Feds face limited options for Meltdown, Spectre bugs
Patches can mitigate some of the vulnerabilities found in virtually every processor, but a DHS spokesperson said decisions on hardware replacement will be left up to individual agencies and CIOs.
Like any other large enterprise, the federal government is scrambling to protect its systems and networks in the wake of the Jan. 3 announcement that two newly discovered vulnerabilities, nicknamed Meltdown and Spectre, exist in the processor chips of virtually all computers and mobile devices.
The two bugs both allow for side-channel exploitation of kernel memory, potentially allowing someone to steal data from a device as it is being processed. In a statement, the Department of Homeland Security said it was not aware of any instances where the bugs have been actively exploited.
However, one of the information security teams that discovered the flaws noted that it was "probably not" possible to detect whether your device has been breached using these methods.
"The exploitation does not leave any traces in traditional log files," the researchers write.
The announcement set off a round of alarm among members of the information security community about the potentially all-encompassing nature of the flaws. One cybersecurity-focused member of Congress took a fatalistic view of the disclosures.
"As a recovering computer science major, I have concluded that the safest course of action is to plan your life as if hackers already have all your passwords," said Rep. Ted Lieu (D-Calif.) on Twitter.
The CERT division of the Software Engineering Institute at Carnegie Mellon University published a notice Jan. 3 initially recommending replacement of the affected CPU hardware as the only way to fully protect devices against the vulnerabilities. That recommendation was later changed to "add updates," after the institute came under criticism that the full-scale CPU replacement was not a practical option.
"Yeah, that would be a non-starter for most organizations from a cost and resource perspective," said Curtis Dukes, executive vice president at the Center for Internet Security and a former director of the National Security Agency's Information Assurance Directorate.
Former federal CISO and retired Air Force Brig. Gen. Greg Touhill concurred, also citing patching as the only viable option until vendors roll out redesigned chips.
"We're all in the same lifeboat," said Touhill. "Both the public and private sector rely on the same technology base."
He thinks rolling out new compensating controls such as software defined perimeters to better control access to devices and information may also help. That's particularly true for Meltdown, because an attacker would first need physical access to the device to exploit the vulnerability.
Widespread hardware replacement is not a viable option "for almost everybody," he said.
"Because frankly, what's to say that the next device that you buy doesn't have a vulnerability that hasn't been discovered yet? What are you going to do, every time there's a vulnerability you're going to forklift replace it out?" said Touhill.
Vendors have been working feverishly to put out patches throughout the past two days. Dukes said the two vulnerabilities each require a separate response.
"The good news: a patch exists for Meltdown, but users will endure a performance hit that could impact mission applications. It may also affect host-based security applications," said Dukes, in an emailed response to questions. "For Spectre, you have two options: disable JavaScript and load each site in a separate browser window. Disabling JavaScript is unmanageable given its use by most web sites."
Still, most security experts inside and outside of government believe that patching will not fully mitigate the vulnerabilities, which will likely continue to persist in some form as long as government agencies are using the processor chips. This is particularly true for federal networks, which are already probed millions of times each day by hackers and nation-states looking for weaknesses to exploit.
The National Cybersecurity and Communications Integration Center (NCCIC) put out an alert Jan. 4 offering guidance and a list of patches from 23 of the top vendors affected, including Intel, AMD, Android and Google. However, the center warned that patching may diminish device performance by up to 30 percent and acknowledged that it represented only a partial solution.
"Due to the fact that the vulnerability exists in CPU architecture rather than in software, patching may not fully address these vulnerabilities in all cases," reads the notice.
The Department of Homeland Security is coordinating much of the government's response to Spectre and Meltdown. Spokesperson Scott McConnell indicated the department would not be advising agencies to install new processor chips or buy new equipment, telling FCW that "as far as replacing hardware, that would be a question for each agency's CIO, not DHS."
The Defense Information Systems Agency said it "constantly monitors and evaluates the security posture of all its systems and networks," but otherwise declined to elaborate on DISA's role in mitigating the two vulnerabilities, citing security reasons.
"We will not comment on specific products, nor the tactics, techniques, and procedures as such information could be used to undermine the DOD's information networks," said a DISA spokesperson.