<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Helvetica;
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:'Calibri',sans-serif;color:#1F497D">Love this discussion. Similar discussions going on on IEEE policy lists and at recent DEFCON/Blackhat. I'd be the last one to say govt should get too involved
(having worked inside before) but I have seen some encouraging efforts like those out of US Federal Trade Commission (FTC) in the form of funded contests for upgradeable IoT devices... and NIST/FISMA/OMB guidance on government procurement. Although the latter
seems a bit less effective than one may think given a continued lack of awareness re: DNSSEC (a requirement for USG procurement) with comments like … “hey I thought we didn’t need dnssec anymore…” Sigh… Thank you for this discussion. -Rick<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:'Calibri',sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:'Calibri',sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt">
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:'Calibri',sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:'Calibri',sans-serif"> iot-discussion [mailto:iot-discussion-bounces@ripe.net]
<b>On Behalf Of </b>Gordon Lennox<br>
<b>Sent:</b> Saturday, August 5, 2017 12:36 PM<br>
<b>To:</b> Patrik Fältström &lt;paf@frobbit.se&gt;<br>
<b>Cc:</b> iot-discussion@ripe.net<br>
<b>Subject:</b> Re: [iot-discussion] Proposed US legislation<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I agree. The US federal government buys a lot of kit and so may have an effect on the market. They also have a small set of bodies / agencies - OMB, Homeland Security, NIST - who can be tasked in this particular case. This is not the case
in the EU. MS do the purchasing.<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">But “trade” tends to mean “international trade” and that is “complicated”. I think we are not there. I can expand if required.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">But briefly. Everybody - everybody! - has supplied kit with vulnerabilities. So it is cool to accept broken stuff from local - NA / EU - suppliers but say we will not buy any stuff from certain other countries? <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">And anyway your smartphone was manufactured where exactly?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">;-)<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Gordon<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">On 4 Aug 2017, at 19:31, Patrik Fältström &lt;<a href="mailto:paf@frobbit.se">paf@frobbit.se</a>&gt; wrote:<o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:'Helvetica',sans-serif">To comment on what Gordon wrote, I think the choice of saying for example "procured by the federal government" etc is simply because of what power the legislator has. In
many MS of EU one could probably say "public sector" and not only federal level. But it may differ between MS.<br>
<br>
Regarding Europol, I think they only act as proxies between police in the various MS. They do not take action on their own. And regarding ENISA, well, we have the struggle between COM and ENISA and I personally think it would be COM that makes statements.<br>
<br>
That said, this is most certainly much more a trade issue than IT or even security.<br>
<br>
So Gordon, who knows trade?<br>
<br>
paf</span><o:p></o:p></p>
</div>
</blockquote>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
</div>
</body>
</html>