The White House Office of the National Cyber Director (ONCD) released a report today calling on the technical community to proactively reduce the attack surface in cyberspace by adopting memory safe programming languages and developing better cyber diagnostics.

“Back to the Building Blocks: A Path Toward Secure and Measurable Software” builds upon the administration’s National Cybersecurity Strategy (NCS), released nearly one year ago, in describing the urgent need to address undiscovered vulnerabilities that malicious actors can exploit.

Specifically, the report outlines two strategic approaches to achieve this goal:

  • Reduce the attack surface in cyberspace that our adversaries can exploit by preventing entire classes of vulnerabilities from entering the digital ecosystem; and
  • Anticipate systemic security risk by developing better diagnostics that measure cybersecurity quality.

The Feb. 26 report makes the case that technology manufacturers can prevent entire classes of vulnerabilities from entering the digital ecosystem by adopting memory safe programming languages – such as Rust, Python, or Java.
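
The "entire class of vulnerabilities" the report has in mind is memory corruption such as out-of-bounds reads and writes. The following is an added example, not code from the ONCD report or from any vendor it cites, that shows the same copy routine written two ways in Rust: once in the trust-the-length-byte style common in C, and once in safe Rust, where the slice API refuses to write outside the destination buffer. The record format (one length byte followed by the payload) and the 16-byte destination are assumed for illustration.

```rust
// Added example: a length-prefixed record copy written two ways. Not code
// from the ONCD report; the record format (1 length byte + payload) and the
// 16-byte destination buffer are assumed for illustration.

/// Copy a length-prefixed record into a fixed 16-byte destination the way
/// a C implementation often does: trust the length byte and copy.
/// The `unsafe` block is required because the compiler cannot prove the
/// write stays inside `dst`. A hostile length byte turns this into an
/// out-of-bounds write (undefined behaviour), the vulnerability class the
/// report targets. Only ever call it with a length you have validated.
pub fn copy_record_unchecked(record: &[u8], dst: &mut [u8; 16]) -> usize {
    let len = record[0] as usize;
    unsafe {
        std::ptr::copy_nonoverlapping(record.as_ptr().add(1), dst.as_mut_ptr(), len);
    }
    len
}

/// The same copy in safe Rust. Slicing is bounds-checked, and `get` turns an
/// out-of-range length into an `Err` instead of a panic, so no length byte
/// can cause a write outside `dst`.
pub fn copy_record_checked(record: &[u8], dst: &mut [u8; 16]) -> Result<usize, &'static str> {
    let (&len, payload) = record.split_first().ok_or("empty record")?;
    let len = len as usize;
    let src = payload.get(..len).ok_or("length exceeds record")?;
    let target = dst.get_mut(..len).ok_or("length exceeds destination")?;
    target.copy_from_slice(src);
    Ok(len)
}

fn main() {
    // Constructed input: a well-formed 5-byte record.
    let good = [5u8, b'h', b'e', b'l', b'l', b'o'];
    // Constructed input: the length byte claims 200 bytes; the record has 2.
    let hostile = [200u8, 0x41, 0x41];
    let mut dst = [0u8; 16];
    println!("{:?}", copy_record_checked(&good, &mut dst));
    println!("{:?}", copy_record_checked(&hostile, &mut dst));
    // copy_record_unchecked(&hostile, &mut dst) would write 200 bytes into a
    // 16-byte buffer. That is undefined behaviour, so it is not called here.
}
```

The point is not that Rust forbids the unchecked version, but that it quarantines it: the bug can only exist inside an `unsafe` block, which is where code review and tooling can concentrate, while the default API makes the out-of-bounds write unrepresentable.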


“We, as a nation, have the ability – and the responsibility – to reduce the attack surface in cyberspace and prevent entire classes of security bugs from entering the digital ecosystem, but that means we need to tackle the hard problem of moving to memory safe programming languages,” said National Cyber Director Harry Coker in a written statement.

“Thanks to the work of our ONCD team and some tremendous collaboration from the technical community and our public and private sector partners, the report released today outlines the threat and opportunity available to us as we move toward a future where software is memory safe and secure by design,” he said.

A senior ONCD official said during a press call with reporters today that the office has been working on this problem for over a year, but “right now feels like the right moment to tackle this because the technical solutions actually exist.”

“Migrating to memory safe code, to be clear, could become a multi-decade effort depending on the size of the company and requires the attention and support of all,” the senior ONCD official said. “But the sooner we do it, those who are able to move forward will make an outsized impact on the security of our nation.”

The March 2023 NCS commits “to invest in the development of secure software, including memory-safe languages and software development techniques, frameworks, and testing tools.” Additionally, the NCS Implementation Plan – unveiled in July 2023 – tasked ONCD with promoting open-source software security and the adoption of memory safe programming languages.

ONCD’s new report also encourages the research community to address the problem of software measurability to enable the development of better diagnostics that measure cybersecurity quality.

“I’m also pleased that we are working with and calling on the academic community to help us solve another hard problem: how do we develop better diagnostics to measure cybersecurity quality? Addressing these challenges is imperative to ensuring we can secure our digital ecosystem long-term and protect the security of our Nation,” Coker said in a statement.

By adopting an engineering-forward approach to policymaking, ONCD is ensuring that the technical community’s expertise is reflected in how the Federal government approaches these problems. Creators of software and hardware can have an outsized impact on the nation’s shared security by factoring cybersecurity outcomes into the manufacturing process, ONCD said.

“This report was created for engineers by engineers because we know they can make the architecture and design decisions about the building blocks they consume – and this will have a tremendous effect on our ability to reduce the threat surface, protect the digital ecosystem and ultimately, the Nation,” Assistant National Cyber Director for Technology Security, Anjana Rajan, said in a statement.

Coker told reporters today that his office has engaged with a diverse group of stakeholders, “rallying” them to join the administration’s effort for a memory safe future. In August, ONCD released a request for information on open-source software security and memory safe programming languages, soliciting feedback from industry experts.

John Delmare, the global cloud and security application lead at Accenture said, “Memory safety vulnerabilities pose a significant security risk to software systems and are a root cause of many of the most damaging cyberattacks. To address this, we need to adopt memory safe programming languages for new applications and rewrite code using modern memory safe languages with secure development practices from the start. We’re pleased to see the ONCD raise this issue because the integrity of the global software supply chain is critical for national and international security.”

Jeff Moss, the president of DEFCON and Black Hat noted, “Internet security problems are global problems, and solving them will require engagement from our Nation’s leaders. I commend the Office of the National Cyber Director for taking the important first step beyond high-level policy, translating these ideas into calls-to-action the technical and business communities can understand.”

“I endorse the recommendation to adopt memory safe programming languages across the ecosystem because doing so can eliminate whole categories of vulnerabilities that we have been putting band-aids on for the past thirty years,” he said. “As the report accurately states, responsibility for cybersecurity by design starts with the CEO and the board of directors and flows down to the chief technology officer, the chief information officer, and the chief information security officer.”

In line with two major themes of President Biden’s NCS, the report released today takes an important step toward shifting the responsibility of cybersecurity away from individuals and small businesses and onto large organizations like technology companies and the Federal government that are more capable of managing the ever-evolving threat.

This work also aligns with and builds upon secure by design programs and research and development efforts from across Federal entities, including those led by the Cybersecurity and Infrastructure Security Agency, the National Security Agency, FBI, and the National Institute of Standards and Technology.

Cate Burgan
Cate Burgan is a MeriTalk Senior Technology Reporter covering the intersection of government and technology.