While the public discussion on Spectre and Meltdown and the daily stories have died down, for now, I wanted to pull back the lens and talk about some broader perspectives I have been thinking about. The reason I think it is important to analyze some of the broader areas is that Spectre and Meltdown are only the first of what I predict to be many architecture-based exploits that the industry will face in the future. This isn’t a “one and done” situation. Now is a good time to look back at how it was handled industry-wide, see what was done well and not so well, and see what can be learned from, repeated, or improved upon for next time.
One thing that has been bugging me is the lack of understanding around the tremendous coordination that was required across the industry to understand the issues and work towards mitigations. It appears to me that Intel played a critical role in this space, and I wanted to explore that. Going forward I think we should be applauding companies for their detailed disclosures, not going after them and punishing them for it.
From my vantage point, the silicon disclosures started off with Arm, Advanced Micro Devices, and Intel, but the press very quickly took out its ire on Intel as if the security issues were created by Intel. At the time I was not surprised, given that all of Intel’s products use speculative architecture and that it has 90% PC share and 98% server share. The irony is that I believe Intel ended up being the de facto industry leader, with the highest level of transparency and industry alignment I have ever seen on a security exploit.
On the other hand, we saw Intel CEO Brian Krzanich going on CNBC, publishing blogs, and taking the CES stage to talk about Spectre and Meltdown. Blogs seemingly appeared from Intel weekly, and after a while I was thinking that Intel just kept firing up the news cycle like someone pouring gasoline onto a smoldering fire. The news would seem to die down, Intel would publish a blog, and a new set of stories would emerge, so Intel was keeping the story alive by providing more information rather than dribbling out only as much as it had to.
Intel even set up a special page documenting every move here on Intel’s own website. Net-net, Intel prioritized transparency even though it meant taking shots, and it should be commended for that.
As the Spectre and Meltdown situation unfolded, I remember attending an Intel-hosted call with companies I never thought I would be on a call with at the same time: Arm, Advanced Micro Devices, and Intel. The companies took me through the exploits, the mitigations, and a rough timeline of what would happen when. It was nice to see three competitors laying down their swords to come together to fix this very large problem.
Since that first call, I have come to realize that Intel was not just working with Arm and AMD; it was also working very closely with software companies, system vendors, cloud service providers, and security researchers in parallel. Aside from updates from processor companies, I personally received status emails within a few weeks from Microsoft Azure and Windows, Amazon.com AWS, Red Hat, RSA, and VMware.
By January 4, Intel reported it had already issued software and firmware patches for the majority of processors released in the past five years, and that by the end of that week it expected to have released updates for 90% of processors introduced over that time period. While the firmware did cause some reboot issues, I cannot tell you how monumental the 90% number was. I worked nearly ten years at system OEMs and over ten years at a processor manufacturer, and I cannot imagine just how much work this must have been.
Five days later, on the 9th, Intel reported new information on Red Hat, Microsoft Windows, and Google’s Retpoline solution. I would have liked the Microsoft Windows messaging to have been more consistent between Microsoft and Intel; based on that feedback, a day later Intel provided a tremendous amount of very specific Windows client computing performance data. Eight days later, on the 17th, Intel provided benchmarks for its datacenter products. While I believe it would have been better if more benchmarks were shown, benchmarking servers is monumentally more difficult and time-consuming than benchmarking client systems.
Based on how transparent and collaborative Intel was, I believe the company deserves kudos, not scorn, for how it handled everything. Intel very easily could have limited the amount of information or just talked about itself, but it chose to keep providing details that kept the story alive, even when the update was not entirely flattering.
Spectre and Meltdown are just the beginning of a new crop of sophisticated architectural exploits, and we will again need a coordinated, industry-wide approach with very transparent communications. Based on Intel’s “Security First Pledge,” I hope, and expect, to see the company continue to step up and bring everyone together to find a solution. And when this happens again, it should be commended, not criticized.