The proliferation of software-embedded devices through the Internet of Things (IoT) suggests that more features of daily life will be run on software and delivered as online services. Advocates argue that this accelerating shift will generate enormous benefits for consumers, businesses, and governments. But the IoT also presents an acute and growing risk of deploying insecure embedded software into critical systems. This paper argues that the economic incentives for industry are insufficient to deliver an optimal level of cybersecurity for embedded systems and that policy makers must fill the void. By synthesizing the objectives of regulators and product counsel, the paper develops a regime for promoting the development of secure embedded systems that preserves “permissionless innovation” while responsibly “protect[ing] public health, welfare and safety.” Drawing on legal and economic analyses of software security and integrating lessons from the open source software movement, the proposed regime combines incentives for public source code disclosure with enhanced ex post liability for insecure software in a limited number of high-risk embedded systems. Autonomous vehicles are analyzed as a test case.
As physical objects increasingly rely on software-embedded systems, regulation must keep pace. Promoting secure software without stifling innovation is critical, particularly given the exponential rate of improvement of networked devices. This paper offers a path to promote the security of embedded systems through a regulatory regime that facilitates vigorous competition between IoT manufacturers, incentivizes secure software development at scale, reduces uncertainty surrounding liability, and fosters public confidence.