Intel CEO Addresses the Industry on Meltdown and Spectre Issues in Open Letter

Brian Krzanich on Thursday published an open letter addressing its partners and customers regarding the aftermath of the Meltdown and Spectre exploits publication. Chief executive of Intel reiterated the company’s plans to release security updates for its recent CPUs by early next week and mentioned the importance of collaborative industry-wide security assurance and responsible disclosures regarding security vulnerabilities going forward.

Intel intends to release software and firmware patches for 90% of its CPUs launched in the past five years by January 15. By the end of the month, Intel plans to issue software updates for the remainder 10% of processors introduced in the same period. After that, Intel will focus on releasing updates for older products based on requests and priorities of its customers. The company confirms that patches have an impact on performance and says that it varies widely based on workloads and mitigation technique. 

Going forward, the world’s largest maker of microprocessors plans to share hardware innovations with the industry to fast-track development of protection against side-channel attacks. In addition, the company intends to increase funding for academic and independent research of security threats. Brian Krzanich expects other industry players to follow similar practices: share security-related hardware innovations and help researchers of security vulnerabilities.

The original letter reads as follows:

An Open Letter from Brian Krzanich, CEO of Intel Corporation, to Technology Industry Leaders

Following announcements of the Google Project Zero security exploits last week, Intel has continued to work closely with our partners with the shared goal of restoring confidence in the security of our customers’ data as quickly as possible. As I noted in my CES comments this week, the degree of collaboration across the industry has been remarkable. I am very proud of how our industry has pulled together and want to thank everyone for their extraordinary collaboration. In particular, we want to thank the Google Project Zero team for practicing responsible disclosure, creating the opportunity for the industry to address these new issues in a coordinated fashion.

As this process unfolds, I want to be clear about Intel’s commitments to our customers.  This is our pledge:

1. Customer-First Urgency: By Jan. 15, we will have issued updates for at least 90 percent of Intel CPUs introduced in the past five years, with updates for the remainder of these CPUs available by the end of January. We will then focus on issuing updates for older products as prioritized by our customers.

2. Transparent and Timely Communications: As we roll out software and firmware patches, we are learning a great deal. We know that impact on performance varies widely, based on the specific workload, platform configuration and mitigation technique. We commit to provide frequent progress reports of patch progress, performance data and other information. These can be found at the Intel.com website.

3. Ongoing Security Assurance: Our customers’ security is an ongoing priority, not a one-time event. To accelerate the security of the entire industry, we commit to publicly identify significant security vulnerabilities following rules of responsible disclosure and, further, we commit to working with the industry to share hardware innovations that will accelerate industry-level progress in dealing with side-channel attacks. We also commit to adding incremental funding for academic and independent research into potential security threats.

We encourage our industry partners to continue to support these practices. There are important roles for everyone: Timely adoption of software and firmware patches by consumers and system manufacturers is critical. Transparent and timely sharing of performance data by hardware and software developers is essential to rapid progress.

The bottom line is that continued collaboration will create the fastest and most effective approaches to restoring customer confidence in the security of their data. This is what we all want and are striving to achieve.

— Brian Krzanich

Related Reading:

• Intel Forms Product Assurance and Security Group amid Meltdown and Spectre Fallout
• Understanding Meltdown & Spectre: What To Know About New Exploits That Affect Virtually All CPUs