The White House Office of the National Cyber Director (ONCD) has released a new report today urging the technology industry to take steps to reduce vulnerabilities in software that leave digital systems open to cyberattacks.
The report, titled “Back to the Building Blocks: A Path Toward Secure and Measurable Software,” emphasises the importance of technology manufacturers adopting memory-safe programming languages to prevent entire classes of vulnerabilities from entering the digital ecosystem.
“We, as a nation, have the ability – and the responsibility – to reduce the attack surface in cyberspace and prevent entire classes of security bugs from entering the digital ecosystem but that means we need to tackle the hard problem of moving to memory-safe programming languages,” said National Cyber Director Harry Coker.
The report – which is a result of collaboration between the ONCD team, the technical community, and public and private sector partners – outlines the threat and opportunity available in moving towards a future where software is memory-safe and secure by design.
“The Office of the National Cyber Director has written what will become mandatory reading for the entire technical community as it works towards maximising the security of our shared digital ecosystem,” says Shyam Sankar, CTO at Palantir.
“By taking an engineering-first approach to cybersecurity policy, the White House is providing an actionable roadmap for reducing memory safety vulnerabilities and improving software measurement capabilities — both of which are necessary to ensure that all software innovators are doing their part to defend against daily cyber threats to US national security.”
The ONCD is also encouraging the research community to address the problem of software measurability in order to develop better diagnostics that measure cybersecurity quality. By adopting an engineering-forward approach to policymaking, the ONCD is ensuring that the technical community’s expertise is reflected in how the Federal Government approaches these problems.
“It is impressive to see the White House take on the important topic of software security via the use of better programming languages. Memory safety bugs have led to numerous vulnerabilities in real-world systems,” comments Dan Boneh, Professor of Computer Science, Stanford University.
“Software quality would be greatly improved if we could somehow wave a magic wand and have all existing software translated to a memory-safe language. Unfortunately, such a magic wand does not yet exist.”
Assistant National Cyber Director for Technology Security, Anjana Rajan, highlighted that some of the most infamous cyber events in history – such as the Morris worm of 1988 and the Heartbleed vulnerability in 2014 – were caused by memory safety vulnerabilities.
“For thirty-five years, memory safety vulnerabilities have plagued the digital ecosystem, but it doesn’t have to be this way,” says Rajan.
“This report was created for engineers by engineers because we know they can make the architecture and design decisions about the building blocks they consume—and this will have a tremendous effect on our ability to reduce the threat surface, protect the digital ecosystem and, ultimately, the nation.”
The ONCD has engaged with a diverse group of stakeholders, rallying them to join the Administration’s effort.
“This new technical report takes a positive step forward on a critical issue—the need for foundational safeguards against the root cause of many vulnerabilities across the software supply chain,” comments Mark Dankberg, Chairman and CEO of Viasat.
“Addressing vulnerabilities across systems and infrastructure, and ensuring resilient and diverse connectivity options are vital to national security interests.”
The report aligns with two major themes of the President’s National Cybersecurity Strategy released nearly one year ago, which aims to shift the responsibility of cybersecurity away from individuals and small businesses and onto large organisations like technology companies and the Federal Government that are more capable of managing the ever-evolving threat.
This latest work also complements interest from Congress on this topic, including efforts from the US Senate and House Appropriations Committees and legislative efforts from the US Senate Homeland Security and Governmental Affairs Committee Chairman Gary Peters (D-MI) and US Senator Ron Wyden (D-OR).
“Internet security problems are global problems, and solving them will require engagement from our nation’s leaders. I commend the Office of the National Cyber Director for taking the important first step beyond high-level policy, translating these ideas into calls-to-action the technical and business communities can understand,” says Jeff Moss, President of DEFCON and Black Hat.
“I endorse the recommendation to adopt memory-safe programming languages across the ecosystem because doing so can eliminate whole categories of vulnerabilities that we have been putting band-aids on for the past thirty years.”
A copy of the full report can be found here (PDF).