You can browse directly to the debacle here. Everything from beginning to end of this was a nightmarish pile of people grandstanding about the wrong things.
Let's start with the point that if you're going to get upset about a bug, Meltdown and Spectre are SUPER COOL but that does not make them SUPER IMPORTANT. In the time it took Immunity to write up a really good version of an exploit for this, maybe fifty other local privilege escalation bugs have come out for basically any platform they affected. And they are hardly the first new bugclass to come along. I guarantee you every major consulting company out there has a half dozen private bugclasses. People always say "You need to be able to handle an 0day on any resilient system" and the same thing is true for bugclasses.
I'm going to quote the National Journal here.
Chairman John Thune said he “hesitates” to craft legislation that would require U.S. companies to promptly hand over information on new cyber-vulnerabilities to the government, or to deny that same information to Chinese firms.
“You’d like to see that happen sort of organically, which is what we tried to suggest today and which many of the panelists indicated is happening in a better way, a more structured way,” Thune told reporters after the hearing.
Nearly every part of this not-veiled threat is a bad idea. Assuming they could come up with a definition of "cyber-vulnerability", the companies involved do most of this work overseas. They would no doubt make sure to give this information to every government at the same time. Now we are in a race to see who can take advantage of it first?
There are reasons Intel didn't even bother to show up to this hearing. One of them is they can't afford to be seen taking sides with the USG in public. Which is precisely why this conversation happens over beers in a bar somewhere instead of us counter-productively trying to browbeat them on live TV for no good reason. And we have to deal with the fact that sometimes we don't get what we want.
Here's a list of things we could have learned:
- Bugs that private companies discover are not classified information protected and owned by the USG
- There are consequences to our adversarial relationship with the community and with industry
- No matter how much we blather on about coordinated disclosure systems and public private partnerships, companies have other competing interests they are not going to sacrifice just because it would be nice for the USG