Of course there is no way to tell how much these initiatives, however well intended, will reduce the risks of catastrophic attacks. As the saying goes, that remains to be seen.
“It’s going to be a long process,” Fu said. “I don’t see bad people or malfeasance, but systems aren’t aligned in a way to give consumers what they need. Consumers don’t have choices (to buy secure devices).
“But if we don’t put standards in place, this market could collapse. It’s not going to be sustainable,” he said.
Waddell said he would like to see bug bounty programs expand—especially those that involve both the public and private sector. He pointed to the 2016–17 “Hack the Pentagon” program as an example. In that program, more than 600 researchers reported more than 3,600 vulnerabilities to the DoD.
“Let’s continue to encourage this type of ethical crowd-sourced hacking on IoT and critical infrastructure,” he said.
And he agrees with Fu that security is a journey. “We shouldn’t be treating cybersecurity as an all-or-nothing approach,” he said. “Embrace risk management, prioritize your most critical assets and work to reduce the likelihood and impact of breaches.”