Technical innovation across smart city applications is developing rapidly. So privacy awareness, data protection and digital infrastructure resilience are crucial for the efficient functioning of a city’s operations and the safety of residents.

A lack of cyber/privacy awareness can increase both distrust and also vulnerability to cyberattacks: It has been observed that in many cities, only top-level managers and officials have a high level of cybersecurity awareness. A lack of awareness among the majority of people creates a substantial risk of cyberattacks and an inability to deal with them. The interdependent nature of smart cities requires stronger public awareness of the security frameworks in a smart/intelligent infrastructure. In a 2019 study, Forrester stated: “Expect the development of more (AI-powered) deepfake–based attacks fabricating convincing audio and video at a fraction of the cost. To mitigate risk, IT departments need to further invest in training and awareness programs.”⁷

Lack of stand-alone cybersecurity departments/units in a connected city can act as a barrier to achieving higher levels of cyber-resilience and privacy awareness: Many cities are launching smart city and mobility initiatives, which involve high volume data management and exchange, but the IT departments of local governments usually have the primary responsibility for making those digital operations secure. This could restrict the effectiveness of cyber risk management within the city, particularly when there are insufficient skills and experience within the IT department. Rising interconnectivity will create the need for a better risk-response system to secure digital confidentiality and rapid issue management, both of which are crucial elements in a smart city ecosystem.

Disruption to services could be very damaging and even life-threatening: As cities turn into truly smart cities, where data is a strategic asset, cybersecurity integration maturity and social trust related to data exchanges must become transformational, involving continuous improvement and enhancement of cybersecurity frameworks and solutions to protect the city’s systems and citizens’ data and even lives (a cybersecurity failure in a health system can directly threat life; and an attack to autonomous driving operations is another example of how people’s lives could be affected).⁸

A trusted secure ecosystem is built on a set of founding principles, which include a Zero Trust model, transparency and privacy, regulations and compliance, micro segmentation, risk-based identity and resiliency. In approaching cybersecurity, cities must have in mind three major goals:

1. Govern like a nation: Smart cities combine advanced infrastructure with dense, high-speed connectivity. They offer new economic opportunities and new possibilities for urban life. The potential risks of disruption are also significant, and mitigating these risks requires a professional, methodical and long-term approach to security – in other words, the sort of approach a government would take to protect critical infrastructure, with regular development and enhancement of cybersecurity policies, guidelines and tools.
2. Smart cities as a defensive ecosystem: Disruption to smart cities is a matter of high concern for professionals tasked with securing these environments. But ‘smartness’ is a two-way street, posing risks but also containing defensive and self-healing properties. Dense connectivity can allow malicious actors to move swiftly, but defensive countermeasures can move just as fast, and can draw on the insight and visibility provided by myriads of individuals and devices. A smart city is a living organism, and should be constructed to encourage security orchestration and empowerment among its organic and digital residents.
3. Reboot with resilience: Smart cities must be designed with cyber resilience in mind. Resilience is a well-understood concept in critical infrastructure protection, but it has a price. Resilient infrastructure and technology tend to contain redundant or reversionary capabilities (i.e. back-ups), and these rarely come for free. The temptation is strong to remove these up-front costs, except for those who have previously witnessed disruption to highly connected environments, and the resulting economic, social and political costs. To them, resilience seems like a bargain. Rebooting with resilience is much easier than the alternative.

To reach those goals, several issues should be kept in mind:

Syncing city with cyber strategy, and allowing for flexibility: Cities should define a detailed cybersecurity strategy that is in line with their broader smart city strategy and that can mitigate the risks arising from the ongoing convergence, interoperability and interconnectedness of city systems and processes. Cities should consider carrying out regular and extensive impact assessments of their data, systems and cyber assets to identify, assess, and mitigate the risks in technology processes, policies and solutions. Cities should leave space for adjustments and improvements, as new solutions, approaches and connections may emerge that impact the strategy in place and require changes. Cities must follow ‘cybersecurity by design’ principles.

Having a clear cyber and data governance in place, with accountability: Cities need to formalise a governance approach to data, assets, infrastructure and other technology components. A comprehensive governance model should spell out responsibilities and roles for each critical component in the smart city ecosystem. Data management—including robust data sharing and privacy policies, data analytics skills, and monetisation models that facilitate the sourcing and usage of ‘city data’—is a critical aspect of governance.

Leveraging the ecosystem and building strategic partnerships to grow cyber capabilities: The cyber skills gap is not going away any time soon, so cities need to be innovative and proactive in plugging the cyber skills gaps in their administration and teams. This approach may require the city administration to explore non-traditional methods of tapping into cyber talent such as crowdsourcing, prizes, and competitions to solve cyber-related issues. A smart city requires new skills and competencies across its various ecosystem layers. Cities can also augment existing capabilities through strategic partnerships and outsourcing contracts with service providers.

Align regulation policies: Policies, legislation, and technology must be aligned continuously to maintain the right balance between protection, privacy, transparency and utility. Governance, policies and processes must mature along with the city’s overall cyber strategy.

Adopt a specific tool to manage the cybersecurity landscape of a smart city: The world’s increasingly connected ecosystems, such as smart cities and smart transport systems, call for new tools to manage their massive cyber risk operations. The broad range of compliance rules for a city determines the need to automate the collection process as well as compliance with this highly complex framework of regulations. This can only be achieved with a specifically developed asset, able to provide daily support to the smart city’s Chief Information Security Officer (CISO) team. This secure asset should be a platform that orchestrates an end-to-end cyber risk management programme across the broad smart ecosystem lifecycle of government sectors, vendors and third parties, regulators, security organisations and, of course,… citizens. It should be able to: contextualise (consolidate smart disparate systems into a holistic view of the entire ecosystem’s security); evaluate (determine compliance gaps to be mitigated based on regulatory requirements and frameworks); monitor and respond (track and respond to cyber activity and threats to the ecosystem), and sustain (maintain the security of the ecosystem for holistic and ongoing resilience). Each smart city ecosystem is different, so this asset should be tailored to the specific connected environment, such as a smart city by complementing and enhancing the city’s current security with a tailored and scalable approach.

Invest in awareness campaigns on privacy: The critical beneficiaries of a cyber secure city are its residents. It is important to have informed and aware citizens, in order to generate trust in the initiatives in place, and promote better behaviours in terms of data sharing and managing data risks.

Tokyo, Japan

With the Olympics Games being a preferred target for cybercriminals since London 2012, Tokyo and Japan started working on cyber protection after being awarded the 2020 Games (postponed to 2021 due to the coronavirus pandemic). The aim is that preparing for the Olympic Games should give momentum to measures for improving Japan’s national cybersecurity capabilities.⁹

Japan’s 2015 Cybersecurity Strategy included initiatives to increase security such as public-private cybersecurity partnerships, workforce development (leveraging from an ecosystem of partners, the ‘Cross-Sector Forum’), and cyber exercises. It also called on business leaders to incorporate cybersecurity in their business strategy and invest proactively in cybersecurity for innovation and growth.¹⁰ The involvement of the business sector went further through a ’Declaration of Cyber Security Management’ in March 2018.¹¹

Additionally, projects such as Cyber Colosseo¹² were created by the National Cyber Training Centre to respond to cyberattacks that were expected to target the Tokyo Olympic/Paralympic Games. Colosseo, started in 2017, is training professionals to the standards needed for protecting the event, but in doing so it will also create a new workforce of professionals for Japan’s cybersecurity market after the Games have ended.¹³ In 2018, the Tokyo Metropolitan Government produced a guideline for cybersecurity countermeasures for the Olympic/Paralympic Games.¹⁴

Pushing the concept of Society 5.0, cybersecurity is at the centre stage in Japan, and Tokyo is benefiting from this investment. The city considers the cyberspace environment and the internet to be drivers of innovation and economic growth, and it is one of the top cities in the world which has strength in both aspects (access and security). As of 2019, 91 per cent of Tokyo’s residents had internet access, and the city was ranked number one for digital security in the Safe City Index 2015, 2017 and 2019, published by The Economist Intelligence Unit.¹⁵

The city has prioritised investment in digital security, such as privacy policy, awareness of citizens’ privacy, public-private partnerships, and the technology employed, and it has created dedicated cybersecurity teams to secure its digital ecosystem. For instance, in 2020 the Japanese government passed a new amendment to the Act on the Protection of Personal Information (APPI) to bring policy more in line with the EU’s General Data Protection Regulation (GDPR). New guidelines will provide individuals with greater personal information protection and include provisions expanding an individual’s rights to require the deletion or disclosure of personal information.¹⁶

With the increasing reliance on digital infrastructure, cyber risks are increasing, especially in relation to transaction services. For instance in 2020 a digital payment system – which is a primary pillar of smart city infrastructure – suffered a major cyberattack, resulting in numerous illicit withdrawals at regional banks. This highlighted the vulnerabilities of e-commerce amid rising digitalisation.¹⁷

As a result, in September 2020 the Japanese government increased the focus on strengthening cyber defence strategies and announced plans to set up a government entity, the National Digital Agency, to lead digital transformation in Japan.^{18, 19}

Tel-Aviv, Israel

In 2010, faced with the prospect of an ever-increasing number of cyberattacks, the nation’s Prime Minister consulted with Israel’s National Cyber Initiative, which recommended that instead of creating a government-led cybersecurity programme, it should create a cybersecurity ecosystem that could identify and respond to the threats by itself. In response, a constantly evolving framework for this ecosystem was built, in collaboration with the government and the military, knowledge institutions and the business sector.²⁰

With the government as a catalyst, Israel’s cybersecurity industry accounts for 31 per cent of global investments in this sector, ranking in second place after the USA in 2021.²¹ It is an economic growth engine, and Tel Aviv is the its birthplace: companies like Snyk, SentinelOne, Cato Networks, Forter and BigID achieved unicorn status in 2020.²² Tel Aviv is also home to the Municipal Innovation Centre, which showcases demos of smart city solutions and digital innovation for city leaders and administrators in a non-biased environment, to help local governments implement secure smart systems. Tel Aviv also hosts an important annual global conference, called Muni World and Expo, as well as other international cyber events.

Tel Aviv leverages its innovation and start-up environment to strengthen its ecosystem. The involvement of and close connection to the military is a key element in this. In 2020 Tel Aviv University launched a free online cybersecurity course covering topics such as cryptography, security of identification systems, attack and defence strategies, and viruses and other malware, with participation by students from over 150 countries. In just six months, it became the number one security course in the world, out-competing 1,750 other courses.²³

Toronto, Canada

Following a recommendation by the Auditor General, Toronto has been working on developing its cybersecurity in response to threats and attacks. It currently uses network protection technology and cybersecurity practices to secure the integrity of infrastructure and to protect its assets.²⁴

The city established a Cyber Security Program in 2017 which was revised and expanded in 2019. It has appointed a Chief Information Security Officer, with responsibility for establishing a cybersecurity strategy to manage cyber risk and strengthen the existing cyber defences.²⁵ Moving forward, it plans to increase its security capabilities through a partnership with the Auditor General’s Office, provide cybersecurity training to city staff, and offering support for cybersecurity activities.²⁶

Canada currently faces a lack of cyber talent, and the University of Toronto (U of T) has joined forces with five other Canadian universities to explore the feasibility of a cybersecurity operations centre for higher education in Canada.²⁷ The city has also hosted other initiatives, such as the Catalyst Cyber Accelerator, to leverage from the cybersecurity ecosystem and develop expertise.²⁸ Toronto has the knowledge institutions, market conditions, and financing to position itself as a global leader in cybersecurity, both on its own and also as a part of the Ontario Global Security Hub.²⁹

In 2019, the City of Toronto was ranked sixth in The Economist’s Safe Cities Index. High performance results in the Digital Security, Health Security, Infrastructure Security and Personal Security categories placed the city sixth out of 100 cities that were scored in this study.³⁰

As our world has become more interconnected, the importance of privacy has grown. Initial enthusiasm for a hyperconnected smart city concept was followed by a strong backlash from citizens over privacy concerns, and a project to develop Alphabet’s Sidewalk Lab and transform Toronto’s waterfront was abandoned in 2020. Although it included in a plan for a sustainable and affordable community, ’raincoats’ for buildings, autonomous vehicles, and cutting-edge wood-frame towers to make housing more affordable, the project failed to convince the population of the benefits of sensors and monitoring, and instead raised fears and suspicions around privacy (and ‘surveillance capitalism’). ³¹

Although offering benefits to the population, the inability to gain its trust and the lack of transparency are seen as reasons why the project was dropped, illustrating the balance that local authorities will have to achieve going forward as they implement smart city projects. Toronto has now presented a new vision for the area, to replace the Sidewalk Lab project with a citizen-centric and community focus.