Why Bjarne Stroustrup Says the NSA’s Call to Ditch C/C++ Misses the Mark

At the end of 2022 the NSA warned that C and C++ are unsafe and urged a shift to languages like Rust or Go, but Bjarne Stroustrup counters that modern C++ offers robust static analysis, type and resource safety, and that the agency’s view overlooks these advances.

21CTO

At the end of 2022 the U.S. National Security Agency (NSA) published a report titled “Software Memory Safety,” stating that C and C++ are unsafe and recommending that organizations abandon these languages in favor of safer alternatives such as C#, Rust, Go, Java, or Ruby.

In response, Bjarne Stroustrup, the creator of C++, argued that the “secure” languages cited by the NSA do not actually outperform C++ in critical applications.

Stroustrup argued that the NSA’s assessment overlooks more than three decades of progress in C/C++ and ignores many improvements that have dramatically increased safety, including static guarantees for type and resource safety.

In Stroustrup’s words: “Now, if I believed any of those ‘secure’ languages were superior to C++ for the use cases I care about, I wouldn’t consider the phase‑out of C/C++ a bad thing, but the reality is not so. Moreover, ‘security’ as described is limited to memory safety and ignores the many other ways a language can be used to violate security and assurance.”

Stroustrup emphasized his decades‑long effort to make C++ better, safer, and more efficient, especially through the C++ Core Guidelines, which aim to provide static guarantees of type and resource safety. A good static analyzer that follows these guidelines can ensure C++ code safety more easily than switching to a newer language.

He criticized the NSA report for focusing solely on memory‑handling issues while ignoring many other factors that affect project security and reliability, and recommended using code annotations and compiler options to control which rules are applied, so that types and resources are handled safely.

Stroustrup also noted that many perceived weaknesses of C are actually avoidable in C++ by writing more efficient code that directly expresses programmer intent.

In an email to InfoWorld, he defined security as type and resource safety—each object used according to its type without resource leaks. For C++, this means runtime range checks, eliminating dangling‑pointer accesses, and avoiding misuse of casts and unions. C++ offers high‑level tools such as containers, span, range‑for loops, and variant that provide guarantees without sacrificing productivity or performance.
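To make the contrast concrete, here is an added example (not from the article or from Stroustrup) that puts each C‑style pattern the article criticizes next to the modern C++ form it names: a range‑checked container instead of a raw pointer, a range‑for loop instead of a hand‑written index, std::variant instead of a union, and RAII ownership instead of a raw pointer that can leak or dangle. It uses std::vector where the article mentions span so that it builds with C++17; the names `Buffer`, `read_checked`, `live_int` and the sample values are constructed for this example.

```cpp
// Added example, not from the article or from Stroustrup: C-style patterns
// that can silently corrupt memory, each beside the modern C++ form the
// article names (containers with range checks, range-for, variant instead of
// union, RAII ownership instead of raw new/delete). Uses std::vector where
// the article mentions span so that it builds with C++17.
#include <cstddef>
#include <cstdio>
#include <memory>
#include <optional>
#include <stdexcept>
#include <variant>
#include <vector>

// --- Range checking ---------------------------------------------------------
// C-style: the pointer carries no size, so an index past the end is undefined
// behaviour, not an error. Shown for contrast only; never called out of range.
int read_c_style(const int* buf, std::size_t idx) { return buf[idx]; }

// Modern C++: the container knows its size; at() turns a bad index into a
// catchable exception instead of a silent out-of-bounds read.
int read_checked(const std::vector<int>& buf, std::size_t idx) {
    return buf.at(idx);  // throws std::out_of_range when idx >= buf.size()
}

// Range-for: there is no index to get wrong at all.
int sum_all(const std::vector<int>& buf) {
    int total = 0;
    for (int v : buf) total += v;
    return total;
}

// Count how many requested indices were rejected rather than executed.
int count_rejected(const std::vector<int>& buf, const std::vector<std::size_t>& idxs) {
    int rejected = 0;
    for (std::size_t i : idxs) {
        try { (void)read_checked(buf, i); }
        catch (const std::out_of_range&) { ++rejected; }
    }
    return rejected;
}

// --- Type safety: union vs variant ------------------------------------------
// A union does not record which member is live; reading the other member is
// type punning whose result is neither portable nor what the programmer meant.
union RawUnion { int i; float f; };

// std::variant records the live alternative and refuses to hand out the wrong
// type: get_if yields nullptr instead of reinterpreting the bytes.
using IntOrFloat = std::variant<int, float>;

std::optional<int> live_int(const IntOrFloat& v) {
    if (const int* p = std::get_if<int>(&v)) return *p;
    return std::nullopt;  // a float is live: no silent reinterpretation
}

// --- Resource safety: ownership via RAII ------------------------------------
struct Buffer {
    std::vector<int> data;
    explicit Buffer(std::size_t n) : data(n, 1) {}  // n elements, all 1
};

// unique_ptr frees the Buffer on every exit path, including the exception
// path out of read_checked, so there is neither a leak nor a pointer that
// outlives the object it refers to.
int use_buffer(std::size_t n, std::size_t idx) {
    auto b = std::make_unique<Buffer>(n);
    return read_checked(b->data, idx);
}  // b released here, whether or not read_checked threw

int main() {
    std::vector<int> v{10, 20, 30};
    std::printf("sum=%d rejected=%d\n", sum_all(v), count_rejected(v, {0, 3, 99}));
    std::printf("int live? %s\n", live_int(IntOrFloat(1.5f)) ? "yes" : "no");
    std::printf("use_buffer=%d\n", use_buffer(4, 2));
    return 0;
}
```

The point of the example is the one the article makes: each of these replacements is a library or language feature that carries the bounds, the live type, or the ownership with the object, which is what lets a static analyzer following the Core Guidelines reason about the code without a change of language.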

He further argued that the “secure” languages cited by the NSA are themselves exposed to attacks through unverified code, and that the hardware access such systems need is rarely safe on its own.

Stroustrup outlined his strategy for safe C++ use:

1. Static analysis to verify that no unsafe code is executed.
2. Simplify coding rules so that industrial‑scale static analysis is feasible.
3. Provide libraries that make writing such simplified code easy while ensuring runtime checks when needed.

He also questioned why experts were not consulted before the NSA report was issued, and suggested publishing a clear checklist of “wise practices.”

Today, millions of developers maintain billions of lines of C++ code across domains such as aerospace, medical devices, artificial intelligence, biomedical research, and high‑energy physics.

Relevant paper: https://www.open-std.org/jtc1/sc22/wg21/docs/papers/2023/p2739r0.pdf


Tags: C, Software Security, programming languages, Memory Safety, static analysis
Written by 21CTO