There is little chance any government is going to deploy a working solution to this in any short amount of time, and no chance that very many will. And as is pointed out, it's going to be 10-30 years before we manage to flush out all of the millions of insecure devices already out there. Even if shipping insecure devices is a death sentence for the company that did it, you will still have it happen from time to time, so there will always be a non-trivial number of insecure devices that the system will need to be secure in the face of.
Thus, making the consequence real to the vendor would at least improve their incentive to push back against dangerous governmental interference with their products, as well as moving market demand to wherever that happens the least. That's an unfair mountain of pressure to apply to any one specific vendor, sure. But this is a policy that would affect all vendors and their competitors equally, so it's really the collective industry picking up the tab and that finally is a player big enough to exert counter-pressure against governmental malfeasance. :P
So ultimately that means that the state and nature of IoT remains an important part of the equation. The challenge of securing or even allowing UPnP is the actual symptom in the face of the difficult-to-secure perceived needs of both lazy users and lazy vendors. :3
On the source end an ISP would have to have some kind of razor to tell which kind of traffic is really Grandma trying to log into her AOL email and Nancy posting selfies to Flopbook and Jacob connecting to his pal Jim's homebrew Minecraft server (because all that traffic has to get through, and ideally with no added latency!) and which kind of traffic is Bob's HP printer sending out carefully crafted attack frames designed to coordinate with billions of similar packets coming from entirely unrelated ISPs but converging upon the same target during the same fraction of a second.
The potential to blacklist devices completely from having internet access also sounds like a ridiculous amount of power to bestow upon any one standards body. Precisely what mechanism of checks and balances would prevent the body from giving in to corruption and extorting vendors just to allow their otherwise perfectly clean products online, or silencing competitors or influencing political communication in their favor?
Before the Internet was commercialized, if any network misbehaved, the rest of the Internet would block it until the administrators cleaned up their act. This would block some legitimate traffic, but newbie administrators learned quickly. The same system killed off open SMTP (email spam forwarding) nodes.
As a part of the Department of Commerce’s Internet Policy Task Force, 131 groups were asked to comment on the ‘Benefits, Challenges, and Potential Roles for the Government in Fostering the Advancement of the Internet of Things’
Most likely IoT devices are made visible on the Internet by using UPnP to poke a hole in the router firewall. Many routers ship with UPnP enabled by default. This, to me, is the real problem.
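As an added example (not from the thread, and not any vendor's or project's tool): a stdlib-only Python audit that finds the router over SSDP, locates its WANIPConnection control URL and walks the port-mapping table, so an administrator can see which holes UPnP has already punched in the firewall. It assumes a UPnP IGD v1 router on the local network; the action and field names come from the UPnP IGD specification, and everything else (function names, the 2-second discovery timeout, the 256-entry walk limit) is my choice.

```python
import re
import socket
import urllib.error
import urllib.parse
import urllib.request
from xml.etree import ElementTree as ET

WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"   # PPPoE routers expose WANPPPConnection instead
FIELDS = ("NewExternalPort", "NewProtocol", "NewInternalPort", "NewInternalClient", "NewPortMappingDescription")

def discover_igd(timeout=2.0):
    """Multicast an SSDP M-SEARCH for an InternetGatewayDevice; return its description URL or None."""
    msg = ('M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nMAN: "ssdp:discover"\r\n'
           'MX: 2\r\nST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n\r\n').encode()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg, ("239.255.255.250", 1900))
        try:
            reply = s.recv(4096).decode(errors="replace")
        except socket.timeout:          # no router answered: UPnP may simply be off (good)
            return None
    return next(iter(re.findall(r"^location:\s*(\S+)", reply, re.I | re.M)), None)

def control_url(description_xml, base):
    """Find the WANIPConnection control URL inside the router's device description document."""
    for svc in ET.fromstring(description_xml).findall(".//{*}service"):
        if svc.findtext("{*}serviceType") == WANIP:
            return urllib.parse.urljoin(base, svc.findtext("{*}controlURL"))
    return None

def parse_mapping(soap_xml):
    """Reduce one GetGenericPortMappingEntry response to the fields an admin cares about."""
    root = ET.fromstring(soap_xml)
    return {f: root.findtext(".//" + f, "") for f in FIELDS}

def list_mappings(url, limit=256):
    """Walk the router's mapping table by index; a SOAP fault (HTTP 500) marks the end of the table."""
    out = []
    for i in range(limit):
        body = ('<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
                f'<s:Body><u:GetGenericPortMappingEntry xmlns:u="{WANIP}"><NewPortMappingIndex>{i}'
                '</NewPortMappingIndex></u:GetGenericPortMappingEntry></s:Body></s:Envelope>')
        req = urllib.request.Request(url, data=body.encode(), headers={
            "Content-Type": 'text/xml; charset="utf-8"', "SOAPAction": f'"{WANIP}#GetGenericPortMappingEntry"'})
        try:
            with urllib.request.urlopen(req, timeout=5) as r:
                out.append(parse_mapping(r.read().decode()))
        except urllib.error.HTTPError:  # 713 SpecifiedArrayIndexInvalid: past the last entry
            break
    return out
```

To run it against your own router: fetch the URL returned by `discover_igd()`, hand that document and URL to `control_url()`, and pass the result to `list_mappings()`; any entry you do not recognise is a device (or malware on one) that has opened itself to the Internet.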