U.S. Sen. John Thune (R-S.D.), chairman of the Committee on Commerce, Science, and Transportation, will convene a hearing entitled, “Complex Cybersecurity Vulnerabilities: Lessons Learned from Spectre and Meltdown,” at 10:00 a.m. on Wednesday, July 11, 2018. The hearing will review cybersecurity issues raised in response to the Spectre and Meltdown vulnerabilities, such as challenges with conducting complex coordinated vulnerability disclosure and supply chain cybersecurity, and how best to coordinate cybersecurity efforts going forward. This hearing follows a letter sent by Sens. John Thune (R-S.D.) and Bill Nelson (D-Fla.) to 12 organizations about the Spectre and Meltdown vulnerabilities and the steps taken to mitigate these vulnerabilities.
- Ms. Donna Dodson, Chief Cybersecurity Advisor and Director of the National Cybersecurity Center of Excellence, National Institute of Standards and Technology, U.S. Department of Commerce
- Dr. José-Marie Griffiths, President, Dakota State University
- Ms. Joyce Kim, Chief Marketing Officer, ARM
- Mr. Art Manion, Senior Vulnerability Analyst, CERT Coordination Center, Software Engineering Institute, Carnegie Mellon University
- Mr. Sri Sridharan, Managing Director, Florida Center for Cybersecurity, University of South Florida
Wednesday, July 11, 2018
This hearing will take place in Russell Senate Office Building, Room 253. Witness testimony, opening statements, and a live video of the hearing will be available on www.commerce.senate.gov.
Chairman John Thune
We know that cybercriminals and rogue nation states aim to steal vast amounts of personal and proprietary information and access our critical infrastructure networks.
Cybersecurity vulnerabilities found in computer hardware – like the creatively-named Spectre and Meltdown vulnerabilities – present new pathways for bad actors to cause significant damage and exemplify the ever-changing landscape of cybersecurity risks we face.
Fortunately, these hardware vulnerabilities were discovered by the good guys – the “White Hat” security researchers.
Of critical importance, however, these vulnerabilities, which existed unnoticed for decades, have an unprecedented scope and required a coordinated response across the chip manufacturers like Arm (“arm”), AMD (“A-M-D”), and Intel and the entire tech industry.
In February, Senator Nelson and I sent letters to 12 companies to discuss the steps taken in response to these vulnerabilities. We asked questions about the level of coordination with other companies and with the U.S. government, efforts to patch the vulnerabilities, and recommendations for future steps to reduce risks stemming from hardware vulnerabilities.
Our oversight identified several issues:
First, although security researchers initially informed certain companies of the vulnerabilities in June of 2017, the vulnerabilities were not widely disclosed until January 2018 in order to allow time to remediate the vulnerabilities. Afterwards, other related vulnerabilities continued to be disclosed.
These processes raise questions about how a coordinated vulnerability disclosure process should be carried out to ensure that companies have enough time to test and implement patches. It’s not enough just to develop patches; they also need to be tested and applied so that consumers don’t have a false sense of security about whether solutions are really in place.
The other thing we confirmed is that some Chinese manufacturers, including Huawei (“Wah-Way”), were informed of the vulnerability prior to public disclosure. Given their close ties to the Chinese government, Huawei’s involvement in the coordinated vulnerability disclosure—while perhaps necessary—raises additional questions about supply chain cybersecurity.
Finally, only one company – IBM – reported that it contacted the U.S. government prior to the January 3, 2018, public disclosure. And no vendor engaged CERT-CC (“CERT-C-C”) to assist in coordinating the vulnerability disclosure or response. Even the largest affected chip manufacturer, Intel, did not provide advance notice.
Some companies, including Intel, explained that notice to the U.S. government was supposed to occur prior to public disclosure, but these plans were frustrated by a premature leak. Nevertheless, this is truly disappointing, since greater coordination earlier in the process could have reduced confusion and provided enhanced security. After additional conversations with this Committee, when newer variants were discovered, a few of the companies did provide significant notice – some up to one month – in advance of public disclosure.
The U.S. government is responsible for the protection of federal IT and critical infrastructure. It is also a significant customer in the supply chain.
Overall, this hearing is a reminder of the importance of public-private partnerships in cybersecurity. Cybersecurity standards should be industry-led and remain voluntary, but the cybersecurity risks that threaten our nation are too great to be handled solely by the government or by industry.
That is why this Committee has prioritized fostering public-private partnerships in cybersecurity risk management. We’ve enacted laws like the Cybersecurity Enhancement Act to provide for the development of the NIST Framework for Critical Infrastructure. Similarly, the Cybersecurity Information Sharing Act sought to incentivize greater cyber information sharing and the Cybersecurity Scholarship Opportunities Act increased the government’s role in workforce development.
We are also working to enact legislation to strengthen cybersecurity for self-driving vehicles, aircraft, and small businesses.
Some have privately expressed concern that this Committee should avoid public discussion of these vulnerabilities and the government’s role. Now that the information on these vulnerabilities is publicly available, I believe we can have a responsible discussion of lessons learned to improve vulnerability disclosure and cyber resiliency, which are fundamental to cybersecurity.
With growing connectivity, the Internet of Things, and new risks posed by hardware vulnerabilities, examining and updating best practices now can help us avoid bigger problems down the road.
I want to thank all of our witnesses for being here today. It’s especially good to see Dr. Griffiths, who traveled to be here today from South Dakota. She was an integral part of our cybersecurity roundtable last year, which highlighted the important role that South Dakota plays in cybersecurity research and education. I will now turn to Senator Nelson for his opening remarks.
Witness Panel 1
- Ms. Donna Dodson, Chief Cybersecurity Advisor and Director of the National Cybersecurity Center of Excellence, National Institute of Standards and Technology, U.S. Department of Commerce
- Dr. José-Marie Griffiths, President, Dakota State University
- Ms. Joyce Kim, Chief Marketing Officer, ARM
- Mr. Art Manion, Senior Vulnerability Analyst, CERT Coordination Center, Software Engineering Institute, Carnegie Mellon University
- Mr. Sri Sridharan, Managing Director, Florida Center for Cybersecurity, University of South Florida