GREG WALDEN, OREGON FRANK PALLONE, JR. NEW JERSEY CHAIRMAN RANKING MEMBER ONE HUNDRED FIFTEENTH CONGRESS (tongues of the (?atten ?tates Entrust of COMMITTEE ON ENERGY AND COMMERCE 2125 RAYBURN HOUSE OFFICE BUILDING WASHINGTON, DC 20515?6115 I?u?II-ljtirilirII i202} ?25 29?? Minontv 12021225?3541 January 24, 2013 Mr. Tim Cook Chief Executive Of?cer Apple, Inc. 1 In?nite Loop Cupertino, CA 95014 Dear Mr. Cook: On Januar}r 4, 2018, several companies across the information technology sector released statements addressing researchers? discovery of two serious cybersecurity vulnerabilities affecting the companies? products.1 These vulnerabilities dubbed ?Meltdown? and ?Spectre? enable unauthorized access to information on systems using the affected processors, potentially facilitating the theft of sensitive data.2 Considering that nearly all modern computing systems including phones, laptops, and cloud services rely on vulnerable chipsets, Meltdown and Spectre are serious vulnerabilities requiring a coordinated response. Commendably, that coordinated response has already occurred. Affected companies began collaborating in June 2017, when researchers from Google?s Project Zero a team dedicated to ?nding critical vulnerabilities such as these informed the most heavily-impacted Intei Responds to Security Research Findings, INTEL (J an. 3, 2018), An Update an AMD Processor Security, AMD, ofSpecuiative Processors to Cache Timing Side-Channei Mechanism, ARM (Jan. 3, 2013), About specuiative execution in ARM-based and intei CPUs, APPLE (Jan, 5, 2018), Guidance for mitigating specuiative execution sia'e-channetr MICROSOFT (Jan. 5, 2013}, machincs-"windowsim itigatc-se; Processor Speculative Execution Research Disciosure, AMAZON WEB SERVICES (Jan. 7, 2013), 1M330 I 8-0 13 Googie 's Mitigations Against CPU specuiative Execution Attack Methods, GOOGLE (JanPeter Bright, Meltdown and Spectre: Here ?5 what intei, Appie, Microsoft, others are doing about it. ARS (Jan. 
5, 2013), ica.com 1 8:0 I icrosoft- Letter to Mr. Cook Page 2 companies about the vulnerabilities.3 Since that time, these companies have released staggered updates to their various products to mitigate the effects.4 More work remains to be done, however, because the vulnerabilities stem from a common and previously accepted computer engineering method. As such, full mitigation will require the rearchitecting of many chipsets. This is not a trivial problem, and will take some time to address. We applaud the industry response and appreciate the efforts of affected companies to protect their products and users. The general consensus seems to agree that these initial efforts have mitigated the worst of the danger.5 Some members of the industry, however, have raised concerns about one major aspect of the response, namely the information embargo instituted by the limited number of companies originally informed about the vulnerabilities in June 2017. This embargo restricted the dissemination of information related to the vulnerabilities outside of these companies, and was meant to last from June 2017 to January 9, 2013, when most of the mitigations would be distributed, and a public announcement was planned. However, for various reasons, information regarding both Meltdown and Spectre vulnerabilities began to leak into the public Sphere prior to this planned announcement. This information including proof-of-concept exploit code was sufficient enough to force the companies to accelerate the termination of the embargo and move up their announcement by a week. Though this schedule adj ustrnent has not seemed to overly impact the effectiveness of the response, it does raise questions related to the effects and appropriateness of the embargo on companies not originally included in the June 201'? disclosure, and who were caught off- guard by the January 4 announcement. 
For example, some observers have raised questions about the effect of the embargo on the ability of companies not included in the original June 2017 disclosure to protect their own products and users, compared to those companies that were included. One such company, for example, stated the following, ?[u]nfortunately, the strict embargo placed by Intel has signi?cantly limited our ability to establish a comprehensive understanding of the potential impact."6 In addition, some users and companies are now reporting that some of the patches offered to address the vulnerabilities are themselves creating new problems, such as freezing patched computers or interfering with anti-virus products? As nearly all modern technology companies are impacted by these vulnerabilities, and less than ten companies were included in the original June 2017 disclosure, it is reasonable to assume that additional companies have been negatively impacted by the embargo. While we acknowledge that critical vulnerabilities such as these create challenging trade- offs between disclosure and secrecy, as premature disclosure may give malicious actors time to 3 Id. 4 See supra note 1. 5 See supra note 2. ?3 Josh Feinblum, A Message About hire! Security Findings, DIGITALOCEAN (J an. 5, 2018), 7 Eric Auchard Supantha Mukherjee, Microso? says security patches slowing down PCs. servers, REUTERS (Jan. 9, 2013), icr_o_sofl-sa\ s?securitv unarches-slowing?down; I 1in Letter to Mr. Cook Page 3 exploit the vulnerabilities before mitigations are developed and deployed, we believe that this situation has shown the need for additional scrutiny regarding multi?party coordinated vulnerability disclosures. As demonstrated by numerous incidents over the past several years, cybersecurity is a collective responsibility. 
Further, it is a responsibility that is no longer limited solely to the information technology sector; connected products exist in electric grids, hospitals, manufacturing equipment, and in innumerable other sectors. As more products and services become connected, no one company, or even one sector, working in isolation can provide Suf?cient protection for their products and users. Today, effective responses require extensive collaboration not only between individual companies, but also across sectors traditionally siloed from one another. This reality raises serious questions about not just the embargo imposed on information regarding the Meltdown and Spectre vulnerabilities, but on embargos regarding cybersecurity vulnerabilities in general. Therefore, and pursuant to Rules and XI of the United States House of Representatives, we ask that you respond to the following questions as soon as possible, but by no later than February 7, 2018: 1. Why was an information embargo related to the Meltdown and Spectre vulnerabilities imposed? 2. What company or combination of companies proposed the embargo? 3. When was the United States Computer Emergency Readiness Team (US-CERT) informed of the vulnerabilities? 4. When was the Computer Emergency Readiness Team Coordination Center (CERTICC) informed of the vulnerabilities? 5. Did your- company perform any analyses to determine whether the embargo could have any negative impacts on critical infrastructure sectors such as healthcare and energy that rely on affected products? a. If so, what were the results? b. If no, why not? 6. Did your company perform any analyses to determine whether the embargo could have any negative impacts on other information technology companies that rely on affected products? a. If so, what were the results? b. If no, why not? Letter to Mr. Cook Page 4 7. What resources or best practices did your company use in deciding to implement the embargo? 8. 
What resources or best practices did your company use in implementing the embargo itself? 9. Based on your company?s experience during this process, has your company established lessons learned relating to multi-party coordinated vulnerability disclosure? a. What are they? Please also arrange to provide a brie?ng on these issues to Committee staff by February 7, 2018. We appreciate your assistance with this request. If you should have any questions, please contact Jessica Wilkerson or John 0th of the Majority Committee staff at (202) 225? 2927. Sincerely, @004? Wm/ Gre alden MWlackburn Chairman Chairman Subcommittee on Communications and Technology Robert?EW Latta Gregg Harp Chairman Chairman Subcommittee on Digital Commerce Subcommittee on Oversight and Consumer Protection and Investigations GREG WALDEN. OREGON FRANK PALLONE, JR.. NEW CHAIRMAN RANKING MEMBER ONE HUNDRED FIFTEENTH CONGRESS (increase at the (linden ?tates amuse of COMMITTEE ON ENERGY AND COMMERCE 2125 RAYBURN House OFFICE BUILDING WASHINGTON, DC 20515?6115 MaonIty 225?292? Minonrv 0021225 38M January 24, 2018 Mr. Jeff Bezos Chairman, President, and Chief Executive Of?cer Amazon 410 Terry Ave. North Seattle, WA 98109 Dear Mr. Bezos: On January 4, 2018, several companies across the information technology sector released statements addressing researchers? discovery of two serious cybersecurity vulnerabilities affecting the companies? products.1 These vulnerabilities dubbed ?Meltdown? and ?Spectre? enable unauthorized access to information on systems using the affected processors, potentially facilitating the theft of sensitive data.2 Considering that nearly all modern computing systems including phones, laptops, and cloud services rely on vulnerable chipsets, Meltdown and Spectre are serious vulnerabilities requiring a coordinated response. Commendably, that coordinated response has already occurred. 
Affected companies began collaborating in June 2017, when researchers from Google?s Project Zero a team dedicated to ?nding critical vulnerabilities such as these informed the most heavily-impacted Intel Responds to Security Research Findings, INTEL (Jan. 3, 2018), An Update on AMD Processor Securing AMD, Vulnerability of Speculative Processors to Cache Timing Side-Channel Mechanism, ARM (Jan. 3, 2018), -updalc; About speculative execution vulnerabilities in ARM-based and intel CPUs, APPLE (Jan. 5, 2018), Guidance for mitigating speculative execution side-channel vulnerabilities, MICROSOFT (Jan. 5, 2018), Processor Speculative Execution Research Disclosure, AMAZON WEB SERVICES (Jan. 7, 2018), I 84) I Google ?s Mitigations Against CPU speculative Execution Attack Methods, GDOGLE (Jan. 3, 2013), I 38. 2 Peter Bright, Meltdown and Spectre: Here is what lntel, Apple, Microso?, others are doing about it, ARS TECHNICA (Jan. 5, 2018), others-are-doing-about-itl. Letter to Mr. Bezos Page 2 companies about the vulnerabilities.3 Since that time, these companies have released staggered updates to their various products to mitigate the effects.4 More work remains to be done, however, because the vulnerabilities stem from a common and previously accepted computer engineering method. As such, full mitigation will require the rearchitecting of many chipsets. This is not a trivial problem, and will take some time to address. We applaud the industry response and appreciate the efforts of affected companies to protect their products and users. The general consensus seems to agree that these initial efforts have mitigated the worst of the danger.5 Some members of the industry, however, have raised concerns about one major aspect of the response, namely the information embargo instituted by the limited number of companies originally informed about the vulnerabilities in June 2017. 
This embargo restricted the dissemination of information related to the vulnerabilities outside of these companies, and was meant to last from June 2017 to January 9, 2013, when most of the mitigations would be distributed, and a public announcement was planned. However, for various reasons, infonnation regarding both Meltdown and Spectre vulnerabilities began to leak into the public sphere prior to this planned announcement. This information including proof-of-concept exploit code was suf?cient enough to force the companies to accelerate the termination of the embargo and move up their announcement by a week. Though this schedule adjustment has not seemed to overly impact the effectiveness of the response, it does raise questions related to the effects and appropriateness of the embargo on companies not originally included in the June 2017' disclosure, and who were caught off-guard by the January 4 announcement. For example, some observers have raised questions about the effect of the embargo on the ability of companies not included in the original June 2017' disclosure to protect their own products and users, compared to those companies that were included. One such company, for example, stated the following, "[u]nfortunately, the strict embargo placed by Intel has signi?cantly limited our ability to establish a comprehensive understanding of the potential impact."6 In addition, some users and companies are now reporting that some of the patches offered to address the vulnerabilities are themselves creating new problems, such as freezing patched computers or interfering with anti?virus products.T As nearly all modern technology companies are impacted by these vulnerabilities, and less than ten companies were included in the original June 2017 disclosure, it is reasonable to assume that additional companies have been negatively impacted by the embargo. 
While we acknowledge that critical vulnerabilities such as these create challenging trade- offs between disclosure and secrecy, as premature disclosure may give malicious actors time to 3 Id. See supra note 1. 5 See supra note 2. ?5 Josh Feinblum, A Message About Intel Security Findings, DIGITALOCEAN (Jan. 5, 2018), hit Eric Auchard Supantha Mukherjce, Microro? says securig: patches slowing down PCs, servers, REUTERS (Jan. 9, 2018), lug-down- pcs-servers-idUSKBN Eifli?. Letter to Mr. Bezos Page 3 exploit the vulnerabilities before mitigations are developed and deployed, we believe that this situation has shown the need for additional scrutiny regarding multi?party coordinated vulnerability disclosures. As demonstrated by numerous incidents over the past several years, cybersecurity is a collective responsibility. Further, it is a responsibility that is no longer limited solely to the information technology sector; connected products exist in electric grids, hospitals, manufacturing equipment, and in innumerable other sectors. As more products and services become connected, no one company, or even one sector, working in isolation can provide suf?cient protection for their products and users. Today, effective responses require extensive collaboration not only between individual companies, but also across sectors traditionally siloed from one another. This reality raises serious questions about not just the embargo imposed on information regarding the Meltdown and Spectre vulnerabilities, but on embargos regarding cybersecurity vulnerabilities in general. Therefore, and pursuant to Rules and XI of the United States House of Representatives, we ask that you respond to the following questions as soon as possible, but by no later than February 2013: 1. Why was an information embargo related to the Meltdovm and Spectre vulnerabilities imposed? 2. What company or combination of companies proposed the embargo? 3. 
When was the United States Computer Emergency Readiness Team (US-CERT) informed of the vulnerabilities? 4. When was the Computer Emergency Readiness Team Coordination Center CC) informed of the vulnerabilities? 5. Did your company perform any analyses to determine whether the embargo could have any negative impacts on critical infrastructure sectors such as healthcare and energy that rely on affected products? a. If so, what were the results? b. If no, why not? 6. Did your company perform any analyses to determine whether the embargo could have any negative impacts on other information technology companies that rely on affected products? a. If so, what were the results? b. If no, Why not? Letter to Mr. Bezos Page 4 7. What resources or best practices did your company use in deciding to implement the embargo? 8. What resources or best practices did your company use in implementing the embargo itself? 9. Based on your company's experience during this process, has your company established lessons learned relating to multi-party coordinated vulnerability disclosure? a. What are they? Please also arrange to provide a brie?ng on these issues to Committee staff by February 7, 2013. We appreciate your assistance with this request. If you should have any questions, please contact Jessica Wilkerson or John Ohly of the Majority Committee staff at (202) 22 5 - 292?. Sincerely, W2 Greg Mean Chairman Chairman Subcommittee on Communications and Technology Robert?E. Latta Gregg Chairman Chairman Subcommittee on Digital Commerce Subcommittee on Oversight and Consumer Protection and Investigations GREG WALDEN, OREGON FRANK PALLONE. JR., RANKING MEMBER ONE HUNDRED FIFTEENTH CONGRESS at the @Hniteh ?tates locus: of iRtpresmItatihes COMMITTEE ON ENERGY AND COMMERCE 2125 RAYBURN HOUSE OFFICE BUILDING WASHINGTON, DC 20515?5115 Majmilv Mrnontv 3841 January 24, 2018 Ms. Lisa T. Su Chief Executive Of?cer and President Advanced Micro Devices, Inc. 
2485 Augustine Drive Santa Clara, CA 95054 Dear Ms. Su: On January 4, 2018, several companies across the information technology sector released statements addressing researchers? discovery of two serious cybersecurity vulnerabilities affecting the companies? products.1 These vulnerabilities dubbed ?Meltdown? and ?Spectre? enable unauthorized access to information on systems using the affected processors, potentially facilitating the theft of sensitive data.2 Considering that nearly all modern computing systems including phones, laptops, and cloud services rely on vulnerable chipsets, Meltdown and Spectre are serious vulnerabilities requiring a coordinated response. Commendably, that coordinated response has already occurred. Affected companies began collaborating in June 2017, when researchers from Google's Project Zero a team dedicated to ?nding critical vulnerabilities such as these informed the most heavily-impacted intei Responds to Security Research Findings, INTEL (Jan. 3, 2013), An Update on AMD Processor Securigx, AMD, Vulnerability of Speculative Processors to Cache Timing Side-Channei Mechanism, ARM (Jan. 3, 2013), About speculative execution vulnerabilities in A RM-oasea' ana' iniei CPUs, APPLE (Jan. 5, 2018), Guidance for mitigating specuiative execution side-channei MICROSOFT (Jan. 5, 2018), -'virtua1- Processor Specuiative Execution Research Disciosure, AMAZON WEB SERVICES (J an, 2018), 8?0 13 Googie ?s Mitigations Against CPU speculative Execution Attack Methods, GOOGLE (Jan. 3, 2013), buns uDDort. googlc. com-Tan 3 8. 2 Peter Bright, Meltdown and Spectre: Here ?5 what intei, Apple, Microsoft, others are doing about it, ARS TECHNICA (Jan. 5, 2018), sets-"20 3.90 Letter to Ms. 
Su Page 2 companies about the vulnerabilities.3 Since that time, these companies have released staggered updates to their various products to mitigate the effects.?4 More work remains to be done, however, because the vulnerabilities stem from a common and previously accepted computer engineering method. As such, full mitigation will require the rearchitecting of many chipsets. This is not a trivial problem, and will take some time to address. We applaud the industry response and appreciate the efforts of affected companies to protect their products and users. The general consensus seems to agree that these initial efforts have mitigated the worst of the danger.5 Some members of the industry, however, have raised concerns about one major aspect of the response, namely the information embargo instituted by the limited number of companies originally informed about the vulnerabilities in June 2017. This embargo restricted the dissemination of information related to the vulnerabilities outside of these companies, and was meant to last from one 2017 to January 9, 2018, when most of the mitigations would be distributed, and a public armouncement was planned. However, for various reasons, information regarding both Meltdown and Spectre vulnerabilities began to leak into the public Sphere prior to this planned announcement. This information including proof-of?concept exploit code was suf?cient enough to force the companies to accelerate the termination of the embargo and move up their announcement by a week. Though this schedule adjustment has not seemed to overly impact the effectiveness of the response, it does raise questions related to the effects and appropriateness of the embargo on companies not originally included in the June 2017 disclosure, and who were caught off-guard by the January 4 announcement. 
For example, some observers have raised questions about the effect of the embargo on the ability of companies not included in the original une 2017 disclosure to protect their own products and users, compared to those companies that were included. One such company, for example, stated the following, "[u]nfortunately, the strict embargo placed by Intel has signi?cantly limited our ability to establish a comprehensive understanding of the potential impact)?5 In addition, some users and companies are now reportng that some of the patches offered to address the vulnerabilities are themselves creating new problems, such as freezing patched computers or interfering with anti-virus products.T As nearly all modern technology companies are impacted by these vulnerabilities, and less than ten companies were included in the original June 2017 disclosure, it is reasonable to assume that additional companies have been negatively impacted by the embargo. While we acknowledge that critical vulnerabilities such as these create challenging trade- offs between disclosure and secrecy, as premature disclosure may give malicious actors time to 3 Id. 4 See supra note 1. 5 See Supra note 2. 6 Josh Feinblum, A Message About Intel Socorro; Findings, DIGITALOCEAN (Jan. 5, 2018), 7 Eric Auchard Supantha Mukherjee, Microso? 3qu security patches slowing down PCs, servers, REUTERS (J an. 9, 2018), renters. con_i jar_ti_c ips-amd: icrosofl-sa?, s-sccuritv-natches-slow in a-tlown- pcs-servers-idLESKBN EYE. Letter to Ms. Su Page 3 exploit the vulnerabilities before mitigations are developed and deployed, we believe that this situation has shown the need for additional scrutiny regarding multi-party coordinated vulnerability disclosures. As demonstrated by numerous incidents over the past several years, cyberseeurity is a collective responsibility. 
Further, it is a responsibility that is no longer limited solely to the information technology sector; connected products exist in electric grids, hospitals, manufacturing equipment, and in innumerable other sectors. As more products and services become connected, no one company, or even one sector, working in isolation can provide suf?cient protection for their products and users. Today, effective responses require extensive collaboration not only between individual companies, but also across sectors traditionally siloed from one another. This reality raises serious questions about not just the embargo imposed on information regarding the Meltdown and Spectre vulnerabilities, but on embargos regarding cybersewrity vulnerabilities in general. Therefore, and pursuant to Rules and XI of the United States House of Representatives, we ask that you respond to the following questions as soon as possible, but by no later than February 7, 2018: 1. Why was an information embargo related to the Meltdown and Spectre vulnerabilities imposed? 2. What company or combination of companies proposed the embargo? 3. When was the United States Computer Emergency Readiness Team (US-CERT) informed of the vulnerabilities? 4. When was the Computer Emergency Readiness Team Coordination Center informed of the vulnerabilities? 5. Did your company perform any analyses to determine whether the embargo could have any negative impacts on critical infrastructure sectors such as healthcare and energy that rely on affected products? a. if so, what were the results? b. If no, why not? 6. Did your company perform any analyses to determine whether the embargo could have any negative impacts on other information technology companies that rely on affected products? a. If so, what were the results? b. If no, why not? Letter to Ms. Su Page 4 7. What resources or best practices did your company use in deciding to implement the embargo? 8. 
What resources or best practices did your company use in implementing the embargo itself? 9. Based on your company?s experience during this process, has your company established lessons learned relating to multi-party coordinated vulnerability disclosure? a. What are they? Please also arrange to provide a brie?ng on these issues to Committee staff by February 7, 2013. We appreciate your assistance with this request. If you should have any questions, please contact Jessica Wilkerson or John Ohly of the Majority Committee staff at (202) 225- 2927. Sincerely, 4,04%, W4 Greg lden Mchbum Chai an Chairman Subcommittee on Communications and Technology Robert E. Latta Chairman Chairman Subcommittee on Digital Commerce Subcommittee on Oversight and Consumer Protection and Investigations WALDEN, OREGON FRANK PALLONE. JR., NEW JERSEY CHAIRMAN RANKING MEMBER ONE HUNDRED FIFTEENTH CONGRESS (tongues of the ?annel] ?tatee ilpuuse at isrpresmtatihre COMMITTEE ON ENERGY AND COMMERCE 2125 HAYBUFIN Houss OFFICE BUILDING WASHINGTON, DC 20515?6115 Maitiritv (2621225292? Minoritv ?20231 NS 3641 January 24, 2018 Mr. Simon Segars Chief Executive Of?cer ARM Holdings, PLC 150 Rose Orchard Way San Jose, CA 95134 Dear Mr. Segars: On January 4, 2018, several companies across the information technology sector released statements addressing researchers? discovery of two serious cybersecurity vulnerabilities affecting the companies? products.l These vulnerabilities dubbed ?Meltdown? and ?Spectre? enable unauthorized access to information on systems using the affected processors, potentially facilitating the theft of sensitive data.2 Considering that nearly all modern computing systems including phones, laptops, and cloud services rely on vulnerable chipsets, Meltdown and Spectre are serious vulnerabilities requiring a coordinated response. Commendably, that coordinated response has already occurred. 
Affected companies began collaborating in June 2017, when researchers from Goo gie's Project Zero a team dedicated to ?nding critical vulnerabilities such as these informed the most heavily-impacted lntei Responds to Security Research Findings, INTEL (Jan. 3, 2018), An Update an AMD Processor Security, AMD, Vulnerability of Speculative Processors to Cache Timing Side-Channel Mechanism, ARM (Jan. 3, 2013), About speculative execution vulnerabilities in ARM-based and lntel CPUs, APPLE (Jan. 5, 2018), Guidance for mitigating speculative execution side-channel vulnerabilities, MICROSOFT (Jan. 5, 2013), "virtual- machineslwindowsimitiaate-se; Processor Speculative Execution Research Disclosure, AMAZON WEB SERVICES (Jan, 7, 2018), 18-013"; Google ?s Mitigations Against CPU speculative Execution Attack Methods, GOOGLE (Jan. 3, 2018}, support. I 38. 2 Peter Bright, Meltdown and Spectre: Here ?s what lntel. Apple, Microso?, others are doing about it, ARS TECHNICA (Jan. 5, 2013), Letter to Mr. Segars Page 2 companies about the vulnerabilities.3 Since that time, these companies have released staggered updates to their various products to mitigate the effects.4 More work remains to be done, however, because the vulnerabilities stem from a common and previously accepted computer engineering method. As such, full mitigation will require the rearchitecting of many chipsets. This is not a trivial problem, and will take some time to address. We applaud the industry response and appreciate the efforts of affected companies to protect their products and users. The general consensus seems to agree that these initial efforts have mitigated the worst of the danger.5 Some members of the industry, however, have raised concerns about one major aspect of the response, namely the information embargo instituted by the limited number of companies originally informed about the vulnerabilities in June 2017. 
This embargo restricted the dissemination of information related to the vulnerabilities outside of these companies, and was meant to last from June 2017 to January 9, 2018, when most of the mitigations would be distributed, and a public announcement was planned. However, for various reasons, information regarding both Meltdown and Spectre vulnerabilities began to leak into the public sphere prior to this planned announcement. This information including proof-of?concept exploit code was suf?cient enough to force the companies to accelerate the termination of the embargo and move up their announcement by a week. Though this schedule adjustment has not seemed to overly impact the effectiveness of the response, it does raise questions related to the effects and appropriateness of the embargo on companies not originally included in the June 2017 disclosure, and who were caught off-guard by the January 4 announcement. Fer example, some observers have raised questions about the effect of the embargo on the ability of companies not included in the original June 2017 disclosure to protect their own products and users, compared to those companies that were included. One Such company, for example, stated the following, "[u]nfortunate1y, the strict embargo placed by Intel has signi?cantly limited our ability to establish a comprehensive understanding of the potential impact."6 In addition, some users and companies are now reporting that some of the patches offered to address the vulnerabilities are themselves creating new problems, such as freezing patched computers or interfering with anti-virus products? As nearly all modern technology companies are impacted by these vulnerabilities, and less than ten companies were included in the original June 2017 disclosure, it is reasonable to assume that additional companies have been negatively impacted by the embargo. 
While we acknowledge that critical vulnerabilities such as these create challenging trade-offs between disclosure and secrecy, as premature disclosure may give malicious actors time to exploit the vulnerabilities before mitigations are developed and deployed, we believe that this situation has shown the need for additional scrutiny regarding multiparty coordinated vulnerability disclosures.

3 Id.
4 See supra note 1.
5 See supra note 2.
6 Josh Feinblum, A Message About Intel Security Findings, DIGITALOCEAN (Jan. 5, 2018).
7 Eric Auchard & Supantha Mukherjee, Microsoft says security patches slowing down PCs, servers, REUTERS (Jan. 9, 2018).

Letter to Mr. Segars Page 3

As demonstrated by numerous incidents over the past several years, cybersecurity is a collective responsibility. Further, it is a responsibility that is no longer limited solely to the information technology sector; connected products exist in electric grids, hospitals, manufacturing equipment, and in innumerable other sectors. As more products and services become connected, no one company, or even one sector, working in isolation can provide sufficient protection for their products and users. Today, effective responses require extensive collaboration not only between individual companies, but also across sectors traditionally siloed from one another. This reality raises serious questions about not just the embargo imposed on information regarding the Meltdown and Spectre vulnerabilities, but on embargos regarding cybersecurity vulnerabilities in general.

Therefore, and pursuant to Rules X and XI of the United States House of Representatives, we ask that you respond to the following questions as soon as possible, but by no later than February 7, 2018:

1. Why was an information embargo related to the Meltdown and Spectre vulnerabilities imposed?
2. What company or combination of companies proposed the embargo?
3. When was the United States Computer Emergency Readiness Team (US-CERT) informed of the vulnerabilities?
4. When was the Computer Emergency Readiness Team Coordination Center (CERT/CC) informed of the vulnerabilities?
5. Did your company perform any analyses to determine whether the embargo could have any negative impacts on critical infrastructure sectors such as healthcare and energy that rely on affected products?
   a. If so, what were the results?
   b. If no, why not?
6. Did your company perform any analyses to determine whether the embargo could have any negative impacts on other information technology companies that rely on affected products?
   a. If so, what were the results?
   b. If no, why not?

Letter to Mr. Segars Page 4

7. What resources or best practices did your company use in deciding to implement the embargo?
8. What resources or best practices did your company use in implementing the embargo itself?
9. Based on your company's experience during this process, has your company established lessons learned relating to multi-party coordinated vulnerability disclosure?
   a. What are they?

Please also arrange to provide a briefing on these issues to Committee staff by February 7, 2018. We appreciate your assistance with this request. If you should have any questions, please contact Jessica Wilkerson or John 0th of the Majority Committee staff at (202) 225-2927.

Sincerely,

Greg Walden, Chairman
Marsha Blackburn, Chairman, Subcommittee on Communications and Technology
Robert E. Latta, Chairman, Subcommittee on Digital Commerce and Consumer Protection
Gregg Harper, Chairman, Subcommittee on Oversight and Investigations

January 24, 2018

Mr. Sundar Pichai
Chief Executive Officer
Google, Inc.
1600 Amphitheatre Parkway
Mountain View, CA 94043

Dear Mr. Pichai:

On January 4, 2018, several companies across the information technology sector released statements addressing researchers' discovery of two serious cybersecurity vulnerabilities affecting the companies' products.1 These vulnerabilities, dubbed "Meltdown" and "Spectre," enable unauthorized access to information on systems using the affected processors, potentially facilitating the theft of sensitive data.2 Considering that nearly all modern computing systems, including phones, laptops, and cloud services, rely on vulnerable chipsets, Meltdown and Spectre are serious vulnerabilities requiring a coordinated response.

Commendably, that coordinated response has already occurred. Affected companies began collaborating in June 2017, when researchers from Google's Project Zero, a team dedicated to finding critical vulnerabilities such as these, informed the most heavily-impacted companies about the vulnerabilities.3

1 Intel Responds to Security Research Findings, INTEL (Jan. 3, 2018); An Update on AMD Processor Security, AMD; Vulnerability of Speculative Processors to Cache Timing Side-Channel Mechanism, ARM (Jan. 3, 2018); About speculative execution vulnerabilities in ARM-based and Intel CPUs, APPLE (Jan. 5, 2018); Guidance for mitigating speculative execution side-channel vulnerabilities, MICROSOFT (Jan. 5, 2018); Processor Speculative Execution Research Disclosure, AMAZON WEB SERVICES (Jan. 7, 2018); Google's Mitigations Against CPU Speculative Execution Attack Methods, GOOGLE (Jan. 3, 2018).
2 Peter Bright, Meltdown and Spectre: Here's what Intel, Apple, Microsoft, others are doing about it, ARS TECHNICA (Jan. 5, 2018).

Letter to Mr. Pichai Page 2
Since that time, these companies have released staggered updates to their various products to mitigate the effects.4 More work remains to be done, however, because the vulnerabilities stem from a common and previously accepted computer engineering method. As such, full mitigation will require the rearchitecting of many chipsets. This is not a trivial problem, and will take some time to address.

We applaud the industry response and appreciate the efforts of affected companies to protect their products and users. The general consensus seems to agree that these initial efforts have mitigated the worst of the danger.5 Some members of the industry, however, have raised concerns about one major aspect of the response, namely the information embargo instituted by the limited number of companies originally informed about the vulnerabilities in June 2017. This embargo restricted the dissemination of information related to the vulnerabilities outside of these companies, and was meant to last from June 2017 to January 9, 2018, when most of the mitigations would be distributed, and a public announcement was planned. However, for various reasons, information regarding both Meltdown and Spectre vulnerabilities began to leak into the public sphere prior to this planned announcement. This information, including proof-of-concept exploit code, was sufficient enough to force the companies to accelerate the termination of the embargo and move up their announcement by a week. Though this schedule adjustment has not seemed to overly impact the effectiveness of the response, it does raise questions related to the effects and appropriateness of the embargo on companies not originally included in the June 2017 disclosure, and who were caught off-guard by the January 4 announcement.
For example, some observers have raised questions about the effect of the embargo on the ability of companies not included in the original June 2017 disclosure to protect their own products and users, compared to those companies that were included. One such company, for example, stated the following: "[u]nfortunately, the strict embargo placed by Intel has significantly limited our ability to establish a comprehensive understanding of the potential impact."6 In addition, some users and companies are now reporting that some of the patches offered to address the vulnerabilities are themselves creating new problems, such as freezing patched computers or interfering with anti-virus products.7 As nearly all modern technology companies are impacted by these vulnerabilities, and less than ten companies were included in the original June 2017 disclosure, it is reasonable to assume that additional companies have been negatively impacted by the embargo.

While we acknowledge that critical vulnerabilities such as these create challenging trade-offs between disclosure and secrecy, as premature disclosure may give malicious actors time to exploit the vulnerabilities before mitigations are developed and deployed, we believe that this situation has shown the need for additional scrutiny regarding multi-party coordinated vulnerability disclosures.

3 Id.
4 See supra note 1.
5 See supra note 2.
6 Josh Feinblum, A Message About Intel Security Findings, DIGITALOCEAN (Jan. 5, 2018).
7 Eric Auchard & Supantha Mukherjee, Microsoft says security patches slowing down PCs, servers, REUTERS (Jan. 9, 2018).

Letter to Mr. Pichai Page 3

As demonstrated by numerous incidents over the past several years, cybersecurity is a collective responsibility. Further, it is a responsibility that is no longer limited solely to the information technology sector; connected products exist in electric grids, hospitals, manufacturing equipment, and in innumerable other sectors.
As more products and services become connected, no one company, or even one sector, working in isolation can provide sufficient protection for their products and users. Today, effective responses require extensive collaboration not only between individual companies, but also across sectors traditionally siloed from one another. This reality raises serious questions about not just the embargo imposed on information regarding the Meltdown and Spectre vulnerabilities, but on embargos regarding cybersecurity vulnerabilities in general.

Therefore, and pursuant to Rules X and XI of the United States House of Representatives, we ask that you respond to the following questions as soon as possible, but by no later than February 7, 2018:

1. Why was an information embargo related to the Meltdown and Spectre vulnerabilities imposed?
2. What company or combination of companies proposed the embargo?
3. When was the United States Computer Emergency Readiness Team (US-CERT) informed of the vulnerabilities?
4. When was the Computer Emergency Readiness Team Coordination Center (CERT/CC) informed of the vulnerabilities?
5. Did your company perform any analyses to determine whether the embargo could have any negative impacts on critical infrastructure sectors such as healthcare and energy that rely on affected products?
   a. If so, what were the results?
   b. If no, why not?
6. Did your company perform any analyses to determine whether the embargo could have any negative impacts on other information technology companies that rely on affected products?
   a. If so, what were the results?
   b. If no, why not?

Letter to Mr. Pichai Page 4

7. What resources or best practices did your company use in deciding to implement the embargo?
8. What resources or best practices did your company use in implementing the embargo itself?
9. Based on your company's experience during this process, has your company established lessons learned relating to multi-party coordinated vulnerability disclosure?
   a. What are they?
Please also arrange to provide a briefing on these issues to Committee staff by February 7, 2018. We appreciate your assistance with this request. If you should have any questions, please contact Jessica Wilkerson or John 0th of the Majority Committee staff at (202) 225-2927.

Sincerely,

Greg Walden, Chairman
Marsha Blackburn, Chairman, Subcommittee on Communications and Technology
Robert E. Latta, Chairman, Subcommittee on Digital Commerce and Consumer Protection
Gregg Harper, Chairman, Subcommittee on Oversight and Investigations

January 24, 2018

Mr. Brian Krzanich
Chief Executive Officer
Intel Corporation
2200 Mission College
Santa Clara, CA 95054

Dear Mr. Krzanich:

On January 4, 2018, several companies across the information technology sector released statements addressing researchers' discovery of two serious cybersecurity vulnerabilities affecting the companies' products.1 These vulnerabilities, dubbed "Meltdown" and "Spectre," enable unauthorized access to information on systems using the affected processors, potentially facilitating the theft of sensitive data.2 Considering that nearly all modern computing systems, including phones, laptops, and cloud services, rely on vulnerable chipsets, Meltdown and Spectre are serious vulnerabilities requiring a coordinated response.

Commendably, that coordinated response has already occurred. Affected companies began collaborating in June 2017, when researchers from Google's Project Zero, a team dedicated to finding critical vulnerabilities such as these, informed the most heavily-impacted companies about the vulnerabilities.3

1 Intel Responds to Security Research Findings, INTEL (Jan. 3, 2018); An Update on AMD Processor Security, AMD; Vulnerability of Speculative Processors to Cache Timing Side-Channel Mechanism, ARM (Jan. 3, 2018); About speculative execution vulnerabilities in ARM-based and Intel CPUs, APPLE (Jan. 5, 2018); Guidance for mitigating speculative execution side-channel vulnerabilities, MICROSOFT (Jan. 5, 2018); Processor Speculative Execution Research Disclosure, AMAZON WEB SERVICES (Jan. 7, 2018); Google's Mitigations Against CPU Speculative Execution Attack Methods, GOOGLE (Jan. 3, 2018).
2 Peter Bright, Meltdown and Spectre: Here's what Intel, Apple, Microsoft, others are doing about it, ARS TECHNICA (Jan. 5, 2018).

Letter to Mr. Krzanich Page 2

Since that time, these companies have released staggered updates to their various products to mitigate the effects.4 More work remains to be done, however, because the vulnerabilities stem from a common and previously accepted computer engineering method. As such, full mitigation will require the rearchitecting of many chipsets. This is not a trivial problem, and will take some time to address.

We applaud the industry response and appreciate the efforts of affected companies to protect their products and users. The general consensus seems to agree that these initial efforts have mitigated the worst of the danger.5 Some members of the industry, however, have raised concerns about one major aspect of the response, namely the information embargo instituted by the limited number of companies originally informed about the vulnerabilities in June 2017. This embargo restricted the dissemination of information related to the vulnerabilities outside of these companies, and was meant to last from June 2017 to January 9, 2018, when most of the mitigations would be distributed, and a public announcement was planned.
However, for various reasons, information regarding both Meltdown and Spectre vulnerabilities began to leak into the public sphere prior to this planned announcement. This information, including proof-of-concept exploit code, was sufficient enough to force the companies to accelerate the termination of the embargo and move up their announcement by a week. Though this schedule adjustment has not seemed to overly impact the effectiveness of the response, it does raise questions related to the effects and appropriateness of the embargo on companies not originally included in the June 2017 disclosure, and who were caught off-guard by the January 4 announcement.

For example, some observers have raised questions about the effect of the embargo on the ability of companies not included in the original June 2017 disclosure to protect their own products and users, compared to those companies that were included. One such company, for example, stated the following: "[u]nfortunately, the strict embargo placed by Intel has significantly limited our ability to establish a comprehensive understanding of the potential impact."6 In addition, some users and companies are now reporting that some of the patches offered to address the vulnerabilities are themselves creating new problems, such as freezing patched computers or interfering with anti-virus products.7 As nearly all modern technology companies are impacted by these vulnerabilities, and less than ten companies were included in the original June 2017 disclosure, it is reasonable to assume that additional companies have been negatively impacted by the embargo.

While we acknowledge that critical vulnerabilities such as these create challenging trade-offs between disclosure and secrecy, as premature disclosure may give malicious actors time to exploit the vulnerabilities before mitigations are developed and deployed, we believe that this situation has shown the need for additional scrutiny regarding multi-party coordinated vulnerability disclosures.

3 Id.
4 See supra note 1.
5 See supra note 2.
6 Josh Feinblum, A Message About Intel Security Findings, DIGITALOCEAN (Jan. 5, 2018).
7 Eric Auchard & Supantha Mukherjee, Microsoft says security patches slowing down PCs, servers, REUTERS (Jan. 9, 2018).

Letter to Mr. Krzanich Page 3

As demonstrated by numerous incidents over the past several years, cybersecurity is a collective responsibility. Further, it is a responsibility that is no longer limited solely to the information technology sector; connected products exist in electric grids, hospitals, manufacturing equipment, and in innumerable other sectors. As more products and services become connected, no one company, or even one sector, working in isolation can provide sufficient protection for their products and users. Today, effective responses require extensive collaboration not only between individual companies, but also across sectors traditionally siloed from one another. This reality raises serious questions about not just the embargo imposed on information regarding the Meltdown and Spectre vulnerabilities, but on embargos regarding cybersecurity vulnerabilities in general.

Therefore, and pursuant to Rules X and XI of the United States House of Representatives, we ask that you respond to the following questions as soon as possible, but by no later than February 7, 2018:

1. Why was an information embargo related to the Meltdown and Spectre vulnerabilities imposed?
2. What company or combination of companies proposed the embargo?
3. When was the United States Computer Emergency Readiness Team (US-CERT) informed of the vulnerabilities?
4. When was the Computer Emergency Readiness Team Coordination Center (CERT/CC) informed of the vulnerabilities?
5. Did your company perform any analyses to determine whether the embargo could have any negative impacts on critical infrastructure sectors such as healthcare and energy that rely on affected products?
   a. If so, what were the results?
   b. If no, why not?
6. Did your company perform any analyses to determine whether the embargo could have any negative impacts on other information technology companies that rely on affected products?
   a. If so, what were the results?
   b. If no, why not?

Letter to Mr. Krzanich Page 4

7. What resources or best practices did your company use in deciding to implement the embargo?
8. What resources or best practices did your company use in implementing the embargo itself?
9. Based on your company's experience during this process, has your company established lessons learned relating to multi-party coordinated vulnerability disclosure?
   a. What are they?

Please also arrange to provide a briefing on these issues to Committee staff by February 7, 2018. We appreciate your assistance with this request. If you should have any questions, please contact Jessica Wilkerson or John 0th of the Majority Committee staff at (202) 225-2927.

Sincerely,

Greg Walden, Chairman
Marsha Blackburn, Chairman, Subcommittee on Communications and Technology
Robert E. Latta, Chairman, Subcommittee on Digital Commerce and Consumer Protection
Gregg Harper, Chairman, Subcommittee on Oversight and Investigations

January 24, 2018

Mr. Satya Nadella
Chief Executive Officer
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052

Dear Mr. Nadella:

On January 4, 2018, several companies across the information technology sector released statements addressing researchers' discovery of two serious cybersecurity vulnerabilities affecting the companies' products.1 These vulnerabilities, dubbed "Meltdown" and "Spectre," enable unauthorized access to information on systems using the affected processors, potentially facilitating the theft of sensitive data.2 Considering that nearly all modern computing systems, including phones, laptops, and cloud services, rely on vulnerable chipsets, Meltdown and Spectre are serious vulnerabilities requiring a coordinated response.

Commendably, that coordinated response has already occurred. Affected companies began collaborating in June 2017, when researchers from Google's Project Zero, a team dedicated to finding critical vulnerabilities such as these, informed the most heavily-impacted companies about the vulnerabilities.3

1 Intel Responds to Security Research Findings, INTEL (Jan. 3, 2018); An Update on AMD Processor Security, AMD; Vulnerability of Speculative Processors to Cache Timing Side-Channel Mechanism, ARM (Jan. 3, 2018); About speculative execution vulnerabilities in ARM-based and Intel CPUs, APPLE (Jan. 5, 2018); Guidance for mitigating speculative execution side-channel vulnerabilities, MICROSOFT (Jan. 5, 2018); Processor Speculative Execution Research Disclosure, AMAZON WEB SERVICES (Jan. 7, 2018); Google's Mitigations Against CPU Speculative Execution Attack Methods, GOOGLE (Jan. 3, 2018).
2 Peter Bright, Meltdown and Spectre: Here's what Intel, Apple, Microsoft, others are doing about it, ARS TECHNICA (Jan. 5, 2018).

Letter to Mr. Nadella Page 2

Since that time, these companies have released staggered updates to their various products to mitigate the effects.4 More work remains to be done, however, because the vulnerabilities stem from a common and previously accepted computer engineering method. As such, full mitigation will require the rearchitecting of many chipsets. This is not a trivial problem, and will take some time to address.

We applaud the industry response and appreciate the efforts of affected companies to protect their products and users.
The general consensus seems to agree that these initial efforts have mitigated the worst of the danger.5 Some members of the industry, however, have raised concerns about one major aspect of the response, namely the information embargo instituted by the limited number of companies originally informed about the vulnerabilities in June 2017. This embargo restricted the dissemination of information related to the vulnerabilities outside of these companies, and was meant to last from June 2017 to January 9, 2018, when most of the mitigations would be distributed, and a public announcement was planned. However, for various reasons, information regarding both Meltdown and Spectre vulnerabilities began to leak into the public sphere prior to this planned announcement. This information, including proof-of-concept exploit code, was sufficient enough to force the companies to accelerate the termination of the embargo and move up their announcement by a week. Though this schedule adjustment has not seemed to overly impact the effectiveness of the response, it does raise questions related to the effects and appropriateness of the embargo on companies not originally included in the June 2017 disclosure, and who were caught off-guard by the January 4 announcement.

For example, some observers have raised questions about the effect of the embargo on the ability of companies not included in the original June 2017 disclosure to protect their own products and users, compared to those companies that were included. One such company, for example, stated the following: "[u]nfortunately, the strict embargo placed by Intel has significantly limited our ability to establish a comprehensive understanding of the potential impact."6 In addition, some users and companies are now reporting that some of the patches offered to address the vulnerabilities are themselves creating new problems, such as freezing patched computers or interfering with anti-virus products.7
As nearly all modern technology companies are impacted by these vulnerabilities, and less than ten companies were included in the original June 2017 disclosure, it is reasonable to assume that additional companies have been negatively impacted by the embargo.

While we acknowledge that critical vulnerabilities such as these create challenging trade-offs between disclosure and secrecy, as premature disclosure may give malicious actors time to exploit the vulnerabilities before mitigations are developed and deployed, we believe that this situation has shown the need for additional scrutiny regarding multi-party coordinated vulnerability disclosures.

3 Id.
4 See supra note 1.
5 See supra note 2.
6 Josh Feinblum, A Message About Intel Security Findings, DIGITALOCEAN (Jan. 5, 2018).
7 Eric Auchard & Supantha Mukherjee, Microsoft says security patches slowing down PCs, servers, REUTERS (Jan. 9, 2018).

Letter to Mr. Nadella Page 3

As demonstrated by numerous incidents over the past several years, cybersecurity is a collective responsibility. Further, it is a responsibility that is no longer limited solely to the information technology sector; connected products exist in electric grids, hospitals, manufacturing equipment, and in innumerable other sectors. As more products and services become connected, no one company, or even one sector, working in isolation can provide sufficient protection for their products and users. Today, effective responses require extensive collaboration not only between individual companies, but also across sectors traditionally siloed from one another. This reality raises serious questions about not just the embargo imposed on information regarding the Meltdown and Spectre vulnerabilities, but on embargos regarding cybersecurity vulnerabilities in general.
Therefore, and pursuant to Rules X and XI of the United States House of Representatives, we ask that you respond to the following questions as soon as possible, but by no later than February 7, 2018:

1. Why was an information embargo related to the Meltdown and Spectre vulnerabilities imposed?
2. What company or combination of companies proposed the embargo?
3. When was the United States Computer Emergency Readiness Team (US-CERT) informed of the vulnerabilities?
4. When was the Computer Emergency Readiness Team Coordination Center (CERT/CC) informed of the vulnerabilities?
5. Did your company perform any analyses to determine whether the embargo could have any negative impacts on critical infrastructure sectors such as healthcare and energy that rely on affected products?
   a. If so, what were the results?
   b. If no, why not?
6. Did your company perform any analyses to determine whether the embargo could have any negative impacts on other information technology companies that rely on affected products?
   a. If so, what were the results?
   b. If no, why not?

Letter to Mr. Nadella Page 4

7. What resources or best practices did your company use in deciding to implement the embargo?
8. What resources or best practices did your company use in implementing the embargo itself?
9. Based on your company's experience during this process, has your company established lessons learned relating to multi-party coordinated vulnerability disclosure?
   a. What are they?

Please also arrange to provide a briefing on these issues to Committee staff by February 7, 2018. We appreciate your assistance with this request. If you should have any questions, please contact Jessica Wilkerson or John 0th of the Majority Committee staff at (202) 225-2927.

Sincerely,

Greg Walden, Chairman
Marsha Blackburn, Chairman, Subcommittee on Communications and Technology
Robert E. Latta, Chairman, Subcommittee on Digital Commerce and Consumer Protection
Gregg Harper, Chairman, Subcommittee on Oversight and Investigations