Rewarding Resilience: Rust & the U.S. National Cybersecurity Strategy

Shane Miller is the Rust Foundation’s Distinguished Advisor for Open Source Business and the former Chair of the Rust Foundation Board. In this guest blog, Shane shares her perspective on the new U.S. National Cybersecurity Strategy and how it aligns with the Rust language ecosystem.


Welcome to the first installment in a series authored by the Rust Foundation’s Distinguished Advisors – a group of unpaid experts in the open source space whose policy-focused perspectives help inform our executive strategy as a non-profit foundation serving the Rust ecosystem.

Shane Miller is the former Chair of the Rust Foundation Board of Directors and our current Distinguished Open Source Business Advisor. 

We are pleased to share Shane’s thoughts on the new U.S. National Cybersecurity Strategy, which introduces important priorities to guide us through the next era of cyberspace with security and safety at the helm. 

This post was written by Shane and is being shared here to give you insight into her advisory point of view.

Changing Security Expectations

The exponential growth of tech innovation over the last twenty years has tightly connected our world and unlocked awe-inspiring impact and potential. While we’re able to build increasingly complex solutions that simplify and automate more and more of our daily lives, we fail to predict all of the consequences those new technologies will have. Sometimes we stumble into surprises that delight us, like amateur YouTube videos teaching my autistic daughter five languages before she said her first word. And sometimes new threats emerge, as bad actors get better at using the growing ubiquity and fragility of our technology for malicious purposes.

The technology we depend on today for healthcare, money, defense, and just about everything else is built on top of legacy applications, engineered by creators who could not have guessed the breadth of dependencies their work would eventually support. My own code from the 1990s is still used by financial services today, hidden behind screens and interfaces that appear very modern to users. 

Despite wide recognition of this challenge, there are currently very few policies protecting consumers from these risks, and buyers are not demanding that manufacturers invest more to defend their products and services from attacks. Customers who’ve tried to drive security improvements with contracts requiring security patches as soon as vulnerabilities are discovered have not been successful, and, in some cases, they’ve encouraged corporate secrecy over transparency. As a result, an ever-increasing number of attacks violate the privacy of our sensitive data and disrupt access to oftentimes critical services. The effects of these attacks are personal. Everything from our food to our money to our homes depends on the security and reliability of increasingly brittle technology.

Meanwhile, the tech industry is focused firmly on the visible and consumer-facing outcomes of innovation and speed to market. From smart homes to self-driving cars, shiny features are far more rewarding than security for both their designers and consumers. The result is that technology manufacturers ignore opportunities to make substantial security investments, while buyers incorrectly assume that sensitive and critical technologies are already regulated and as secure as possible. More often than not, technology manufacturers are releasing new products with security that is “no worse than before,” but the shortcomings of our past cannot be the goal for our future.

The new United States National Cybersecurity Strategy recognizes the importance and urgency of these risks to our citizens and suggests bold steps to “rebalance the responsibility of cybersecurity.” The strategy shifts liability away from end consumers to the stakeholders “most capable of taking action” while recognizing the technical and social complexities shaping our cybersecurity vulnerabilities. The commitment to change tech industry business models in order to “realign incentives to favor long-term investments in security, resilience, and promising new technologies” is pivotal and necessary.

The vision and principles outlined in the cybersecurity strategy are shared by the Rust Foundation, a nonprofit trade organization formed by a partnership of corporations and open source community members to support the sustainability and growth of Rust. Rust is an open source programming language that improves the security and resilience of the products and services built using it. The Rust ecosystem is composed of more than 100,000 software packages created by more than 5,000 volunteers all over the world. “Open source” means that Rust is free for anyone to use, inspect, or contribute.

Because Rust combines memory safety with optimized speed and efficiency, it’s critical to the future of cybersecurity. Memory safety protects data used by software from being accessed or changed by others without permission, and that protection eliminates a substantial class of high severity security vulnerabilities. Several analyses have concluded that building software with memory-safe languages blocks 70% of the most dangerous attacks.

Like Rust, a number of other programming languages offer memory safety, but they achieve it at the expense of efficiency tradeoffs that make those languages poor choices for some products. Devices like phones and cameras have relatively small computing power, so it’s difficult for manufacturers to deliver the features consumers want in those devices using expensive memory-safe languages like Java and Python. Rust is unique, because it can give software developers both optimized efficiency and memory safety. 

Making memory-safe programming languages the default choice for technology manufacturers substantially improves the security and resilience of our products and services. Such a shift would strengthen the security and resilience of our critical infrastructure, private institutions, and national defense. The National Cybersecurity Strategy focuses on consumer education and industry regulation as market forces that can drive that change. The campaigns, standards, and frameworks that these initiatives produce must educate consumers on the benefits of memory safety and drive widespread adoption of memory-safe languages by technology manufacturers. At the same time, governments like the United States that depend on technology manufacturers delivering memory safe products must fund the organizations responsible for the maintenance and security of the open source technology making memory safety possible. Memory safety must be the bedrock of future technology, and organizations like the Rust Foundation that support the security, maintenance, and access to memory-safe programming languages must be adequately and sustainably funded.

Consumer Education

Consumer education is one of the primary pressures the United States hopes will push technology manufacturers to improve the security and resilience of their products and services. Most technology manufacturers are sensitive to market preferences, making consumer demand a fast way to change priorities and investment strategies inside those companies. Education campaigns and regulatory tools that help consumers understand and evaluate the security of their products will have an impact. The Rust Foundation and others have demonstrated how powerful that can be with their outreach to software developers.

The Rust Foundation’s vision is that global computing will be secure, efficient, and performative through the use of the Rust programming language. An important part of the Rust Foundation’s mission is to educate software developers on the benefits of Rust, and the board of directors and staff have actively leveraged industry platforms to promote Rust’s features. In two years, the Rust Foundation’s support and advocacy has contributed to explosive growth of the Rust community – from 600,000 to 2.8 million builders. The Rust programming language is now ranked as the #1 most loved, the #1 fastest growing, and the #1 most wanted by developers. Rust outreach has effectively created a technology grassroots movement.

Organizations like the Internet Security Research Group are also promoting memory-safe implementations of security-sensitive infrastructure components, but memory-safe languages are not yet the default choice of technology manufacturers in all products and services. There is so much more education and outreach needed, from incorporating memory safety into computer science curriculums to educating technology leaders on the impact of memory safety in their products and services. As our government agencies teach consumers to demand better security, memory safety has to be part of that new digital vocabulary.

For example, the National Cybersecurity Strategy recommits to the ambitious IoT security labeling program directed by Executive Order 14028, “Improving the Nation’s Cybersecurity.” These technology security labels are intended to give American consumers a way to evaluate product security and “incentivize manufacturers to meet higher cybersecurity standards and retailers to market secure devices,” according to National Security Council spokesperson Adrienne Watson in an official White House statement.

As the research to develop IoT security labels for American consumers is done, memory safety must be included in the security evaluation criteria, incentivizing manufacturers to adopt it and informing consumers when they don’t. If the government can persuade consumers to demand better security choices like memory safety, it will have a resounding impact on the security and resilience of all products and services. 

Industry Regulation

While consumer pressure is a powerful market force, it will not be enough to drive the increased investment in security and resilience we need across the tech industry. The National Cybersecurity Strategy recognizes that regulations will also be required to achieve results, saying “Our collective cyber resilience cannot rely on the constant vigilance of our smallest organizations and individual citizens.” Americans depend on our government to implement and enforce regulations that safeguard consumers. When our automobiles, finances, and food are regulated while the technologies operating and supplying them remain vulnerable, consumers are not protected. As Microsoft Vice Chairman and President Brad Smith has noted, there is not a single industry that has succeeded in regulating itself. 

Some security and privacy compliance standards required by specific market segments, like health and finance, have been effective at driving security improvements and auditing for them. When a technology manufacturer is evaluating the profitability of implementing a security feature or improvement today, they look for opportunities to tie that investment to those compliance measures. What they’re asking is, “If I add this security feature, is it something I can use in marketing?” In our current industrial model, technology manufacturers only invest in security improvements when it helps sell their products.

Manufacturing those technology products and services is a lot like building cars; engineers start with plans and supplies they trust. The difference is that technology corporations are able to abdicate responsibility for the reliability and security of the building blocks they use, while government regulations hold auto manufacturers accountable for the end-to-end results of their work. Technology consumers receive end user license agreements (EULAs) with disclaimers for the third party parts used in their products, and 97% of those technology products and services include free and open source software created by volunteers and licensed “as is” without warranty. Open source is a superstore of free basic building blocks that our modern, complex systems are building on top of without safety assurances.

One open source author’s work is so prolific that he’s created a collection of screenshots of his name in “computer games, mobile phones, television sets, car infotainment systems, software manuals, printer touch screens, device documentation and printed on paper shipped in glossy cardboard boxes.” As a result, the engineer is often contacted by consumers for help, but as he says, “I do not know that product. I do not know how to use, repair or operate that product, device or tool. [...] I do not know the people nor the company. I cannot help you get in contact with them.” Emailing the builders of open source components used in the construction of complex systems for help is like asking the manufacturer of the bolts used in your car for help with your engine. 

The new National Cybersecurity Strategy announces intentions to change the accountability of technology manufacturers by “[developing] legislation establishing liability for software products and services” that will “prevent manufacturers and software publishers with market power from fully disclaiming liability by contract.” That liability stick is paired with an achievable safe harbor carrot designed to drive the adoption of responsible behaviors by “the most capable and best-positioned actors to make our digital ecosystem secure and resilient.”

The National Cybersecurity Strategy commits to imposing an “adaptable safe harbor framework to shield from liability companies that securely develop and maintain their software products and services,” by evolving existing best practice guidance like the National Institute of Standards and Technology (NIST) Secure Software Development Framework (SSDF). This creates a complete loop by establishing higher security expectations with the updated NIST SSDF and rewarding companies that satisfy the expectations of the framework with limitations on liabilities for security failures that cannot be predicted and prevented. Even when technology manufacturers do everything right, there is still a chance a bad actor will be able to successfully attack a product or service. This plan establishes a set of good behaviors for security and resilience and rewards corporations that demonstrate those behaviors with indemnity.

The regulations and authorities the United States creates must include compliance mechanisms that reward technology manufacturers with limited liability and marketable features when they choose to build with memory-safe languages that improve the security and resilience of products and services, and when they responsibly invest in the security and resilience of the third party components they use, including open source.

Funding the Change

Most modern products are built on top of foundational technologies written in programming languages created before memory safety was introduced, and the control and efficiency of those early unsafe programming languages continue to make them popular for a lot of solutions today. More than a third of all software developers are still actively using unsafe programming languages to build products and services (12.3 million out of 33.6 million). 

Those manufacturers are opting out of memory safety, because for a long time, they’ve had to choose between resource efficiency and memory safety. From IoT devices to the networks that connect them, using expensive memory-safe languages like Java and Python would limit features and result in frequent interruptions in service. As the United States channels market forces like consumer education and industry regulation to make memory-safe programming the default choice for manufacturers, we must also invest in the sustainability of organizations like the Rust Foundation that can secure, maintain, and guarantee those memory-safe open source technologies for our manufacturers.

Open source software like Rust is free to use, but there is often no legal entity responsible for making sure new features don’t break old ones, dependencies are kept current, and security vulnerabilities are patched. Open source maintainers are volunteers who do some of that work, but it’s unreasonable and risky to depend on them. That’s why organizations like the Rust Foundation are critical to our cybersecurity. The Rust Foundation funds the infrastructure, operations, and security engineering for the Rust ecosystem.

The technologies using Rust today represent a broad spectrum of domains. From cloud computing to video streaming to vehicles, the use of the Rust programming language is nearly as diverse as the tech industry itself. Almost 3 million developers worldwide depend on the Rust ecosystem to deliver the optimized safety and speed that make Rust unique, and the Rust Foundation is the organization that guarantees the consistency, security, and sustainability of Rust.

In its first two years, the Rust Foundation raised an astonishing six million dollars in membership fees and donations to fund infrastructure, operations, and security engineering for the Rust ecosystem. Despite the success of the Rust Foundation, this is far short of the funding needed to fill existing gaps in Rust ecosystem security and sustainability while building the scalability and resilience needed to keep pace with Rust’s growing adoption and contributions. More importantly, future funding is not guaranteed. The current funding model depends entirely on voluntary memberships and contributions. Consumer pressure and industry regulation can drive adoption of more secure open source technology like Rust, but that has to be balanced with sustainable and adequate funding for the foundations that support those open technologies like the Rust Foundation.

The Atlantic Council’s Cyber Statecraft Initiative’s recent report on “Open Source Software as Infrastructure” considers the example of the U.S. Highway Trust Fund (HTF) that pays for the maintenance of roads and bridges - critical infrastructure used for transportation. The HTF is funded by a national fuel tax that ensures the users of those roads and bridges pay for its maintenance based on fuel consumption, a proxy measure of how much roads and bridges are used. The United States’ commitment to “continue to invest in the development of secure software, including memory safety” must produce an analogous model to draw equitably and consistently from manufacturers building with critical open source digital infrastructure like Rust to fund its security and maintenance by organizations like the Rust Foundation. 

The new United States National Cybersecurity Strategy acknowledges that “cybersecurity is essential to the basic functioning of our economy, the operation of our critical infrastructure, the strength of our democracy and democratic institutions, the privacy of our data and communications, and our national defense,” and that “the steps we take and the choices we make today will determine the direction of our world for decades to come.”

In my own experience of nearly 30 years in tech, I have never seen a bigger opportunity to have historic impact. We have a choice to make. We can continue adding to the technology house of cards holding up our communities today, or we can start investing right now in this strategy to build secure and sustainable technology that will serve and outlast us all. 

To find all three of the Rust Foundation's Distinguished Advisors, please visit our About page. Stay tuned for guest blogs by our other advisors in the near future.