by firebones 3802 days ago
I'm confused by your first sentence. Read as you have written it, I think you mean that regulation will hurt innovation in the IoT space, not security in the IoT space, because you've already said that none of these companies have coherent plans for software security today. Regulation won't hurt security; it may help it by creating incentive for standardization around secure infrastructure to chip away at the "market rates for this kind of work" which "none of them can afford".

There is good regulation and bad regulation, but regulation can accelerate innovation. With or without regulation, addressing this problem with more standardization of secure software and hardware infrastructure would reduce the need for human assessors (or at the very least, push what they're worrying about higher in the stack). Addressing it with licensing and more humans is probably not the kind of regulation I'd look for. So could there be bar-raising regulation that encouraged infrastructural solutions that benefited the industry as a whole?

I'd hate to inject insurers into this world, but one way might be to require IoT manufacturers to carry some sort of indemnification against potential consumer damages, and the insurers drive the security quality. In the 1990s, it was insurers, tired of anesthesia-related malpractice losses, who created back-pressure on the profession to put better clinical standards in place, and errors related to anesthesia-related causes dropped, as did premiums for practitioners following the guidelines. Everyone benefited--especially the patients.

But in the IoT world today, there are no meaningful incentives around securing devices, and consumers have little influence.

1 comment

Yeah, you're confused because I mis-wrote that. Wow, that was indeed a confusing sentence. I meant regs will hurt innovation, not security.

The problem is that I think the security gains will also be marginal, and the innovation harm will be significant.

In particular, the history of security standards, which you bring up as an example of "good regulation", is checkered.

I agree with you that mandatory insurance could be a "middle way" between intrusive regulation and no regulation. But that's essentially the structure the payments industry uses with PCI, and PCI has been a race to the bottom.