The Biden administration continues to push for closer public-private partnerships to strengthen the U.S. information technology infrastructure, calling on companies to move to memory-safe programming languages and calling on the technical and academic communities to create better ways to measure software security.
This week, the White House Office of the National Cyber Director (ONCD) released a written report for developers and engineers, arguing that the nation must create a new balance of responsibility for defending cyberspace and better incentives for companies to invest in the cybersecurity of their products.
As an initial step, the ONCD called on technology manufacturers to transition to memory-safe programming languages – such as Python, Java and Rust – which can eliminate up to 70% of vulnerabilities, and to develop better ways to measure the security of their products.
The current ecosystem places an undue burden on those least able to afford the costs needed to protect critical infrastructure and systems from attackers, National Cyber Director Harry Coker said in a video statement.
“Today, end users of technology – whether individuals, small businesses, or owners and operators of critical infrastructure – have an outsize responsibility for keeping our nation safe,” he said. “A system that can be brought down with a few keystrokes needs better building blocks, a stronger foundation. We must expect more from those who are most capable and best positioned to defend cyberspace, and that includes the federal government.”
Lean on cybersecurity
The Biden administration has pledged to improve the cybersecurity of the nation’s infrastructure, the vast majority of which is privately owned. One year ago the administration published its national cybersecurity strategy, calling for software accountability and minimum cybersecurity requirements for the critical infrastructure sector. The administration has also maintained a dialogue with software vendors and the open source development community to find better ways to work together to promote software security.
The latest report, Back to the Building Blocks: A Path Towards Secure, Measurable Software, demonstrates that the government sees a long-term role for itself in overseeing software security.
The efforts will likely help convince many private sector organizations to move to memory-safe languages and abandon C, C++ and machine code, says Clar Rosso, CEO of cybersecurity training and certification group ISC2.
“Organizations will become more secure if we are able to abandon the reactive approach to cybersecurity and dedicate a concerted effort to moving left,” she says. “However, none of this will be possible without collaboration between the public and private sectors – we need collective action if we are to chart a path to secure, measurable software.”
Dangerous at any speed
Memory safety is a set of features in modern programming languages that prevents programs from accessing memory outside of its intended bounds and from accessing variables after that memory has been freed by the program. By imposing spatial and temporal constraints on software, memory-safe programming languages can eliminate entire classes of vulnerabilities that have previously led to major cyber events, such as the 2003 Slammer worm and the 2014 Heartbleed vulnerability.
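To make the spatial and temporal constraints concrete, here is an added example (not from the ONCD report or this article) in Rust, one of the memory-safe languages the report names: an out-of-range read is refused or halted deterministically instead of reading adjacent memory, and a handle to a freed object reports that the object is gone instead of dangling. The Record type and the sample bytes are constructed for illustration.

```rust
use std::panic::{catch_unwind, AssertUnwindSafe};
use std::rc::{Rc, Weak};

/// Spatial constraint, checked form: a read past the end of the buffer
/// yields None instead of whatever bytes happen to follow it in memory.
fn checked_read(buf: &[u8], idx: usize) -> Option<u8> {
    buf.get(idx).copied()
}

/// Spatial constraint, indexing form: `buf[idx]` is bounds-checked at
/// run time, so an out-of-range index is a deterministic panic rather
/// than a silent out-of-bounds read. Returns true if the access panicked.
fn index_panics(buf: &[u8], idx: usize) -> bool {
    catch_unwind(AssertUnwindSafe(|| buf[idx])).is_err()
}

/// Constructed record type standing in for any heap-allocated object
/// whose lifetime the program controls.
struct Record {
    payload: Vec<u8>,
}

/// Temporal constraint: a Weak handle can only be used by upgrading it,
/// and upgrade() returns None once the owning Rc has been dropped, so a
/// would-be use-after-free becomes an explicit "object is gone" result.
fn payload_len(handle: &Weak<Record>) -> Option<usize> {
    handle.upgrade().map(|rc| rc.payload.len())
}

/// Exercises the temporal check before and after the owner frees the record.
fn temporal_demo() -> (Option<usize>, Option<usize>) {
    let owner = Rc::new(Record { payload: vec![0xde, 0xad, 0xbe, 0xef] });
    let handle = Rc::downgrade(&owner);
    let while_alive = payload_len(&handle);
    drop(owner); // last strong reference released: the record is freed here
    let after_free = payload_len(&handle);
    (while_alive, after_free)
}

fn main() {
    let buf = [0x41u8, 0x42, 0x43];
    println!("checked_read in bounds: {:?}", checked_read(&buf, 2));
    println!("checked_read out of bounds: {:?}", checked_read(&buf, 3));
    println!("indexing out of bounds panicked: {}", index_panics(&buf, 3));
    println!("temporal (alive, after free): {:?}", temporal_demo());
}
```

In C or C++ the same two accesses would compile and run without complaint, returning adjacent bytes or the contents of reused heap memory, which is exactly the behaviour behind the Slammer and Heartbleed classes of bugs.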
Reducing the number of significant vulnerabilities can help end users by allowing them to focus on other aspects of cyber resilience, Anjana Rajan, ONCD’s assistant national cyber director for technology security, said in a video statement.
“The intense reactive posture required by the current status quo has reduced [end users’] ability to predict and prepare for the next wave of attacks,” she said. “To overcome America’s adversaries, we must build a defensible and resilient ecosystem. This means our efforts must focus on how we choose to shape the cyber battlefield to prevent, mitigate and defend against future attacks.”
The open source ecosystem has already moved away from memory-unsafe languages, with most projects written in JavaScript, Python, TypeScript and Java, which, assuming modern versions, all have memory-safe features, says Mike McGuire, who is responsible for security solutions at Synopsys.
“In the open source world, you’ll find a lot more Java open source libraries, a lot more Python open source libraries, than you will C and C++,” he says. “It’s not necessarily because the industry is moving away from C and C++ – they’re very powerful languages – but, if they want to contribute more to open source, … you want them to contribute memory-safe languages.”
Avoid EU missteps on safety parameters
Perhaps even more difficult will be the second half of the Biden administration’s initiative: creating security metrics that can be applied to software.
While an automated system that instantly issues a security score for software sounds attractive, the research effort will face significant hurdles, says ISC2’s Rosso.
“I have some reservations about this recommendation as the idea of running an algorithm or equation to deem a product ‘safe’ seems challenging with the ever-changing threat landscape,” she says. “[O]rganizations should definitely take advantage of products and services that allow them to have a holistic view of cybersecurity risk, [but] … it will be challenging to create standardized measures that can be used to designate software as good or poor quality.”
Last year, the European Union faced criticism after passing the Cyber Resilience Act (CRA), amid fears that its 24-hour vulnerability disclosure rule does not leave companies enough time to fix problems and could lead to less secure software, not more.
Especially when dealing with the open source ecosystem, lawmakers and government officials need to carefully consider policies before implementing them, says Synopsys’ McGuire.
“We need to remember that open source maintainers usually do this at their own expense in their spare time; they do it because it’s the right thing to do,” he says. “To come and say they’re going to have to have extra requirements or provide extra metrics or collect extra metrics – that would be a huge blow, I think, to the open source that’s available to us. That open source… is why we see [the] speed of development that we do today.”