a result, the government couldn't assess the national security implications of or start defending federal systems during the months that researchers and private companies secretly grappled with the crisis. 

“It's really troubling and concerning that many if not all computers used by the government contain a processor vulnerability that could allow hostile nations to steal key data sets and information,” New Hampshire senator Maggie Hassan said during the hearing. “It's even more troubling that these processor companies knew about these vulnerabilities for six months before notifying [the Department of Homeland Security].”

CyberScoop: Senators question vulnerability disclosure process after Spectre and Meltdown stumbles

Shortcomings in the industry-led process for disclosing software and hardware bugs could rear their heads again, U.S. senators said Wednesday at a hearing on the Spectre and Meltdown chip flaws.

… Lawmakers are pondering what can be done to improve the complex vulnerabilities disclosure process, which involves spreading enough word among vendors to address a bug but not so much as to risk leaking information before patches are ready. 

“We need to consider additional ways to require the federal government’s equipment suppliers to promptly notify [the Department of Homeland Security] of potential breaches or vulnerabilities that could weaken our federal systems,” Sen. Maggie Hassan, D-N.H., said at the hearing.

The worry is always that foreign governments could find out about critical vulnerabilities before Washington does, leaving U.S. computer systems exposed to cyber-espionage or hacking. The case of Spectre and Meltdown, two vulnerabilities made public in January that affected virtually all modern computer chips, offers a prime example. 

… Hassan said she wants to know how many government computers are still plagued by the dual chip flaws.

“I would like to know how many of our government computers still have this vulnerability and whether all of them have received the mitigation updates that would make it more difficult for a foreign actor to try to exploit these government computers,” the New Hampshire senator said at the hearing. 

###