Jan 09 2018

Feds Must Rely on Industry in Wake of Meltdown and Spectre

Agencies have limited options but can take steps to patch their systems to respond to the processor vulnerabilities.

Nearly a week after the disclosure of vulnerabilities in the processors that run much of the world’s computing equipment, federal agencies are reliant on industry solutions to help them secure their systems.

The bugs, known as Meltdown and Spectre, forced chipset makers and technology companies to scramble to issue patches for Intel, AMD and ARM Holdings processors. If attackers exploit the vulnerabilities, they could get access to sensitive information. Meltdown is easier to fix via software patches. Spectre is harder to exploit than Meltdown, but it is also harder to mitigate since the vulnerability is embedded in chipset architecture.

Intel CEO Brian Krzanich said on Jan. 8 at the Consumer Electronics Show in Las Vegas that, “for our processors and products introduced in the past five years, Intel expects to issue updates for more than 90 percent within a week, and the remaining by the end of January,” The Verge reports.

Apple has issued fresh patches for its iOS and Mac OS operating systems. However, Microsoft has paused distributing its Meltdown and Spectre security updates for machines running on AMD processors after reports of PCs not booting, The Verge adds.  

The Department of Homeland Security’s National Cybersecurity and Communications Integration Center says in a statement that it “encourages users and administrators to refer to their OS vendors for the most recent information,” and provides updates on available patches.  

“Due to the fact that the vulnerability exists in CPU architecture rather than in software, patching may not fully address these vulnerabilities in all cases,” the NCCIC says.

“After patching, performance may be diminished by up to 30 percent,” the statement adds. “Administrators should ensure that performance is monitored for critical applications and services, and work with their vendor(s) and service provider(s) to mitigate the effect if possible.”

Patches may also impact the ability to access cloud service providers, so the NCCIC says “users and administrators who rely on cloud infrastructure should work with their CSP to mitigate and resolve any impacts resulting from host OS patching and mandatory rebooting.”

Federal cybersecurity experts say it is not practical at this point for agencies to replace all of their computing hardware, and that using the patches from their vendor partners is the best route to take. “We’re all in the same lifeboat,” former federal CISO and retired Air Force Brig. Gen. Greg Touhill tells FCW. “Both the public and private sector rely on the same technology base.”

DHS spokesman Scott McConnell says DHS will not be advising agencies to install new processor chipsets or buy new equipment, telling FCW that “as far as replacing hardware, that would be a question for each agency’s CIO, not DHS.”