Recently, malicious state and non-state sponsored cyber attackers
have increasingly leveraged the vulnerabilities in small and home
office routers produced abroad to carry out direct attacks against
American civilians in their homes.


Manufacturers have never had to care about security because no Gov agency would ever mandate secure firmware. This includes the FCC which license their devices and the FTC who (until recently) had the direct mandate to protect consumers.

Our most recent step backward was to gut those agencies of any ability to provide consumer oversight. All they they can do now is craft protectionist policies that favor campaign donors.

The US has a bazillion devices with crap security because we set ourselves up for this.

> Manufacturers have never had to care about security because no Gov agency would ever mandate secure firmware.

The problem is that "secure firmware" is a relativistic statement. You ship something with no known bugs and then someone finds one.

What you need is not a government mandate for infallibility, it's updates. But then vendors want to stop issuing them after 3 years, meanwhile many consumers will keep using the device for 15. And "require longer support" doesn't fix it because many of the vendors will go out of business.

What you need is the ability for consumers to replace the firmware.

That solves the problem in three ways. First, when the company goes out of business you can still put a supported third party firmware on the device. Second, you can do that immediately, because the open source firmwares have a better security record than the OEMs to begin with. And third, then the device is running a widely used open source firmware instead of a custom device-specific proprietary black box, which makes it easier for the government or anyone else who is so inclined to find vulnerabilities and patch them.

"You ship something with no known bugs and then someone finds one."

You managed to say that with a straight face!

Let's keep this ... non partisan. You might recall that many vendors have decided to embed static creds in firmware and only bother patch them out when caught out.

How on earth is embedded creds in any way: "no known bugs"?

I think we are on the same side (absolutely) but please don't allow the buggers any credibility!