U.S. Government Pushes for Memory-Safe Programming Languages Amid Growing Iranian Cyber Threats
In a move aimed at bolstering the nation’s cybersecurity resilience, the U.S. government is urging software developers and federal agencies to adopt memory-safe programming languages such as Rust, Go, and Swift. The call to action comes alongside a renewed warning about escalating cyber threats from Iran-linked hacking groups.
The Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA) jointly released updated guidance this week, highlighting the persistent risk of memory safety vulnerabilities—flaws that often result in exploitable security bugs such as buffer overflows and use-after-free errors. These vulnerabilities are particularly common in software written in C and C++, which still dominate legacy systems across critical infrastructure, defense, and enterprise platforms.
“The majority of high-impact cyber incidents over the past decade have involved memory safety issues,” said CISA Director Jen Easterly. “Transitioning to memory-safe languages isn’t just a recommendation—it’s a national security imperative.”
The announcement coincides with growing intelligence reports indicating that Iranian state-sponsored threat actors, including the notorious APT groups “Charming Kitten” and “Imperial Kitten,” are intensifying their cyber operations. These actors are reportedly targeting U.S. critical infrastructure, defense contractors, and private sector networks with sophisticated phishing and intrusion campaigns.
CISA’s warning specifically points to the increased use of artificial intelligence-powered phishing and credential harvesting, as well as a rise in zero-day exploits that take advantage of memory safety bugs.
Government Leads by Example
As part of its secure-by-design initiative, the federal government has mandated that all new software development funded by federal grants or contracts prioritize memory-safe languages starting in fiscal year 2026. Agencies will also start modernizing legacy systems, beginning with high-risk applications in the defense, energy, and healthcare sectors.
“Our adversaries are adapting quickly, and so must we,” said DHS Under Secretary for Strategy Rob Silvers. “Adopting memory-safe coding practices is one of the most effective ways to reduce the attack surface.”
Industry Response
Cybersecurity experts have largely welcomed the move. Many major tech firms—including Microsoft, Google, and Amazon—have already begun transitioning core components of their infrastructure to memory-safe languages. However, industry leaders warn that retrofitting legacy systems will require time, investment, and skilled personnel.
“This is a major cultural and technical shift,” said Katie Moussouris, CEO of Luta Security. “But it’s also one of the most proactive measures we can take to protect our digital infrastructure.”
Looking Ahead
With geopolitical tensions rising and the digital threat landscape evolving rapidly, the U.S. government’s dual announcement reflects a broader push for preventive cybersecurity measures rather than reactive ones. Officials believe that eliminating classes of bugs through language safety can drastically reduce the success rate of nation-state attacks.
As Iranian hackers—and other global adversaries—continue to probe U.S. networks for weaknesses, memory safety may soon become a frontline defense in the nation’s cybersecurity strategy.