We need proper liability laws for malicious traffic.
You are liable unless you can pass off that liability to someone else. So the ISP would be liable by default, and would have an incentive to filter their customers, or require them to abide by certain rules, pass some audits, provide proof of insurance or post a large deposit.
You could have insurers who in exchange of automated security scans will insure you, solving the problem for end-users at a reasonable cost.
This will actually encourage internet users (both consumers and businesses) to take security more seriously.
Litigation seems too heavy handed for these kinds of attacks.
A major issue here is how your smart toaster or MiVoice box can be spamming the internet and there's no real way to realize it for most people.
Since you pitched a controversial solution, let me make one that's probably even more controversial: maybe bandwidth is too cheap. Maybe the problem would fix itself without legal hell if your C&C'd smart toaster / VoIP box had an impact on your ISP bill instead of being folded into your unlimited bandwidth billing.
You are liable unless you can pass off that liability to someone else. So the ISP would be liable by default, and would have an incentive to filter their customers, or require them to abide by certain rules, pass some audits, provide proof of insurance or post a large deposit.
You could have insurers who in exchange of automated security scans will insure you, solving the problem for end-users at a reasonable cost.
This will actually encourage internet users (both consumers and businesses) to take security more seriously.