It's interesting to read the comments above because most of them identify one, and only one, actor and attempt to put the entire burden of security on that actor.
End-users whose hardware is used to run a botnet should be liable say some. The manufacturers of the IoT device should secure their devices aver others. ISP's should not be allowed to just provide dumb pipes chime in some. It's a cultural issue says the paper referred to in the article.
To make things interesting, for each candidate scape-goat there are apologists. End-users are too clueless, you can't expect them to take responsibility say some. The market precludes manufacturers from putting money in (security) features nobody wants say some. ISP's shouldn't be press-ganged to play network cop say others,
All of them are both right and wrong I think. There are areas of responsibility for everyone. Just like with driving a car. Car manufacturer are responsible for providing a car with certain minimum quality and safety features.They're liable if the brakes don't work or if the turn indicators are shoddy. Dealerships that do shoddy or incompetent maintenance may face liability claims too. Road owners (municipal, county state, and federal) can all be held liable for unsafe situations if they're careless. And nothing protects individuals drivers from making mistakes or driving under influence.
So it's not a contradiction to say that every actor is liable for a subset of the risks.
The government can do a lot by adopting a law that all and any IoT devices must be capable of being secured among others against unauthorised access. No more no less. No specifics, no technicalities: the market will figure that one out. That gets the manufacturers in a position where they can afford to put minimum levels of security in because nobody is going to undercut them on that. ISP's shouldn't be saddled with police duty, but they might be obligated to detect and report port scans and widespread probes for open ports. And finally, consumers could be held liable if they install hardware that's not "approved".
It will take awhile to get that far, but it looks like a stable and sensible equilibrium. As long as people agree it's not an "either or" but an "and and" proposition.
Besides, there could well be money in it too.
What if we can come up with a legal framework for a realistic apportionment of responsibility, strike a sensible balance between cost and security, introduce an "FTC-approved IoT device" stamp and market that entire framework as a solution. I think it will find takers in the EU, Japan, Korea, Taiwan at least.
Then we could start putting diplomatic pressure on "irresponsible" countries that don't have this framework in place. Ought to generate a market for "FTC-approved" gear, consultancy, and perhaps even assistance in adopting equivalent legal frameworks, no?
Of course China would rush to copy it, but they'd be copying us again (not the other way round) and lots of countries (especially those with purchasing power) might have reservations about installing a PRC-approved communications infrastructure as opposed to an FTC-approved one.