Reprogramming National Cybersecurity

Thanks to analysis published by Consumer Reports last month, there is renewed attention to a building block of national cybersecurity: memory safety in computer programming. All computer programming languages require memory space for code to run as intended, but different languages allocate memory in different ways. Older and more commonly used languages, like C and C++, allow programmers to shift memory around manually. Newer languages—like Python, Java, and Rust—automatically allocate computer memory for code to run and are thus memory-safe.

While this may seem an esoteric distinction, how the federal government approaches programming languages and memory safety has at least two major national security implications.

First, the widespread use of memory-unsafe languages like C and C++ allows bad actors to carry out large-scale hacks against the United States. Manual memory allocation is prone to a host of errors—typos, forgotten lines of code, and unintended interactions between pieces of code—that can change how a program interacts with computer memory. Hackers prey on these glitches to propagate malware. For instance, North Korean hackers unleashed the WannaCry ransomware across the globe in 2017 by exploiting a memory-safety error. The malware infected computers in over 150 countries, and the hackers stole hundreds of millions of dollars to help the Kim regime circumvent US sanctions.

The threat becomes grimmer when looking at government targets. Currently, Microsoft dominates the federal market for productivity software. Recent surveys indicate that over 80 percent of federal employees in the Washington, DC, metro area rely on Microsoft products and services like Word, Excel, Outlook, Teams, and OneDrive. At the same time, memory safety concerns are at the heart of these products. Between 2007 and 2019, Microsoft attributed roughly 70 percent of its products’ security vulnerabilities to memory safety issues. And as Microsoft garners more federal contracts—particularly from the Department of Defense—memory safety bears directly on national security operations.

Second, clinging to memory-unsafe programming languages does little to ease the national cyber workforce crisis. Over half a million cybersecurity jobs across the country remain unfilled. The shifting skillsets of the workforce only exacerbate this trend. The coders who could take these positions, particularly in younger generations, increasingly favor memory-safe languages like Python. This gap between talent and employment leaves the public and private sectors highly vulnerable both to hacks from nation-state adversaries like Russia and China and to the scourge of criminal ransomware.

Addressing programming and workforce weaknesses requires a major shift in governmental and industry standards. Memory safety has been on the federal agenda for some time now. But despite the awareness raised by the National Security Agency, the Cybersecurity and Infrastructure Security Agency, and even Congress, the Biden administration has made little progress. Even worse, the administration’s penchant for cybersecurity regulation won’t produce results for memory safety in the private sector, given the costs and timeframe for companies to comply.

Instead, the Biden administration should leverage federal buying power to shift the market in favor of memory-safe programming languages. For example, the administration can impose new mandates for software procurements by instructing agencies to require or give preference to products based on memory-safe languages. Such a move can incentivize changes in private sector practices over time. Although corporations like Google are already moving in this direction, this remains the exception rather than the rule. The Biden administration must build on this momentum now if it wants to effectively bolster national cybersecurity.

The post Reprogramming National Cybersecurity appeared first on American Enterprise Institute – AEI.