US Government Expands Role in Software Security

The Biden administration continues to push for closer public-private partnerships to harden US information-technology infrastructure, calling on companies to shift to memory-safe programming languages and calling on the technical and academic communities to create better ways of measuring software security. 

This week, the White House Office of the National Cyber Director (ONCD) released a report written for developers and engineers, arguing that the nation needs to create a new balance of responsibilities for defending cyberspace and better incentives for companies to invest in the cybersecurity of their products.

As initial steps, the ONCD called on technology manufacturers to shift to memory-safe programming languages — such as Python, Java, and Rust — which can eliminate up to 70% of the vulnerabilities, and to develop better ways of measuring the security of their products.

The current ecosystem places too much burden on the people least able to afford the costs needed to secure critical infrastructure and systems against attackers, National Cyber Director Harry Coker said in a video statement. 

"Today, end users of technology — whether individuals, small businesses, or critical infrastructure owners and operators — bear too much of the responsibility for keeping our nation secure," he said. "A system that can be brought down by a few keystrokes needs better building blocks, a stronger foundation. We need to expect more of those most capable and best positioned to defend cyberspace, and that includes the federal government."

Leaning into Cybersecurity

The Biden administration has leaned into efforts to improve the cybersecurity of the nation's infrastructure, the vast majority of which is privately owned. A year ago, the administration released its National Cybersecurity Strategy calling for software liability and minimum cybersecurity requirements for the critical-infrastructure sector. The administration has also kept up a dialog with software makers and the open-source development community to find better ways to collaborate to push forward software security. 

The latest report, Back to the Building Blocks: A Path Toward Secure and Measurable Software, shows that the government sees a long-term role in overseeing software security.

The efforts will likely work to convince many private-sector organizations to shift to memory-safe languages and away from C, C++, and machine code, says Clar Rosso, CEO of the cybersecurity education and certification group ISC2.

"Organizations will become more secure if we are able to step away from the reactive approach to cybersecurity and put a concerted effort behind shifting left," she says. "However, none of this will be possible without collaboration between the public and private sectors — we need collective action if we're going to chart a path toward secure and measurable software."

Unsafe at Any Speed

Memory safety is a set of features of modern programming languages that prevents programs from attempting to access memory outside of expected bounds and accessing variables after their memory has been freed up by the program. By placing spatial and temporal limitations on software, memory-safe programming languages can eliminate entire classes of vulnerabilities that have previously led to major cyber events, such as the Slammer worm of 2003 and the Heartbleed vulnerability in 2014.

Reducing the number of significant vulnerabilities can help end users by allowing them to focus on other aspects of cyber-resilience, Anjana Rajan, assistant national cyber director for technology security in the ONCD, said in a video statement.

"The intense reactive posture demanded by the current status quo reduces [end users'] ability to predict and prepare for the next wave of attacks," she said. "To outpace America's adversaries, we must build a defensible and resilient ecosystem. That means our efforts must focus on how we decide to shape the cyber battlefield to prevent, mitigate, and defend against future attacks."

The open source ecosystem has already moved away from non-memory-safe languages, with most projects written in JavaScript, Python, Typescript, and Java, which — assuming modern versions — all have memory-safety features, says Mike McGuire, security solutions manager with Synopsys.

"In the open source world, you're going to find a lot more Java open-source libraries, a lot more Python open-source libraries, than you will with C and C++," he says. "It's not necessarily because the industry is moving away from C and C++ — those are very powerful languages — but, if they are going to contribute more to open source, ... you want them contributing with memory-safe languages."

Avoiding the EU's Missteps on Security Metrics

Perhaps even more difficult will be the second half of the Biden administration's initiative: Creating security metrics that can be applied to software.

While an automated system that instantly spits out a security score for software sounds nice, the research effort will face significant hurdles, says ISC2's Rosso.

"I have some reservations about this recommendation as the idea of running an algorithm or equation to deem a product 'safe' seems challenging with the ever-evolving threat landscape," she says. "[O]rganizations should absolutely take advantage of products and services that allow them to have a holistic view of their cybersecurity risk, [but] ... it will be demanding to create standardized measures that can be used to designate software to be good or poor in quality."

Last year, the European Union faced criticism after passing the Cyber Resilience Act (CRA) over fears that a 24-hour vulnerability disclosure rule does not leave companies enough time to fix issues and could lead to less secure software, not more. 

Especially when dealing with the open source ecosystem, lawmakers and government officials need to consider policies carefully before implementing them, says Synopsys's McGuire.

"We have to remember that open source maintainers are doing this usually on their own dime in their free time; they're doing it because it's the right thing to do," he says. "Coming down and saying that they're going to have to have extra requirements or provide extra metrics or collect extra metrics — that would be a significant blow, I think, to the open source that's available to us. That open source ... is the reason why we see [the] development velocity that we do today."