An Intel spokesman wouldn't detail who the company had informed, but said that the company couldn't notify everyone (including US officials) in time because Meltdown and Spectre had been revealed early. Lenovo said the information was protected by a non-disclosure agreement. Alibaba has suggested that any accusations of sharing info with the Chinese government were "speculative and baseless," but this doesn't rule out officials intercepting details without Alibaba's knowledge.

There's no immediate evidence to suggest that China has taken advantage of the flaws, but that's not the point -- it's that the US government could have helped coordinate disclosures to ensure that enough companies had fixes in place. Big names like Apple, Amazon, Google and Microsoft were ready relatively quickly, but most everyone else was left racing to fix or mitigate the flaws. That could have led to attacks on vendors that weren't in the early list, but were still running critical systems.

Intel is between a rock and a hard place in situations like this. There's no question that it has to notify partners, but it also has to limit those notifications to minimize leaks before patches are ready. The issue, as you might guess, is that the company didn't appear to have accounted for the cyberwarfare implications of who it notified first.