
What the White House Cybersecurity Plan Says About the Internet of Things


The White House’s new national action plan on cybersecurity, released earlier this month, includes a nod to the so-called smart home -- and the vulnerabilities that could accompany an increasingly connected network of sensors, devices and appliances.

It’s among the first times the White House has acknowledged the risks the Internet of Things could pose to consumers and a formal signal the administration is broadening its view of potential attack targets to include everyday devices, according to Gartner analyst Mark Hung.

For the past year, Congress has been convening hearings and discussions related to the Internet of Things, covering various topics including the potential economic benefit to American businesses, privacy concerns for consumers, and encryption of personal data.

In the plan, the White House notes the Department of Homeland Security is working with Underwriters Laboratories, a security certification company, to create a Cybersecurity Assurance program that could evaluate connected devices for safety vulnerabilities before consumers buy them. These “things” might include “refrigerators or medical infusion pumps,” the plan said.

It doesn’t necessarily mean the White House and DHS plan to devote disproportionate resources to protecting consumers’ kitchenware, Hung said.

“Attackers, they value their time, too,” Hung said. “They’re going to pick the most valuable asset to attack. In most cases it’s not going to be people’s washers or refrigerators. Hackers may not be interested in hacking your refrigerator, but they may be interested in attacking the president’s refrigerator or a Fortune 500 CEO’s.”

Still, “despite the mention of the refrigerator thing, I think the vast majority of DHS’ concern is with the commercial and industrial [applications],” Hung said. “Whether it’s energy generation, whether it’s manufacturing, whether it’s overall infrastructure.”

As attack points proliferate, “obviously, the government feels that there is a role that it needs to play in helping secure” that rapidly growing network, he said.

In January, DHS issued a call to private-sector startups that have technology that can detect devices and sensors in the Internet of Things and also verify or authenticate them. The Internet of Things “allows every node, device, data source, communication link, controller and data repository ... to serve as a security threat and be exposed to security threats,” that notice said.

Correction: An earlier version of this article misidentified Mark Hung's employer. He is an analyst with Gartner. 
