The Office of the National Cyber Director (ONCD) has unveiled a detailed technical report titled 'Back to the Building Blocks: A Path Toward Secure and Measurable Software.'
The report underlines the pressing need to address undiscovered vulnerabilities that malicious actors can exploit in the digital ecosystem. It articulates two strategic approaches to achieve this goal: firstly, reducing the attack surface in cyberspace by preventing entire classes of vulnerabilities, and secondly, anticipating systemic security risks by enhancing diagnostics for measuring cybersecurity quality.
It emphasises the necessity of collaboration with the technical community, which is deemed well-positioned to take effective action in securing our digital landscape in this decisive decade.
The first strategic approach involves securing the building blocks of cyberspace, with the aim of eliminating vulnerabilities at scale. Analysis of Common Vulnerabilities and Exposures (CVE) data over the years has identified memory safety vulnerabilities as a pervasive class of bugs. The report calls for a proactive role from creators of software and hardware, who are best positioned to make progress in securing the programming language, a fundamental building block of cyberspace. Using memory-safe programming languages is highlighted as a highly leveraged way to eliminate most memory safety errors and significantly improve software security.
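To make the memory-safety point concrete, here is an added example that is not code from the ONCD report: a constructed length-prefixed record format (one declared-length byte followed by the payload) parsed in Rust, a memory-safe language. The wire format and the function names `parse_record` and `parse_record_indexed` are assumptions for illustration. In C, trusting the declared length in a `memcpy` yields an out-of-bounds read or write; in Rust the same logic error surfaces either as a rejected input or as a bounds-check panic, never as silent memory corruption.

```rust
// Added example (not from the ONCD report): how a memory-safe language turns a
// classic "trust the length field" bug into a checked error instead of an
// out-of-bounds read or write.

/// Constructed wire format for illustration: one byte of declared length,
/// followed by the payload bytes. The declared length is attacker-controlled.
fn parse_record(packet: &[u8]) -> Result<&[u8], &'static str> {
    let (&declared_len, rest) = packet.split_first().ok_or("empty packet")?;
    // In C, `memcpy(buf, rest, declared_len)` would read past the end of
    // `rest` (and possibly write past `buf`). Here `get` returns None when the
    // range is out of bounds, so the bad length is rejected, not dereferenced.
    rest.get(..declared_len as usize)
        .ok_or("declared length exceeds packet")
}

/// The same logic with a plain index. Rust still bounds-checks it; a bad
/// length produces a deterministic panic (a controlled abort), not silent
/// memory corruption. Shown for contrast; prefer `get` in parsing code.
fn parse_record_indexed(packet: &[u8]) -> &[u8] {
    let declared_len = packet[0] as usize;
    &packet[1..1 + declared_len]
}

fn main() {
    // Constructed inputs: one well-formed record and one whose declared
    // length overruns the buffer.
    let good: [u8; 4] = [3, b'a', b'b', b'c'];
    let bad: [u8; 4] = [200, b'a', b'b', b'c'];

    println!("{:?}", parse_record(&good)); // Ok([97, 98, 99])
    println!("{:?}", parse_record(&bad)); // Err("declared length exceeds packet")

    // The indexed variant panics on the bad record instead of corrupting memory.
    let caught = std::panic::catch_unwind(|| parse_record_indexed(&bad).len());
    println!("indexed parse of bad record panicked: {}", caught.is_err());
}
```

The practitioner's takeaway is the difference in failure mode: the logic bug (trusting an untrusted length) is the same in both languages, but the memory-safe language converts it from an exploitable memory corruption into a recoverable error or a crash that cannot be steered by the attacker.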
Addressing the software measurability problem is the second strategic approach outlined in the report. To anticipate and mitigate systemic risks, better metrics are needed to determine the cybersecurity quality of software. The lack of reliable information about the security quality of software exposes organisations to risk, and creating effective metrics is challenging because of the dynamic and complex nature of the software ecosystem. The report calls for active involvement from the research community in advancing the science of measuring software, framing software metrology as a critical research problem. Improved metrics would not only help prevent vulnerabilities but also inform decision-making for a range of stakeholders, encouraging long-term investment in secure software development.
The comprehensive nature of this report is a result of incorporating critical input from leaders in the private sector, civil society, and academic communities. Public feedback from a Request for Information on Open-Source Software and Memory Safety, along with insights from nationwide technical workshops on Space Systems Cybersecurity, has been instrumental in shaping the concepts presented in the report.
As part of the report's launch, the ONCD shared statements of support for software measurability and memory safety from technical leaders of leading global organizations. Furthermore, the ONCD pledges to continue working closely with public and private sector partners to implement the recommendations outlined in the report, fostering a collaborative approach to enhance the cybersecurity posture of the nation.