China probably knew about Spectre and Meltdown bugs before the U.S.
A Senate Commerce Committee hearing recently detailed a troubling reality of the information sharing “supply chain” in hardware and software vulnerabilities: the Chinese government is better positioned than the U.S. to hear about flaws and vulnerabilities. The hearing described how chipmakers working to repair the Spectre and Meltdown vulnerabilities in 2017 notified a number of Chinese companies during the process. These companies likely passed the information directly to the Chinese government. The U.S. government, however, did not learn about the vulnerabilities until they were publicly disclosed in 2018. This disclosure delay on a vulnerability that impacted almost every computer chip made since 2000 was described by one Senator as “baffling” and “inexcusable.” Adjustments to existing policies following this hearing will likely include improved DHS guidance for reporting similar issues. Attempts to prevent cyber adversary governments from accessing the same information, however, is probably a lost cause, according to one senior analyst at Carnagie Mellon University.