The Patriot Files Forums  

07-17-2018, 05:43 PM
Boats

Tech vulnerability disclosure process is flawed, lawmakers warn
By: Justin Lynch   2 hours ago

The process by which technology companies coordinate and fix vulnerabilities is flawed, according to two lawmakers issuing a warning just months after researchers identified microchip flaws that could impact national security computer systems.

Rep. Greg Walden, R-Ore., and Sen. John Thune, R-S.D., said in a July 17 letter that the recent public disclosure of the Spectre and Meltdown chip vulnerabilities was fraught with missed opportunities and may have harmed U.S. critical infrastructure.

Security researchers announced January 3 that Intel microchips could be exploited and a patch was needed. The flaw was discovered in summer 2017, however, and the process by which companies were alerted of the vulnerability raised concerns, according to the lawmakers’ letter to the Massachusetts-based Computer Emergency Readiness Team, or CERT.

The lawmakers said that it was unclear whether companies “had enough time to test and implement patches prior to public disclosure of the vulnerabilities.” They also raised concerns about whether firms were truly prepared to patch the flaw. For companies in the critical infrastructure sector, the time between when a vulnerability is discovered and when it is fully fixed can be essential to security, the lawmakers warned.

They added that the Chinese government likely received the warning before the American government did, raising questions as to whether a foreign actor could have exploited the vulnerability.

The letter asked CERT if the vulnerability disclosure process should be updated after the confusion surrounding the Spectre and Meltdown flaws. Only one company informed CERT of their flaws prior to January 2018, according to the letter, and that was just one month previously. The lawmakers warned that had the government received earlier notification of the vulnerabilities process “perhaps it could have helped to coordinate the process more effectively.”
