I've been tracking computer security issues, including vulnerabilities, for decades, and have never seen anything quite like this. Newly announced vulnerabilities, which were publicly disclosed by the Register on Tuesday, are in almost every modern computer chip. The vulnerability cannot be changed in hardware, of course (you would have to buy new hardware that is designed differently), but software patches to operating systems can mitigate the problem. The bad news is the patches will very likely slow down any computer they are installed on.
Here is more background: There is a feature in the architecture of most modern chips, especially Intel and AMD chips, that helps speed up processing and optimize performance. This feature, called "speculative execution", is a benefit to missions and functions across all industries and in systems from those at home and work to large ecommerce sites and of course governments globally.
But security researchers at Google's Project Zero found that this feature, which is designed into the hardware itself, can be exploited in ways that give unauthorized parties an ability to read sensitive information in the system's memory, including passwords and encryption keys. That can open up the entire system to an adversary who seeks to exploit it.
The Google team are community-minded players and began working with others soon after their discovery. This means that a larger team of security researchers has been working on this for quite a while. Patches are coming to operating systems to mitigate these risks. However, in most cases these patches are going to reduce the functionality of the computers they are installed on. Imagine having a computer that you bought and paid for now operating at 30% less capability. How much do you feel you should have paid for that computer now?
For some reason I keep thinking of Fred Kaplan's book "Dark Territory." In it Kaplan describes the reaction President Ronald Reagan had after viewing the 1983 movie "WarGames." As you probably recall, the movie starred Matthew Broderick as a teen hacker who gets access to the main command and control computer at NORAD. Reagan enjoyed the movie but started thinking of what might happen if the real systems had vulnerabilities. After sharing a synopsis of the movie with his cabinet he asked the then-Chairman of the Joint Chiefs of Staff, General John Vessey, "Could something like this really happen?" After looking into it the General returned to the White House with his report, which started off: "The problem is much worse than you think."
That sums up my view. This is bad. Worse than you might be thinking. We have to take action.
Three considerations for action:
- Like it or not, you have to patch your systems.
- Collectively we have to figure out how to force companies to deliver more secure hardware; this is foundational (maybe all designers should be asked to read "Dark Territory").
- Humanity also needs to figure out what justice is in this situation. How can we best try to set things right for those whose computers are being slowed due to the fault of hardware designers? Maybe tort law and court cases are the way forward to help answer this question of justice.
There are other things to consider doing as well. For everyone, I strongly recommend you sign up for our reporting at the Daily Threat Brief, where we review digital threats and seek to give you the early warning you need to beat threats. For those of you in the military or strategic policymakers in government, we would like to draw your attention to our recent post titled "The American Way of War Is Based On Tech: Don't Let It Be Our Downfall!"