By SecureWorld News Team
Thu | Apr 19, 2018 | 9:35 AM PDT

One of the things I love most about panel discussions at our SecureWorld cybersecurity conferences is that you often hear the unexpected—that angle you didn't see coming.

That same thing happened at RSAC this week while I was watching a cryptography panel. 

Paul Kocher, who co-discovered the Spectre chip vulnerability, told us we have a collective problem that can help bad actors.

Humans have trouble keeping hardware bugs a secret long enough for a fix to be created.

"The embargo process for hardware bugs is something we don't know how to do," according to Kocher. 

He says that became apparent when news of the Spectre vulnerability broke—a problem chip manufacturers knew about and were working on but were not ready to announce to the world. The information was being shared under an embargo, which is code for not publicly sharing the information until the embargo is lifted.

"Through the process, more people were told than could keep a secret. Press leaks ended up in a sort of panicked end to the embargo and you don't want to be in a situation where attackers have enough information to mount attacks and vendors don't know what's going on." 

And the way things came out, that is exactly what happened. It was a complicated scenario with a problem that stretched from hundreds of chip makers to thousands of device makers, cloud providers, and customers around the world.

So while this kind of embargo process seems to work reasonably well when things like software vulnerabilities are discovered, what can we do about hardware bugs to protect us from us?

Says Kocher, "I think we need some ethicists thinking about how to handle these things now. Because there are going to be more of these things. There are a lot of problems we have in systems that can't be updated easily. And as these issues come up, we need a roadmap on what to do."

A roadmap that helps us avoid the spectacle that ensued after the Spectre and Meltdown vulnerabilities were revealed to the planet.
