White House Advocates for the Shift from C and C++ to "Safe" Programming Languages in a New Cybersecurity Strategy
In a groundbreaking move that underscores the importance of cybersecurity in the digital age, the White House, through the Office of the National Cyber Director (ONCD), has issued a clarion call to developers and the tech community at large to transition from traditional programming languages like C and C++ to what it terms “memory-safe” programming languages. This directive is a pivotal element of President Joe Biden’s cybersecurity strategy, aimed at fortifying the foundational blocks of cyberspace against the myriad of threats that loom in the digital shadows.
The advice from ONCD comes against a backdrop of increasing cyber threats that exploit vulnerabilities in how software manages memory. It is well documented that improper memory management can open the floodgates to severe security breaches, allowing malicious actors to launch sophisticated cyberattacks. Languages such as Java are lauded for detecting such errors during execution, providing a safer haven against memory management mishaps. In contrast, C and C++ afford developers the latitude to perform pointer operations and direct memory address manipulations—capabilities that, while powerful, also introduce significant risk. This risk is exemplified by the revelation from Microsoft security engineers in 2019 that approximately 70% of vulnerabilities were attributed to memory safety issues, a statistic echoed by Google in 2020 concerning bugs discovered in the Chromium browser.
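The memory-management hazard described above, as an added C example that is not from the ONCD report or this article: a hypothetical record layout in which an unchecked string copy can overrun into the adjacent privilege flag, beside the bounds-checked copy that a memory-safe language's runtime would perform automatically (the struct, function names and inputs are all constructed for illustration).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16

/* Hypothetical record layout: a fixed-size name buffer directly followed
   by a privilege flag, so an overrun of 'name' lands on 'is_admin'. */
struct record {
    char name[NAME_LEN];
    uint32_t is_admin;
};

/* Unchecked: the classic C idiom. strcpy trusts the caller about length;
   a source of NAME_LEN bytes or more writes past 'name' (undefined
   behaviour, which in practice clobbers the neighbouring field).
   Only ever called with a short constant here. */
static void set_name_unchecked(struct record *r, const char *src) {
    strcpy(r->name, src);
}

/* Checked: the bounds test a memory-safe language's runtime performs for
   you. Oversize input is rejected and the record is left untouched. */
static bool set_name_checked(struct record *r, const char *src) {
    size_t n = strlen(src);
    if (n >= NAME_LEN) {
        return false;                /* no room for the terminating NUL */
    }
    memcpy(r->name, src, n + 1);     /* n + 1 copies the NUL as well */
    return true;
}

/* True when an oversize name is refused and 'is_admin' keeps its value. */
bool checked_copy_preserves_flag(const char *name) {
    struct record r = { .name = "", .is_admin = 0 };
    bool accepted = set_name_checked(&r, name);
    return !accepted && r.is_admin == 0 && r.name[0] == '\0';
}

int main(void) {
    struct record r = { .name = "", .is_admin = 0 };
    set_name_unchecked(&r, "alice");          /* fits: 6 bytes incl. NUL */
    printf("unchecked copy of short name: %s\n", r.name);

    /* Constructed input: 24 bytes, longer than the 16-byte buffer. */
    const char *too_long = "AAAAAAAAAAAAAAAAAAAAAAAA";
    printf("checked copy refused oversize input: %s\n",
           checked_copy_preserves_flag(too_long) ? "yes" : "no");
    return 0;
}
```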
The ONCD report identifies several programming languages, including C and C++, as lacking essential memory safety features yet being prevalently used in critical systems. It echoes the recommendations of the Cybersecurity and Infrastructure Security Agency’s (CISA) Open Source Software Security Roadmap, advocating for the adoption of memory-safe programming languages from the onset of software development. This approach is championed as a best practice for developing secure software from start to finish.
Spanning 19 pages, the report’s ambition extends beyond merely shifting the responsibility for cybersecurity onto individuals and small businesses. Instead, it posits that the mantle of cybersecurity must be collectively borne by large organizations, technology firms, and the government at large. It delves into the problems posed by C and C++ while also presenting a suite of alternatives deemed memory safe by the National Security Agency (NSA). Among the recommended languages are Rust, Go, C#, Java, Swift, JavaScript, and Ruby. These languages are equipped with mechanisms designed to thwart common types of memory attacks, thereby enhancing the security of the systems developed with them.
The call to action from ONCD is for companies and engineers to employ best practices in software development and to utilize memory-safe programming languages to minimize the attack surface available to adversaries. Although the report stops short of detailing what constitutes a memory-safe programming language, the NSA had previously outlined its stance on memory-safe languages in a cybersecurity bulletin published in November 2022.
Furthermore, the report advocates for improved measurement of software security, positing that better metrics would enable technology providers to more effectively plan, anticipate, and mitigate vulnerabilities before they escalate into significant threats.
This report is the latest in a series of steps taken by the U.S. government to bolster cybersecurity. In March 2023, President Biden signed an executive order on cybersecurity, initiating processes to protect software and hardware infrastructure and to foster collaboration within the tech industry. This strategic pivot towards advocating for memory-safe programming languages marks a critical juncture in the ongoing battle to secure cyberspace, reflecting a comprehensive approach to cybersecurity that encompasses not just the technological aspects but also the human and organizational facets of safeguarding digital assets.