Intel warned Chinese companies of chip flaw before U.S. Government

In initial disclosures about critical security flaws discovered in its processors, Intel notified a small group of customers, including Chinese technology companies, but left out the U.S. government, according to people familiar with the matter and some of the companies involved.

The decision raises concerns, security researchers said, as it potentially could have allowed information about the chip flaws, dubbed Spectre and Meltdown, to fall into the hands of the Chinese government before being publicly divulged. There is no evidence any information was misused, the researchers said.

Weeks after word of the flaws first surfaced, Intel's choices about whom would receive advance warning continue to ripple through the security and tech industries.

The flaws were first identified in June by a member of Google's Project Zero security team. Intel had planned to make the discovery public on Jan. 9 -- people working to protect systems from hacks often hold off on announcements while fixes are devised -- but sped up its timetable when the news became widely known on Jan. 3, a day after U.K. website the Register wrote about the flaws.

Because the flaws can be leveraged to sneak sensitive data out of the cloud, information about them would be of great interest to any intelligence-gathering agency, said Jake Williams, president of the security company Rendition Infosec LLC and a former National Security Agency employee. In the past, Chinese state-linked hackers have exploited software vulnerabilities to get leverage on their targets or expand surveillance.

It is a "near certainty" Beijing was aware of the conversations between Intel and its Chinese tech partners, because authorities there routinely monitor all such communications, Mr. Williams said.

Representatives from China's ministry in charge of information technology didn't respond to requests for comment. The country's foreign ministry has in the past said it is "resolutely opposed" to cyberhacking in any form.

An Intel spokesman declined to identify the companies it briefed before the scheduled Jan. 9 announcement. The company wasn't able to tell everyone it had planned to, including the U.S. government, because the news was made public earlier than expected, he said.

Intel's tricky path -- inform enough big customers to head off significant damage while keeping the information as contained as possible to limit potential leaks -- continues to weigh on smaller companies that weren't given an early nod.

Joyent Inc., a U.S.-based cloud-services provider owned by Samsung Electronics Co., is still playing catch-up, said Bryan Cantrill, the company's chief technology officer.

"Other folks had a six-month head start," he said. "We're scrambling."

In the months before the flaws were publicly disclosed, Intel worked on fixes with Alphabet Inc.'s Google unit as well as "key" computer makers and cloud-computing companies, Intel said in an emailed statement to The Wall Street Journal.

An official at the Department of Homeland Security said staffers learned of the chip flaws from the Jan. 3 news reports. The department is often informed of bug discoveries in advance of the public, and it acts as an authoritative source for information on how to address them.

"We certainly would have liked to have been notified of this," the official said.

The NSA was similarly in the dark, according to Rob Joyce, the White House's top cybersecurity official. In a message posted Jan. 13 to Twitter, he said the NSA "did not know about these flaws." A White House spokesman declined to comment further, referring instead to the tweet.

Chinese computer maker Lenovo Group Ltd. was among the large tech companies, including Microsoft, Amazon.com  and ARM Holdings in the U.K., that were notified of the flaws beforehand.

Lenovo was able to issue a statement Jan. 3 advising customers on the flaws because of "the work we'd done ahead of that date with industry processor and operating system partners," a spokeswoman said in an email.

Alibaba Group Holding, China's top seller of cloud-computing services, also was notified ahead of time, according to a person familiar with the company.

A spokeswoman for Alibaba's cloud unit declined to comment on when the company was informed. She said any idea that the company might have shared information with Chinese authorities was "speculative and baseless."

A Lenovo spokeswoman said Intel's information was protected by a nondisclosure agreement.

Despite the security concerns, an early heads up to a select number of large global companies made sense, said Dave Aitel, chief executive of Immunity Inc., a company that sells security services. "They're going to tell as few people as possible" to contain possible leaks, he said.

Because they had early warning, Microsoft, Google and Amazon were able to release statements soon after news of the flaws leaked out saying their cloud-computing customers were largely protected.

Smaller competitors, though, continue to struggle. DigitalOcean Inc., a cloud-services seller, said Jan. 19 it was still testing a fix for its customers. Rackspace Inc. said last Wednesday it has several teams working on a fix. The cloud company earlier in January told customers it understood the situation "can be frustrating."

The DHS also stumbled with its initial guidance. The agency's Computer Emergency Response Team first linked to an advisory stating the only way to "fully remove" the flaws was by replacing the chip. CERT now advises users instead to patch their systems.

The DHS should have been looped in early on to help coordinate the flaws' disclosure, Joyent's Mr. Cantrill said. "I don't understand why CERT would not be your first stop," he said.

Write to Robert McMillan at Robert.Mcmillan@wsj.com and Liza Lin at Liza.Lin@wsj.com