See for yourself – run a scan on your code right now

“We, as a nation, have the ability – and the responsibility – to reduce the attack surface in cyberspace and prevent entire classes of security bugs from entering the digital ecosystem, but that means we need to tackle the hard problem of moving to memory safe programming languages,”  – Harry Coker (US National Cyber Director)

On Monday, February 26th, the White House released a report from the Office of the National Cyber Director.   The report focuses on 4 major themes:

  1. Securing the core building blocks of cyberspace, such as programming languages, hardware architectures, and formal methods, in order to reduce vulnerabilities at scale. It focuses especially on the adoption of memory safe programming languages.  
  2. Addressing the complex research problem of software measurability in order to develop empirical metrics that measure cybersecurity quality. These metrics can help inform decision-making and shift market forces to incentivize long-term investments in secure software development.
  3. The technical community, including software developers and academic researchers, has an important role to play in driving progress on both of these fronts. Their actions can significantly improve the security of the broader digital ecosystem.
  4. These will be ambitious long-term undertakings requiring persistent collaboration between government, private sector, and academia. However, there is optimism that progress can be achieved through determined cooperation.

This report is a continuation of the groundwork laid by President Biden with the National Cybersecurity Strategy outlined in March of 2023. The strategy calls for 2 fundamental shifts in how the US allocates resources to handle long-standing cybersecurity issues:

  1. Rebalancing the responsibility to defend cyberspace to those most capable and best positioned to reduce risk.  
  2. Realignment of incentives to favor long term investments required to make cyberspace more resilient and defensible in the future.  

The Problem Statement

The report lists “memory safety vulnerabilities” as a leading root cause of some of the largest, which is accurate: multiple independent sources state that memory safety vulnerabilities make up 60-70% of Windows and macOS vulnerabilities, and Google estimates that number at 90% for Android. An analysis of 0-day vulnerabilities exploited in the wild showed around 80% were memory safety issues. Anyone who has spent time in cybersecurity will recognize the names of some prime examples of memory safety issues: Slammer, WannaCry, Trident (iOS), Heartbleed, Stagefright (Android), Ghost, and many more, going back to the Morris Worm of 1988.
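As an added illustration (not from the report or the original post) of the bug class behind Heartbleed in the list above: a length field taken from the incoming message is trusted without being compared to the bytes actually received. The record layout and sample records below are constructed simplifications, not the real TLS heartbeat format.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record layout (a simplification, not the real TLS heartbeat format):
 *   byte 0     : message type
 *   bytes 1..2 : payload length claimed by the sender, big-endian
 *   bytes 3..  : payload */
#define HDR_LEN 3
#define MAX_PAYLOAD 64

/* Constructed sample records. Both carry the 4-byte payload "ping"; the
 * second claims 32 payload bytes, 28 more than were actually received. */
const uint8_t HONEST_RECORD[] = {0x01, 0x00, 0x04, 'p', 'i', 'n', 'g'};
const uint8_t LYING_RECORD[]  = {0x01, 0x00, 0x20, 'p', 'i', 'n', 'g'};

/* Unsafe pattern: the peer-controlled length field is trusted. With LYING_RECORD
 * the memcpy would read 28 bytes past the end of rec, the out-of-bounds read
 * class the report describes; main and the checks below never exercise that path. */
int copy_payload_unchecked(const uint8_t *rec, size_t rec_len,
                           uint8_t *out, size_t out_len) {
    (void)rec_len;                           /* the bound that is ignored */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (claimed > out_len) return -1;        /* guards out, not rec */
    memcpy(out, rec + HDR_LEN, claimed);
    return (int)claimed;
}

/* Hardened form: every length is checked against the bytes actually present. */
int copy_payload_checked(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_len) {
    if (rec == NULL || out == NULL || rec_len < HDR_LEN) return -1;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (claimed > rec_len - HDR_LEN) return -1;   /* claims more than received */
    if (claimed > out_len) return -1;             /* would overflow destination */
    memcpy(out, rec + HDR_LEN, claimed);
    return (int)claimed;
}

/* Parses a record into a local buffer; returns the payload length or -1. */
int parse_record(const uint8_t *rec, size_t rec_len) {
    uint8_t out[MAX_PAYLOAD];
    return copy_payload_checked(rec, rec_len, out, sizeof out);
}

int main(void) {
    printf("honest record: %d\n", parse_record(HONEST_RECORD, sizeof HONEST_RECORD));
    printf("lying record:  %d\n", parse_record(LYING_RECORD, sizeof LYING_RECORD));
    return 0;
}
```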

This is clearly a significant issue in cybersecurity and one that has so far been addressed in an “after-the-fact” manner.  This report looks to shift security into the area where Qwiet AI is situated: the code itself.  

Software Development as a Key to Cybersecurity

The report specifically calls out C and C++ as languages that lack proper memory safety traits. Of course, these languages are widely used, so the entire software industry can’t be expected to switch to Rust or some other language overnight. Some “quick fixes” recommended by the report include memory-safe hardware (such as Intel MPX or TME) and more rigorous software testing before release. The report specifically mentions two areas of security that fit right into Qwiet AI’s wheelhouse:

“There are two ways software engineers can use these techniques across software and hardware. First, formal methods can be incorporated directly into the developer toolchain. As the programmer builds, tests, and deploys software, the compiler can automate these mathematical proofs and verify that a security condition is met. Additionally, the developer can use formally verified core components in their software supply chain. By choosing provably secure software libraries, developers can ensure the components they are using are less likely to contain vulnerabilities.”

Qwiet AI’s Ben Denkers feels that this report is pretty much stating the obvious: “This should serve as no surprise to anyone who has spent any time in the cyber trenches. We’ve all known for years the issues brought about by improper handling of memory space. While it is good to call these out, we can’t expect every development group around the globe to suddenly sunset every language that isn’t ‘memory safe’. What this report does illustrate is the value of static application security testing (SAST) to ensure code goes out the door secured and protected.”

Not only is SAST a key component of ensuring more secure code, but this report should also raise the importance of a good Software Bill of Materials (SBOM) to help security teams properly assess the risk of an application.

Shifting Responsibilities

The report also digs into who should be responsible for secure code.  Traditionally, cybersecurity responsibility has resided mainly with Chief Information Security Officers (CISOs); however, Chief Technology Officers creating software and Chief Information Officers acquiring it should also be accountable.  Cybersecurity quality metrics can promote cross-functional decision-making. These metrics assess developer processes, software testing, and operational environments. 

While CISOs emphasize execution contexts, CTOs and CIOs focus more on intrinsic software quality, which the report’s metric dimensions are meant to capture. Nevertheless, the lack of quality measurement has hindered manufacturers’ security prioritization and customers’ purchasing choices. Developing sophisticated software measurability solutions is essential to fully realize the potential of such metrics. They promise to provide vital data to inform choices and motivate strategic, organization-wide investments. Overall, distilling the abstract notion of software “quality” into objective metrics can drive accountability, communication, and alignment between security stakeholders via quantifiable, data-based risk insights.

It’s Down to Us

The report makes it clear that cybersecurity is a priority for the Biden administration and that the responsibility lies with all of us across the software and security industries. While the preference is for a future coded in memory-safe languages, the reality is we must address vulnerabilities proactively today. Through robust software analysis, improved accountability, and an unrelenting focus on quality, we can make incremental but impactful progress. The administration’s call to action should spur industry collaboration on defining and implementing cybersecurity best practices. With a shared commitment to secure code and an understanding that national security is at stake, the technical community is compelled to do its part in safeguarding society’s digital infrastructure against emerging threats. Though the road ahead includes both technological and cultural challenges, the imagination and expertise of developers provide reason to believe we can get there through openness, transparency, and collective ingenuity.

If you want to get a jump on the security of your application, please reach out to the team at Qwiet AI.  Our Application Security platform can help you dramatically reduce the risk of your applications, and our consultants can help you better understand your risk posture and find ways to improve it.

About ShiftLeft

ShiftLeft empowers developers and AppSec teams to dramatically reduce risk by quickly finding and fixing the vulnerabilities most likely to reach their applications and ignoring reported vulnerabilities that pose little risk. Industry-leading accuracy allows developers to focus on security fixes that matter and improve code velocity while enabling AppSec engineers to shift security left.

A unified code security platform, ShiftLeft CORE scans for attack context across custom code, APIs, OSS, containers, internal microservices, and first-party business logic by combining results of the company’s and Intelligent Software Composition Analysis (SCA). Using its unique graph database that combines code attributes and analyzes actual attack paths based on real application architecture, ShiftLeft then provides detailed guidance on risk remediation within existing development workflows and tooling. Teams that use ShiftLeft ship more secure code, faster. Backed by SYN Ventures, Bain Capital Ventures, Blackstone, Mayfield, Thomvest Ventures, and SineWave Ventures, ShiftLeft is based in Santa Clara, California. For information, visit: www.shiftleft.io.
