Wait, What Happened?

So what went down? Here’s the gist.

In the summer of last year, researchers at Google found two bugs affecting just about every CPU in every modern computing device. They dubbed these bugs “Meltdown” and “Spectre”.

In the simplest terms, these bugs allow evil-doers to gain access to the very lowest level of your computer (the “kernel”) and to capture (potentially all) sensitive information stored in your computer’s memory, including data that you don’t upload to the internet.

This is a direct result of a specific hardware design approach championed by Intel, AMD, and ARM that allows processors to work faster by “guessing” what you’re going to do next and pre-performing some of that work in anticipation.

While Meltdown reportedly affects only Intel chips, the more wide-reaching Spectre is so severe that it can’t even be fixed entirely without completely redesigned processor hardware. Instead, operating system companies like Microsoft, Apple, and Google had to issue performance-affecting software updates to patch the issue.

All told, it’s an absolute gong-show of a story, but you can read more about that fascinating subject matter anywhere.

Rather, what I find really interesting is the way the major players in the tech space responded to the issue.

Look To The Language

Each of the two biggest players involved, Google and Intel, deployed content to educate and explain. Yet, the language, mediums, and content used are radically different and will radically affect the way consumers, staff, and investors alike look at, relate to, and trust these two companies going forward.

Google

Having found the issue months before it went public, Google was in the fortuitous position of being the owner of the canary but not the coal mine. The company kept this information private at first and quietly fortified its own systems and products while taking its findings to Intel, AMD, and ARM immediately.

As the story began to break, Google posted on its blog a long-form article describing in intimate detail the entire situation. Importantly, Google was the first major player to respond, and the post it published is written carefully.

The post starts plainly but with exacting specificity:

Last year, Google’s Project Zero team discovered serious security flaws caused by “ speculative execution,” a technique used by most modern processors (CPUs) to optimize performance.

In plain terms, Google states immediately that its research team found the issue and provided links to useful information to help readers understand the issue transparently.

As soon as we learned of this new class of attack, our security and product development teams mobilized to defend Google’s systems and our users’ data.

The usage of words here is deliberate, summoning images of conflict and war. Read carefully. Google is the “defender” who “mobilized” against the “attack” your devices and services could suffer. Heavy-handed? Definitely. Effective? Absolutely.

The post continues:

We also collaborated with hardware and software manufacturers across the industry to help protect their users and the broader web.

Once more, Google reinforces its role as defender, asserting the company is willing to spend capital to defend other companies’ users and the broader web (read: greater good), as well.

The article goes on to list out all of the services affected and to catalogue all of the work Google has done to — you guessed it — defend its users.

It ends as it begins, plainly but with specific intent:

More broadly, we appreciate the support and involvement of all the partners and Google engineers who worked tirelessly over the last few months to make our users and customers safe.

I’m being deliberately theatrical here, but this piece of content is actually both super useful and incredibly strategic on Google’s part.

A blog post connotes a great deal. A blog is often perceived as a casual medium, something you’d read of a close friend. It’s written by a person, not a PR organization. It’s conversational (if a bit techie, in this case).

The medium, the timing, and the language have been manufactured to represent Google in a certain way, and to that end, the company’s response was flawless. The post provides valuable information, transparently and clearly, and with a candour that further endears itself to the world of developers, investors, and potential customers.

Intel

Contrast that with Intel’s response. As it stands, Intel is entirely responsible for one of the bugs (Meltdown) while greatly affected by the other (Spectre).

This is particularly detrimental to the company, as Intel has long been a brand that has associated with tried-and-true, consumer-friendly computing power.

(N.B., I still remember that, when I was a kid, the “Intel inside” sticker meant that machine was going to play games without issue.)

But in a world where a tweet can represent a nation, the way a company like Intel responds to an issue like this bug has big ramifications on brand perception and subsequently future sales.

So while Google hit the ground running as soon as word breaks with a long, informative post and a deliberate position of ownership, accountability, and good will, what did Intel do?

It issued a press release — a dry press release that does little but shirk responsibility and asserts neither culpability nor responsibility nor humility.

Of the most glaring bits, here’s what stands out:

Recent reports that these exploits are caused by a “bug” or a “flaw” and are unique to Intel products are incorrect. Based on the analysis to date, many types of computing devices — with many different vendors’ processors and operating systems — are susceptible to these exploits.

Wow. Where do I even start with the language and content here?

While Google is providing deeply-researched white papers and code samples of what the exploit is and how it works, Intel’s trite response is to claim all as hearsay and that not only is the proven bug not a bug at all but that others too are suffering from the not-bug, too.

Intel also doesn’t specifically mention that there are two different bugs, and that only one of them is known to affect other vendors’ products.

Its response continues:

Intel has begun providing software and firmware updates to mitigate these exploits… Intel is committed to the industry best practice of responsible disclosure of potential security issues…

As worded, Intel’s press release more strongly words that it is “committed” to announcing issues with its hardware than it is to fixing them, as it has only just “begun” providing updates — a stark contrast to Google’s approach, in both action and communication.

…which is why Intel and other vendors had planned to disclose this issue next week when more software and firmware updates will be available. However, Intel is making this statement today because of the current inaccurate media reports.

Again, the choice of words here is regrettable. Intel again associates itself with other vendors who, inferred from its words, were coordinating the bad news and the press rather than fixing the issue quickly. Now, it is responding with this press release not to help consumers but to contradict “inaccurate media reports”.

In this era of Trump’s America, such wording invokes the “fake news” sentiment now too often used as a scapegoat.

Worse yet, in tandem to the press release, when questioned about the fact that the CEO sold off all of the shares he could sell last year (after learning of the vulnerability), a company spokesperson responded with a simple statement that the sale was “unrelated” — with no further elaboration.

And then to follow up this press release hours later with what it should have released in the first place? I don’t have enough palm for my face on this one.

At best, the company’s response is lacklustre and, at worst, potentially damaging to its shareholders’ value.

What a mess.

The Rest

Each and every other company involved has taken a different approach.

Microsoft and Apple commendably went first to fixing the problem before communicating about it (neither having formally tackled the issue just yet), but their lack of public response leaves consumers looking to news sites and message boards for any comfort.

Meanwhile, AMD appealed to the more tech-savvy directly with a painfully clear message board response that its processors were not as affected. The resonating take-away for this niche audience? “Maybe it’s time to switch to AMD.”

Even the inventor of Linux weighed in, with resounding agreement.

The Takeaway

I could go on and dig deeper into the language and mediums of the responses, but the impact of the two different approaches is pretty clear.

Intel’s stock is down, Google has reasserted itself as one of the strongest minds in tech, and both consumers and businesses are left footing the bill for a mistake that will be analyzed and remembered for quite some time.

So what lessons can we draw from this? I can think of three.

1. Know Your Audiences And Address Them In Their Language

In its response, Google understood that a big part of its audience is consumers, so it chose to communicate in a medium more approachable by that audience.

Google also understood that the issue was complex and nuanced, and that getting into the details for those interested will not only provide educational value but also assert a subject matter expertise that connotes both confidence and trustability.

Importantly, Google addressed investors, consumers, and developers equally and in precise language.

Intel, on the other hand, chose a press release, which addresses investors and the media but not consumers or businesses.

Doing so left their message very open to misinterpretation, particularly given that their language is clearly geared towards investors and reads like an ask for exoneration rather than an explanation.

2. Write And Respond With Humility

Kendrick Lamar’s oft-played song rings true when it comes to disaster response.

In this case, Intel is at least partially in the wrong, and acknowledging that is an important first step. Over 75% of its response is spent articulating its lack of culpability. On the flip side, Google spends the majority of its response explaining what the company did to find and fix the problem as well as providing clear actions on what to do next as a user.

What’s more, Intel’s response lacked an understanding and humility around the encircling conversation. The company didn’t initially address the major negative speculation around its CEO’s dubious stock sale, and that conversation now hangs as a cloud over the company thanks to its lacklustre follow-up.

3. If It Can’t Be Held Fast, Be First

Leaks are bad news for most companies, but when a damaging issue leaks, it can do even more damage to lay unaddressed.

I think it’s pretty clear in the reporting and the writing from Google and Intel that Intel was trying to coordinate a specific release, likely timed around the release of fixes by the big players in the space as well as concern for investor impact.

In this case, there’s good reason to remain silent and secretive. Letting the world know about this exploit before it is fixed will only cause more collateral damage.

But once the word was out, Intel should have responded intelligently and immediately. Google was, instead, the first to respond, and this pole position gave Google the leg up in the media fallout that followed. It took Intel another entire business day to respond, and the press release hit the wire painted with the haste of reaction — not thoughtful premeditation.

Had it considered any or all of these in its response, Intel likely wouldn’t have had to scramble to avoid a meltdown born by the spectre that now hangs above it.

And to think, a few written words typed and timed differently could’ve made all the difference.

What about you? Any lessons you’ve drawn from this? Respond away. And if you’d like to learn more about me or my business, visit www.frankcaron.com.