Security expert Bruce Schneier has a new essay out that makes this case: The only way to prevent the exploitation of insecure internet of things devices from causing catastrophic damage is government regulation. As he puts it, “our choice is between smarter government involvement and stupider government involvement.”
His premise would appear unassailable. The problem is we don’t necessarily get to choose; sometimes the difference between smarter and stupider is foisted upon us.
Schneier writes of the growing IoT threat:
“It's a form of invisible pollution. … And, like pollution, the only solution is to regulate. The government could impose minimum security standards on IoT manufacturers, forcing them to make their devices secure even though their customers don't care. They could impose liabilities on manufacturers, allowing companies like Dyn to sue them if their devices are used in DDoS attacks. The details would need to be carefully scoped, but either of these options would raise the cost of insecurity and give companies incentives to spend money making their devices secure. …
“Regardless of what you think about regulation vs. market solutions, I believe there is no choice. Governments will get involved in the IoT, because the risks are too great and the stakes are too high. Computers are now able to affect our world in a direct and physical manner.”
Before Tuesday’s election I would have pegged the chances of “smarter government involvement” at not great but at least somewhat better than slim.
Today? The chances are all but none.