As Internet-connected devices become ubiquitous, it remains an open question whether security- or privacy-can or will scale, or whether a combination of perverse incentives, new problems, and new impacts of old problems like "technical debt" amassing from products being rushed to market before being fully vetted, will derail progress and exacerbate cyber insecurity. This Article investigates contemporary approaches to Internet of Things (IoT) governance through an in-depth comparative case study focusing on the European Union (EU) and the United States. Particular attention is paid to the impact on IoT security of the General Data Protection Regulation (GDPR) and the Network Information Security (NIS) Directive in the EU, and the influence of the U.S. National Institute for Standards and Technology Cybersecurity Framework (NIST CSF), with a focus on mitigating the risk of politically motivated attacks on civilians. We analyze reform proposals and apply lessons from major prior Internet governance debates to argue for a polycentric approach to improving IoT security and privacy in the transatlantic context.
