The Biden administration continues to push for closer public-private partnerships to strengthen America’s information technology infrastructure, urging companies to switch to memory-safe programming languages and urging the technical and academic communities to create better ways to measure software security.
This week, the White House’s Office of the National Cybersecurity Director (ONCD) released a report written for developers and engineers, arguing that the nation needs to create a new balance of responsibility for defending cyberspace and better incentives for companies to invest in the cybersecurity of their products.
As a first step, ONCD called on technology manufacturers to move to memory-safe programming languages — such as Python, Java and Rust — that can eliminate up to 70% of vulnerabilities, and to develop better ways to measure the security of their products.
The current ecosystem places too much of a burden on the people who can least afford the costs needed to secure critical infrastructure and systems from attackers, National Cyber Director Harry Coker said in a video statement.
“Today, the end users of technology — whether individuals, small businesses or critical infrastructure owners and operators — bear an overwhelming responsibility for keeping our nation safe,” he said. “A system that can be brought down with a few keystrokes needs better building blocks, stronger foundations. We need to expect more of those most capable and best positioned to defend cyberspace, and that includes the federal government.”
Leaning on cyber security
The Biden administration has committed to efforts to improve the cybersecurity of the nation’s infrastructure, the vast majority of which is privately owned. A year ago, the administration published its National Cyber Security Strategy calling for software accountability and minimum cybersecurity requirements for the critical infrastructure sector. The administration also has continued its dialogue with software manufacturers and the open source development community to find better ways to work together to improve software security.
The latest report, Back to Building Blocks: A Step Towards Secure and Scalable Software, shows that the government sees a long-term role for itself in overseeing software security.
The effort is likely to convince many private sector organizations to switch to memory-safe languages and move away from C, C++ and machine code, says Clar Rosso, CEO of cybersecurity education and certification group ISC2.
“Organizations will become more secure if we can move away from a reactive approach to cybersecurity and put a concerted effort behind the shift to the left,” she says. “However, none of this will be possible without collaboration between the public and private sectors — we need collective action if we are to chart a path to secure and scalable software.”
Unsafe at any speed
Memory safety is a set of features of modern programming languages that prevents programs from attempting to access memory outside of expected limits and from accessing variables after the program has freed their memory. By placing spatial and temporal constraints on software, memory-safe programming languages can eliminate entire classes of vulnerabilities that previously led to major cyber events, such as the Slammer worm in 2003 and the Heartbleed vulnerability in 2014.
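The spatial and temporal constraints described above, shown in Rust as an added example (this code is not from the ONCD report or from any project the article names). The record format is constructed for the example: a two-byte big-endian length followed by a payload, the same shape of input that made the Heartbleed over-read possible. In a memory-safe language the slice access is bounds-checked, so a record that claims more payload than it carries produces an error instead of reading past the buffer; ownership rules make a use-after-free a compile-time error rather than a runtime one.

```rust
// Added example: a length-prefixed record parser in a memory-safe language.
// Assumed record format (constructed for this example, not from the article):
//   bytes 0..2 = big-endian u16 claimed payload length
//   bytes 2..  = payload
// An implementation that trusts the claimed length and copies that many bytes
// reads past the end of the buffer (a spatial violation). Here every access
// goes through a bounds-checked slice, so a lying length yields an Err.

#[derive(Debug, PartialEq)]
pub enum ParseError {
    TooShort,
    LengthExceedsBuffer { claimed: usize, available: usize },
}

/// Returns the payload slice, or an error if the header is missing or the
/// claimed length exceeds the bytes actually present.
pub fn parse_record(buf: &[u8]) -> Result<&[u8], ParseError> {
    let header = buf.get(..2).ok_or(ParseError::TooShort)?;
    let claimed = u16::from_be_bytes([header[0], header[1]]) as usize;
    let available = buf.len() - 2;
    // `get` with a range is checked: out-of-range yields None, never a read
    // beyond `buf`.
    buf.get(2..2 + claimed)
        .ok_or(ParseError::LengthExceedsBuffer { claimed, available })
}

/// Temporal safety through ownership: `consume` takes the Vec by value, so the
/// caller's binding is moved and the allocation is freed when this returns.
pub fn consume(record: Vec<u8>) -> usize {
    record.len()
}

pub fn demo_ownership() -> usize {
    let payload = vec![0xAAu8; 4];
    let n = consume(payload);
    // payload.len(); // would not compile: error[E0382] use of moved value
    n
}

fn main() {
    // Honest record (constructed): claims 3 bytes and carries 3.
    let honest = [0x00, 0x03, b'a', b'b', b'c'];
    println!("{:?}", parse_record(&honest));
    // Lying record (constructed): claims 65535 bytes but carries 3.
    let lying = [0xFF, 0xFF, b'a', b'b', b'c'];
    println!("{:?}", parse_record(&lying));
    println!("{}", demo_ownership());
}
```

The same parser in C would need an explicit `if (claimed > len - 2)` check before any `memcpy`; forgetting it is the whole bug class. The point of the example is that in Rust the check is not something the author remembers to write, it is the only way to express the access.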
Reducing the number of significant vulnerabilities can help end users by allowing them to focus on other aspects of cyber resilience, Anjana Rajan, assistant national cyber director for technology security at ONCD, said in a video statement.
“The intense reactive posture required by the current status quo reduces [end users’] ability to anticipate and prepare for the next wave of attacks,” she said. “To outsmart America’s adversaries, we must build a defensive and resilient ecosystem. That means our efforts must focus on how we choose to shape the cyber battlefield to prevent, mitigate and defend against future attacks.”
The open-source ecosystem has already moved toward memory-safe languages, with most projects written in JavaScript, Python, TypeScript and Java, which — assuming modern versions — all have memory-safe features, says Mike McGuire, head of security solutions with Synopsys.
“In the open source world, you’re going to find a lot more open source Java libraries, a lot more open source Python libraries, than you’re going to find with C and C++,” he says. “It’s not necessarily because the industry is moving away from C and C++ — those are very powerful languages — but, if they’re going to contribute more to open source, … you want them to contribute memory-safe languages.”
Avoiding EU missteps on security metrics
The second half of the Biden administration’s initiative may be even more difficult: creating security metrics that can be applied to software.
While an automated system that immediately outputs a security score for software sounds nice, research efforts will face significant hurdles, says ISC2’s Rosso.
“I have some reservations about this recommendation because the idea of running an algorithm or equation to evaluate a ‘secure’ product seems challenging given the ever-evolving threat landscape,” she says. “[O]rganizations should absolutely take advantage of products and services that give them a holistic view of their cybersecurity risk, [but] … it will be challenging to create standardized measures that can be used to label software as good or bad quality.”
Last year, the European Union faced criticism after the passage of the Cyber Resilience Act (CRA) due to fears that the 24-hour vulnerability disclosure rule did not give companies enough time to fix problems and could lead to less secure software, not more.
Especially when it comes to the open-source ecosystem, lawmakers and government officials need to carefully consider policies before implementing them, says Synopsys’ McGuire.
“We have to remember that open source maintainers are usually doing this for their own money in their spare time; they’re doing it because it’s the right thing to do,” he says. “To come down and say they’re going to have to have additional requirements or provide additional metrics or collect additional metrics — that would be a significant blow, I think, to the open source that’s available to us. That open source … is why we see [the] speed of development we are doing today.”