Love this discussion. Similar discussions going on on IEEE policy lists and at recent DEFCON/Blackhat. Id be the last one to say govt should get too involved
(having worked inside before) but I have seen some encouraging efforts like those out of US Federal Trade Commission (FTC) in the form of funded contests for upgradeable IoT devices. ..and NIST/FISMA/OMB guidance on government procurement. Although the later
seems a bit less effective that one may think given a continued lack of awareness re: DNSSEC (a requirement for USG procurement) with comments like …”hey I thought we didn’t need dnssec anymore…” Sigh… Thank you for this discussion. -Rick
From: iot-discussion [mailto:iot-discussion-bounces@ripe.net]
On Behalf Of Gordon Lennox
Sent: Saturday, August 5, 2017 12:36 PM
To: Patrik Fältström <paf@frobbit.se>
Cc: iot-discussion@ripe.net
Subject: Re: [iot-discussion] Proposed US legislation
I agree. The US federal government buys a lot of kit and so may have an effect on the market. They also have a small set of bodies / agencies - OMB, Homeland Security, NIST - who can be tasked in this particular case. This is not the case
in the EU. MS do the purchasing.
But “trade” tends to mean "international trade" and that is “complicated". I think we are not there. I can expand if required.
But briefly. Everybody - everybody! - has supplied kit with vulnerabilities. So it is cool to accept broken stuff from local - NA / EU - suppliers but say we will not buy any stuff from certain other countries?
And anyway your smartphone was manufactured where exactly?
;-)
Gordon