In early January 2018, security researchers released their findings about vulnerabilities affecting almost all computer chips that could allow a hacker to access data stored in the memory of the chips. Dubbed “Spectre” and “Meltdown,” the vulnerabilities have caused significant alarm among security researchers and have become a top priority for chief information officers (CIOs) and chief information security officers (CISOs) to address.
For lawyers and executives who manage risk for their companies, below is an overview of the issue, legal consequences, and questions you should be asking your team.
What does this vulnerability allow?
At a high level, the vulnerability would allow a hacker to write software that could access information stored in the memory of computer chips—data previously believed to be inaccessible to such software. Data stored in the memory of chips can include a wide range of information, including usernames and passwords and other sensitive information. You can read more about the vulnerability here and here.
Is this vulnerability being exploited?
So far, researchers are reporting that they have not seen any attempts to exploit the flaw, but security experts are estimating that attackers may be able to weaponize the vulnerability in as few as 30 to 60 days. This gives companies time—albeit a short period—to address this issue.
What is being done?
You should expect multiple rounds of patches to be released to address these vulnerabilities. But as any IT professional will tell you, patching is much easier said than implemented, particularly for companies that have developed custom software or use multiple applications.
- Many major software companies already have begun issuing patches for operating systems, browsers, and other software, which are designed to correct exploits based on the way the software interacts with processors.
- A second round of patches will follow when major chip manufacturers release microcode updates to fix the issues at the hardware level. These fixes will require microcode and firmware updates to hardware, and implementing those changes will be more difficult because they could impact the functionality of networks and other major backbone services.
- A third round of patches may occur when these microcode updates hit equipment manufacturers that will need to produce special code updates for the equipment they produce. It is likely that some manufactures will not be providing fixes for older hardware, so companies that have not been diligent in maintaining modern equipment will be stuck with purchasing new hardware or living with the long-term risk.
What are the legal consequences?
As with all risks, there is an expectation that companies take steps to mitigate them. And while lawsuits or regulatory inquiries about exploitation of these vulnerabilities may be premature, it is highly likely that companies failing to address these issues will ultimately be subject to litigation.
For tech companies whose software or hardware can be exploited by (or used to exploit) these vulnerabilities, it should be a priority to issue patches to ensure that the exploit cannot be used on its products. And for all companies, patching software is necessary to prevent the exploits from being used to steal the confidential information or personal information of customers and employees.
While the day to day management of patching will be handled by companies’ CIOs and CISOs, management should expect to get regular updates on what patches have been issued, whether they have been installed, if there are patches that have not been installed (and why), remaining gaps in patching, and what other measures are being put in place to address the vulnerability while patches are being tested.
Executives should make sure that the responsibility for making high-risk decisions—such as deciding to forgo hardware updates that might be necessary to address the vulnerability—are being made at the right level. And executives should be aware of their companies’ “security debt”—that is, what known or suspected security vulnerabilities have not been addressed and the timeline for addressing them.
If you have questions about Spectre and Meltdown, or any other software and hardware vulnerabilities and their legal risks, please contact Beth George or any member of the privacy and data protection practice at Wilson Sonsini Goodrich & Rosati.
Compliments of Wilson Sonsini Goodrich & Rosati, a member of the EACCNY