The White House’s new national action plan on cybersecurity, released earlier this month, includes a nod to the so-called smart home -- and the vulnerabilities that could accompany an increasingly connected network of sensors, devices and appliances.
It’s among the first times the White House has acknowledged the risks the Internet of Things could pose to consumers and a formal signal the administration is broadening its view of potential attack targets to include everyday devices, according to Gartner analyst Mark Hung.
For the past year, Congress has been convening hearings and discussions related to the Internet of Things, covering various topics including the potential economic benefit to American businesses, privacy concerns for consumers, and encryption of personal data.
In the plan, the White House notes the Department of Homeland Security is working with Underwriters Laboratories, a security certification company, to create a Cybersecurity Assurance program that could evaluate connected devices for safety vulnerabilities before consumers buy them. These “things” might include “refrigerators or medical infusion pumps,” the plan said.
It doesn’t necessarily mean the White House and DHS plan to devote disproportionate resources to protecting consumers’ kitchenware, Hung said.
“Attackers, they value their time, too,” Hung said. “They’re going to pick the most valuable asset to attack. In most cases it’s not going to be people’s washers or refrigerators. Hackers may not be interested in hacking your refrigerator, but they may be interested in attacking the president’s refrigerator or a Fortune 500 CEO’s.”
Still, “despite the mention of the refrigerator thing, I think the vast majority of DHS’ concern is with the commercial and industrial [applications],” Hung said. “Whether it’s energy generation, whether it’s manufacturing, whether it’s overall infrastructure.”
As attack points proliferate, “obviously, the government feels that there is a role that it needs to play in helping secure” that rapidly growing network, he said.
In January, DHS issued a call to private-sector startups that have technology that can detect devices and sensors in the Internet of Things and also verify or authenticate them. The Internet of Things “allows every node, device, data source, communication link, controller and data repository ... to serve as a security threat and be exposed to security threats,” that notice said.
Correction: An earlier version of this article misidentified Mark Hung's employer. He is an analyst with Gartner.