As per the report, initial
disclosures about the vulnerabilities were made to select large
customers that included U.S. companies such as Microsoft and Amazon, but
also foreign companies such as ARM Holdings in the U.K., along with
Lenovo and Alibaba in China.
Due to the severity of the flaws, Intel’s decision to warn select
customers in advance while leaving out the U.S. Government has been met
with concerns that the information could be misused. The report states
that, while there is no certain proof, sources believe it is possible
that the Chinese government was aware of the communications between
Intel and the Chinese tech giants, as such communications are routinely
monitored by the authorities. However, an Alibaba spokesperson rejected
the speculation that any information was shared with the authorities.
The other companies reportedly did not share information with the U.S.
Government owing to a non-disclosure agreement.
An official at the Department of Homeland Security said that the
staffers learned of the flaws on January 3 from news reports and not
from Intel in advance, explaining the hastily-provided mitigation for
the problem. The United States Computer Emergency Readiness Team
(US-CERT), an organization within the Department of Homeland Security’s
National Protection and Programs Directorate, is often informed of such
discoveries and then handles how the information is addressed. White
House cyber security coordinator Rob Joyce tweeted earlier this month
that the NSA wasn't privy to the information either.
According to the report, an Intel spokesperson declined to list the
companies that were informed before the scheduled announcement, but
noted that the company couldn't inform all the intended parties -
including the U.S. Government - as the news was revealed earlier than
planned. Intel’s disclosure policy has already been questioned by the
U.S. Congress, and the company is being sued for the processor
vulnerabilities.