Castro agreed that should be a goal. “Consumers won’t necessarily look at the details,” he said, “but if you get industry to standardize how they do security disclosure, then you might see something like a green, yellow or red label, where the industry lets consumers know about those that are underperforming their peers.”
Lanier also agreed that consumer awareness and the “vetting” of products to rate their security – something like “a Consumer Reports-style rating system” – would make it easier for consumers to make informed choices, and therefore put market pressure on the industry.
He said he would not like to see “the prototypical ‘seatbelt law’-style requirements, but we’re beginning to run out of options.”
That is where Geer comes down as well. In another article, this one co-authored with Poul-Henning Kamp of Den Andensidste Viking, USA, titled “Inviting More Heartbleed,” he noted that software is one of the very few industries that remains essentially unregulated.
In other industries, problems eventually cause carnage, and, “at some point, the carnage crosses a pain threshold and regulation sets in: high-rise buildings got fire escapes, domestic electricity got insulated wires, trains got deadman switches, cars got seatbelts, medicine got clinical testing, and Freon got banned.”
So, when the damage from IoT flaws reaches some level of pain, “we see it as a foregone conclusion that sooner or later society will regulate the software industry,” he and Kamp wrote.
That regulation, they wrote, will likely take the form of product liability, which has as its formula, “if you make money selling something, then you better do it well, or you will be held responsible for the trouble it causes.”
Or, as Geer put it to CSO, “you either give your users the ability to inspect and turn off what they don't want or you, the provider, own the outcome.”
Which sounds like a lot more lawsuits, and not just from the FTC.