Cities tend to promote awareness of the importance of data privacy and to get prepared for the impact of cyberattacks, since data will be an important city commodity
As services are becoming highly integrated and interconnected, vulnerabilities created by data exchanges are more common, and data security is therefore vitally important. Threats to privacy and cyberattacks have been on the increase for a long time, but the past few years have seen an explosion in cyberattacks on data and physical assets.1 In 2018, the total cost of losses from cyberattacks for the cities in a survey averaged EUR 2.8 million.2 A ransomware attack on the city of Atlanta in 2018 cost the taxpayer and estimated EUR 14.5 million.3
This integration and interconnection introduce the concept of ‘smart’ (or, at least, smarter) cities. Smart cities offer the prospect of societal benefit and greater personal comfort and convenience, thanks to ubiquitous connectivity. But this connectivity needs to be implemented securely, if smart cities are to have a future.
Cybersecurity is now a key consideration for developers and planners of smart cities, and attention is turning to the risks inherent in such a highly interconnected environment. However, while the cybersecurity industry has developed a mature understanding of how to measure and mitigate the impact of cyberattacks on infrastructure in ‘non-smart’ cities, there is limited knowledge of the potential impact of attacks on smart cities.
An attack on smart city infrastructure may create effects that cascade – or ‘ripple’ – outwards and impact other parts of the city or country, or beyond. These cascading effects can be non-linear and grow far larger than the initial direct damage, revealing hidden interdependencies and disrupting systems that were believed to be segregated from the impact point. Resilience is the essential concept that must be considered when creating these complex and highly interconnected environments. It is essential to use resilience as a cornerstone of city-building, and to do so in a way that can be scaled up and remain flexible for future upgrades and enhancements.
While investing in cybersecurity may be a strain on city budgets, the costs of not investing can be even larger as losses could run into billions of euros. City leaders have acknowledged that the consequences of a cyber incident could extend beyond data loss, and include a financial impact, reputational damage, reduced social trust, and disrupted crucial city services and infrastructure.
As the complexity of technologies, operational interdependencies, and systems management increases, so does the interest of hackers in profiting from this environment. Developing smart city initiatives without considering cybersecurity and privacy can result in a highly vulnerable environment that poses security risks to critical infrastructure and data, and in some cases may even create safety risks for citizens. For instance, there are strong doubts in some countries about autonomous vehicles (43 per cent of people in the US do not feel safe in a driverless car)4 so the development of a smart product has resulted in a need to invest in cybersecurity and data privacy. Planners must ensure that cybersecurity should be considered not just in this example of autonomous vehicles, but also in all the other critical and safety-focused aspects of smart city infrastructure.
The integration of multiple critical services – transport, communications, finance, energy production/distribution, and others – is likely to produce an environment that requires its own infrastructure protection plan. This integration, and its resulting complexity, may also result in an environment that is ‘more than the sum of its parts’, and require new conceptual approaches and models for security.
Advance planning is essential. By one estimate, 95 per cent of Cities 4.0 (as labelled so by ESI Thoughtlab, referring to hyper-connected cities that use technology, data, and citizen engagement in pursuit of the SDGs), ensure that cybersecurity is considered early in the process, compared with only 51 per cent of other cities.5
However, many cities are not ready for the challenges. Besides lagging far behind in the digital revolution, with outdated technologies running critical infrastructure, they lack the human resource expertise to be capable of addressing the challenges.6 Creating ecosystems of innovation – as Tel Aviv has done – could be one approach to improving security. Another approach is to invest in models of public/private cooperation and coordination, in the knowledge that the orchestration of security (as opposed to securing individual components) is the key to sustainable security. Efforts must be backed by city executives and not left to external entities or departments alone. Privacy and security are critical topics not to be neglected.
“It has been an interesting evolution over the last decade or two in terms of cybersecurity protections. Initially cities very much felt that they needed to create a fortress; then they started to realise that using the cloud was going to be more secure because many cloud service providers have 24/7 security experts with greater capacity to monitor, detect and prevent attacks.”
-Jeff Merritt, Head of IoT and Urban Transformation at the World Economic Forum
“We have introduced a bug bounty programme where we ask people: you, white hackers, people who are experts in this, help us look for mistakes, help us look for errors on our websites and we can work together to have more secure government websites and a more secure cyberspace.”
-Kok Yam Tan, Deputy Secretary of Smart Nation and Digital Government Office, Singapore
Interview with Sandy Carter, Vice-President of Worldwide Public Sector Partners and Programs, Amazon Web Services (AWS)