The two recently-discovered CPU flaws, ‘Meltdown’ and ‘Spectre’, have troubled chip-maker Intel, which is now facing 32 lawsuits. Intel was first informed of these potential architecture defects back in 1995 by the National Security Agency, but it chose not to warn the public. These faults revealed issues with the flawed processors produced in the past decade that allow third-party applications to access private and personal data. Both Meltdown and Spectre affect personal computers, mobile devices and the cloud.
• Should Intel have told the public about this hardware flaw?
| The Cat is out of the bag
Google’s Project Zero (GPZ) team unearthed the existence of these flaws and reported them to Intel in June 2017. In the security world, whenever researchers find a bug, the convention is to give companies a few months to fix the problem before disclosing it to the public. The GPZ team granted Intel 90 days to fix the problems with a further two deadline extensions, but after a lack of action, the problem was leaked to the public. In order to completely fix the defects, new processor designs are required, which would impose a significant performance decrease.
You only know what you need to know
| Actions speak louder than words
When Intel was first warned about the potential flaw in 1995, the decision made internally was to maintain the original processor design. This was to complement the digital revolution with the popularity of the internet and the need for higher computing power, instead of fixing an extremely small problem which had a minuscule possibility of causing high damage. Or so they thought!
Ever since Intel was made aware of these issues in 2017, the company has been working on an industry-wide approach to resolve them. Software and firmware updates to alleviate these issues were provided as they became available. Intel has confirmed that for the average computer user, the performance impacts should not be significant (Table 1) and will become less pronounced over time. The company is working to provide the best solution to everybody.
|Benchmark|8th Generation Desktop Intel Core i7 8700K Processor|7th Generation Mobile Intel Core i7 7920HQ Processor|6th Generation Desktop Intel Core i7 6700K Processor|
|---|---|---|---|
|Introduction Date|Q4 ’17|Q1 ’17|Q3 ’15|
|SYSMark 2014 SE Overall|94%|93%|92%|
|PCMark 10 – Overall|96%|97%|96%|
|W10 Edge Browser|92%|93%|90%|
Source: Intel; Note: The data above is based on multiple runs and expected system benchmark variation is assumed to be +/- 3%
| We’ll cross that bridge when we come to it
Intel did not report the flaws to the US authorities after the warning because the National Cyber Security Centre had stated that there was no evidence that hackers had exploited these vulnerabilities. Intel is committed to a responsible disclosure of potential security issues, which is why the company had planned to disclose these issues a week after it was leaked. They had planned to make software updates available by then. In other words, Intel dealt with this problem from a utilitarian perspective and was trying to avoid unnecessary panic by not publicising problems before fixes were ready for the public.
Intel, Ain’ Tell?
| Lucky if you are the chosen one
It is in every end user’s interest to know the performance, safety and security of their purchased devices. They are entitled to be informed of any design flaw if it is related to their own information security and confidentiality. Instead of protecting all clients, Intel chose to only share the information with a handful of companies such as Apple, Google, Alibaba and Lenovo while withholding it from the vast majority. Intel even failed to inform the U.S. government about the vulnerability, let alone the majority of its corporate clients and average users.
A customer-oriented approach could have been adopted by Intel. It should have revealed the chip design flaw to the public, at the proper time, by itself. The disclosure of the security defect could have been done in a delicately worded statement, in which the true security flaw is not exposed for hackers to exploit, yet informative enough to let customers know that their confidential information is at risk and their devices may be compromised.
In this way, Intel would have fulfilled its ethical responsibility of disseminating vital security information to customers and retained its reputation. Customers could also have benefited from knowing that such a flaw exists and from being able to make their own decisions on how to protect their own information. Additionally, Intel could have avoided these problems back in 1995, by re-evaluating the processor designs. This would probably have affected the company in the 90s, but they could have dodged this bullet now.
| Yesterday Once More? Intel could have done something different this time!
Hiding facts which may cause greater damage to customers at a later date is definitely not the fairest approach a company can take. Moreover, the intuitivist approach to solving problems would be to admit them early on. When enough awareness is given, problems can be addressed in a more efficient manner. Without admitting the design flaw and informing customers about it in the first place, no productive resolutions could be expected. Last but not least, common sense! Customers should be treated equally as it is every customer’s trust that made Intel what it is today. Losing trust from the majority is the very last thing Intel should consider.
When all is said and done
The fundamental design flaws already exist in the majority of modern chips. Revealing such facts to the public without comprehensive evaluations and feasible solutions may lead to a catastrophic disaster. Furthermore, to date, there have been no reports of any system being compromised due to this design flaw. For the greater good, not revealing the defect until it was discovered is acceptable. Therefore, the ethical choice was to not reveal it to the public.
| Now the ball is in your court, what are your thoughts?