
Intel told Chinese companies about chip flaw before US gov: report

Intel Corporation initially warned a handful of customers, including several Chinese technology companies, about the discovery of security flaws within its processor chips, but not the U.S. government, The Wall Street Journal reported Sunday. 

Security experts told the newspaper that the decision could have allowed Chinese tech companies to flag the vulnerabilities to Beijing, giving the Chinese government an opportunity to exploit them.

Jake Williams, head of the security company Rendition Infosec and a former National Security Agency (NSA) employee, told the Journal that it is a “near certainty” the Chinese government knew about the flaws from the Intel correspondence with Chinese tech companies, as Beijing keeps tabs on such communications.

The Journal reported that Alibaba Group, a top-selling Chinese cloud-computing services company, was among the firms notified of the flaw early on.

A spokeswoman for Alibaba’s cloud unit declined to tell the newspaper when Intel notified them of the flaws, while stating that any suggestion that the company shared information with the Chinese government was “speculative and baseless.”

China's foreign ministry has previously said it is “resolutely opposed” to any form of cyber-hacking.

The Lenovo Group, a Chinese computer maker, was also reportedly notified in the early stages. A Lenovo spokeswoman told the newspaper that a nondisclosure agreement protected Intel’s information from being made public.

Experts who spoke to the Journal noted they had seen no evidence to suggest the information given to the companies in question was misused.

Representatives from China’s ministry in charge of information technology didn’t respond to the newspaper's requests for comment. Hackers linked to the Chinese government have been known to exploit software vulnerabilities for surveillance or possible leverage, according to the report.

The Hill has reached out to Intel for comment.

News about the flaws broke on Jan. 3, just a few days before Intel planned to publicly announce the chip flaw discovery. The date of the planned announcement, however, came months after a member of Google’s Project Zero security team first detected the flaws in June of last year -- a delay that would allow the companies to come up with a fix to such flaws.

Intel's damage control strategy of providing an early warning aimed to soften the blow for several of its big customers who could prepare fixes before the news became public. The decision also limited those who knew, a move that would help prevent the news from leaking, according to the report. 

A Department of Homeland Security (DHS) official told the Journal that the department learned about the chip flaws on the day the news broke. This delay blindsided DHS, which regularly provides guidance on how to address such vulnerabilities.

The NSA also "did not know about the flaws," according to a Jan. 13 tweet by Rob Joyce, the top cybersecurity official at the White House.

Large tech firms like Microsoft, Google and Amazon, among others, received advance warnings.

The firms were prepared as a result of the early warning, releasing statements shortly after the news broke that the customers using their cloud-computing systems were largely protected.


http://thehill.com/policy/cybersecurity/371140-intel-told-chinese-companies-about-chip-flaw-before-notifying-us-gov