Earlier this week a questionable damning report came out of a security firm no one had heard of claiming there were serious security problems with AMD’s processors. Unlike Intel, who was given over 6 months’ notice on security issues in their processors (allowing their CEO to dump a massive amount of stock before the disclosure, the SEC was not amused, and to make sure China was protected-but the US was not) AMD found out about the report at the same time we did. Up until this report was released AMD appeared to be gaining significant market share on Intel and they had become somewhat of a darling of Wall Street. While it is too soon to tell if the report damaged AMD’s sales, the disclosed vulnerabilities appear substantially less damaging than Intel’s earlier issues, AMD’s stock did initially decline on the news.
Everyone (but the linked Wired coverage above) seemed to focus on the “what” of the report which, as of this writing, appears credible. But I think we should be focused more on the “why” because something stinks to high heaven.
In looking up CTS security it is a very small firm (with executive backgrounds in spying, and hedge funds), that didn’t appear to exist 12 months ago. The depth of research required to identify exploits within a processor typically requires a large established security firm which has the excess resources to do this kind of research (this firm doesn’t even appear to have the right skill set for this work). This is typically done for publicity and to highlight a product the research firm sells. But, CTS appears to both lack the resources to do this research and while they appear to specialize in Chip level security they provide more of a service than a product. This service would typically be used by a chip company like AMD but blind siding the company with the report rather than giving AMD the 90-day grace period that is industry standard likely didn’t endear them to AMD.
So, they got publicity but as a bad actor (in effect releasing the information like this put AMD’s, and other security firms’, customers at risk because there was no time to create a remedy) thus, while they are visible, they won’t be trusted. Trust is critical to a security company.
So, the firm has no history, it is too small to be able to afford the massive amount of work required to do a report like this for free, and the method disclosure they used shouldn’t result in new business. So why do it?
One of the most obvious reasons is that this report would and did move AMD’s stock price. CTS’s CFO has a hedge fund background and Hedge fund managers have been charged before with insider trading AMD shares. Apparently, this is far more common than we realize.
CTS would know when the report was going to be released and therefore would have inside advanced knowledge of the event. This means they could sell AMD’s stock short, wait until the stock bottomed, and then cover their short sale which could make them millions of dollars depending on the amount of shares in play. The SEC is understaffed and overworked, and the firm is located in Israel making it far more difficult for the SEC to bring the firm’s employees to justice. They could also buy Intel stock which would, and did, respond favorably to the news and the two choices aren’t mutually exclusive (they could do both). However, difficult isn’t impossible, and extradition should be relatively easy given the US and Israel have an extradition treaty. So, this wouldn’t come without risk, but it also wouldn’t be the first-time foreign nationals attempted to manipulate US stock prices.
Intel Dirty Tricks
Another possibility, particularly given CTS’ lack of resources, is that Intel did the work (Intel has a significant presence in Israel), fed it to CTS, and had CTS release the report (this wouldn’t be the first time). The report would not only have an adverse impact on AMD sales but, as noted above, also favorably impact Intel’s stock. This could mean billions of dollars in sales to Intel and the positive movement of the Intel stock would not only benefit Intel’s executes it would potentially prevent an SEC action against Intel’s CEO for his stock sale. (The SEC has been reticent to go after executives who have engaged in insider trading but not benefitted from it). If Intel’s stock goes up rather than down as a result of their security problems Brian Krzanich is more likely to keep his job and stay out of jail.
Intel would rather a third party issue the report for two reasons. One the report would appear more credible coming from a third party and two much of the damage from the report would flow to the platform companies, OEMs, and IT customers who are also big customers for Intel. Given how aggravated these firms are already due to Intel’s handling of their earlier security problems, many might consider Intel a bad actor and rather than buying more from the firm shift to something like Power or ARM to get away from the entire Problem.
Of the two choices the Intel option has the strongest financial incentives, the least risks for CTS, and the greatest historical foundation (Intel has screwed AMD a number of times over the years). In addition, Intel has a history of cheating when competing with AMD and in benefitting from that cheating suggesting, from their view, that the risk reward ration is acceptable. But odds don’t assure guilt, and this would be far from the first time that people sought to manipulate stock for their own personal benefits. (CTS’s comments noted in the Wired article do indicate they were either funded to do this or had stock interest in AMD and/or Intel).
Now that we are up to our necks in Fake News, I think we should be asking “why” far more than we are accepting the “what.” This is because the “why” provides the context that makes the “what” make sense.