After decades of memory-related software bugs, White House calls on industry to act

The Biden administration is continuing to pressure the tech industry to make products that are secure from the outset, issuing a call on Monday for greater use of memory-safe programming languages.

The effort by the Office of the National Cyber Director (ONCD) is aimed at cutting down on a class of bugs that has caused problems since the 1980s: coding errors that allow attackers to abuse how software manages computer memory. Such vulnerabilities can be exploited to breach or corrupt data and run malicious code.

“To reduce the attack surface in cyberspace, we must eliminate entire classes of vulnerabilities at-scale, by securing the building blocks of cyberspace,” National Cyber Director Harry Coker said in outlining a new technical report that the White House produced for the industry.

The report has buy-in from leaders in the tech sector and academia, ONCD noted, touting statements of support from officials at companies such as SAP, Hewlett Packard Enterprise and Honeywell.

The White House says the report “takes an important step toward shifting the responsibility of cybersecurity away from individuals and small businesses and onto large organizations like technology companies” that are “more capable of managing the ever-evolving threat.”

The report mentions C and C++ as examples of programming languages that lack “traits associated with memory safety and also have high proliferation across critical systems.” Languages such as Rust, Python and Java are among the recommended replacements.

The White House wants executives and not just engineers to pay attention, a senior Biden administration official said in a call with reporters.

“We’re hoping that memory safety becomes an agenda item on the next board meeting for many of these companies,” the official said.

The report was more than a year in the making and included multiple outreach sessions to the tech industry, the official said, while noting that large companies with many products might have a lot of work to do on the topic.

“Migrating to memory-safe code, to be clear, could become a multi-decade effort depending on the size of a company, and requires the attention and support of all,” but those who do it “will make an outsized impact on the security of our nation,” the senior administration official said.

The difficulty in making the switch is why “for 35 years we’ve seen our adversaries score points against us,” the official said. But the time is right for industry to shift, the official said, because the technology now exists to make changes.

The White House notes that computer memory bugs enabled one of the earliest internet security incidents — the Morris Worm of 1988 — and continue to provide opportunities for attackers today, including the BLASTPASS exploit chain used by a spyware vendor in 2023.

The report also calls for the creation of better metrics for measuring the security of software, an effort that will require “pioneering efforts in software engineering and cybersecurity research,” according to a White House fact sheet.

The report is the latest followup to President Joe Biden’s 2021 executive order on cybersecurity the release of the National Cybersecurity Strategy in 2023.

Other agencies have advocated for the tech industry to think about security as early as possible in developing products. Examples include the Secure By Design initiative from the Cybersecurity and Infrastructure Security Agency (CISA), and a report on minimum elements of a software bill of materials (SBOM) from the Commerce Department.

The National Security Agency (NSA) and CISA also issued an information sheet on memory-safe programming in December.