The White House Office of the National Cyber Director (ONCD) has released a report calling on the technical community to proactively reduce the attack surface in cyberspace. ONCD makes the case that technology manufacturers can prevent entire classes of vulnerabilities from entering the digital ecosystem by adopting memory safe programming languages. ONCD is also encouraging the research community to address the problem of software measurability to enable the development of better diagnostics that measure cybersecurity quality.
“We, as a nation, have the ability – and the responsibility – to reduce the attack surface in cyberspace and prevent entire classes of security bugs from entering the digital ecosystem but that means we need to tackle the hard problem of moving to memory safe programming languages,” said National Cyber Director Harry Coker. “Thanks to the work of our ONCD team and some tremendous collaboration from the technical community and our public and private sector partners, the report released today outlines the threat and opportunity available to us as we move toward a future where software is memory safe and secure by design. I’m also pleased that we are working with and calling on the academic community to help us solve another hard problem: how do we develop better diagnostics to measure cybersecurity quality? Addressing these challenges is imperative to ensuring we can secure our digital ecosystem long-term and protect the security of our Nation.”
By adopting an engineering-forward approach to policymaking, ONCD is ensuring that the technical community’s expertise is reflected in how the Federal Government approaches these problems. Creators of software and hardware can have an outsized impact on the Nation’s shared security by factoring cybersecurity outcomes into the manufacturing process.
“Some of the most infamous cyber events in history – the Morris worm of 1988, the Slammer worm of 2003, the Heartbleed vulnerability in 2014, the Trident exploit of 2016, the Blastpass exploit of 2023 – were headline-grabbing cyberattacks that caused real-world damage to the systems that society relies on every day. Underlying all of them is a common root cause: memory safety vulnerabilities. For thirty-five years, memory safety vulnerabilities have plagued the digital ecosystem, but it doesn’t have to be this way,” says Anjana Rajan, Assistant National Cyber Director for Technology Security. “This report was created for engineers by engineers because we know they can make the architecture and design decisions about the building blocks they consume – and this will have a tremendous effect on our ability to reduce the threat surface, protect the digital ecosystem and ultimately, the Nation.”
ONCD has engaged with a diverse group of stakeholders, rallying them to join the Administration’s effort. Statements of support from leaders across academia, civil society, and industry can be found here.
In line with two major themes of the President’s National Cybersecurity Strategy released nearly one year ago, the report released today takes an important step toward shifting the responsibility of cybersecurity away from individuals and small businesses and onto large organizations like technology companies and the Federal Government that are more capable of managing the ever-evolving threat. This work also aligns with and builds upon secure by design programs and research and development efforts from across the Federal Government, including those led by CISA, NSA, FBI, and NIST.
The work on memory safety in the report complements interest from Congress on this topic. This includes the efforts of the U.S. Senate and House Appropriations Committees, who included directive report language requiring a briefing from ONCD on this issue in Fiscal Year 2023 appropriations legislation. Additionally, U.S. Senate Homeland Security and Governmental Affairs Committee Chairman Gary Peters (D-MI) and U.S. Senator Ron Wyden (D-OR) have highlighted their legislative efforts on memory safety to ONCD.
Read the full report, “Back to the Building Blocks: A Path Toward Secure and Measurable Software.”
