By Audrey Plonk, Senior Director, Public Policy, Intel Product Assurance and Security Group
Working with the Center for Cybersecurity Law and Policy to Advance Coordinated Disclosure Policy and Practice
Having been intimately involved from day one in Intel’s response to the Spectre and Meltdown vulnerabilities, I am also deeply familiar with – and committed to – Intel’s Security First Pledge. As Intel progressed through the release of production microcode updates for Spectre Variant #2, I have refocused my attention on advancing the spirit and letter of the Pledge consistent with our policies announced last week and through our global cybersecurity public policy efforts.
I first started working on cybersecurity policy in 2003. At the time, industry and government were primarily concerned about distributed denial of service attacks and operating system vulnerabilities. A few years later, in 2007 – when I went to the Organisation of Economic Cooperation and Development to write cybersecurity policy recommendations for governments – hackers were primarily hobbyists, and cybersecurity companies were in their infancy. Even then, however, signs of the future were starting to emerge. It was that same year that cyberattacks against Estonia forced the country to restrict incoming Internet traffic from overseas locations. A year later, I joined Intel and began learning about the industry’s history and challenges in cybersecurity technology and policy. Many things are different now than in 2003 – growth in the cyberarsenals of nation-states and criminal syndicates, and increasingly commonplace reports of vulnerabilities potentially affecting hardware, not just software – to name just a few. Throughout this time, however, Intel’s security policy leadership has remained steady. Our Meltdown and Spectre response was built on the foundation of decades of leadership in hardware security and cybersecurity and privacy public policy.
Intel knows that lasting change comes from the difficult work of aligning stakeholders from industry, government, civil society and academia. In anticipation of this year’s RSA conference, I’m pleased to announce today that Intel has asked the Center for Cybersecurity Policy and Law to engage broadly with other technology companies to examine coordinated hardware-specific vulnerability disclosure policy and processes. The goal is to identify the specific needs and circumstances of the hardware ecosystem, opportunities to advance disclosure policy and practice, and options for future improvements. The Center has agreed to direct this project, and it is well qualified to do so, as it brings together key stakeholders from across the technology sector along with the Center’s Coordinator, Ari Schwartz. Before entering the private sector, Ari was a member of the White House National Security Council, where he served as Special Assistant to the President and Senior Director for Cybersecurity.
Time passes all too quickly and it is hard to believe that I’ve been working on cybersecurity policy for fifteen years. Many things have changed, but my desire to work on solving difficult problems to improve cybersecurity and privacy has remained a constant. We have some challenging issues ahead, including coordinated vulnerability disclosure policy, advancing norms and behaviors for cyberspace, and the security assurance of commercial products and services. Consistent with our Security First Pledge, I am committed to advancing cybersecurity public policy in cooperation with our colleagues and partners in industry, academia and government.