Senate Committee Probes Vulnerability Disclosure, Eyes Supply Chain Risk
On July 11, 2018, the Senate Commerce, Science, & Transportation Committee convened a hearing entitled “Complex Cybersecurity Vulnerabilities: Lessons Learned from Spectre and Meltdown.” The hearing reviewed the response to the Spectre and Meltdown vulnerabilities publicly revealed in early 2018. Senators posed questions about how companies managed the vulnerabilities, emphasized emerging and evolving cyber threats, and considered whether greater government involvement is needed.
According to public reports, Google’s Project Zero team in 2017 discovered security issues caused by “speculative execution,” a technique used by most modern processors to optimize performance. The vulnerabilities identified came to be referred to as “Meltdown” and “Spectre,” and could permit attackers to gain unauthorized access to a computer’s memory.
Beginning in June 2017, affected parties were made aware and began verifying the vulnerabilities, researching and testing to determine the potential impact, and developing mitigations. Companies collaborated to resolve the security issue, consistent with “coordinated vulnerability disclosure” (CVD) processes, which balance addressing a discovered flaw against over-disclosure or premature disclosure, which the National Telecommunications and Information Administration’s multistakeholder process on disclosure found “can increase risk to affected users.”
After public disclosure in January 2018, some in Congress wanted to understand the CVD process and the response of companies to Meltdown and Spectre. An exchange of information preceded a hearing before the Senate Committee on Commerce, on July 11, to address the handling of these vulnerabilities and policy implications of the responses.
Witnesses at the hearing included representatives from National Institute of Standards and Technology (NIST), the processor industry, CERT Coordination Center, and two academic institutions.
Chairman Thune underscored the importance of industry-led, voluntary public-private partnerships but also stated that the U.S. government is responsible for federal networks and protecting critical infrastructure. Because the threats to our networks and systems are so pervasive, and neither industry nor government can address them alone—enhanced partnership is essential.
Members of the Committee highlighted expanding cyber threats from nation-states and criminal actors. Several Senators raised questions about the timing of voluntary notice provided to the U.S. government relative to business partners and companies around the world.
The hearing was broad in its scope, venturing into implications for the Internet of Things (IoT). One Senator said it should be called the “Internet of Threats,” and argued that unsecured devices “present a threat to prosperity, privacy, and our Nation’s security.” Another Senator asked whether industry guidance could assist with multi-vendor disclosures. And others emphasized that more proactive efforts are needed from both industry and the government to identify and address vulnerabilities.
While legislation on CVD is far from imminent, government officials are expecting companies impacted by major vulnerabilities to engage—especially where the impact may be felt by government networks and systems. Beyond CVD, issues about supply chain cybersecurity are top-of-mind for members of Congress and the executive branch.
At the hearing, Senators cited several bills, which in their view would reduce the impact of vulnerabilities, supply chain risk, and other cyber threats. These include the: Cyber Shield Act (S.2020); AV START Act (S.1885); IoT Cybersecurity Improvement Act (S.1691); Promoting Good Cyber Hygiene Act (S.1475); and Cyber Scholarship Opportunities Act (S.754), among others. Several members of the Committee are focused on cyber and set on moving legislation forward, which will impact market participants.
Beyond this, executive branch agencies are taking a deep look at cyber risk in the supply chain and expect more transparent engagement from certain sectors, including IoT. As NIST indicated at the hearing, the agency is incorporating supply chain guidance into new documents, this includes: Cybersecurity Framework (Version 1.1), and the next version of Draft NIST SP 800-53: “Security and Privacy Controls for Federal Information Systems and Organizations” (Rev. 5), among others.
DHS is expanding its involvement in this space, as we noted here, the Department is assessing supply chain considerations including the IoT, information sharing structures, engagement with the private sector on incident response and system analysis, and collaboration with international partners. The FCC also opened a proceeding on supply chain risk and stakeholder comments were recently posted.
We appear to be at an inflection point on cybersecurity policy, at which the value of public-private partnerships is being questioned by policymakers. With so many government proceedings underway, the private sector should be vigilant in watching developments and engaging as appropriate.