Intel Corporation warned a handful of customers, including several Chinese technology firms, about security flaws within its processor chips before the U.S. government, The Wall Street Journal reported Sunday.
Security experts told the newspaper that the decision could have allowed Chinese tech companies to flag the vulnerabilities to Beijing, giving the Chinese government an opportunity to exploit them.
Jake Williams, head of the security company Rendition Infosec and a former National Security Agency (NSA) employee, told the Journal that it is a “near certainty” the Chinese government knew about the flaws from the Intel correspondence with Chinese tech companies, as Beijing keeps tabs on such communications.
The Journal reported that Alibaba Group, a top-selling Chinese e-commerce company, was among the firms notified of the flaw early on.
A spokeswoman for Alibaba’s cloud computing unit declined to tell the newspaper when Intel notified them of the flaws, stating that any suggestion that the company shared information with the Chinese government was “speculative and baseless.”
China's foreign ministry has previously said it is “resolutely opposed” to any form of hacking.
The Lenovo Group, a Chinese computer manufacturer, was also reportedly notified in the early stages. A Lenovo spokeswoman told the newspaper that a nondisclosure agreement protected Intel’s information from being made public.
Experts who spoke to the Journal noted they had seen no evidence to suggest the information given to the companies in question was misused.
Representatives from China’s ministry in charge of information technology didn’t respond to the newspaper's requests for comment. Hackers linked to the Chinese government have been known to exploit software vulnerabilities for surveillance or possible leverage, according to the report.
“The Google Project Zero team and impacted vendors, including Intel, followed best practices of responsible and coordinated disclosure,” an Intel spokesperson said in a statement.
News about the flaws broke on Jan. 3, just a few days before Intel planned to publicly announce the chip flaw discovery. The date of the planned announcement, however, came months after a member of Google’s Project Zero security team first detected the flaws in June of last year — a delay that would allow the companies to come up with a fix.
“Standard and well-established practice on initial disclosure is to work with industry participants to develop solutions and deploy fixes ahead of publication. In this case, news of the exploit was reported ahead of the industry coalition’s intended public disclosure date at which point Intel immediately engaged the US government and others,” an Intel spokesperson told The Hill.
Intel's damage-control strategy of providing an early warning was aimed at softening the blow for several of its big customers, who could prepare fixes before the news became public. The decision to tell a limited number of companies was meant to help prevent the news from leaking, according to the Journal report.
A Department of Homeland Security (DHS) official told the Journal that the department learned about the chip flaws on the day the news broke. This delay blindsided DHS, which regularly provides guidance on how to address such vulnerabilities.
The NSA also "did not know about [these] flaws," according to a Jan. 13 tweet by Rob Joyce, the top cybersecurity official at the White House.
Large tech firms such as Microsoft, Google and Amazon, among others, received advance warnings.
The firms were prepared as a result of the early warning, releasing statements shortly after the news broke that the customers using their cloud computing systems were largely protected.
Updated: 9:18 p.m.