Why The Biden Admin Is Telling Programmers To Avoid C And C++

Cybersecurity is an incredibly complex and vast topic, requiring a multifaceted approach across multiple sectors and disciplines, so the White House wants you to stop using C and C++. While that is a bit of an unnuanced simplification, this is essentially the case, following a publication from the Office of the National Cyber Director (ONCD). These programming languages are realistically at the root of many cybersecurity problems, and moving away from them is a good first step in fixing the security mess we find ourselves in.

For context, cybersecurity vulnerabilities are tracked in a variety of ways online, such as with the Known Exploited Vulnerabilities (KEV) Catalog from the Cybersecurity and Infrastructure Security Agency (CISA). Catalogs like this, along with independent research from organizations like MITRE, give us insight into some of the biggest problems in software and hardware, which are distilled into the Common Weakness Enumeration (CWE). The CWE list compiles the top weaknesses, and in 2023 it was led by a memory corruption weakness prevalent in C and C++ programs.

The ONCD report notes this with references to several past vulnerabilities that were exploited with great success, such as the recent BLASTPASS chain and the past Heartbleed problem. As alluded to above, the common denominator here is the programming language, and as such, the “highest leverage method to reduce memory safety vulnerabilities is to secure one of the building blocks of cyberspace: the programming language.”

As such, the Administration and other government agencies, such as the National Security Agency, recommend that developers move toward memory-safe programming languages to help eliminate this class of vulnerabilities. The published list of these languages includes Rust, Go, C#, Python, and several others.