Why the US Government Is Urging a Move Away from C/C++ to Memory‑Safe Languages

The White House Office of the National Cyber Director released a 19‑page report urging developers to adopt memory‑safe programming languages, citing the security risks of C and C++ and calling for both software and hardware improvements to reduce attack surfaces and improve software measurability.


C and C++ are unsafe; developers should switch to memory‑safe languages, the Office of the National Cyber Director (ONCD) declared in a 19‑page PDF titled “Back to the Basics: The Path to Secure Software.” The report, part of President Biden’s cybersecurity strategy, links the use of unsafe languages to national security risks.

ONCD asks companies and developers to act on two fronts: reduce memory‑safety vulnerabilities by using memory‑safe programming languages and hardware, and advance software measurability to better assess security quality.

Reduce memory‑safety bugs through memory‑safe languages and memory‑safe hardware.

Address the research challenge of software measurability to shrink the attack surface available to malicious actors.

Memory safety means preventing errors such as buffer overflows and dangling pointers that can cause crashes, undefined behavior, or exploitable vulnerabilities. These bugs fall into two categories: spatial (out‑of‑bounds accesses) and temporal (use‑after‑free or race conditions).
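As an added illustration of the two bug classes just described (this is example code written for this page, not code from the ONCD report or the original article), the C snippets below contrast the unchecked pattern behind spatial bugs with checked alternatives that carry the object size, and show why the usual C idiom against dangling pointers is only a partial defence. All function and type names are this example's own.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* --- Spatial safety: every access must know the size of the object it touches --- */

/* Classic bug pattern: the callee has no idea how big dst is, so an input
   longer than the buffer silently writes past its end (buffer overflow). */
void unchecked_copy(char *dst, const char *src) { strcpy(dst, src); }

/* Hardened form: the destination size is part of the contract. Returns -1 and
   writes nothing if src (plus its NUL terminator) would not fit in dst. */
int bounded_copy(char *dst, size_t dst_len, const char *src) {
    const char *nul = memchr(src, '\0', dst_len);   /* NUL within dst_len bytes? */
    if (nul == NULL) return -1;                      /* would overflow: refuse */
    memcpy(dst, src, (size_t)(nul - src) + 1);       /* copy including the NUL */
    return 0;
}

/* Out-of-bounds read guard: the index is validated against the length, never trusted. */
bool get_at(const int *arr, size_t len, size_t idx, int *out) {
    if (idx >= len) return false;
    *out = arr[idx];
    return true;
}

/* --- Temporal safety: a freed object must not stay reachable through a live pointer --- */
typedef struct { int id; } session_t;

/* Releasing through a double pointer lets us null the caller's reference, so a
   later use hits the NULL check instead of reading freed memory. The limit of
   the idiom: other copies of the pointer (aliases) are not cleared, which is why
   memory-safe languages enforce this in the compiler or runtime instead. */
void session_release(session_t **sp) { free(*sp); *sp = NULL; }

int session_id(const session_t *s) { return s ? s->id : -1; }

int main(void) {
    char buf[8];
    printf("short fits: %d\n", bounded_copy(buf, sizeof buf, "short"));                 /* 0 */
    printf("long refused: %d\n", bounded_copy(buf, sizeof buf, "definitely too long")); /* -1 */
    int v, data[3] = {10, 20, 30};
    printf("idx 5 allowed: %d\n", get_at(data, 3, 5, &v));                              /* 0 */
    session_t *s = malloc(sizeof *s);
    s->id = 42;
    session_release(&s);
    printf("id after release: %d\n", session_id(s));                                    /* -1 */
    return 0;
}
```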

Historical incidents like the 1988 Morris Worm, the 2003 Slammer Worm, the 2014 Heartbleed bug, and the 2023 BLASTPASS chain illustrate the severe impact of memory‑safety flaws. Industry data show that roughly 70% of Microsoft CVEs (2006‑2018) and 70% of severe Chromium bugs (2020) stem from memory‑unsafe code, while 67% of 2021 zero‑day exploits were memory‑related.

ONCD stresses that “the most effective way to improve software security is to use memory‑safe programming languages.” It does not prescribe a single replacement language but points to the NSA’s list of recommended memory‑safe languages: Rust, Go, C#, Java, Swift, JavaScript, and Ruby.

According to the TIOBE index, Java ranks highest among the NSA‑recommended languages, followed by C#, JavaScript, Go, Rust, Swift, and Ruby. The report also calls for hardware that supports memory protection, citing projects such as CHERI (SRI International & Cambridge) and Arm’s Morello architecture.

ONCD highlights the difficulty of measuring software quality, noting that unlike physical products, software lacks a uniform structure, making universal metrics complex. It urges large organizations, tech companies, and governments to collaborate on this challenge.

Industry reactions vary: the Rust Foundation urges public‑funded projects to default to Rust; Microsoft focuses on software supply‑chain security; IBM advocates protecting existing code; Google supports transitioning to memory‑safe languages; AWS backs the use of memory‑safe languages for new projects but warns that logical bugs can be a larger issue.

A senior C++ ISO committee member countered that C++ offers a formal memory model and a vibrant community, arguing that many criticisms target legacy code lacking modern safety features. The response emphasizes that memory safety is only one aspect of security and that education and modern language facilities can mitigate many risks.

In practice, C and C++ remain dominant in system‑level, game, and AI/ML infrastructure, making a rapid, wholesale replacement unrealistic. A mixed approach, rewriting critical components while retaining legacy code, may be the most pragmatic path forward.

Written by

Open Source Linux

Focused on sharing Linux/Unix content, covering fundamentals, system development, network programming, automation/operations, cloud computing, and related professional knowledge.
