Senate Commerce Looks for Solutions to Emerging Cyberthreats
Senate Commerce Committee members Wednesday will weigh two newly discovered computer processor design flaws, one of which a researcher described as “probably one of the worst CPU [central processing unit] bugs ever found” (see 1807060015 and 1801260009). “I don’t think there are any solutions right now for what we’re going to be talking about,” Sen. Jon Tester, D-Mont., told us when asked about Wednesday’s hearing on Spectre and Meltdown vulnerabilities. “Hopefully, we’ll come up with some solutions. ... Maybe some of the professors can come up with something.”
Tester said he’s not highly knowledgeable about the topic, so there was a lot of work to do to prepare. Ranking member Bill Nelson, D-Fla., said he wanted to complete the hearing before offering any comment. “It’s so complex with so many issues,” said Sen. Ron Johnson, R-Wis.
Nelson and Chairman John Thune, R-S.D., in February sent a letter to executives at Amazon, Apple, Intel, Microsoft, Google, Lenovo, Cisco, Huawei and four other companies. The list included Arm, a mobile device processor designer that is sending Chief Marketing Officer Joyce Kim to testify. Arm processor technology is widely deployed for smart devices. Academics and researchers discovered the computer processor vulnerabilities, which have existed for more than 20 years, in June 2017, but they were not “widely disclosed” until January, said the letter. Meltdown and Spectre let hackers access passwords, encryption keys and other sensitive information through design flaws. While Meltdown has been identified as a critical CPU threat, researchers said Spectre is more difficult for hackers to exploit, according to the letter. The National Institute of Standards and Technology, which is also set to testify, warned of the impact on cryptography. NIST declined to offer prepared testimony for Donna Dodson, its chief cybersecurity adviser and director of the National Cybersecurity Center of Excellence.
Dakota State University President José-Marie Griffiths said NIST guidelines on the bugs were “far more effective” than industry’s response. She described it as “corporations circling the wagons, hiding what was going on and trying to fix it by themselves.”
Kim argued her chip company “responded thoroughly” to the vulnerabilities in June 2017 by developing strategies for mitigating the threats. After the issue was widely reported in January, Arm then engaged with the U.S. government and the Department of Homeland Security, she said. She noted that Arm’s exposure to the vulnerabilities in question was “relatively limited,” given the attacks depend on malware running locally.
Griffiths said the U.S. needs articulated standards, guidelines and best practices, and policymakers should leverage “intellectual assets, especially the human capital in U.S. universities” like Dakota State. The U.S. has the “potentials and properties” to fix it, she said: “There have been prophets in our midst for decades warning of this technological tsunami.”