Comment Re:Technical OR legislative? (Score 1, Interesting)
Civil or criminal solutions are intrinsically Local, with varying measures of corruption involved.
No, I disagree. Governmental authorities are not equal, and that's helpful in this potential area of regulation.
If the United States and European Union were to introduce common IT security fitness requirements, then they would likely be more than enough to form a "critical mass." A fairly straightforward legislative remedy, at least conceptually, would be to require Internet-connected device and software vendors to provide complimentary, opt-out, timely security updates for a minimum of X years after product withdrawal from sale (where X varies by product category, never less than 5) or, if failing in their obligations, to be barred from selling any new devices and to owe per-device, per-month financial penalties to a consumer restitution fund. The penalty amount would be based on the product's market price but also subject to an inflation-adjusted minimum. Vendors might also be required to post performance bonds before first sale so that these security obligations (and restitution) survive their corporate demise. Then, even if Uganda, for example, does not enact the same legislation (or does not enact "proxy" legislation which simply says "the product can only be sold in Uganda if also legally offered for sale in the U.S. or E.U."), the combined might of the world's two largest economies would be enough to establish a global standard in vendor security maintenance practices.
Government product fitness regulation could work quite well in this instance.