White House urges developers to move away from C/C++, yet federal agencies still run on 65-year-old COBOL
In a bid to enhance national cybersecurity, the Biden administration is urging developers to embrace memory-safe programming languages while moving away from those prone to memory access vulnerabilities, such as C and C++.
In a report released on Monday, the White House Office of the National Cyber Director (ONCD) emphasized the critical need for developers to mitigate the risk of cyberattacks by embracing programming languages devoid of memory safety pitfalls. The administration contends that by adopting memory-safe programming languages, tech firms can proactively stem the influx of vulnerabilities into the digital landscape.
Memory-safe programming languages provide a safeguard against software bugs and vulnerabilities associated with memory access, including buffer overflows, out-of-bounds reads, and memory leaks. Recent research from industry giants Microsoft and Google indicates that approximately 70 percent of all security vulnerabilities stem from memory safety issues.
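To make the bug class concrete, here is an added example (not from the ONCD report or any of the agencies cited) of the out-of-bounds read the paragraph above refers to: a small C parser for a constructed length-prefixed record, first trusting the length byte, then with the bounds checks that a memory-safe language would enforce automatically. The record format, function names and sample bytes are all assumptions made up for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record layout: one length byte, then that many payload bytes. */

/* Unsafe: trusts the attacker-controlled length byte and copies that many
 * bytes whether or not the buffer actually holds them. A length byte larger
 * than the data that follows becomes an out-of-bounds read. The C compiler
 * accepts this without complaint; this is the bug class the report targets. */
static size_t parse_record_unsafe(const uint8_t *buf, size_t buf_len,
                                  uint8_t *out, size_t out_len)
{
    (void)buf_len; (void)out_len;           /* bounds are never consulted */
    size_t n = buf[0];
    memcpy(out, buf + 1, n);                /* reads past buf when n > buf_len - 1 */
    return n;
}

/* Hardened: every read is checked against the bytes actually present and the
 * destination size. Returns the payload length, or -1 for a malformed record.
 * These are the checks Rust's slice indexing performs for you at run time. */
static int parse_record_checked(const uint8_t *buf, size_t buf_len,
                                uint8_t *out, size_t out_len)
{
    if (buf == NULL || buf_len < 1)
        return -1;                          /* no room for the length byte */
    size_t n = buf[0];
    if (n > buf_len - 1)
        return -1;                          /* claims more bytes than exist */
    if (n > out_len)
        return -1;                          /* would overflow the destination */
    memcpy(out, buf + 1, n);
    return (int)n;
}

int main(void)
{
    /* Constructed inputs: an honest record, and one whose length byte (0x40 = 64)
     * claims far more than the three payload bytes that follow it. */
    const uint8_t good[] = {0x03, 'a', 'b', 'c'};
    const uint8_t bad[]  = {0x40, 'a', 'b', 'c'};
    uint8_t out[16];

    printf("unsafe, honest input:  %zu\n", parse_record_unsafe(good, sizeof good, out, sizeof out));
    printf("checked, honest input: %d\n", parse_record_checked(good, sizeof good, out, sizeof out));
    printf("checked, bad input:    %d\n", parse_record_checked(bad, sizeof bad, out, sizeof out));
    /* parse_record_unsafe(bad, ...) would read 64 bytes from a 4-byte buffer. */
    return 0;
}
```

The checked parser rejects the malformed record instead of reading past the buffer; the unsafe one only appears to work because the honest input happens to be in bounds.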
National Cyber Director Harry Coker stressed the imperative for the nation to seize the opportunity and shoulder the responsibility of minimizing the attack surface in cyberspace.
“We, as a nation, have the ability—and the responsibility—to reduce the attack surface in cyberspace and prevent entire classes of security bugs from entering the digital ecosystem but that means we need to tackle the hard problem of moving to memory safe programming languages,” Coker said.
Joining the chorus, the US Cybersecurity and Infrastructure Security Agency (CISA) echoed the call for adopting memory-safe programming languages in a September blog post. Collaboratively, CISA, alongside the FBI, the US National Security Agency, and allied agencies, issued the report “The Case for Memory Safe Roadmaps” in December, advocating for this paradigm shift.
The latest 19-page report from ONCD pinpointed C and C++ as prime examples of programming languages fraught with memory safety vulnerabilities while lauding Rust as an exemplar of a safe alternative. Furthermore, an NSA cybersecurity information sheet from November 2022 endorsed additional memory-safe languages including C#, Go, Java, Ruby, and Swift, alongside Rust.
Despite the prevalence of C++ and C in the programming landscape—comprising 22 percent and 19 percent of software programmers, respectively, as of 2023—statistics from Statista reveal their waning popularity compared to languages like JavaScript, Python, and Java. Notably, the TIOBE Programming Community index ranks only Python as more prevalent, with C, C++, and Java closely trailing.
Federal Agency Systems Still Run on a 65-Year-Old COBOL Language, and Now They’re Falling Apart
However, the irony of this report lies in the federal government’s reliance on the 65-year-old COBOL language. Despite the White House’s call for software modernization, a significant portion of US federal agency systems persists in running on COBOL, according to a 2016 report by the Government Accountability Office.
COBOL, an enduring relic developed in 1959, remains deeply entrenched in over a hundred federal agency systems, serving critical functions across various departments including the Department of Veterans Affairs, the Department of Justice, and the Social Security Administration, according to another report from ZoomInfo. Even 45 out of the 50 states and the District of Columbia continue to rely on COBOL for their operations.
Joseph Steinberg, a cybersecurity expert, underscored the historical significance of COBOL in shaping business systems throughout the 60s, 70s, and into the 80s. However, with time, the coding community has gradually shifted away from this aging language, compounded by the scarcity of younger programmers versed in COBOL due to its exclusion from many university computer science curricula since the 1980s.
“It’s a programming language that was used to create a very significant percentage of business systems throughout the 60s, 70s, and even into the 80s,” cybersecurity expert Joseph Steinberg told CNN.
Steinberg continued, “The general population of COBOL programmers is generally much older than the average age of a coder,” adding that “many American universities have not taught COBOL in their computer science programs since the 1980s.”