Governance & Risk Management , Government , Industry Specific
US Official Reproaches Industry for Bad Cybersecurity
CISA Director Says Programming Language Swap Will End Memory Safety VulnerabilitiesA top U.S. government official urged industry to become more conscientious over cybersecurity by preventing vulnerabilities from accumulating before products ship.
See Also: Meeting the Mandate: A Proactive Approach to Cybersecurity Compliance and Incident Reporting
Jen Easterly, who heads the Cybersecurity and Infrastructure Security Agency, told an audience assembled Monday at Carnegie Mellon University in Pittsburgh that the era of products released to the public with "dozens, hundreds or thousands of defects" must end. She praised Apple for nudging users into activating multifactor authentication while calling MFA takeup among the Microsoft and Twitter user bases "disappointing" (see: US CISA Official: 'Forcefully Nudge' Users to Adopt MFA).
"The fact that we’ve accepted a monthly 'Patch Tuesday' as normal is further evidence of our willingness to operate dangerously," she said in an additional dig at large tech companies, including Microsoft, which each month dumps a slew of fixes for its operating system.
Easterly argued for a stronger government role in cybersecurity, an additional sign that the decadelong Washington consensus of cybersecurity as a matter of voluntary partnerships between agencies and the private sector is being replaced by a view that government should be more assertive.
The Biden administration is close to releasing a revamped national strategy for cyberspace that close observers expect will call for more regulation. Administration officials have said more regulation is needed and have urged critics to consider the benefits rather than just the costs of government mandates.
Easterly said government should "play a role in shifting liability" onto companies that fail to live up to a cybersecurity duty of care, calling on legislators "to prevent technology manufacturers from disclaiming liability by contract."
Still, regulation is "not a panacea," she said.
The private sector could improve cybersecurity by transitioning to memory-safe languages, Easterly said, citing statistics showing that roughly two-thirds of known software vulnerabilities stem from bugs that capitalize on poor practices around how computer memory is accessed.
Hackers take advantage of organizations that use programming languages such as C and C++, which lack mechanisms to prevent coders from introducing memory errors.
These vulnerabilities can be eliminated simply by switching to memory-safe programming languages such as Rust, Go, Python and Java, Easterly said.
'Putting Our Money Where Our Mouth Is'
Easterly specifically called out Google's August 2022 debut of Android 13, which was the first Android release in which a majority of the new code added to the release was in a memory-safe language. Easterly said there wasn't a single memory safety vulnerability discovered in the Rust code added to Android 13.
Open-source software community Mozilla created Rust in 2015 and currently has a project to integrate Rust into its Firefox web browser. Amazon Web Services has begun to build critical services in Rust, which Easterly said has resulted in both security benefits as well as time and cost savings for the public cloud behemoth.
Making memory-safe languages ubiquitous within universities will serve as a building block to companies migrating their key libraries to memory-safe languages, Easterly said. This effort hinges on the technology industry containing, and eventually rolling back, the prevalence of C and C++ in key systems. C and C++ are still written and taught due to the belief that migrating away from them would harm performance.
"There are things that that we say that make it sound like we really do care about safety," Easterly said. "But we're not actually across industries putting our money where our mouth is because of the competitive pressures to get a new product to market."
Easterly chided the country's top computer science programs for not requiring a single security course as an undergraduate graduation requirement. Of America's top 20 computer science programs, only the University of California San Diego requires a security course, according to Easterly.
"At most schools, a student can earn a computer science degree without learning the fundamentals of safety and security," Easterly said. "I urge every university to make taking a security course a graduation requirement for all computer science students."