Critical computer flaws set up security challenge in Washington

Two critical vulnerabilities that affect modern computer processing chips are about to become a huge headache for governments worldwide.

The vulnerabilities could allow hackers to pilfer sensitive data from virtually all modern computing devices, ranging from computers to smartphones to cloud infrastructure. Experts believe that they may be the most dangerous computer processor flaws to date.

The Department of Homeland Security issued guidance on the matter late Wednesday, noting that while operating system updates could help mitigate the issues, the only true solution would be to replace computer processing units’ hardware.

This means that mitigating the flaws will likely cost federal, state and local governments a significant amount of time, money and effort. {mosads}

The cyber-flaws, which were originally believed to only be in Intel chips, affect an array of chip vendors including AMD, Google, Microsoft and Apple, and impact millions of modern computing systems developed over the last decade.

“These processors are used in most government systems around the globe and are likely vulnerable,” said Tony Cole, vice president and global government chief technology officer at FireEye.

The discovery, which came from months of work by computer researchers, has sent programmers at major companies scrambling to issue patches to prevent possible hacks. 

The researchers had planned to go public with the details later in January after notifying affected companies, but some details about the flaws leaked to the media on Tuesday.

Now that the vulnerabilities have been made public, the clock is ticking for organizations to take steps to guard their systems.

“The vulnerabilities and sample exploit code are now in the wild, so we should expect that criminals and nation-state actors are using them,” said Michael Daly, chief technology officer of cybersecurity and special missions at Raytheon.

The revelations have caused a stir on Capitol Hill.

Sen. Mark Warner (D-Va.) the top Democrat on the Senate Intelligence Committee, said the flaws are just the latest example in a string of exploitable digital vulnerabilities. 

“Once again [it] highlights the impact of vulnerabilities in widely-adopted components and protocols, and illustrates the importance of adopting basic hygiene requirements for the rapidly proliferating Internet of Things,” Warner said.

Other offices, including Rep. Will Hurd’s (R-Texas), say that they’re also looking into the matter.

The two vulnerabilities, dubbed “Meltdown” and “Spectre,” are flaws in hardware that cybersecurity experts say could be used by hackers to steal sensitive information in a computer’s memory, such as passwords and encryption keys.

“Meltdown” can be mitigated by software patches. Microsoft and Google have already issued emergency patches for their systems, though experts say the patches could degrade the performance of devices by 20 to 30 percent when applied.

“This is a very large and urgent project for federal IT staff to complete within short timelines,” said Paul Kocher, senior technology adviser at Rambus and one of the researchers who discovered the vulnerabilities.

Fully mitigating Spectre is more daunting, with experts saying it may ultimately warrant a redesign of the hardware.

“As a longer-term outcome, computing devices need to be engineered differently for security vs. performance,” Kocher said. “Government may play a significant role in this as well, both by supporting continued security research as well as setting procurement requirements.”

Government organizations may have to entirely replace systems in the future, a pricey task that may not fit into some agencies’ budgets.

“We’re talking about an average $1,000-per-computer [fix] vs. a free software patch,” said Devon Ackerman, associate managing director of the cybersecurity and investigations practice at risk mitigation firm Kroll. “Basically, I am replacing the entire computer with something that is a newer generation, something that is no longer susceptible to this exploit at a hardware level.”

Despite the complications, some experts see a silver lining in the flaws: better cybersecurity practices in the government.

“My hope is that this will be an impetus to move to a cloud-based solution,” said Joe Stuntz, vice president of cybersecurity at One World Identity.

Many government agencies are in the process of moving data from legacy systems to cloud-based systems, something Stuntz and other experts say shifts the financial risk away from the government to tech companies and would save money in the long term.

“If you ask government IT people, a lot of them know what they need to do, which is getting off legacy and onto the cloud,” Stuntz, who previously worked for the Office of Management and Budget’s Cyber and National Security Unit at the White House, said. “This will be something that they will use in their budget justifications.”

Intel, Amazon and other firms whose hardware is affected are working to issue software and firmware to mitigate the vulnerabilities.

Currently, no code that exploits the vulnerabilities has been publicly revealed, but security experts warn that hackers often use these types of known flaws to develop new cyber weapons.

The hacking tool used to carry out the massive WannaCry cyberattack in June was released by the hacker group Shadow Brokers in April. The group alleges the tool was stolen from the National Security Agency.

At the time, Microsoft had patched the vulnerability leveraged in WannaCry, but systems worldwide had not yet been updated and hackers wreaked havoc at a number of private and public organizations, including Britain’s national health system. The Trump administration has publicly blamed North Korea for the global attack.

Experts warn that while the U.S. updated in time to avoid being hit by WannaCry, the government must keep up with patching vulnerabilities open to hackers.

“If exploit code is developed, this could be catastrophic for [governments]. Another downside is that governments don’t typically update their technology very quickly which means that their processors may already have challenges keeping up with requirements from the latest operating systems and bloated applications,” said Cole.

“Add to that mix a vendor patch that’s expected to slow down a system as much as thirty percent and you could have a number of challenges for governments that do implement the patch quickly, with crashing computers or systems that run too slow to accomplish their tasks,” Cole continued.

Both the U.S. Department of Homeland Security and Britain’s National Cyber Security Centre are monitoring the developments but say they have seen no evidence that the vulnerabilities are being maliciously exploited.

“Exploitation of these vulnerabilities could allow an attacker to obtain access to sensitive information,” Homeland Security warned.

Still, research shows that exploiting the vulnerabilities themselves leave virtually no clues, which Ackerman called “haunting.”

“There would be nothing or little to nothing for me to say this bad guy took data,” said Ackerman, a former FBI forensics examiner who worked on cyber crime cases.

The situation is fluid, and researchers, vendors and the cybersecurity industry are still working to understand the full picture of the threat.