United States Senate
COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
WASHINGTON, DC 20510-6125

February 15, 2018

Mr. Jeffrey P. Bezos
President, Chief Executive Officer, and Chairman of the Board
Amazon.com, Inc.
410 Terry Avenue North
Seattle, WA 98109

Dear Mr. Bezos:

Academic and independent security researchers,[1] some of whom were federally-funded,[2] recently discovered three vulnerabilities in modern computer processors that have existed for more than two decades.[3] These side-channel vulnerabilities,[4] which researchers have named Meltdown and Spectre, could allow sophisticated hackers access to stored passwords, keys, and other highly sensitive information.[5] According to one of the researchers, the Meltdown vulnerability is probably one of the worst CPU (central processing unit) bugs ever found,[6] while Spectre, although arguably more difficult to exploit, presents more significant challenges to mitigate or patch.

For years, the National Institute of Standards and Technology (NIST) within the U.S. Department of Commerce has been concerned with such side-channel attacks and their impact on In 2011, NIST held a testing workshop and coauthored standards in cooperation and accordance with the

[1] Affiliated with Google's Project Zero, Graz University of Technology, University of, University of Maryland, University of Adelaide, Cyberus, and Rambus.
[2] Nat'l Inst. of Standards and Tech., Provable Security for Next-Generation; Nat'l Sci. Found. Award 1514261, TWC: Medium: Apollo: An Architecture for Scalable Verifiable Computing; and Nat'l Sci. Found. Award 1652259, CAREER: Towards Practical Systems for Trustworthy Cloud Computing.
[3] Horn, Jann, Reading Privileged Memory with a Side-Channel, January 3, 2018; Kocher, Paul, Daniel Genkin, Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz, and Yuval Yarom, Spectre Attacks: Exploiting Speculative Execution, January 03, 2018; Lipp, Moritz, Michael Schwarz, Daniel Gruss, Thomas Prescher, Werner Haas, Stefan Mangard, Paul Kocher, Daniel Genkin, Yuval Yarom, and
Mike Hamburg, Meltdown, January 03, 2018; Galowicz, Jacek, Cyberus Technology, Meltdown, January 3, 2018.
[4] Nat'l Inst. of Standards and Tech., Nat'l Vulnerability Database, Detail, Detail, and Detail, January 4, 2018.
[5] Alert (TA18-004A), Meltdown and Spectre Side-Channel Vulnerability Guidance, January 4, 2018.
[6] Busvine, Douglas, and Stephen Nellis, Security Flaws Put Virtually All Phones, Computers at Risk, January 04, 2018 (accessed January 31, 2018).

International Organization for Standardization.[7] These types of novel hardware vulnerabilities may represent the future of the potential cybersecurity risks we face.[8] They have few countermeasures, and the scope of these vulnerabilities is unprecedented given the number of organizations and products affected.

While we recognize industry's coordinated response to this ubiquitous, complex problem, some security experts have been critical of the process to disclose and mitigate these vulnerabilities.[9] Although security researchers initially informed certain companies of the vulnerabilities in June of 2017, the vulnerabilities were not widely disclosed until January of 2018. In addition, a handful of Chinese customers, but not the United States government, were initially informed as part of the coordinated response, raising questions as to whether a foreign government or malicious actors could have exploited the vulnerabilities.[10] As such, the full picture of the impact of these vulnerabilities, including who is affected, when they knew, with whom they communicated, and what steps they have taken in response, is far from clear.

The Senate Commerce Committee has previously sought to reduce cybersecurity risks through the encouragement of public-private partnerships to share cyber threat information and best practices, and the promotion of cybersecurity research and standards development. Cybersecurity remains a priority for the Committee, and we request written responses to the following questions as the Committee looks for lessons and
recommendations to be better prepared to address cybersecurity risks associated with these vulnerabilities in the future.

1. When and how did you first become aware of these vulnerabilities?
2. Which of your products are affected by these vulnerabilities and how are they affected?
3. Did you communicate with any entity outside your company, including any U.S. or foreign government agencies, regarding these vulnerabilities prior to the date the vulnerabilities were publicly disclosed? If so, please identify each such entity and when you communicated with them.

[7] Nat'l Inst. of Standards and Tech., Computer Security Resource Center, Non-Invasive Attack Testing Workshop, Updated August 17, 2011, available at csrc.nist.gov/Events/2011/Non-Invasive-Attack-Testing-Workshop; International Organization for Standardization, 17825:2016, Information Technology -- Security Techniques -- Testing Methods for the Mitigation of Non-Invasive Attack Classes against Cryptographic Modules, January 2016; International Organization for Standardization, 17825:2016, Information Technology -- Security Techniques -- Testing Methods for the Mitigation of Non-Invasive Attack Classes against Cryptographic Modules, January 2016.
[8] Schneier, Bruce, The New Way Your Computer Can Be Attacked, The Atlantic, January 22, 2018 (accessed February 01, 2018).
[9] Newman, Lily Hay, Meltdown and Spectre Patching has been a Total Train Wreck, Wired, January 23, 2018 (accessed February 1, 2018), wired.com/story/meltdown-spectre-patching-total-train-wreck/.
[10] McMillan, Robert, and Liza Lin, Intel Warned Chinese Companies of Chip Flaws before U.S. Government, January 28, 2018 (accessed February 1, 2018).

4. If you communicated with a U.S. government entity regarding these vulnerabilities prior to the date the vulnerabilities were publicly disclosed, what was the
result of your communication?
5. What steps have you taken to mitigate or patch these vulnerabilities?
6. What is the status of user implementation of the steps you have taken or recommended to mitigate or patch these vulnerabilities in your products? Have you seen performance impacts associated with any patches?
7. Do you believe the patches that have been released fully mitigate the vulnerabilities? If not, please identify any issues that are not fully mitigated by current patches.
8. Can you detect if these vulnerabilities have been exploited, and if so, have any such exploitations occurred to the best of your knowledge?
9. To what degree are you coordinating your response with other companies?
10. Do you have recommendations for further or future steps to be taken to reduce cybersecurity risks stemming from hardware vulnerabilities? What role, if any, do you think the U.S. Government should take in addressing hardware vulnerabilities or in response to their discovery?

We look forward to receiving your written response as soon as possible, but by no later than March 1, 2018. Thank you for your consideration of this request.

JOHN THUNE
Chairman

BILL NELSON
Ranking Member

United States Senate
COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
WASHINGTON, DC 20510-6125

February 15, 2018

Mr. Tim Cook
Chief Executive Officer
Apple Inc.
1 Infinite Loop
Cupertino, CA 95014

Dear Mr. Cook:

Academic and independent security researchers,[1] some of whom were federally-funded,[2] recently discovered three vulnerabilities in modern computer processors that have existed for more than two decades.[3] These side-channel vulnerabilities,[4] which researchers have named Meltdown and Spectre, could allow sophisticated hackers access to stored passwords, keys, and other highly sensitive information.[5] According to one of the researchers, the Meltdown vulnerability is probably one of the worst CPU (central processing unit) bugs ever found,[6] while Spectre, although arguably more difficult to exploit, presents more significant challenges to mitigate
or patch.

For years, the National Institute of Standards and Technology (NIST) within the U.S. Department of Commerce has been concerned with such side-channel attacks and their impact on In 2011, NIST held a testing workshop and coauthored standards in cooperation and accordance with the

[1] Affiliated with Google's Project Zero, Graz University of Technology, University of, University of Maryland, University of Adelaide, Cyberus, and Rambus.
[2] Nat'l Inst. of Standards and Tech., Provable Security for Next-Generation; Nat'l Sci. Found. Award 1514261, TWC: Medium: Apollo: An Architecture for Scalable Verifiable Computing; and Nat'l Sci. Found. Award 1652259, CAREER: Towards Practical Systems for Trustworthy Cloud Computing.
[3] Horn, Jann, Reading Privileged Memory with a Side-Channel, January 3, 2018; Kocher, Paul, Daniel Genkin, Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz, and Yuval Yarom, Spectre Attacks: Exploiting Speculative Execution, January 03, 2018; Lipp, Moritz, Michael Schwarz, Daniel Gruss, Thomas Prescher, Werner Haas, Stefan Mangard, Paul Kocher, Daniel Genkin, Yuval Yarom, and Mike Hamburg, Meltdown, January 03, 2018; Galowicz, Jacek, Cyberus Technology, Meltdown, January 3, 2018.
[4] Nat'l Inst. of Standards and Tech., Nat'l Vulnerability Database, Detail, eve-2m 7-5133 Detail, and Detail, January 4, 2018.
[5] Alert (TA18-004A), Meltdown and Spectre Side-Channel Vulnerability Guidance, January 4, 2018.
[6] Busvine, Douglas, and Stephen Nellis, Security Flaws Put Virtually All Phones, Computers at Risk, January 04, 2018 (accessed January 31, 2018).

International Organization for Standardization.[7] These types of novel hardware vulnerabilities may represent the future of the potential cybersecurity risks we face.[8] They have few countermeasures, and the scope of these vulnerabilities is unprecedented given the number of organizations and products affected.

While we recognize industry's coordinated response to this ubiquitous, complex problem, some security
experts have been critical of the process to disclose and mitigate these vulnerabilities.[9] Although security researchers initially informed certain companies of the vulnerabilities in June of 2017, the vulnerabilities were not widely disclosed until January of 2018. In addition, a handful of Chinese customers, but not the United States government, were initially informed as part of the coordinated response, raising questions as to whether a foreign government or malicious actors could have exploited the vulnerabilities.[10] As such, the full picture of the impact of these vulnerabilities, including who is affected, when they knew, with whom they communicated, and what steps they have taken in response, is far from clear.

The Senate Commerce Committee has previously sought to reduce cybersecurity risks through the encouragement of public-private partnerships to share cyber threat information and best practices, and the promotion of cybersecurity research and standards development. Cybersecurity remains a priority for the Committee, and we request written responses to the following questions as the Committee looks for lessons and recommendations to be better prepared to address cybersecurity risks associated with these vulnerabilities in the future.

1. When and how did you first become aware of these vulnerabilities?
2. Which of your products are affected by these vulnerabilities and how are they affected?
3. Did you communicate with any entity outside your company, including any U.S. or foreign government agencies, regarding these vulnerabilities prior to the date the vulnerabilities were publicly disclosed? If so, please identify each such entity and when you communicated with them.

[7] Nat'l Inst. of Standards and Tech., Computer Security Resource Center, Non-Invasive Attack Testing Workshop, Updated August 17, 2011, available at csrc.nist.gov/Events/; International Organization for Standardization, 17825:2016, Information Technology -- Security Techniques -- Testing Methods for the Mitigation of Non-Invasive
Attack Classes against Cryptographic Modules, January 2016; International Organization for Standardization, 17825:2016, Information Technology -- Security Techniques -- Testing Methods for the Mitigation of Non-Invasive Attack Classes against Cryptographic Modules, January 2016.
[8] Schneier, Bruce, The New Way Your Computer Can Be Attacked, The Atlantic, January 22, 2018 (accessed February 01, 2018).
[9] Newman, Lily Hay, Meltdown and Spectre Patching has been a Total Train Wreck, Wired, January 23, 2018 (accessed February 1, 2018).
[10] McMillan, Robert, and Liza Lin, Intel Warned Chinese Companies of Chip Flaws before U.S. Government, January 28, 2018 (accessed February 1, 2018).

4. If you communicated with a U.S. government entity regarding these vulnerabilities prior to the date the vulnerabilities were publicly disclosed, what was the result of your communication?
5. What steps have you taken to mitigate or patch these vulnerabilities?
6. What is the status of user implementation of the steps you have taken or recommended to mitigate or patch these vulnerabilities in your products? Have you seen performance impacts associated with any patches?
7. Do you believe the patches that have been released fully mitigate the vulnerabilities? If not, please identify any issues that are not fully mitigated by current patches.
8. Can you detect if these vulnerabilities have been exploited, and if so, have any such exploitations occurred to the best of your knowledge?
9. To what degree are you coordinating your response with other companies?
10. Do you have recommendations for further or future steps to be taken to reduce cybersecurity risks stemming from hardware vulnerabilities? What role, if any, do you think the U.S. Government should take in addressing hardware vulnerabilities or in response to their discovery?

We look forward to receiving your written response as soon as possible, but by
no later than March 1, 2018. Thank you for your consideration of this request.

JOHN THUNE
Chairman

BILL NELSON
Ranking Member

United States Senate
COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
WASHINGTON, DC 20510-6125
WEBSITE: http://commerce.senate.gov

February 15, 2018

Mr. Jensen Huang
President and Chief Executive Officer
NVIDIA Corporation
2783 San Tomas Expressway
Santa Clara, CA 95051

Dear Mr. Huang:

Academic and independent security researchers,[1] some of whom were federally-funded,[2] recently discovered three vulnerabilities in modern computer processors that have existed for more than two decades.[3] These side-channel vulnerabilities,[4] which researchers have named Meltdown and Spectre, could allow sophisticated hackers access to stored passwords, keys, and other highly sensitive information.[5] According to one of the researchers, the Meltdown vulnerability is probably one of the worst CPU (central processing unit) bugs ever found,[6] while Spectre, although arguably more difficult to exploit, presents more significant challenges to mitigate or patch.

For years, the National Institute of Standards and Technology (NIST) within the U.S. Department of Commerce has been concerned with such side-channel attacks and their impact on In 2011, NIST held a testing workshop and coauthored standards in cooperation and accordance with the

[1] Affiliated with Google's Project Zero, Graz University of Technology, University of, University of Maryland, University of Adelaide, Cyberus, and Rambus.
[2] Nat'l Inst. of Standards and Tech., 1 5H328, Provable Security for Next-Generation; Nat'l Sci. Found. Award 1514261, TWC: Medium: Apollo: An Architecture for Scalable Verifiable Computing; and Nat'l Sci. Found. Award 1652259, CAREER: Towards Practical Systems for Trustworthy Cloud Computing.
[3] Horn, Jann, Reading Privileged Memory with a Side-Channel, January 3, 2018; Kocher, Paul, Daniel Genkin, Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz, and Yuval Yarom, Spectre Attacks: Exploiting Speculative
Execution, January 03, 2018; Lipp, Moritz, Michael Schwarz, Daniel Gruss, Thomas Prescher, Werner Haas, Stefan Mangard, Paul Kocher, Daniel Genkin, Yuval Yarom, and Mike Hamburg, Meltdown, January 03, 2018; Galowicz, Jacek, Cyberus Technology, Meltdown, January 3, 2018.
[4] Nat'l Inst. of Standards and Tech., Nat'l Vulnerability Database, Detail, Detail, and Detail, January 4, 2018.
[5] Alert (TA18-004A), Meltdown and Spectre Side-Channel Vulnerability Guidance, January 4, 2018, us-cert.gov/ncas/alerts/TA18-004A.
[6] Busvine, Douglas, and Stephen Nellis, Security Flaws Put Virtually All Phones, Computers at Risk, January 04, 2018 (accessed January 31, 2018).

International Organization for Standardization (ISO).[7] These types of novel hardware vulnerabilities may represent the future of the potential cybersecurity risks we face.[8] They have few countermeasures, and the scope of these vulnerabilities is unprecedented given the number of organizations and products affected.

While we recognize industry's coordinated response to this ubiquitous, complex problem, some security experts have been critical of the process to disclose and mitigate these vulnerabilities.[9] Although security researchers initially informed certain companies of the vulnerabilities in June of 2017, the vulnerabilities were not widely disclosed until January of 2018. In addition, a handful of Chinese customers, but not the United States government, were initially informed as part of the coordinated response, raising questions as to whether a foreign government or malicious actors could have exploited the vulnerabilities.[10] As such, the full picture of the impact of these vulnerabilities, including who is affected, when they knew, with whom they communicated, and what steps they have taken in response, is far from clear.

The Senate Commerce Committee has previously sought to reduce cybersecurity risks through the encouragement of public-private partnerships to share cyber threat information and best
practices, and the promotion of cybersecurity research and standards development. Cybersecurity remains a priority for the Committee, and we request written responses to the following questions as the Committee looks for lessons and recommendations to be better prepared to address cybersecurity risks associated with these vulnerabilities in the future.

1. When and how did you first become aware of these vulnerabilities?
2. Which of your products are affected by these vulnerabilities?
3. Did you communicate with any entity outside your company, including any U.S. or foreign government agencies, regarding these vulnerabilities prior to the date the vulnerabilities were publicly disclosed? If so, please identify each such entity and when you communicated with them.

[7] Nat'l Inst. of Standards and Tech., Computer Security Resource Center, Non-Invasive Attack Testing Workshop, Updated August 17, 2011, available at csrc.nist.gov/Events/2011/Non-Invasive-Attack-Testing-Workshop; International Organization for Standardization, 17825:2016, Information Technology -- Security Techniques -- Testing Methods for the Mitigation of Non-Invasive Attack Classes against Cryptographic Modules, January 2016; International Organization for Standardization, 17825:2016, Information Technology -- Security Techniques -- Testing Methods for the Mitigation of Non-Invasive Attack Classes against Cryptographic Modules, January 2016.
[8] Schneier, Bruce, The New Way Your Computer Can Be Attacked, The Atlantic, January 22, 2018 (accessed February 01, 2018).
[9] Newman, Lily Hay, Meltdown and Spectre Patching has been a Total Train Wreck, Wired, January 23, 2018 (accessed February 1, 2018).
[10] McMillan, Robert, and Liza Lin, Intel Warned Chinese Companies of Chip Flaws before U.S. Government, January 28, 2018 (accessed February 1, 2018).

4. If you communicated with a U.S. government entity
regarding these vulnerabilities prior to the date the vulnerabilities were publicly disclosed, what was the result of your communication?
5. What steps have you taken to mitigate or patch these vulnerabilities?
6. What is the status of user implementation of the steps you have taken or recommended to mitigate or patch these vulnerabilities in your products? Have you seen performance impacts associated with any patches?
7. Do you believe the patches that have been released fully mitigate the vulnerabilities? If not, please identify any issues that are not fully mitigated by current patches.
8. Can you detect if these vulnerabilities have been exploited, and if so, have any such exploitations occurred to the best of your knowledge?
9. To what degree are you coordinating your response with other companies?
10. Do you have recommendations for further or future steps to be taken to reduce cybersecurity risks stemming from hardware vulnerabilities? What role, if any, do you think the U.S. Government should take in addressing hardware vulnerabilities or in response to their discovery?

We look forward to receiving your written response as soon as possible, but by no later than March 1, 2018. Thank you for your consideration of this request.

Sincerely,

JOHN THUNE
Chairman

BILL NELSON
Ranking Member

United States Senate
COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
WASHINGTON, DC 20510-6125

February 15, 2018

Mr. Brian M. Krzanich
Chief Executive Officer
Intel Corporation
2200 Mission College Boulevard
Santa Clara, CA 95054

Dear Mr. Krzanich:

Academic and independent security researchers,[1] some of whom were federally-funded,[2] recently discovered three vulnerabilities in modern computer processors that have existed for more than two decades.[3] These side-channel vulnerabilities,[4] which researchers have named Meltdown and Spectre, could allow sophisticated hackers access to stored passwords, keys, and other highly sensitive information.[5] According to one of the researchers, the Meltdown vulnerability is probably one of
the worst CPU (central processing unit) bugs ever found,[6] while Spectre, although arguably more difficult to exploit, presents more significant challenges to mitigate or patch.

For years, the National Institute of Standards and Technology (NIST) within the U.S. Department of Commerce has been concerned with such side-channel attacks and their impact on In 2011, NIST held a testing workshop and coauthored standards in cooperation and accordance with the

[1] Affiliated with Google's Project Zero, Graz University of Technology, University of, University of Maryland, University of Adelaide, Cyberus, and Rambus.
[2] Nat'l Inst. of Standards and Tech., Provable Security for Next-Generation; Nat'l Sci. Found. Award 1514261, TWC: Medium: Apollo: An Architecture for Scalable Verifiable Computing; and Nat'l Sci. Found. Award 1652259, CAREER: Towards Practical Systems for Trustworthy Cloud Computing.
[3] Horn, Jann, Reading Privileged Memory with a Side-Channel, January 3, 2018; Kocher, Paul, Daniel Genkin, Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz, and Yuval Yarom, Spectre Attacks: Exploiting Speculative Execution, January 03, 2018; Lipp, Moritz, Michael Schwarz, Daniel Gruss, Thomas Prescher, Werner Haas, Stefan Mangard, Paul Kocher, Daniel Genkin, Yuval Yarom, and Mike Hamburg, Meltdown, January 03, 2018; Galowicz, Jacek, Cyberus Technology, Meltdown, January 3, 2018.
[4] Nat'l Inst. of Standards and Tech., Nat'l Vulnerability Database, Detail, Detail, and Detail, January 4, 2018.
[5] Alert (TA18-004A), Meltdown and Spectre Side-Channel Vulnerability Guidance, January 4, 2018.
[6] Busvine, Douglas, and Stephen Nellis, Security Flaws Put Virtually All Phones, Computers at Risk, January 04, 2018 (accessed January 31, 2018).

International Organization for Standardization.[7] These types of novel hardware vulnerabilities may represent the future of the potential cybersecurity risks we face.[8] They have few countermeasures, and the scope of these vulnerabilities is unprecedented given the number of
organizations and products affected.

While we recognize industry's coordinated response to this ubiquitous, complex problem, some security experts have been critical of the process to disclose and mitigate these vulnerabilities.[9] Although security researchers initially informed certain companies of the vulnerabilities in June of 2017, the vulnerabilities were not widely disclosed until January of 2018. In addition, a handful of Chinese customers, but not the United States government, were initially informed as part of the coordinated response, raising questions as to whether a foreign government or malicious actors could have exploited the vulnerabilities.[10] As such, the full picture of the impact of these vulnerabilities, including who is affected, when they knew, with whom they communicated, and what steps they have taken in response, is far from clear.

The Senate Commerce Committee has previously sought to reduce cybersecurity risks through the encouragement of public-private partnerships to share cyber threat information and best practices, and the promotion of cybersecurity research and standards development. Cybersecurity remains a priority for the Committee, and we request written responses to the following questions as the Committee looks for lessons and recommendations to be better prepared to address cybersecurity risks associated with these vulnerabilities in the future.

1. When and how did you first become aware of these vulnerabilities?
2. Which of your products are affected by these vulnerabilities and how are they affected?
3. Did you communicate with any entity outside your company, including any U.S. or foreign government agencies, regarding these vulnerabilities prior to the date the vulnerabilities were publicly disclosed? If so, please identify each such entity and when you communicated with them.

[7] Nat'l Inst. of Standards and Tech., Computer Security Resource Center, Non-Invasive Attack Testing Workshop, Updated August 17, 2011, available at; International Organization for Standardization,
17825:2016, Information Technology -- Security Techniques -- Testing Methods for the Mitigation of Non-Invasive Attack Classes against Cryptographic Modules, January 2016; International Organization for Standardization, 17825:2016, Information Technology -- Security Techniques -- Testing Methods for the Mitigation of Non-Invasive Attack Classes against Cryptographic Modules, January 2016.
[8] Schneier, Bruce, The New Way Your Computer Can Be Attacked, The Atlantic, January 22, 2018 (accessed February 1, 2018).
[9] Newman, Lily Hay, Meltdown and Spectre Patching has been a Total Train Wreck, Wired, January 23, 2018 (accessed February 1, 2018).
[10] McMillan, Robert, and Liza Lin, Intel Warned Chinese Companies of Chip Flaws before U.S. Government, January 28, 2018 (accessed February 1, 2018).

4. If you communicated with a U.S. government entity regarding these vulnerabilities prior to the date the vulnerabilities were publicly disclosed, what was the result of your communication?
5. What steps have you taken to mitigate or patch these vulnerabilities?
6. What is the status of user implementation of the steps you have taken or recommended to mitigate or patch these vulnerabilities in your products? Have you seen performance impacts associated with any patches?
7. Do you believe the patches that have been released fully mitigate the vulnerabilities? If not, please identify any issues that are not fully mitigated by current patches.
8. Can you detect if these vulnerabilities have been exploited, and if so, have any such exploitations occurred to the best of your knowledge?
9. To what degree are you coordinating your response with other companies?
10. Do you have recommendations for further or future steps to be taken to reduce cybersecurity risks stemming from hardware vulnerabilities? What role, if any, do you think the U.S. Government should take in addressing hardware vulnerabilities or in response to their discovery?

We look forward to receiving your written response as soon as possible, but by no
later than March 1, 2018. Thank you for your consideration of this request.

JOHN THUNE
Chairman

BILL NELSON
Ranking Member

United States Senate
COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
WASHINGTON, DC 20510-6125

February 15, 2018

Mr. Satya Nadella
Chief Executive Officer
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052

Dear Mr. Nadella:

Academic and independent security researchers,[1] some of whom were federally-funded,[2] recently discovered three vulnerabilities in modern computer processors that have existed for more than two decades.[3] These side-channel vulnerabilities,[4] which researchers have named Meltdown and Spectre, could allow sophisticated hackers access to stored passwords, keys, and other highly sensitive information.[5] According to one of the researchers, the Meltdown vulnerability is probably one of the worst CPU (central processing unit) bugs ever found,[6] while Spectre, although arguably more difficult to exploit, presents more significant challenges to mitigate or patch.

For years, the National Institute of Standards and Technology (NIST) within the U.S. Department of Commerce has been concerned with such side-channel attacks and their impact on In 2011, NIST held a testing workshop and coauthored standards in cooperation and accordance with the

[1] Affiliated with Google's Project Zero, Graz University of Technology, University of, University of Maryland, University of Adelaide, Cyberus, and Rambus.
[2] Nat'l Inst. of Standards and Tech., I 5H323, Provable Security for Next-Generation; Nat'l Sci. Found. Award 1514261, TWC: Medium: Apollo: An Architecture for Scalable Verifiable Computing; and Nat'l Sci. Found. Award 1652259, CAREER: Towards Practical Systems for Trustworthy Cloud Computing.
[3] Horn, Jann, Reading Privileged Memory with a Side-Channel, January 3, 2018; Kocher, Paul, Daniel Genkin, Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz, and Yuval Yarom, Spectre Attacks: Exploiting Speculative Execution, January 03, 2018; Lipp, Moritz, Michael Schwarz, Daniel Gruss,
Thomas Prescher, Werner Haas, Stefan Mangard, Paul Kocher, Daniel Genkin, Yuval Yarom, and Mike Hamburg, Meltdown, January 03, 2018; Galowicz, Jacek, Cyberus Technology, Meltdown, January 3, 2018.
[4] Nat'l Inst. of Standards and Tech., Nat'l Vulnerability Database, Detail, Detail, and 7-5715 Detail, January 4, 2018.
[5] Alert (TA18-004A), Meltdown and Spectre Side-Channel Vulnerability Guidance, January 4, 2018.
[6] Busvine, Douglas, and Stephen Nellis, Security Flaws Put Virtually All Phones, Computers at Risk, January 04, 2018 (accessed January 31, 2018).

International Organization for Standardization.[7] These types of novel hardware vulnerabilities may represent the future of the potential cybersecurity risks we face.[8] They have few countermeasures, and the scope of these vulnerabilities is unprecedented given the number of organizations and products affected.

While we recognize industry's coordinated response to this ubiquitous, complex problem, some security experts have been critical of the process to disclose and mitigate these vulnerabilities.[9] Although security researchers initially informed certain companies of the vulnerabilities in June of 2017, the vulnerabilities were not widely disclosed until January of 2018. In addition, a handful of Chinese customers, but not the United States government, were initially informed as part of the coordinated response, raising questions as to whether a foreign government or malicious actors could have exploited the vulnerabilities.[10] As such, the full picture of the impact of these vulnerabilities, including who is affected, when they knew, with whom they communicated, and what steps they have taken in response, is far from clear.

The Senate Commerce Committee has previously sought to reduce cybersecurity risks through the encouragement of public-private partnerships to share cyber threat information and best practices, and the promotion of cybersecurity research and standards development. Cybersecurity remains a priority for the
Committee, and we request written responses to the following questions as the Committee looks for lessons and recommendations to be better prepared to address cybersecurity risks associated with these vulnerabilities in the future.

1. When and how did you first become aware of these vulnerabilities?
2. Which of your products are affected by these vulnerabilities and how are they affected?
3. Did you communicate with any entity outside your company, including any U.S. or foreign government agencies, regarding these vulnerabilities prior to the date the vulnerabilities were publicly disclosed? If so, please identify each such entity and when you communicated with them.

[7] Nat'l Inst. of Standards and Tech., Computer Security Resource Center, Non-Invasive Attack Testing Workshop, Updated August 17, 2011, available at csrc.nist.gov/Events/2011/Non-Invasive-Attack-Testing-Workshop; International Organization for Standardization, 17825:2016, Information Technology -- Security Techniques -- Testing Methods for the Mitigation of Non-Invasive Attack Classes against Cryptographic Modules, January 2016; International Organization for Standardization, 17825:2016, Information Technology -- Security Techniques -- Testing Methods for the Mitigation of Non-Invasive Attack Classes against Cryptographic Modules, January 2016.
[8] Schneier, Bruce, The New Way Your Computer Can Be Attacked, The Atlantic, January 22, 2018 (accessed February 01, 2018).
[9] Newman, Lily Hay, Meltdown and Spectre Patching has been a Total Train Wreck, Wired, January 23, 2018 (accessed February 1, 2018), wired.com/story/meltdown-spectre-patching-total-train-wreck/.
[10] McMillan, Robert, and Liza Lin, Intel Warned Chinese Companies of Chip Flaws before U.S. Government, January 28, 2018 (accessed February 1, 2018), wsj.com/articles/intel-warned-chinese-companies-of

4. If you communicated with a U.S. government entity regarding these vulnerabilities prior to the date the
vulnerabilities were publicly disclosed, what was the result of your communication?
5. What steps have you taken to mitigate or patch these vulnerabilities?
6. What is the status of user implementation of the steps you have taken or recommended to mitigate or patch these vulnerabilities in your products? Have you seen performance impacts associated with any patches?
7. Do you believe the patches that have been released fully mitigate the vulnerabilities? If not, please identify any issues that are not fully mitigated by current patches.
8. Can you detect if these vulnerabilities have been exploited, and if so, have any such exploitations occurred to the best of your knowledge?
9. To what degree are you coordinating your response with other companies?
10. Do you have recommendations for further or future steps to be taken to reduce cybersecurity risks stemming from hardware vulnerabilities? What role, if any, do you think the US Government should take in addressing hardware vulnerabilities or in response to their discovery?

We look forward to receiving your written response as soon as possible, but by no later than March 1, 2018. Thank you for your consideration of this request.

JOHN THUNE, Chairman
BILL NELSON, Ranking Member

United States Senate
COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
WASHINGTON, DC 20510-6125

February 15, 2018

Mr. Sundar Pichai
Chief Executive Officer
Google LLC
1600 Amphitheatre Parkway
Mountain View, CA 94043

Dear Mr. Pichai:

Academic and independent security researchers,[1] some of whom were federally-funded,[2] recently discovered three vulnerabilities in modern computer processors that have existed for more than two decades.[3] These side-channel vulnerabilities,[4] which researchers have named Meltdown and Spectre, could allow sophisticated hackers access to stored passwords, keys, and other highly sensitive information.[5] According to one of the researchers, the Meltdown vulnerability is probably one of the worst CPU (central processing unit) bugs ever found,[6] while Spectre, although
arguably more difficult to exploit, presents more significant challenges to mitigate or patch.

For years, the National Institute of Standards and Technology (NIST), within the US Department of Commerce, has been concerned with such side-channel attacks and their impact on In 2011, NIST held a testing workshop and coauthored standards in cooperation and accordance with the

[1] Affiliated with Google's Project Zero, Graz University of Technology, University of University of Maryland, University of Adelaide, Cyberus, and Rambus.
[2] Nat'l Inst. of Standards and Tech., H328, Provable Security for Next-Generation; Nat'l Sci. Found., Award 1514261, TWC: Medium: Apollo: An Architecture for Scalable Verifiable Computing; and Nat'l Sci. Found., Award 1652259, CAREER: Towards Practical Systems for Trustworthy Cloud Computing.
[3] Horn, Jann, Reading Privileged Memory with a Side-Channel, January 3, 2018; Kocher, Paul, Daniel Genkin, Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz, and Yuval Yarom, Spectre Attacks: Exploiting Speculative Execution, January 03, 2018; Lipp, Moritz, Michael Schwarz, Daniel Gruss, Thomas Prescher, Werner Haas, Stefan Mangard, Paul Kocher, Daniel Genkin, Yuval Yarom, and Mike Hamburg, Meltdown, January 03, 2018; Galowicz, Jacek, Cyberus Technology, Meltdown, January 3, 2018.
[4] Nat'l Inst. of Standards and Tech., Nat'l Vulnerability Database, Detail, Detail, and Detail, January 4, 2018.
[5] Alert (TA18-004A), Meltdown and Spectre Side-Channel Vulnerability Guidance, January 4, 2018.
[6] Busvine, Douglas and Stephen Nellis, Security Flaws Put Virtually All Phones, Computers at Risk, January 04, 2018. Accessed January 31, 2018. phones-computers-at-risk-idUSKBN1ES1BO

Mr. Sundar Pichai, February 15, 2018, Page 2 of 3

International Organization for Standardization. These types of novel hardware vulnerabilities may represent the future of the potential cybersecurity risks we face.[8] They have few countermeasures, and the scope of these vulnerabilities is unprecedented given the number of organizations and products
affected.

While we recognize industry's coordinated response to this ubiquitous, complex problem, some security experts have been critical of the process to disclose and mitigate these vulnerabilities.[9] Although security researchers initially informed certain companies of the vulnerabilities in June of 2017, the vulnerabilities were not widely disclosed until January of 2018. In addition, a handful of Chinese customers, but not the United States government, were initially informed as part of the coordinated response, raising questions as to whether a foreign government or malicious actors could have exploited the vulnerabilities.[10] As such, the full picture of the impact of these vulnerabilities, including who is affected, when they knew, with whom they communicated, and what steps they have taken in response, is far from clear.

The Senate Commerce Committee has previously sought to reduce cybersecurity risks through the encouragement of public-private partnerships to share cyber threat information and best practices, and the promotion of cybersecurity research and standards development. Cybersecurity remains a priority for the Committee, and we request written responses to the following questions as the Committee looks for lessons and recommendations to be better prepared to address cybersecurity risks associated with these vulnerabilities in the future:

1. When and how did you first become aware of these vulnerabilities?
2. Which of your products are affected by these vulnerabilities, and how are they affected?
3. Did you communicate with any entity outside your company, including any U.S. or foreign government agencies, regarding these vulnerabilities prior to the date the vulnerabilities were publicly disclosed? If so, please identify each such entity and when you communicated with them.

[7] Nat'l Inst. of Standards and Tech., Computer Security Resource Center, Non-Invasive Attack Testing Workshop, Updated August 17, 2011, available at csrc.nist.gov/Events/2011/Non-Invasive-Attack-Testing-Workshop; International Organization for
Standardization, 17825:2016, Information Technology, Security Techniques, Testing Methods for the Mitigation of Non-Invasive Attack Classes against Modules, January 2016; International Organization for Standardization, 17825:2016, Information Technology, Security Techniques, Testing Methods for the Mitigation of Non-Invasive Attack Classes against Modules, January 2016, iso.org/standard/
[8] Schneier, Bruce, The New Way Your Computer Can Be Attacked, The Atlantic, January 22, 2018, accessed February 01, 2018.
[9] Newman, Lily Hay, Meltdown and Spectre Patching has been a Total Train Wreck, Wired, January 23, 2018, accessed February 1, 2018.
[10] McMillan, Robert and Liza Lin, Intel Warned Chinese Companies of Chip Flaws before U.S. Government, January 28, 2018, accessed February 1, 2018, chip-flaws-before-u-s-government-1517157430

Mr. Sundar Pichai, February 15, 2018, Page 3 of 3

4. If you communicated with a US government entity regarding these vulnerabilities prior to the date the vulnerabilities were publicly disclosed, what was the result of your communication?
5. What steps have you taken to mitigate or patch these vulnerabilities?
6. What is the status of user implementation of the steps you have taken or recommended to mitigate or patch these vulnerabilities in your products? Have you seen performance impacts associated with any patches?
7. Do you believe the patches that have been released fully mitigate the vulnerabilities? If not, please identify any issues that are not fully mitigated by current patches.
8. Can you detect if these vulnerabilities have been exploited, and if so, have any such exploitations occurred to the best of your knowledge?
9. To what degree are you coordinating your response with other companies?
10. Do you have recommendations for further or future steps to be taken to reduce cybersecurity risks stemming from hardware vulnerabilities? What role, if any, do you think the US Government should take in addressing hardware vulnerabilities
or in response to their discovery?

We look forward to receiving your written response as soon as possible, but by no later than March 1, 2018. Thank you for your consideration of this request.

Sincerely,

JOHN THUNE, Chairman
BILL NELSON, Ranking Member

United States Senate
COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
WASHINGTON, DC 20510-6125

February 15, 2018

Mr. Chuck Robbins
Chairman and Chief Executive Officer
Cisco Systems Inc.
170 West Tasman Drive
San Jose, CA 95134

Dear Mr. Robbins:

Academic and independent security researchers,[1] some of whom were federally-funded,[2] recently discovered three vulnerabilities in modern computer processors that have existed for more than two decades.[3] These side-channel vulnerabilities,[4] which researchers have named Meltdown and Spectre, could allow sophisticated hackers access to stored passwords, keys, and other highly sensitive information.[5] According to one of the researchers, the Meltdown vulnerability is probably one of the worst CPU (central processing unit) bugs ever found,[6] while Spectre, although arguably more difficult to exploit, presents more significant challenges to mitigate or patch.

For years, the National Institute of Standards and Technology (NIST), within the US Department of Commerce, has been concerned with such side-channel attacks and their impact on In 2011, NIST held a testing workshop and coauthored standards in cooperation and accordance with the

[1] Affiliated with Google's Project Zero, Graz University of Technology, University of University of Maryland, University of Adelaide, Cyberus, and Rambus.
[2] Nat'l Inst. of Standards and Tech., 5H323, Provable Security for Next-Generation; Nat'l Sci. Found., Award 1514261, TWC: Medium: Apollo: An Architecture for Scalable Verifiable Computing; and Nat'l Sci. Found., Award 1652259, CAREER: Towards Practical Systems for Trustworthy Cloud Computing.
[3] Horn, Jann, Reading Privileged Memory with a Side-Channel, January 3, 2018; Kocher, Paul, Daniel Genkin, Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas
Prescher, Michael Schwarz, and Yuval Yarom, Spectre Attacks: Exploiting Speculative Execution, January 03, 2018; Lipp, Moritz, Michael Schwarz, Daniel Gruss, Thomas Prescher, Werner Haas, Stefan Mangard, Paul Kocher, Daniel Genkin, Yuval Yarom, and Mike Hamburg, Meltdown, January 03, 2018; Galowicz, Jacek, Cyberus Technology, Meltdown, January 3, 2018.
[4] Nat'l Inst. of Standards and Tech., Nat'l Vulnerability Database, Detail, Detail, and Detail, January 4, 2018.
[5] Alert (TA18-004A), Meltdown and Spectre Side-Channel Vulnerability Guidance, January 4, 2018.
[6] Busvine, Douglas and Stephen Nellis, Security Flaws Put Virtually All Phones, Computers at Risk, January 04, 2018. Accessed January 31, 2018. phones-computers-at-risk-idUSKBN1ES1BO

Mr. Chuck Robbins, February 15, 2018, Page 2 of 3

International Organization for Standardization. These types of novel hardware vulnerabilities may represent the future of the potential cybersecurity risks we face.[8] They have few countermeasures, and the scope of these vulnerabilities is unprecedented given the number of organizations and products affected.

While we recognize industry's coordinated response to this ubiquitous, complex problem, some security experts have been critical of the process to disclose and mitigate these vulnerabilities.[9] Although security researchers initially informed certain companies of the vulnerabilities in June of 2017, the vulnerabilities were not widely disclosed until January of 2018. In addition, a handful of Chinese customers, but not the United States government, were initially informed as part of the coordinated response, raising questions as to whether a foreign government or malicious actors could have exploited the vulnerabilities.[10] As such, the full picture of the impact of these vulnerabilities, including who is affected, when they knew, with whom they communicated, and what steps they have taken in response, is far from clear.

The Senate Commerce Committee has previously sought to reduce cybersecurity risks through the
encouragement of public-private partnerships to share cyber threat information and best practices, and the promotion of cybersecurity research and standards development. Cybersecurity remains a priority for the Committee, and we request written responses to the following questions as the Committee looks for lessons and recommendations to be better prepared to address cybersecurity risks associated with these vulnerabilities in the future:

1. When and how did you first become aware of these vulnerabilities?
2. Which of your products are affected by these vulnerabilities, and how are they affected?
3. Did you communicate with any entity outside your company, including any U.S. or foreign government agencies, regarding these vulnerabilities prior to the date the vulnerabilities were publicly disclosed? If so, please identify each such entity and when you communicated with them.

[7] Nat'l Inst. of Standards and Tech., Computer Security Resource Center, Non-Invasive Attack Testing Workshop, Updated August 17, 2011, available at csrc.nist.gov/Events/2011/Non-Invasive-Attack-Testing-Workshop; International Organization for Standardization, 17825:2016, Information Technology, Security Techniques, Testing Methods for the Mitigation of Non-Invasive Attack Classes against Modules, January 2016; International Organization for Standardization, 17825:2016, Information Technology, Security Techniques, Testing Methods for the Mitigation of Non-Invasive Attack Classes against Modules, January 2016.
[8] Schneier, Bruce, The New Way Your Computer Can Be Attacked, The Atlantic, January 22, 2018, accessed February 01, 2018.
[9] Newman, Lily Hay, Meltdown and Spectre Patching has been a Total Train Wreck, Wired, January 23, 2018, accessed February 1, 2018.
[10] McMillan, Robert and Liza Lin, Intel Warned Chinese Companies of Chip Flaws before U.S. Government, January 28, 2018, accessed February 1, 2018.

Mr. Chuck Robbins, February 15, 2018, Page 3 of 3

4. If you communicated with a US government entity regarding these vulnerabilities prior to the date the vulnerabilities were publicly disclosed, what was the result of your communication?
5. What steps have you taken to
mitigate or patch these vulnerabilities?
6. What is the status of user implementation of the steps you have taken or recommended to mitigate or patch these vulnerabilities in your products? Have you seen performance impacts associated with any patches?
7. Do you believe the patches that have been released fully mitigate the vulnerabilities? If not, please identify any issues that are not fully mitigated by current patches.
8. Can you detect if these vulnerabilities have been exploited, and if so, have any such exploitations occurred to the best of your knowledge?
9. To what degree are you coordinating your response with other companies?
10. Do you have recommendations for further or future steps to be taken to reduce cybersecurity risks stemming from hardware vulnerabilities? What role, if any, do you think the US Government should take in addressing hardware vulnerabilities or in response to their discovery?

We look forward to receiving your written response as soon as possible, but by no later than March 1, 2018. Thank you for your consideration of this request.

JOHN THUNE, Chairman
BILL NELSON, Ranking Member

United States Senate
COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
WASHINGTON, DC 20510-6125

February 15, 2018

Ms. Virginia M. Rometty
Chairman, President and Chief Executive Officer
International Business Machines Corporation
1 New Orchard Road
Armonk, NY 10504

Dear Ms. Rometty:

Academic and independent security researchers,[1] some of whom were federally-funded,[2] recently discovered three vulnerabilities in modern computer processors that have existed for more than two decades.[3] These side-channel vulnerabilities,[4] which researchers have named Meltdown and Spectre, could allow sophisticated hackers access to stored passwords, keys, and other highly sensitive information.[5] According to one of the researchers, the Meltdown vulnerability is probably one of the worst CPU (central processing unit) bugs ever found,[6] while Spectre, although arguably more difficult to exploit, presents more significant challenges to
mitigate or patch.

For years, the National Institute of Standards and Technology (NIST), within the US Department of Commerce, has been concerned with such side-channel attacks and their impact on In 2011, NIST held a testing workshop and coauthored standards in cooperation and accordance with the

[1] Affiliated with Google's Project Zero, Graz University of Technology, University of University of Maryland, University of Adelaide, Cyberus, and Rambus.
[2] Nat'l Inst. of Standards and Tech., Provable Security for Next-Generation; Nat'l Sci. Found., Award 1514261, TWC: Medium: Apollo: An Architecture for Scalable Verifiable Computing; and Nat'l Sci. Found., Award 1652259, CAREER: Towards Practical Systems for Trustworthy Cloud Computing.
[3] Horn, Jann, Reading Privileged Memory with a Side-Channel, January 3, 2018; Kocher, Paul, Daniel Genkin, Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz, and Yuval Yarom, Spectre Attacks: Exploiting Speculative Execution, January 03, 2018; Lipp, Moritz, Michael Schwarz, Daniel Gruss, Thomas Prescher, Werner Haas, Stefan Mangard, Paul Kocher, Daniel Genkin, Yuval Yarom, and Mike Hamburg, Meltdown, January 03, 2018; Galowicz, Jacek, Cyberus Technology, Meltdown, January 3, 2018.
[4] Nat'l Inst. of Standards and Tech., Nat'l Vulnerability Database, 15754 Detail, Detail, and 7-5715 Detail, January 4, 2018.
[5] Alert (TA18-004A), Meltdown and Spectre Side-Channel Vulnerability Guidance, January 4, 2018.
[6] Busvine, Douglas and Stephen Nellis, Security Flaws Put Virtually All Phones, Computers at Risk, January 04, 2018. Accessed January 31, 2018. phones-computers-at-risk-idUSKBN1ES1BO

Ms. Virginia M. Rometty, February 15, 2018, Page 2 of 3

International Organization for Standardization. These types of novel hardware vulnerabilities may represent the future of the potential cybersecurity risks we face.[8] They have few countermeasures, and the scope of these vulnerabilities is unprecedented given the number of organizations and products affected.

While we recognize industry's coordinated
response to this ubiquitous, complex problem, some security experts have been critical of the process to disclose and mitigate these vulnerabilities.[9] Although security researchers initially informed certain companies of the vulnerabilities in June of 2017, the vulnerabilities were not widely disclosed until January of 2018. In addition, a handful of Chinese customers, but not the United States government, were initially informed as part of the coordinated response, raising questions as to whether a foreign government or malicious actors could have exploited the vulnerabilities.[10] As such, the full picture of the impact of these vulnerabilities, including who is affected, when they knew, with whom they communicated, and what steps they have taken in response, is far from clear.

The Senate Commerce Committee has previously sought to reduce cybersecurity risks through the encouragement of public-private partnerships to share cyber threat information and best practices, and the promotion of cybersecurity research and standards development. Cybersecurity remains a priority for the Committee, and we request written responses to the following questions as the Committee looks for lessons and recommendations to be better prepared to address cybersecurity risks associated with these vulnerabilities in the future:

1. When and how did you first become aware of these vulnerabilities?
2. Which of your products are affected by these vulnerabilities, and how are they affected?
3. Did you communicate with any entity outside your company, including any US or foreign government agencies, regarding these vulnerabilities prior to the date the vulnerabilities were publicly disclosed? If so, please identify each such entity and when you communicated with them.

[7] Nat'l Inst. of Standards and Tech., Computer Security Resource Center, Non-Invasive Attack Testing Workshop, Updated August 17, 2011, available at csrc.nist.gov/Events/2011/Non-Invasive-Attack-Testing-Workshop; International Organization for Standardization, 17825:
2016, Information Technology, Security Techniques, Testing Methods for the Mitigation of Non-Invasive Attack Classes against, January 2016; International Organization for Standardization, Information Technology, Security Techniques, Testing Methods for the Mitigation of Non-Invasive Attack Classes against Modules, January 2016.
[8] Schneier, Bruce, The New Way Your Computer Can Be Attacked, The Atlantic, January 22, 2018, accessed February 01, 2018.
[9] Newman, Lily Hay, Meltdown and Spectre Patching has been a Total Train Wreck, Wired, January 23, 2018, accessed February 1, 2018.
[10] McMillan, Robert and Liza Lin, Intel Warned Chinese Companies of Chip Flaws before US Government, January 28, 2018, accessed February 1, 2018.

Ms. Virginia M. Rometty, February 15, 2018, Page 3 of 3

4. If you communicated with a US government entity regarding these vulnerabilities prior to the date the vulnerabilities were publicly disclosed, what was the result of your communication?
5. What steps have you taken to mitigate or patch these vulnerabilities?
6. What is the status of user implementation of the steps you have taken or recommended to mitigate or patch these vulnerabilities in your products? Have you seen performance impacts associated with any patches?
7. Do you believe the patches that have been released fully mitigate the vulnerabilities? If not, please identify any issues that are not fully mitigated by current patches.
8. Can you detect if these vulnerabilities have been exploited, and if so, have any such exploitations occurred to the best of your knowledge?
9. To what degree are you coordinating your response with other companies?
10. Do you have recommendations for further or future steps to be taken to reduce cybersecurity risks stemming from hardware vulnerabilities? What role, if any, do you think the US Government should take in addressing hardware vulnerabilities or in response to their discovery?

We look forward to receiving your written response as soon as possible, but by
no later than March 1, 2018. Thank you for your consideration of this request.

Sincerely,

JOHN THUNE, Chairman
BILL NELSON, Ranking Member

United States Senate
COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
WASHINGTON, DC 20510-6125

February 15, 2018

Mr. Simon Segars
Chief Executive Officer
ARM Holdings PLC
150 Rose Orchard Way
San Jose, CA 95134

Dear Mr. Segars:

Academic and independent security researchers,[1] some of whom were federally-funded,[2] recently discovered three vulnerabilities in modern computer processors that have existed for more than two decades.[3] These side-channel vulnerabilities,[4] which researchers have named Meltdown and Spectre, could allow sophisticated hackers access to stored passwords, keys, and other highly sensitive information.[5] According to one of the researchers, the Meltdown vulnerability is probably one of the worst CPU (central processing unit) bugs ever found,[6] while Spectre, although arguably more difficult to exploit, presents more significant challenges to mitigate or patch.

For years, the National Institute of Standards and Technology (NIST), within the US Department of Commerce, has been concerned with such side-channel attacks and their impact on In 2011, NIST held a testing workshop and coauthored standards in cooperation and accordance with the

[1] Affiliated with Google's Project Zero, Graz University of Technology, University of University of Maryland, University of Adelaide, Cyberus, and Rambus.
[2] Nat'l Inst. of Standards and Tech., Provable Security for Next-Generation; Nat'l Sci. Found., Award 1514261, TWC: Medium: Apollo: An Architecture for Scalable Verifiable Computing; and Nat'l Sci. Found., Award 1652259, CAREER: Towards Practical Systems for Trustworthy Cloud Computing.
[3] Horn, Jann, Reading Privileged Memory with a Side-Channel, January 3, 2018; Kocher, Paul, Daniel Genkin, Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz, and Yuval Yarom, Spectre Attacks: Exploiting Speculative Execution, January 03, 2018; Lipp, Moritz, Michael Schwarz,
Daniel Gruss, Thomas Prescher, Werner Haas, Stefan Mangard, Paul Kocher, Daniel Genkin, Yuval Yarom, and Mike Hamburg, Meltdown, January 03, 2018; Galowicz, Jacek, Cyberus Technology, Meltdown, January 3, 2018.
[4] Nat'l Inst. of Standards and Tech., Nat'l Vulnerability Database, 15754 Detail, Detail, and 7-5715 Detail, January 4, 2018.
[5] Alert (TA18-004A), Meltdown and Spectre Side-Channel Vulnerability Guidance, January 4, 2018.
[6] Busvine, Douglas and Stephen Nellis, Security Flaws Put Virtually All Phones, Computers at Risk, January 04, 2018. Accessed January 31, 2018. phones-computers-at-risk-idUSKBN1ES1BO

Mr. Simon Segars, February 15, 2018, Page 2 of 3

International Organization for Standardization. These types of novel hardware vulnerabilities may represent the future of the potential cybersecurity risks we face.[8] They have few countermeasures, and the scope of these vulnerabilities is unprecedented given the number of organizations and products affected.

While we recognize industry's coordinated response to this ubiquitous, complex problem, some security experts have been critical of the process to disclose and mitigate these vulnerabilities.[9] Although security researchers initially informed certain companies of the vulnerabilities in June of 2017, the vulnerabilities were not widely disclosed until January of 2018. In addition, a handful of Chinese customers, but not the United States government, were initially informed as part of the coordinated response, raising questions as to whether a foreign government or malicious actors could have exploited the vulnerabilities.[10] As such, the full picture of the impact of these vulnerabilities, including who is affected, when they knew, with whom they communicated, and what steps they have taken in response, is far from clear.

The Senate Commerce Committee has previously sought to reduce cybersecurity risks through the encouragement of public-private partnerships to share cyber threat information and best practices, and the promotion of
cybersecurity research and standards development. Cybersecurity remains a priority for the Committee, and we request written responses to the following questions as the Committee looks for lessons and recommendations to be better prepared to address cybersecurity risks associated with these vulnerabilities in the future:

1. When and how did you first become aware of these vulnerabilities?
2. Which of your products are affected by these vulnerabilities, and how are they affected?
3. Did you communicate with any entity outside your company, including any U.S. or foreign government agencies, regarding these vulnerabilities prior to the date the vulnerabilities were publicly disclosed? If so, please identify each such entity and when you communicated with them.

[7] Nat'l Inst. of Standards and Tech., Computer Security Resource Center, Non-Invasive Attack Testing Workshop, Updated August 17, 2011, available at csrc.nist.gov/Events/2011/Non-Invasive-Attack-Testing-Workshop; International Organization for Standardization, ISO/IEC 17825:2016, Information Technology, Security Techniques, Testing Methods for the Mitigation of Non-Invasive Attack Classes against Modules, January 2016; International Organization for Standardization, 17825:2016, Information Technology, Security Techniques, Testing Methods for the Mitigation of Non-Invasive Attack Classes against Modules, January 2016.
[8] Schneier, Bruce, The New Way Your Computer Can Be Attacked, The Atlantic, January 22, 2018, accessed February 01, 2018, spectre-meltdown-cybersecurity/
[9] Newman, Lily Hay, Meltdown and Spectre Patching has been a Total Train Wreck, Wired, January 23, 2018, accessed February 1, 2018.
[10] McMillan, Robert and Liza Lin, Intel Warned Chinese Companies of Chip Flaws before U.S. Government, January 28, 2018, accessed February 1, 2018, wsj.com/articles/intel-warned-chinese-companies-of-chip-flaws-before-u-s-government-1517157430

Mr. Simon Segars, February 15, 2018, Page 3 of 3

4. If you communicated with a US government entity
regarding these vulnerabilities prior to the date the vulnerabilities were publicly disclosed, what was the result of your communication?
5. What steps have you taken to mitigate or patch these vulnerabilities?
6. What is the status of user implementation of the steps you have taken or recommended to mitigate or patch these vulnerabilities in your products? Have you seen performance impacts associated with any patches?
7. Do you believe the patches that have been released fully mitigate the vulnerabilities? If not, please identify any issues that are not fully mitigated by current patches.
8. Can you detect if these vulnerabilities have been exploited, and if so, have any such exploitations occurred to the best of your knowledge?
9. To what degree are you coordinating your response with other companies?
10. Do you have recommendations for further or future steps to be taken to reduce cybersecurity risks stemming from hardware vulnerabilities? What role, if any, do you think the US Government should take in addressing hardware vulnerabilities or in response to their discovery?

We look forward to receiving your written response as soon as possible, but by no later than March 1, 2018. Thank you for your consideration of this request.

Sincerely,

JOHN THUNE, Chairman
BILL NELSON, Ranking Member

United States Senate
COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
WASHINGTON, DC 20510-6125

February 15, 2018

Dr. Lisa Su
President and Chief Executive Officer
Advanced Micro Devices Inc.
2485 Augustine Drive
Santa Clara, CA 95054

Dear Dr. Su:

Academic and independent security researchers,[1] some of whom were federally-funded,[2] recently discovered three vulnerabilities in modern computer processors that have existed for more than two decades.[3] These side-channel vulnerabilities,[4] which researchers have named Meltdown and Spectre, could allow sophisticated hackers access to stored passwords, keys, and other highly sensitive information.[5] According to one of the researchers, the Meltdown vulnerability is probably one of the worst CPU
(central processing unit) bugs ever found,[6] while Spectre, although arguably more difficult to exploit, presents more significant challenges to mitigate or patch.

For years, the National Institute of Standards and Technology (NIST), within the US Department of Commerce, has been concerned with such side-channel attacks and their impact on In 2011, NIST held a testing workshop and coauthored standards in cooperation and accordance with the

[1] Affiliated with Google's Project Zero, Graz University of Technology, University of University of Maryland, University of Adelaide, Cyberus, and Rambus.
[2] Nat'l Inst. of Standards and Tech., Provable Security for Next-Generation; Nat'l Sci. Found., Award 1514261, TWC: Medium: Apollo: An Architecture for Scalable Verifiable Computing; and Nat'l Sci. Found., Award 1652259, CAREER: Towards Practical Systems for Trustworthy Cloud Computing.
[3] Horn, Jann, Reading Privileged Memory with a Side-Channel, January 3, 2018; Kocher, Paul, Daniel Genkin, Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz, and Yuval Yarom, Spectre Attacks: Exploiting Speculative Execution, January 03, 2018; Lipp, Moritz, Michael Schwarz, Daniel Gruss, Thomas Prescher, Werner Haas, Stefan Mangard, Paul Kocher, Daniel Genkin, Yuval Yarom, and Mike Hamburg, Meltdown, January 03, 2018; Galowicz, Jacek, Cyberus Technology, Meltdown, January 3, 2018.
[4] Nat'l Inst. of Standards and Tech., Nat'l Vulnerability Database, Detail, Detail, and 7-5715 Detail, January 4, 2018.
[5] Alert (TA18-004A), Meltdown and Spectre Side-Channel Vulnerability Guidance, January 4, 2018.
[6] Busvine, Douglas and Stephen Nellis, Security Flaws Put Virtually All Phones, Computers at Risk, January 04, 2018. Accessed January 31, 2018.

Dr. Lisa Su, February 15, 2018, Page 2 of 3

International Organization for Standardization (ISO). These types of novel hardware vulnerabilities may represent the future of the potential cybersecurity risks we face.[8] They have few countermeasures, and the scope of these vulnerabilities is unprecedented given the number of
organizations and products affected.

While we recognize industry's coordinated response to this ubiquitous, complex problem, some security experts have been critical of the process to disclose and mitigate these vulnerabilities.[9] Although security researchers initially informed certain companies of the vulnerabilities in June of 2017, the vulnerabilities were not widely disclosed until January of 2018. In addition, a handful of Chinese customers, but not the United States government, were initially informed as part of the coordinated response, raising questions as to whether a foreign government or malicious actors could have exploited the vulnerabilities.[10] As such, the full picture of the impact of these vulnerabilities, including who is affected, when they knew, with whom they communicated, and what steps they have taken in response, is far from clear.

The Senate Commerce Committee has previously sought to reduce cybersecurity risks through the encouragement of public-private partnerships to share cyber threat information and best practices, and the promotion of cybersecurity research and standards development. Cybersecurity remains a priority for the Committee, and we request written responses to the following questions as the Committee looks for lessons and recommendations to be better prepared to address cybersecurity risks associated with these vulnerabilities in the future:

1. When and how did you first become aware of these vulnerabilities?
2. Which of your products are affected by these vulnerabilities, and how are they affected?
3. Did you communicate with any entity outside your company, including any US or foreign government agencies, regarding these vulnerabilities prior to the date the vulnerabilities were publicly disclosed? If so, please identify each such entity and when you communicated with them.

[7] Nat'l Inst. of Standards and Tech., Computer Security Resource Center, Non-Invasive Attack Testing Workshop, Updated August 17, 2011, available at csrc.nist.gov/Events/2011/Non-Invasive-Attack-Testing-Workshop; International Organization for
Standardization, 17825:2016, Information Technology - Security Techniques - Testing Methods for the Mitigation of Non-Invasive Attack Classes against Modules, January 2016, www.iso.org/standard/52906.html; International Organization for Standardization, 17825:2016, Information Technology - Security Techniques - Testing Methods for the Mitigation of Non-Invasive Attack Classes against Modules, January 2016.
8 Schneier, Bruce, "The New Way Your Computer Can Be Attacked," The Atlantic, January 22, 2018, accessed February 11, 2018, theatlantic.../spectre-meltdown-cybersecurity/...
9 Newman, Lily Hay, "Meltdown and Spectre Patching has been a Total Train Wreck," Wired, January 23, 2018, accessed February 1, 2018.
10 McMillan, Robert and Liza Lin, "Intel Warned Chinese Companies of Chip Flaws before U.S. Government," January 28, 2018, accessed February 1, 2018, ...chip-flaws-before-u-s-government-1517152430.

Dr. Lisa Su
February 15, 2018
Page 3 of 3

4. If you communicated with a U.S. government entity regarding these vulnerabilities prior to the date the vulnerabilities were publicly disclosed, what was the result of your communication?
5. What steps have you taken to mitigate or patch these vulnerabilities?
6. What is the status of user implementation of the steps you have taken or recommended to mitigate or patch these vulnerabilities in your products? Have you seen performance impacts associated with any patches?
7. Do you believe the patches that have been released fully mitigate the vulnerabilities? If not, please identify any issues that are not fully mitigated by current patches.
8. Can you detect if these vulnerabilities have been exploited, and if so, have any such exploitations occurred to the best of your knowledge?
9. To what degree are you coordinating your response with other companies?
10. Do you have recommendations for further or future steps to be taken to reduce cybersecurity risks stemming from hardware vulnerabilities? What role, if any, do you think the U.S. Government should take in addressing hardware
vulnerabilities or in response to their discovery?

We look forward to receiving your written response as soon as possible, but by no later than March 1, 2018. Thank you for your consideration of this request.

JOHN THUNE, Chairman
BILL NELSON, Ranking Member

United States Senate
COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
WASHINGTON, DC 20510-6125

February 15, 2018

Mr. Yang Yuanqing
Chairman and Chief Executive Officer
Lenovo Group Limited
1009 Think Place
Morrisville, NC 27560

Dear Mr. Yuanqing:

Academic and independent security researchers,1 some of whom were federally-funded,2 recently discovered three vulnerabilities in modern computer processors that have existed for more than two decades.3 These side-channel vulnerabilities,4 which researchers have named Meltdown and Spectre, could allow sophisticated hackers access to stored passwords, keys, and other highly sensitive information.5 According to one of the researchers, the Meltdown vulnerability is probably one of the worst CPU (central processing unit) bugs ever found, while Spectre, although arguably more difficult to exploit, presents more significant challenges to mitigate or patch.

For years, the National Institute of Standards and Technology (NIST) within the U.S. Department of Commerce has been concerned with such side-channel attacks and their impact on In 2011, NIST held a testing workshop and coauthored standards in cooperation and accordance with the

1 Affiliated with Google's Project Zero, Graz University of Technology, University of University of Maryland, University of Adelaide, Cyberus, and Rambus.
2 Nat'l Inst. of Standards and Tech., Provable Security for Next-Generation Nat'l Sci. Found. Award 1514261, TWC: Medium: Apollo: An Architecture for Scalable Verifiable Computing; and Nat'l Sci. Found. Award 1652259, CAREER: Towards Practical Systems for Trustworthy Cloud Computing.
3 Horn, Jann, "Reading Privileged Memory with a Side-Channel," January 3, 2018; Kocher, Paul, Daniel Genkin, Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan
Mangard, Thomas Prescher, Michael Schwarz, and Yuval Yarom, "Spectre Attacks: Exploiting Speculative Execution," January 03, 2018; Lipp, Moritz, Michael Schwarz, Daniel Gruss, Thomas Prescher, Werner Haas, Stefan Mangard, Paul Kocher, Daniel Genkin, Yuval Yarom, and Mike Hamburg, "Meltdown," January 03, 2018; Galowicz, Jacek, "Cyberus Technology: Meltdown," January 3, 2018.
4 Nat'l Inst. of Standards and Tech., Nat'l Vulnerability Database, Detail, Detail, and 7-57 5 Detail, January 4, 2018.
5 Alert (TA18-004A), "Meltdown and Spectre Side-Channel Vulnerability Guidance," January 4, 2018.
6 Busvine, Douglas and Stephen Nellis, "Security Flaws Put Virtually All Phones, Computers at Risk," January 04, 2018, accessed January 31, 2018.

Mr. Yang Yuanqing
February 15, 2018
Page 2 of 3

International Organization for Standardization. These types of novel hardware vulnerabilities may represent the future of the potential cybersecurity risks we face.8 They have few countermeasures, and the scope of these vulnerabilities is unprecedented given the number of organizations and products affected. While we recognize industry's coordinated response to this ubiquitous, complex problem, some security experts have been critical of the process to disclose and mitigate these vulnerabilities.9 Although security researchers initially informed certain companies of the vulnerabilities in June of 2017, the vulnerabilities were not widely disclosed until January of 2018. In addition, a handful of Chinese customers, but not the United States government, were initially informed as part of the coordinated response, raising questions as to whether a foreign government or malicious actors could have exploited the vulnerabilities.10 As such, the full picture of the impact of these vulnerabilities, including who is affected, when they knew, with whom they communicated, and what steps they have taken in response, is far from clear.

The Senate Commerce Committee has previously sought to reduce cybersecurity risks through the encouragement of public-private partnerships to share cyber threat
information and best practices, and the promotion of cybersecurity research and standards development. Cybersecurity remains a priority for the Committee, and we request written responses to the following questions as the Committee looks for lessons and recommendations to be better prepared to address cybersecurity risks associated with these vulnerabilities in the future:

1. When and how did you first become aware of these vulnerabilities?
2. Which of your products are affected by these vulnerabilities, and how are they affected?
3. Did you communicate with any entity outside your company, including any foreign government agencies, regarding these vulnerabilities prior to the date the vulnerabilities were publicly disclosed? If so, please identify each such entity and when you communicated with them.

7 Nat'l Inst. of Standards and Tech., Computer Security Resource Center, Non-Invasive Attack Testing Workshop (Updated August 17, 2011), available at https://csrc.nist.gov/events/201...; International Organization for Standardization, 17825:2016, Information Technology - Security Techniques - Testing Methods for the Mitigation of Non-Invasive Attack Classes against Modules, January 2016; International Organization for Standardization, 17825:2016, Information Technology - Security Techniques - Testing Methods for the Mitigation of Non-Invasive Attack Classes against Modules, January 2016.
8 Schneier, Bruce, "The New Way Your Computer Can Be Attacked," The Atlantic, January 22, 2018, accessed February 11, 2018.
9 Newman, Lily Hay, "Meltdown and Spectre Patching has been a Total Train Wreck," Wired, January 23, 2018, accessed February 1, 2018, ...patching-total-train-wreck/.
10 McMillan, Robert and Liza Lin, "Intel Warned Chinese Companies of Chip Flaws before U.S. Government," January 28, 2018, accessed February 1, 2018.

Mr. Yang Yuanqing
February 15, 2018
Page 3 of 3

4. If you communicated with a U.S. government entity regarding these vulnerabilities prior to the date the vulnerabilities were publicly disclosed, what was the result of your
communication?
5. What steps have you taken to mitigate or patch these vulnerabilities?
6. What is the status of user implementation of the steps you have taken or recommended to mitigate or patch these vulnerabilities in your products? Have you seen performance impacts associated with any patches?
7. Do you believe the patches that have been released fully mitigate the vulnerabilities? If not, please identify any issues that are not fully mitigated by current patches.
8. Can you detect if these vulnerabilities have been exploited, and if so, have any such exploitations occurred to the best of your knowledge?
9. To what degree are you coordinating your response with other companies?
10. Do you have recommendations for further or future steps to be taken to reduce cybersecurity risks stemming from hardware vulnerabilities? What role, if any, do you think the U.S. Government should take in addressing hardware vulnerabilities or in response to their discovery?

We look forward to receiving your written response as soon as possible, but by no later than March 1, 2018. Thank you for your consideration of this request.

JOHN THUNE, Chairman
BILL NELSON, Ranking Member

United States Senate
COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
WASHINGTON, DC 20510-6125

February 15, 2018

Mr. Ren Zhengfei
Deputy Chairman of the Board and Chief Executive Officer
Huawei Technologies Co., Ltd.
c/o Huawei Technologies USA
5700 Tennyson Parkway, Suite 500
Plano, TX 75024

Dear Mr. Zhengfei:

Academic and independent security researchers,1 some of whom were federally-funded,2 recently discovered three vulnerabilities in modern computer processors that have existed for more than two decades.3 These side-channel vulnerabilities,4 which researchers have named Meltdown and Spectre, could allow sophisticated hackers access to stored passwords, keys, and other highly sensitive information.5 According to one of the researchers, the Meltdown vulnerability is probably one of the worst CPU (central processing unit) bugs ever found,6 while Spectre,
although arguably more difficult to exploit, presents more significant challenges to mitigate or patch.

For years, the National Institute of Standards and Technology (NIST) within the U.S. Department of Commerce has been concerned with such side-channel attacks and their impact on In 2011, NIST held a testing workshop and coauthored standards in cooperation and accordance with the

1 Affiliated with Google's Project Zero, Graz University of Technology, University of University of Maryland, University of Adelaide, Cyberus, and Rambus.
2 Nat'l Inst. of Standards and Tech., Provable Security for Next-Generation Nat'l Sci. Found. Award 1514261, TWC: Medium: Apollo: An Architecture for Scalable Verifiable Computing; and Nat'l Sci. Found. Award 1652259, CAREER: Towards Practical Systems for Trustworthy Cloud Computing.
3 Horn, Jann, "Reading Privileged Memory with a Side-Channel," January 3, 2018; Kocher, Paul, Daniel Genkin, Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz, and Yuval Yarom, "Spectre Attacks: Exploiting Speculative Execution," January 03, 2018; Lipp, Moritz, Michael Schwarz, Daniel Gruss, Thomas Prescher, Werner Haas, Stefan Mangard, Paul Kocher, Daniel Genkin, Yuval Yarom, and Mike Hamburg, "Meltdown," January 03, 2018; Galowicz, Jacek, "Cyberus Technology: Meltdown," January 3, 2018.
4 Nat'l Inst. of Standards and Tech., Nat'l Vulnerability Database, Detail, Detail, and 5 Detail, January 4, 2018.
5 Alert (TA18-004A), "Meltdown and Spectre Side-Channel Vulnerability Guidance," January 4, 2018, ...cert.gov/ncas/alerts/TA18-004A.
6 Busvine, Douglas and Stephen Nellis, "Security Flaws Put Virtually All Phones, Computers at Risk," January 04, 2018, accessed January 31, 2018, ...phones-computers-at-risk-idUSKBN1ES1BO.

Mr. Ren Zhengfei
February 15, 2018
Page 2 of 3

International Organization for Standardization. These types of novel hardware vulnerabilities may represent the future of the potential cybersecurity risks we face. They have few countermeasures, and the scope of these vulnerabilities is unprecedented given the number of
organizations and products affected. While we recognize industry's coordinated response to this ubiquitous, complex problem, some security experts have been critical of the process to disclose and mitigate these vulnerabilities. Although security researchers initially informed certain companies of the vulnerabilities in June of 2017, the vulnerabilities were not widely disclosed until January of 2018. In addition, a handful of Chinese customers, but not the United States government, were initially informed as part of the coordinated response, raising questions as to whether a foreign government or malicious actors could have exploited the vulnerabilities.10 As such, the full picture of the impact of these vulnerabilities, including who is affected, when they knew, with whom they communicated, and what steps they have taken in response, is far from clear.

The Senate Commerce Committee has previously sought to reduce cybersecurity risks through the encouragement of public-private partnerships to share cyber threat information and best practices, and the promotion of cybersecurity research and standards development. Cybersecurity remains a priority for the Committee, and we request written responses to the following questions as the Committee looks for lessons and recommendations to be better prepared to address cybersecurity risks associated with these vulnerabilities in the future:

1. When and how did you first become aware of these vulnerabilities?
2. Which of your products are affected by these vulnerabilities, and how are they affected?
3. Did you communicate with any entity outside your company, including any U.S. or foreign government agencies, regarding these vulnerabilities prior to the date the vulnerabilities were publicly disclosed? If so, please identify each such entity and when you communicated with them.

7 Nat'l Inst. of Standards and Tech., Computer Security Resource Center, Non-Invasive Attack Testing Workshop (Updated August 2011), available at ...; International Organization for Standardization,
ISO/IEC 17825:2016, Information Technology - Security Techniques - Testing Methods for the Mitigation of Non-Invasive Attack Classes against Modules, January 2016; International Organization for Standardization, 17825:2016, Information Technology - Security Techniques - Testing Methods for the Mitigation of Non-Invasive Attack Classes against Modules, January 2016, ...org/standard/60612.
8 Schneier, Bruce, "The New Way Your Computer Can Be Attacked," The Atlantic, January 22, 2018, accessed February 01, 2018, theatlantic.com/technology/...cybersecurity/551147/.
9 Newman, Lily Hay, "Meltdown and Spectre Patching has been a Total Train Wreck," Wired, January 23, 2018, accessed February 1, 2018, wired.com/story/meltdown-spectre-patching-total-train-wreck/.
10 McMillan, Robert and Liza Lin, "Intel Warned Chinese Companies of Chip Flaws before U.S. Government," January 28, 2018, accessed February 1, 2018, wsj.com/articles/intel-warned-chinese-companies-of-chip-flaws-before-u-s-government-1517152430.

Mr. Ren Zhengfei
February 15, 2018
Page 3 of 3

4. If you communicated with a U.S. government entity regarding these vulnerabilities prior to the date the vulnerabilities were publicly disclosed, what was the result of your communication?
5. What steps have you taken to mitigate or patch these vulnerabilities?
6. What is the status of user implementation of the steps you have taken or recommended to mitigate or patch these vulnerabilities in your products? Have you seen performance impacts associated with any patches?
7. Do you believe the patches that have been released fully mitigate the vulnerabilities? If not, please identify any issues that are not fully mitigated by current patches.
8. Can you detect if these vulnerabilities have been exploited, and if so, have any such exploitations occurred to the best of your knowledge?
9. To what degree are you coordinating your response with other companies?
10. Do you have recommendations for further or future steps to be taken to reduce cybersecurity risks stemming from hardware
vulnerabilities? What role, if any, do you think the U.S. Government should take in addressing hardware vulnerabilities or in response to their discovery?

We look forward to receiving your written response as soon as possible, but by no later than March 1, 2018. Thank you for your consideration of this request.

Sincerely,

JOHN THUNE, Chairman
BILL NELSON, Ranking Member