McKay | 2

US Government and Private Sector Unity Center for Anticipatory Necessary to Protect Americans from Intelligence Student Spectre Cyberattack Research Reports

Robert McKay December 2018

Executive Summary

To safeguard Americans and critical government entities from the Spectre cyberattack and its variants, the United States Government (USG) will need to effectively collaborate with private sector companies to create an improved framework for communication between the private sector and the USG that provides a medium for essential cybersecurity coordination. Spectre is a devastating cyberattack that leverages the latest-discovered hardware vulnerabilities in modern computer processing units (CPUs).1 In the current state of play, at least three billion chips are vulnerable to Spectre attacks.2 As new ideas and exploitations emerge, Spectre attacks will become more threatening and difficult to mitigate.3 High-profile targets are reasonable choices by malicious actors for Spectre attacks, and since secure programming practices actually increase Spectre vulnerability, cybersecurity organizations are likely targets.4 The National Security Agency Central Security Service (NSA/CSS), the National Cybersecurity and Communications Integration Center (NCCIC), and In-Q-Tel are three of the best-equipped organizations to handle the Spectre threat. The NSA/CSS is on the cutting edge of cybersecurity technologies; the NCCIC has the responsibility of communicating with private sector entities and conveying emergency information to the public through the US Computer Emergency Response Team Coordination Center (US-CERT/CC);5 and In-Q-Tel has unique startup company scouting abilities that may also support a solution. Unifying the efforts of the private sector, the NSA/CSS, and the NCCIC could make significant strides in keeping US citizens and government entities secure against Spectre attacks in the near and long term. A coordination strategy, co-drafted by government and private parties, could ensure fluid and timely intelligence sharing in the best interests of national security and profits. Establishing a framework for professional communication between federal and private entities, with incentives in place for both parties, could greatly benefit the American people by providing safer products and improved national security.

* * *

McKay | 3

US Government and Private Sector Unity Necessary to Protect Americans from Spectre Cyberattack and its Variants

Spectre is a cyberattack that exploits a hardware vulnerability in modern computer processing units (CPUs).6 Spectre is a threat to all devices running Intel, Advanced Micro Devices (AMD), and ARM processors manufactured from around 2000 to late 2018.7 The Spectre cyberattack and its variations are dangerous because they allow protected memory on a device to be accessed by a hacker.8 Of primary concern are encrypted passwords that can be accessed from a side channel unbeknownst to the user.9 Spectre attacks exploit three common things: branch prediction, speculative execution, and side channel timings. At the microarchitectural level, branch prediction allows the machine to perform faster by guessing which instructions need to be executed next. The machine then uses downtime between pipeline instructions to execute those guessed actions; this process is called speculative execution.10 In computer architecture, the pipeline is like an assembly line–– one piece moves from station to station until production is completed, just like an instruction in a pipeline.11 On a conditional branch, production pauses while the location for the part in front is calculated. Speculative execution occurs during this waiting period, guessing where the part should go and sending it there while continuing production of the other parts.12 Sometimes, the guess is wrong, and the parts (or instructions) get pushed back to where they were before the speculative execution.13 Whether the branch prediction is correct, the memory accessed by the speculative execution is not completely undone in order to save processing time––in fact, it is left in the cache, a place in memory that can be accessed quickly by any program.14 A Spectre attack measures the time it takes for the native process to branch: if the branch was correct, a short time will be measured, but if incorrect, a longer time will be measured.15 The art behind a Spectre attack is how it tricks the branch predictor into incorrectly guessing the information in protected memory that the attacker wants to know.16 When this information is placed in the cache (or another side channel), the shared memory becomes public to other processes and can be accessed by the attacker.17 Spectre attacks are untraceable because they exploit the system's normal operating behavior.18 Not knowing when or if a system has been attacked significantly inhibits defense. Suppose a victim of identity theft knows his or her information has been stolen––then at least he or she can act on that information and change passwords, lock bank accounts, and so forth. Compare this with a Spectre victim who continues to use the same accounts and same passwords after being unwittingly compromised. This characteristic of Spectre perpetuates the vulnerability of victims because an attacker can access new information again and again through the same attack.19 Many government and private systems may be vulnerable to Spectre. According to the Computer Emergency Response Team Coordination Center (CERT/CC), 36 major companies, including Apple, Amazon, and , are vulnerable to Spectre attacks.20 Additionally, 90% of personal computers use Intel chips, which is unsettling if even a fraction of those are used in government networks.21 McKay | 4

Even the most secure organizations are vulnerable; in fact, because of secure programming practices, they may be even more susceptible.22 Spectre attacks break program isolation by accessing memory from a side channel through a series of conditional branches.23 Program isolation is what keeps memory protected by ensuring only the intended program can access that memory.24 When speculative execution places memory in the cache, it allows other programs to access that memory, breaking the isolation.25 Secure programming practices increase the likelihood of conditional branches because of the added safety checks of code verification. This increases the vulnerability of a system because the more conditional branches there are, the easier it is to exploit branch prediction.26 One area where this unintended effect can be seen is the case of In-Q-Tel, a talent scout for cutting-edge technologies for the US Intelligence Community. In-Q-Tel advocates secure programming practices and encourages private sector partners to adopt them as well27––but in shoring up their defenses against certain vulnerabilities, organizations have made themselves more vulnerable to Spectre attacks. Spectre is a significant national security threat. When Google's Jann Horn discovered Spectre in June 2017, he reported his findings to Intel, ARM, and AMD.28 In turn, Intel told Lenovo and Alibaba––two Chinese companies who informed their government months before at least portions of the USG knew about Spectre.29 US-CERT was not notified until the public release of the attack in January 2018.30 It is estimated the NSA/CSS knows about one-third of zero-day cyberattacks before they happen, so whether Spectre was a surprise to all sectors of the USG is still a question.31 Even if the NSA/CSS did anticipate Spectre, they likely still share the problems that others do with hardware vulnerabilities because so many personal and government computers are affected and it is unlikely that all NSA personnel had need-to-know access to Spectre.32 At the public release of Spectre, Intel claimed there had been no reports of a Spectre attack up to that point; however, because Spectre attacks are untraceable, it is not clear how a victim would know about the attack to report it.33 Since the Chinese government might have known about Spectre much earlier than the US, it is not out of the realm of possibility that China has leveraged this attack against US public or private sector systems.34 Additionally, Spectre has spawned many new and dangerous variants.35 One variation of Spectre, BranchScope, exploits branch prediction by systematically determining what the branch predictor guessed, and based on that information, what it will guess on the next conditional branch.36 Then, the memory changes in the cache are measured to extract data.37 BranchScope is significant because it circumvents certain Spectre mitigation efforts such as changing the timing of branches.38 As Spectre attacks become more advanced, they are also moving to attacking networks. Another new variant of Spectre, NetSpectre, has been shown to function over a network with remote access to steal protected passwords.39 This is especially concerning because a network encompasses a large attack surface, or number of entry points that attackers can use to get into a system.40 Cloud memory services are likely targets for NetSpectre due to the size of the networks and the value of the data within––bank accounts, passwords, and other personal information.41 Spectre Next Generation, or Spectre-NG, was unveiled in August and has the potential to take control of a machine on a server and, like a virus, use it to attack all machines on the server.42 Seven other Spectre variants were also publicized in the same release. In the future, similar cyberattacks to Spectre may not only access data, they may corrupt it.43 This is of McKay | 5 primary concern to national security since the ability to alter system functionality of critical USG systems could have fatal consequences.44 Although Spectre attacks are potent, there are a number of challenges associated with launching a Spectre attack. First, due to the high degree of sophistication involved in a Spectre attack, it would take an attacker with a thorough understanding of the software and hardware architecture of the target to execute the attack successfully.45 Furthermore, Spectre does not extract data quickly, especially over a network. Researchers who first demonstrated NetSpectre found maximum extraction rates as slow as 15 bits per hour in certain cases. Supposing a character is 8 bits, it would take about two years to extract this paper. Nonetheless, such slow speeds may be practical for attacking single high-profile targets for specific passwords.46 Target examples may include banks, nuclear facilities, aircraft carriers, airplanes, or autonomous vehicles. The Department of Defense (DoD) would be a particularly likely organization to be targeted because of its size and high-profile nature; despite the DoD housing the NSA/CSS, the nature of Spectre exploiting a hardware problem negates any expertise advantage––new, improved chips are required to defend effectively against the attack.47 As long as old hardware persists, Spectre attacks and variants will remain a persistent threat.48 The latest CPUs (made in mid- to late 2018) are invulnerable to some of the publicized Spectre attacks, but the cost of replacing machines for large companies and organizations could sway them to continue trying software patches and firmware updates.49 Neither software patches nor firmware updates guarantee protection against Spectre attacks––they are similar to covering a gaping hole in a tank with paper and painting camouflage over it. The only sure way to protect against Spectre is with new, revised hardware; however, even this is no guarantee against future Spectre-related attacks that may leverage weaknesses in different parts of the hardware.50 There are several USG organizations with tools to facilitate mitigation and management of Spectre attacks. The NCCIC is the federal civilian interface for cybersecurity risks,51 and US- CERT is a sub-agency in the NCCIC with jurisdiction to publicize cybersecurity threats and supplement mitigation efforts.52 Since the NCCIC is housed under the Department of Homeland Security (DHS), it also has access to business partners and may be able to find outreach in the private sector.53 Next, the NSA/CSS is the USG's leader in cybersecurity and technology and might have discovered Spectre first.54 Whether or not this is so, the expertise offered by NSA/CSS is likely to be invaluable in determining solutions to the Spectre threat. One of the major challenges the NSA/CSS may face is public image––in order for the NSA/CSS to help, it would likely need to work with the private sector, a challenge made more difficult in the wake of Edward Snowden’s 2013 leaks.55 From a company’s point of view, it may not trust the NSA/CSS to preserve the company’s .56 A company may also be wary of publicizing a joint venture with the NSA/CSS for sales and public relations reasons.57 In-Q-Tel may also play a vital role in an indirect way by continuing to seek cybersecurity ventures; it is possible a startup CPU company could develop an architecture to avoid Spectre attacks. The solution to future Spectre attacks will need to come through a design before it will come through mass production. This levels the playing field for startup companies to contribute to a solution; nonetheless, the USG should not put all its hopes on one venture for the right McKay | 6 startup company to solve the Spectre problem, so other measures should be taken. While In-Q- Tel searches for startups, it is imperative for the NCCIC to be adequately briefed and knowledgeable of zero-day threats to organize security measures and damage control efforts for cyberattacks. Presently, many of the top minds in cybersecurity are working for companies that do not inform the USG (Intel, Apple, and others) of key security findings.58 Ego, mistrust, and the incentive structure of capitalism may play a role in the lack of corporate-USG communication. A company that learns of its weakness may do its best to mask them until it has a solution. Revealing security problems has had disastrous effects for tech companies in the past. When Sony was hacked in 2014, for example, shares plummeted.59 Target encountered significant problems in 2017 when it announced that their customers' information was stolen.60 Chinese hackers that compromised the identity of Marriott customers in 2018 caused similar losses.61 Both USG organizations and private sector companies advocate intercommunication and collaboration and have done so on occasion, such as when Amazon agreed to build a secure cloud for the DoD.62 Despite this, when crises arise, there has been a severe lack of intelligence sharing. When the US Senate was informed that Intel shared knowledge of Spectre with Chinese companies before telling the USG, the Senate demanded a hearing.63 Intel failed to send a representative.64 When the FBI wanted Apple to manufacture code to facilitate accessing the phone of a terrorist to determine co-conspirators, Apple “flat-out refused”; however, Apple contacted the FBI after the Texas shooting to offer other means of aid to get into the iPhone possessed by the shooter, which the FBI did not accept.65 This historical precedent for lack of cooperation does not bode well for future public-private cooperation and intelligence sharing. There is little incentive for a company to go to the NCCIC with a national security threat concerning one of their products because, despite the promise of a secure channel provided by the NCCIC, companies may be fearful of the responsibility of the NCCIC to inform the American people.66 The NCCIC could inform the public that the company’s products are not secure or relay information to the NSA to exploit the threat against enemies of the US. Either scenario could decrease sales. Furthermore, if the USG did not know about the threat until the company told them, it is unlikely that the company will receive any immediate technical assistance to solve the issue, which is a further disincentive to communicate with the USG. Companies are likely to lose money when they look weak or incapable of protecting their customers, but if they solve their own problem, they may stand to make more money by marketing the solution. This is especially true for something like Spectre that affects microprocessors manufactured by multiple companies––if Intel is the first to market the solution, they would stand to profit considerably.67 Demonstrating the perverse incentives at play, if Intel were to instead communicate the issue to the NCCIC, competitors could have access to the solution. This may be seen by corporate leadership and shareholders as a waste of resources, since Intel did nothing to make itself more profitable than its competitors. Spectre may be a deeper problem than originally perceived because it continues to give rise to new hardware manipulations and exploitations. These problems are not entirely solved by throwing a new Spectre-proof processor into the market. As these problems crop up, there still is not a framework of incentive for companies to approach the NCCIC, as is evidenced by companies recently declining to do so.68 This perpetuates the difficulty in federally managing McKay | 7

Spectre variants and further distances ties between the USG and the private sector. The more disconnected the USG is from the private sector, the more national security is at risk because some of the top minds of cybersecurity are employed by major tech companies.69 There are also few incentives for the government to communicate with the private sector. As mentioned, it is possible the NSA/CSS knew about Spectre, and perhaps its variants, before major companies or China.70 If this were the case, private companies were not informed about the vulnerability by the USG. A potential reason for the lack of communication could be that the NSA/CSS was using Spectre against US adversaries,71 but it also could be seen as an abuse of government power for the NSA/CSS to inform Intel, ARM, or AMD because it would disrupt the market cycle by keeping those companies at the top. Furthermore, for the NSA/CSS to implement a solution to Spectre, it may be safer to contract interagency solutions rather than risk information of the attack leaking, which would disclose the cyberattack. A proposed solution to the lack of intelligence sharing between the public and private sectors is to establish an agreement between the USG and private sector about cybersecurity strategy. When a threat is discovered that impacts Americans, an uninformed entity is unlikely to contribute a solution. When the conversation is closed between the NCCIC and private companies regarding product security, progress becomes stifled, and threats proliferate. A coordinated strategy would enable companies whose products are vulnerable to have a confidential and protected conversation with the government to form solutions. Citizens may be suspicious of a government-business alliance to discuss secrets because it could be confused with big-money lobbying;72 supplying information about a concerted effort to stop cyberattacks in the name of national security for citizens may serve to combat this perception. An alternative to a secretive team effort is to publish details about cyberattacks without solutions, but this could compromise national security as nefarious attackers could leverage them at will. It could also destroy companies with product defects by costing them their consumers. In that situation, there are no winners, and citizens could become less safe. But while thoughtlessly publicizing cyberattacks makes citizens, businesses, and government more vulnerable, keeping threats localized to the government or the private sector alone leaves serious gaps in protecting citizens and entities, as is the present case with Spectre. Therefore, opening a clearly established line of confidential communication between companies and the USG may be a logical course of action. With Congressional oversight and responsible leaders, efforts to provide secure hardware could become a reality through government-corporate cooperation. If this meeting of interests were on mutual terms, then there could be reason for each entity to benefit. If this cooperation produces safer products, then enhanced national and citizen security could result. The strength of the NCCIC lies in its jurisdiction to facilitate government communication with the private sector, but the lack of a framework that incentivizes this alliance in the name of national security jeopardizes security for all stakeholders involved. Promises and guarantees that everyone benefits from collaborative outcomes in the best interest of safeguarding Americans should be the goal of the strategy and partnership between business and government. Through this plan, the USG can teach and learn from leaders in industry. Spectre and its variants may pose significant threats to our nation, government, companies, and citizens, but through a concerted effort the threat can be significantly mitigated. McKay | 8

Endnotes

1 “Meltdown and Spectre Side-Channel Vulnerability Guidance,” Department of Homeland Security, 4 January 2018, accessed 12 December 2018, https://www.us-cert.gov/ncas/alerts/TA18-004A. 2 Giles, Martin, “At Least Three Billion Computer Chips Have the Spectre Security Hole,” MIT Technology Review, 5 January 2018, accessed 12 December 2018, https://www.technologyreview.com/s/609891/at-least-3-billion- computer-chips-have-the-spectre-security-hole/. 3 Schneier, Bruce, “More Spectre/Meltdown-Like Attacks,” Schneier on Security (blog), 14 November 2018, accessed 12 December 2018, https://www.schneier.com/blog/archives/2018/11/more_spectremel.html. 4 Sheridan, Kelly, “Former CIA CTO Talks Meltdown and Spectre Cost, Federal Threats,” DARKReading, 26 January 2018, accessed 12 December 2018, https://www.darkreading.com/vulnerabilities---threats/former-cia-cto-talks- meltdown-and-spectre-cost-federal-threats/d/d-id/1330923. 5 “About Us,” US-CERT, accessed 12 December 2018, https://www.us-cert.gov/about-us; “Cybersecurity,” National Security Agency, accessed 12 December 2018, https://www.nsa.gov/What-We-Do/Cybersecurity/. 6 Fruhlinger, Josh, “Spectre and Meltdown explained: What they are, how they work, what’s at risk,” IDG Communications, 15 January 2018, accessed 12 December 2018, https://www.csoonline.com/article/3247868/vulnerabilities/spectre-and-meltdown-explained-what-they-are-how- they-work-whats-at-risk.html. 7 Fruhlinger, Josh, “Spectre and Meltdown explained: What they are, how they work, what’s at risk”; Dumi, Almi, “Meltdown and Spectre: 2018’s Newest Security Threat,” {e}mazzanti technologies, 7 January 2018, accessed 12 December 2018, https://www.emazzanti.net/meltdown-spectre-cybersecurity-threat/; McKay, Tom, “Report: All Intel Processors Made in the Last Decade Might Have a Massive Security Flaw [Updated],” Gizmodo, 3 January 2018, accessed 12 December 2018, https://gizmodo.com/report-all-intel-processors-made-in-the-last-decade-mi- 1821728240. 8 Paul Kocher et al., “Spectre Attacks: Exploiting Speculative Execution,” Graz University of Technology, accessed 1 November 2018, https://spectreattack.com/spectre.pdf. 9 Anslinger, Joe, “Spectre, Meltdown, and Protecting Your Passwords,” Lieberman Technologies, 6 February 2018, accessed 11 December 2018, https://www.ltnow.com/spectre-meltdown-protecting-passwords/. 10 Paul Kochler et al., “Spectre Attacks: Exploiting Speculative Execution.” 11 Sharma, Saurabh, “Computer Organization and Architecture | Pipelining | Set 1 (Execution, Stages, and Throughput),” GeeksforGeeks, accessed 11 December 2018, https://www.geeksforgeeks.org/computer- organization-and-architecture-pipelining-set-1-execution-stages-and-throughput/. 12 Paul Kochler et al., “Spectre Attacks: Exploiting Speculative Execution.” 13 Paul Kochler et al., “Spectre Attacks: Exploiting Speculative Execution.” 14 Paul Kochler et al., “Spectre Attacks: Exploiting Speculative Execution”; “Definition of: cache,” PCmag, accessed 11 December 2018, https://www.pcmag.com/encyclopedia/term/39177/cache. 15 Paul Kochler et al., “Spectre Attacks: Exploiting Speculative Execution.” 16 Paul Kochler et al., “Spectre Attacks: Exploiting Speculative Execution.” 17 Paul Kochler et al., “Spectre Attacks: Exploiting Speculative Execution.” 18 Coos, Andrada, “What Meltdown and Spectre mean for CPU Security,” Endpoint Protector (blog), 9 January 2018, accessed 12 December 2018, https://www.endpointprotector.com/blog/what-meltdown-and-spectre-mean-for- cpu-security/. 19 Dumi, Almi, “Meltdown and Spectre: 2018’s Newest Security Threat,” {e}mazzanti technologies, 7 January 2018, accessed 12 December 2018, https://www.emazzanti.net/meltdown-spectre-cybersecurity-threat/. 20 “CPU hardware vulnerable to side-channel attacks,” Carnegie Mellon University, sponsored by Department of Homeland Security Office of Cybersecurity and Communications, revised 3 July 2018, accessed 12 December 2018, https://www.kb.cert.org/vuls/id/584653/. 21 “Intel, ARM, and AMD chip scare: What you need to know,” BBC, 4 January 2018, accessed 12 December 2018, https://www.bbc.com/news/technology-42562303. McKay | 9

22 Boose, Shelley, “How to Prevent Meltdown and Spectre from Compromising Machine Identities,” Venafi (blog), 17 January 2018, accessed 12 December 2018, https://www.venafi.com/blog/how-prevent-meltdown-and-spectre- compromising-machine-identities. 23 Paul Kochler et al., “Spectre Attacks: Exploiting Speculative Execution.” 24 Wai Chan et al., “Operating System Privilege: Protection and Isolation,” notes for 4 May 2005, accessed 12 December 2018, https://read.seas.harvard.edu/~kohler/class/05s-osp/notes/notes9.html. 25 Boose, Shelley, “How to Prevent Meltdown and Spectre from Compromising Machine Identities.” 26 Paul Kochler et al., “Spectre Attacks: Exploiting Speculative Execution.” 27 Prafullchandra, Hemma, “A Look Inside: Cloudy With a Chance of Computing,” IQT Quarterly Vol. 5 No. 4, Spring 2014, accessed 12 December 2018, https://www.iqt.org/wp-content/uploads/iqt- quarterlies/IQT%20Quarterly_Spring%202014_Cloudy%20With%20a%20Chance%20of%20Computing.pdf. 28 Jeremy Kahn, Alex Webb, and Mara Bernath, “How a 22-Year-Old Discovered the Worst Chip Flaws in History,” Bloomberg, 17 January 2018, accessed 12 December 2018, https://www.bloomberg.com/news/articles/2018-01- 17/how-a-22-year-old-discovered-the-worst-chip-flaws-in-history. 29 Robert McMillan and Liza Lin, “Intel Warned Chinese Companies of Chip Flaws Before U.S. Government,” The Wall Street Journal, 28 January 2018, accessed 12 December 2018, https://www.wsj.com/articles/intel-warned-chinese- companies-of-chip-flaws-before-u-s-government-1517157430. 30 Sam Schechner and Stu Woo, “Tech Giants Race to Address Chip Flaws With a Potentially Vast Impact,” The Wall Street Journal, 4 January 2018, accessed 12 December 2018, https://www.wsj.com/articles/tech-giants-race-to- address-widespread-chip-flaws-1515070427. 31 Marks, Joseph, “The Chinese Government Likely Knew about Spectre and Meltdown Bugs Before the U.S.,” Nextgov, 11 July 2018, accessed 12 December 2018, https://www.nextgov.com/cybersecurity/2018/07/chinese- government-likely-knew-about-spectre-and-meltdown-bugs-us/149647/; Trey Herr and Bruce Schneier, “Rediscovering Vulnerabilities,” Lawfare, 21 July 2017, accessed 12 December 2018, https://www.lawfareblog.com/rediscovering-vulnerabilities. 32 “Intel, ARM, and AMD chip scare: What you need to know.” 33 Coos, Andrada, “What Meltdown and Spectre mean for CPU Security.” 34 Marks, Joseph, “The Chinese Government Likely Knew about Spectre and Meltdown Bugs Before the U.S.” 35 Franklin, Curtis Jr., “Spectre Returns with 8 New Variants,” DARKReading, 4 May 2018, accessed 12 December 2018, https://www.darkreading.com/vulnerabilities---threats/spectre-returns-with-8-new-variants/d/d-id/1331723. 36 Bright, Peter, “As predicted, more branch prediction processor attacks are discovered,” Ars Technica, 26 March 2018, accessed 12 December 2018, https://arstechnica.com/gadgets/2018/03/its-not-just-spectre-researchers- reveal-more-branch-prediction-attacks/. 37 Bright, Peter, “As predicted, more branch prediction processor attacks are discovered.” 38 Reis, Charlie, “Mitigating Spectre with Site Isolation in Chrome,” Google, 11 July 2018, accessed 12 December 2018, https://security.googleblog.com/2018/07/mitigating-spectre-with-site-isolation.html. 39 Bright, Peter, "New Spectre Attack Enables Secrets to Be Leaked over a Network," Ars Technica, 26 July 2018, accessed 1 November 2018, https://arstechnica.com/gadgets/2018/07/new-spectre-attack-enables-secrets-to-be- leaked-over-a-network/. 40 Newman, Lily Hay, “Hacker Lexicon: What is an Attack Surface?” Wired, 12 March 2017, accessed 12 December 2018, https://www.wired.com/2017/03/hacker-lexicon-attack-surface/. 41 Bright, Peter, "New Spectre Attack Enables Secrets to Be Leaked over a Network." 42 Franklin, Curtis Jr., “Spectre Returns with 8 New Variants.” 43 Schneier, Bruce, “More Spectre/Meltdown-Like Attacks.” 44 Schneier, Bruce, “More Spectre/Meltdown-Like Attacks.” 45 “Two major flaws in computer chips could leave a huge number of computers and smartphones vulnerable to security concerns, researchers revealed Wednesday,” ParaTech, 5 January 2018, accessed 12 December 2018, https://ptechllc.com/2018/01/05/spectre-and-meltdown-risks/. 46 Bright, Peter, "New Spectre Attack Enables Secrets to Be Leaked over a Network." 47 Brad Chacos and Michael Simon, “Meltdown and Spectre FAQ: How the critical CPU flaws affect PCs and Macs,” PCWorld, 22 February 2018, accessed 12 December 2018, https://www.pcworld.com/article/3245606/security/intel-x86-cpu-kernel-bug-faq-how-it-affects-pc-mac.html. 48 Brad Chacos and Michael Simon, “Meltdown and Spectre FAQ: How the critical CPU flaws affect PCs and Macs.” McKay | 10

49 Wagner, Jayce, “Did I do that? Intel is going to make a killing fixing its own Meltdown,” Digital Trends, 22 February 2018, accessed 12 December 2018, https://www.digitaltrends.com/computing/intel-could-make-billioins-off- meltown-specture/; Castle, Katharine, “Intel’s new 8th Gen Coffee Lake CPUs will have built-in Spectre and Meltdown hardware fixes,” Rock Paper Shotgun, 16 March 2018, accessed 12 December 2018, https://www.rockpapershotgun.com/2018/03/16/intel-spectre-meltdown-cpu-fix-coffee-lake/. 50 Brad Chacos and Michael Simon, “Meltdown and Spectre FAQ: How the critical CPU flaws affect PCs and Macs.” 51 “Cybersecurity: DHS’s National Integration Center Generally Performs Required Functions but Needs to Evaluate Its Activities More Completely,” U.S. Government Accountability Office, 1 February 2017, accessed 12 December 2018, https://www.gao.gov/products/GAO-17-163. 52 “About Us,” US-CERT, accessed 12 December 2018, https://www.us-cert.gov/about-us. 53 “Cybersecurity: DHS’s National Integration Center Generally Performs Required Functions but Needs to Evaluate Its Activities More Completely.” 54 Trey Herr and Bruce Schneier, “Rediscovering Vulnerabilities.” 55 Benkler, Yochai, “We cannot trust our government, so we must trust the technology,” The Guardian, 22 February 2018, accessed 12 December 2018, https://www.theguardian.com/us-news/2016/feb/22/snowden-government- trust-encryption-apple-fbi. 56 Benkler, Yochai, “We cannot trust our government, so we must trust the technology.” 57 Benkler, Yochai, “We cannot trust our government, so we must trust the technology.” 58 “Confronting the Cybersecurity Challenge,” National Security Agency, 25 February 2017, accessed 12 December 2018, https://www.nsa.gov/news-features/speeches-testimonies/Article/1619236/confronting-the-cybersecurity- challenge-keynote-address/. 59 La Monica, Paul R., “Sony hack sends stock down 10% in past week,” CNN, 15 December 2014, accessed 12 December 2018, https://money.cnn.com/2014/12/15/investing/sony-stock-hack/index.html. 60 Abrams, Rachel, “Target to Pay $18.5 Million to 47 States in Security Breach Settlement,” The Times, 23 May 2017, accessed 12 December 2018. 61 David E. Sanger et al., “Marriott Data Breach Is Traced to Chinese Hackers as U.S. Readies Crackdown on Beijing,” The New York Times, 11 December 2018, accessed 12 December 2018, https://www.nytimes.com/2018/12/11/us/politics/trump-china-trade.html. 62 Goldstein, Phil, “The Intelligence Community Balances New Tech with New Threats,” FedTech Magazine, 23 September 2016, accessed 12 December 2018, https://fedtechmagazine.com/article/2016/09/intelligence- community-balances-new-tech-new-threats; Ferran, Lee, “Will the Meltdown and Spectre Cyber Flaws Really Crash the World?” RealClear | Life, January 2018, accessed 12 December 2018, http://www.realclearlife.com/technology/computer-chip-security-crisis-spectre-meltdown/. 63 Newman, Lily Hay, “Senators Fear Meltdown and Spectre Disclosure Gave China an Edge,” 11 July 2018, accessed 12 December 2018, https://www.wired.com/story/meltdown-and-spectre-intel-china-disclosure/. 64 Newman, Lily Hay, “Senators Fear Meltdown and Spectre Disclosure Gave China an Edge.” 65 Allen, Karma, “Apple says it reached out to FBI to assist with Texas shooter’s phone,” ABC News, 9 November 2017, accessed 12 December 2018, https://abcnews.go.com/US/apple-reached-fbi-assist-texas-shooters- phone/story?id=51033326; Eric Lichtblau and Katie Benner, “Apple Fights Order to Unlock San Bernardino Gunman’s iPhone,” The New York Times, 17 February 2016, accessed 12 December 2018, https://www.nytimes.com/2016/02/18/technology/apple-timothy-cook-fbi-san-bernardino.html. 66 “Cybersecurity: DHS’s National Integration Center Generally Performs Required Functions but Needs to Evaluate Its Activities More Completely.” 67 Wagner, Jayce, “Did I do that? Intel is going to make a killing fixing its own Meltdown.” 68 Marks, Joseph, “The Chinese Government Likely Knew about Spectre and Meltdown Bugs Before the U.S.” 69 “Confronting the Cybersecurity Challenge.” 70 Trey Herr and Bruce Schneier, “Rediscovering Vulnerabilities.” 71 Giles, Martin, “At Least Three Billion Computer Chips Have the Spectre Security Hole.” 72 Tasmasin Cave and Andy Rowell, “The truth about lobbying: 10 ways big business controls government,” The Guardian, 12 March 2014, accessed 12 December 2018, https://www.theguardian.com/politics/2014/mar/12/lobbying-10-ways-corprations-influence-government.