Hacker News

Awesome!

Thanks for engaging, where the rubber meets the road!

Hopefully, you are also looking into other venues, as well.

HN has a great group of folks that represent some of the most cutting-edge tech, but IT runs on Java 8[0].

[0] https://news.ycombinator.com/item?id=19877916



Thanks for participating! After this thread winds down, I and my team are going to comb through it for suggestions and take as many as we can. We're also looking into other venues to engage directly with cybersecurity professionals. But please feel free to comment on the record as well -- a robust and detailed record is worth a lot more than whatever I can do individually.


An even better venue for informed cybersec professionals is the info-sec community on Twitter and Mastodon, https://infosec.exchange/about .

People like Michal Zalewski, https://twitter.com/lcamtuf, could point you to the best of that.


I think that you'll get a lot of feedback.

I would suggest to my peers, that the links you gave are "official channels," and are probably what you really want, as opposed to a rather rambling thread of comments.

But for me, you just get a rambling comment.

I made my career on devices. In particular digital scanners and cameras.

I worked for a company that was about as tinfoil as you could get, and they supported devices long past their sell-by date.

But I also know that my company was an outlier. They sold premium equipment, at a premium price. They were an "old-fashioned" Japanese corporation, and had a basic mindset of keeping the customer's workflow in the center of the screen.

I think IoT security is a huge issue, and I think that the solution could be that there are standard, open-source, open-license, free-to-use packages; maybe written in languages like C, that could be offered to the industry. These could enforce low-level compliance with security standards.

Oh, and keep the TLAs out of it. They would really like to put a bit of "extra spice" in something like that.

That said, I know that it will never happen. There's a gazillion issues.


> I would suggest to my peers, that the links you gave are "official channels," and are probably what you really want, as opposed to a rather rambling thread of comments.

I sort of want both. Official commentary moves the needle, but selfishly, I love the thread comments. People tell you what they really think, and sometimes go into a lot of detail as to why. It's an education for me.

> I think IoT security is a huge issue, and I think that the solution could be that there are standard, open-source, open-license, free-to-use packages; maybe written in languages like C, that could be offered to the industry. These could enforce low-level compliance with security standards.

"Universal basic security" would probably be a major field of policy approach if we found ourselves with some huge disaster requiring a regulatory response. It's at least worth thinking about now, even if it goes beyond the scope of what the immediate regs can do.


Pretty cool (or at least interesting) to see a government agency engage on HN like this. Never seen that before.


They're definitely making efforts to engage where practitioners and subject matter experts are. Substantial Federal gov showing at defcon this year for example.

https://www.dhs.gov/news/2023/08/11/secretary-mayorkas-deliv...

https://www.politico.com/news/2023/08/11/def-con-hackers-spa...

https://arstechnica.com/information-technology/2023/05/white...



