"There is literally no way to fix all this dumb fragile infrastructure without a massive government program that accepts responsibility for doing so."

Regulation and/or software liability. So far, they can ignore security with it rarely costing them anything. In a few industries, ignoring safety will cost a lot. So, they spend a fraction of that cost on preventing the overall cost. It might also be a requirement of even selling the product. Basic stuff like memory safety, login practices, updates, and so on being a requirement could get the bar way up. It was done before under TCSEC with DO-178C doing it now for safety. A whole market of safe products formed.

Alternatively, people do a strong push in courts to hold companies liable for any time their computers are used to attack a 3rd party. The folks suing and experts testifying focus on the core practices that prevent most problems. The argument is professional negligence. We stay on them until the risk-reward analysis for information security has executives making sure it gets done with specific stuff in the lawsuits addressed. Since that stuff is 80/20, then it solves about 80% of the problems. The new incentives might also make it easier to convince them to partly or wholly use systems like OpenBSD, QubesOS, and Genode.

Although I favor regulation, I think the lawsuit strategy should get a lot of experimentation first. It doesn't require a change in government. Just good lawyers. :)
