Comment on: US draft bill moots locking up execs who lie about privacy violations
0 08 Dec 2018 03:28 u/oohhhhcanada in v/programming
Comment on: How does your political philosophy affect your software choices?
Intelligence agencies, corporations, corporate spies all welcome the chance to help with "free" code. Installed on as many things as possible. Take a look at any large Linux product, like OpenWRT, check how many contributors it has. It isn't possible to know who 3% of the contributors are, and what their motives are. Checking all source code is virtually impossible. Checking what may be embedded into a compiler or interpreter is also nearly impossible. Coders are too busy writing new code or fixing old code; ABC agencies and affiliates are busy embedding hidden features, phone homes, and back doors. Free maybe isn't totally free. This applies to open standards as well; one wouldn't want to think someone at an ABC agency would weaken encryption or security of a standard in a way impossible to correct after millions of products are produced. Nothing like free open standards. Of course proprietary code from friends like Microsoft, Google, Apple and a slew of others does similar stuff. The money shouldn't go to the open source, but to validating it. Open standards should offer very high cash rewards for finding a major security flaw before being adopted. Routers and switches should be evaluated by UL or some similar group not only for electrical safety, but code safety. It wouldn't be cheap, but may help limit exploits.
No need to criminalize this; conviction rates will be low. Instead require any compromised entity to be subject to a civil court process, which is a lot easier for the government to win. All copyrights and patents it holds would become public domain and required to be published on a government-run public server created to share seized IP. Re-issue it under GPL 3 or some such. Include music and anything else. If a company messes up, take away their proprietary asset portfolio and put them out of business. Shareholders will be a lot more terrified of a civil process that could easily release all corporate-owned IP assets than a criminal threat, which is much harder to prove against some corporate officers. If the offense is found to be due to negligence or violation of other civil or criminal law, seize all corporate assets including all outstanding shares. What government treasury wouldn't like that?