
So what you're saying here, is that you're happy to let me drop a device of my choosing on to any part of your network, and that you'll take full responsibility for any damage caused because it was your (or your own developer's) negligence.



I don't see how you're inferring this, as a consumer's home network doesn't have trusted access to the hospital down the street.

What I did imply is that if I develop a device and put it on my network, then I'm essentially responsible for whatever damage it causes. Eg wiring a RPi to a heating element that will start a fire if left on continuously is a poor idea, regardless if the proximate cause is a cosmic ray bit flip or malevolent Internet noise.


So, you're saying that if a random consumer buys a $25 IP-aware camera, puts it on their Wi-Fi (and hence the Internet) so they can look at their cat at work, it is that consumer who the DoS-hit hospital down the road should look to, when that hospital is hit by a massive botnet-driven ransomware attack.

'Cause certainly random average-consumer should know how dangerous adding crap to their network can be ... for others ... and certainly he/she is capable of making provisions for this.

Fortunately, modern legal theory actually does consider "who are we talking about here, what can be expected of them" in cases like this. Hospitals could theoretically sue the IoT manufacturer on this as far as my IANAL knowledge goes, and it's more that the manufacturers are distant cheap factories in China that prevents this.


> it is that consumer who the DoS-hit hospital down the road should look to, when that hospital is hit by a massive botnet-driven ransomware attack.

Erm, no - the exact opposite. The consumer should look at the camera's manufacturer for their own connection being swamped, incurring overage charges, etc. In your scenario, if the hospital's only problem is that their Internet uplink is swamped, then they should be looking at their link provider for robust upstream shaping, etc. In the case of a simple traffic overload, nothing critical at the hospital should be affected because critical traffic should be segmented, or at least prioritized, over traffic from arbitrary endpoints. If there is more of an effect, then that is due to a further vulnerability that belongs to the hospital!

I referenced the hospital's developers/suppliers for these further vulnerabilities - in those cases they should be looking at their network admins, or at the creators of the failing (defective) equipment. The crux of the End to End principle (ie the Internet) is that edge nodes have the intelligence, and thus requirement/responsibility, for discerning "good" traffic from "bad". And (as I said) coming at it from the other direction, general robust engineering principle dictates that physical devices "fail safe" no matter what noise is presented at their network ports.



