After a decade of memory-related programming errors, the White House is calling on the industry to act

The Biden administration continues to pressure the tech industry to make products that are secure from the start, calling Monday for greater use of memory-safe programming languages.

Efforts by the Office of the National Cyber Director (ONCD) are focused on reducing a class of bugs that have caused problems since the 1980s: coding errors that allow attackers to abuse the way software manages computer memory. Such vulnerabilities can be exploited to breach or corrupt data and run malicious code.

“To reduce the attack surface in cyberspace, we must eliminate entire classes of vulnerabilities at the level securing the building blocks of cyberspace,” said National Cyber Director Harry Coker, outlining a new technical report the White House produced for the industry.

The report is backed by leaders in the technology sector and academia, ONCD noted, praising statements of support from officials at companies such as SAP, Hewlett Packard Enterprise and Honeywell.

The White House says the report “takes an important step toward shifting cybersecurity responsibility from individuals and small businesses to large organizations like technology companies” that are “better able to manage an ever-evolving threat.”

The report mentions C and C++ as examples of programming languages that lack “features related to memory safety and also have a high proliferation in critical systems.” Languages such as Rust, Python, and Java are among the recommended replacements.

The White House wants executives, not just engineers, to pay attention, a senior Biden administration official told reporters.

“We hope that memory security will become an agenda item at the next board meeting for many of these companies,” the official said.

The report was more than a year in the making and included multiple briefing sessions for the tech industry, the official said, noting that large companies with many products could have a lot to do on the topic.

“Migration to memory-safe code, to be clear, could become a multi-decade effort, depending on the size of the company, and requires everyone’s attention and support,” but those who do “will have a huge impact on our nation’s security,” said a senior administration official.

The difficulty of change is why “for 35 years we’ve seen our opponents score points against us,” the official said. But the time is right for the industry to change, the official said, because the technology now exists to make the changes possible.

The White House notes that computer memory flaws enabled one of the earliest Internet security incidents — the Morris worm of 1988 — and continue to provide opportunities for attackers today, including the BLASTPASS exploit chain used by a spyware vendor in 2023.

The report also calls for the creation of better metrics to measure software security, an effort that will require “pioneering efforts in software engineering and cybersecurity research,” according to a White House fact sheet.

The report is the latest follow-up to President Joe Biden’s 2021 cybersecurity executive order and the 2023 National Cybersecurity Strategy.

Other agencies have also urged the technology industry to consider security as early as possible in product development. Examples include the Cybersecurity and Infrastructure Security Agency’s (CISA) Secure by Design initiative and the Commerce Department’s Software Bill of Materials (SBOM) Minimum Elements report.

The National Security Agency (NSA) and CISA also issued a fact sheet on memory-safe programming in December.
