Love this discussion. Similar discussions going on on IEEE policy lists and at recent DEFCON/Blackhat. Id be the last one to say govt should get too involved (having worked inside before) but I have seen some encouraging efforts like those out of US Federal Trade Commission (FTC) in the form of funded contests for upgradeable IoT devices. ..and NIST/FISMA/OMB guidance on government procurement. Although the later seems a bit less effective that one may think given a continued lack of awareness re: DNSSEC (a requirement for USG procurement) with comments like …”hey I thought we didn’t need dnssec anymore…” Sigh… Thank you for this discussion. -Rick From: iot-discussion [mailto:iot-discussion-bounces@ripe.net] On Behalf Of Gordon Lennox Sent: Saturday, August 5, 2017 12:36 PM To: Patrik Fältström <paf@frobbit.se> Cc: iot-discussion@ripe.net Subject: Re: [iot-discussion] Proposed US legislation I agree. The US federal government buys a lot of kit and so may have an effect on the market. They also have a small set of bodies / agencies - OMB, Homeland Security, NIST - who can be tasked in this particular case. This is not the case in the EU. MS do the purchasing. But “trade” tends to mean "international trade" and that is “complicated". I think we are not there. I can expand if required. But briefly. Everybody - everybody! - has supplied kit with vulnerabilities. So it is cool to accept broken stuff from local - NA / EU - suppliers but say we will not buy any stuff from certain other countries? And anyway your smartphone was manufactured where exactly? ;-) Gordon On 4 Aug 2017, at 19:31, Patrik Fältström <paf@frobbit.se<mailto:paf@frobbit.se>> wrote: To comment on what Gordon wrote, I think the choice of saying for example "procured by the federal government" etc is simply because of what power the legislator have. In many MS of EU one could probably say "public sector" and not only federal level. But it may differ between MS. Regarding Europol, I think they only act as proxies between police in the various MS. They do not take action on their own. And regarding ENISA, well, we have the struggle between COM and ENISA and I personally think it would be COM that make statements. That said, this is most certainly much more a trade issue than IT or even security. So Gordon, who knows trade? paf