If you don't like the "regulations to prevent bad stuff" approach, then use the "we'll let you do whatever you want, but if you screw up you're going to pay dearly to fix it" approach.
Then companies can balance the cost of adding a secure enclave and a Grsec kernel (just an example) to their smart coffee maker against having to recall all of their infected products from the market when a botnet takes over them.
Besides that stick, I would throw a couple of carrots in there, too, like the companies being able to brag that their products are A+ security rated, etc, in their promotional materials and on their packages.
"In short, I think regulations will prevent more damage than post-hoc legal retribution."
Time has proven that wrong so far. We got a lot of highly secure products after DOD's Computer Security Initiative gave clear guidance plus a financial incentive. DO-178B and other safety-critical markets are cranking out lots of them on the safety side. So is the segment of the smartcard industry focused on high security.
Regulation works so long as it has effective standards, they're clear, evaluated against the product, and must be followed to sell the product. As in the TCSEC era and DO-178B, reusable components for common cases show up to reduce the evaluation cost or risk. Open-source security would likely get a boost, too, as companies sponsoring it would sponsor certifiable versions with the higher QA.
The constraints of DoD CSI, DO-178B, and the smart card industry focus are all embodied in regulations, which precede legal retribution.
If a company busts the regs, it can be sued. But the first line of defense is that companies are required to do it right - by the regulations.
I agree regulation needs clear definition and followup to be effective. I continue to regard regulation as a better mitigator of damage than post-hoc penalties.
Regulation is about preventing a mess. Litigation is about cleaning it up. I'd rather not have the mess to begin with.
"Regulation is about preventing a mess. Litigation is about cleaning it up. I'd rather not have the mess to begin with."
That's exactly it. Although, I did propose the possibility in this thread of defining regulations that aren't immediately applied but apply in court after harm is alleged. The reason being that evaluation costs and time can be a big problem, especially for startups. This lets them simply follow guidelines with evidence produced during development, and they only pay the cost if they screw up. The cost goes up with the level of deviation and the harm it caused.
You're mentioning an industry funded by about 1/6th[0] of the Federal Budget related to war and consequences if things go wrong (like losing/death/geopolitical problems).
Just because it worked for the DOD doesn't mean it'll work everywhere else.
The LOCK project reported high-assurance cost them 30-40% over a regular development. Altran/Praxis does it regularly for a 50% premium. You don't need the DOD's budget to get even high-assurance software. High-quality stuff usually just costs a bit more upfront, followed by savings in maintenance.
I'd rather put the burden on the owner of the device. If someone puts a device on the internet, he is responsible for its actions. Don't want to be liable? Better buy a safe device. Can't buy a safe device? Don't put it on the internet.
Which is insecure because the creator of the coffee maker didn't consider security to be a necessary feature. The true liability lies with the person that made that decision and should not be transferable.
If we transfer the liability to the consumer, he _will_ consider this a necessary feature. And ask for it. It takes one serious conviction of a consumer and the company selling him crap will go out of business.
What good is a smart coffee maker? I don't need one. All this IoT stuff is over-hyped marketing nonsense. I've been playing with some Arduino and Raspberry Pi based devices to control things in my house, but they're toys. It's just more junk to buy.