As the conventional wisdom goes, connecting more things to the Internet expands the cyber attack surface. For cities that have intentionally or even unknowingly become “smart” by networking critical infrastructure and digitizing services across a city’s domains, smart technologies pose a real risk of disrupting the critical functions that cities depend on every day.

As cities adopt new digital platforms and employ new technologies, ranging from the Internet of Things (IoT) to Artificial Intelligence (AI), into their infrastructure, the risk of a serious cyber incident, across a range of touch points, continues to grow. A cyber incident can result in significant financial harm and compromise the city’s most essential functions, such as the maintenance of its electrical grid or ability to dispatch emergency response services.

In some ways, these challenges are the hidden cost of cities deploying emerging technologies, the price to pay to innovate and take risks.

So we are at a crossroads. The growth of Smart Cities – projected to increase fourfold by 2025 – will continue. Unfortunately, at best, only a few cities have the skilled staff needed to address these new risks and cybersecurity challenges. Hence, the onus is increasingly on city administrators, technology providers and even community leaders to take on a steep learning curve together, and better understand how cybersecurity fits into making cities safe and secure. The question remains – how do we get there?

Emerging Digital Threats to Cities

In June 2019, an employee of the police department in the town of Riviera Beach, Florida opened an email attachment and unleashed a ransomware virus on the town’s networks that disrupted the traffic ticketing system, the city’s payroll department, the municipal administration’s email system and the 911 emergency system. The city council voted to pay USD 600,000 in Bitcoin to the hackers to retrieve the decryption key and regain control over their data and systems. As this example shows, threats do not need to be sophisticated to cause havoc. In fact, simple email phishing is the number one danger to deliver malware or steal credentials in order to cause a breach or disruption.

Rivera Beach is only one in a long line of cities that have been affected by malware and suffered significant financial or operational consequences. Other cities that weathered similar attacks include Baltimore, Maryland (who refused to pay a ransom equivalent to USD 102,000 in Bitcoin, and continued to suffer from intermittent service disruptions weeks later), Atlanta, Georgia (whose post incident recovery cost rose to USD 17 million), and others. In the U.S. alone, more than 170 city or local governments have been attacked since 2013.

Each incident brings lessons and reminds us that while smart technologies are intended to yield benefits, when deployed at scale, the increased number of interconnections and the novelty of adopting radically new capabilities bears its own risk. A good starting point for city administrators is to delve into three dimensions that have direct implications for cybersecurity and public safety:

1)  Expanded Operational Risk: Operating at scale is necessary to reap the benefits that many smart technologies promise. However, new technology-enabled interconnections and software vulnerabilities in thousands of devices across different operational domains, including critical infrastructure operations, bear the risk of large scale failure of a city’s essential services.

This reality is coupled with the fact that there is a dearth of cybersecurity talent currently available to handle this operational growth. A recent study estimated a global shortage of cybersecurity professionals close to three million. Moreover, city administrators are competing with large firms in the race for talent, which tends to gravitate towards the private sector in today’s tight tech labor market.

2)  Increased Management Complexity: The heavy lift of managing multiple systems comprised of varying technology and software is further compounded by the limited purview of local city officials over the broader digital infrastructure and services that are operated by private firms, which are often economically more powerful than the city itself. This is playing out in Toronto, where Sidewalk Labs reached an agreement with the city to redevelop the Quayside area into a technology-based urban innovation platform. Clashes between the need for the city’s public accountability and the alleged secrecy and unilateral decision-making on the part of  Sidewalk Labs highlight a tension in these public-private arrangements. Furthermore, whether the municipality actually has the capability and funds to maintain the heated sidewalks and underground trash infrastructure currently envisioned in the plan, remains an open question. As cities increasingly feel the need to showcase their capability to innovate and attract corporations, residents and talented labor, investments in smart technologies may fall short of delivering value if the city is unable to overcome management complexity.

3)  New Levels of Uncertainty and Distrust: Unexpected glitches or outages in ICT-dependent services such a smart transportation system, or malicious acts of tampering with an emergency response system, will undermine public confidence and trust. Here, AI-facilitated decision-making, such as the use of facial recognition for public safety or boundless surveillance is already raising fundamental privacy, social justice and ethical issues. These are areas of deepening concern that modern cities must effectively deal with to prevent backlash against deployment of smart technologies. Dialogue and education are paramount.

Securing the Smart Urban Environment – Beyond Cybersecurity

While often economic benefits, innovation and inclusiveness are drivers behind the development of modern cityscapes and smart infrastructures, issues around digital security have remained an afterthought; with costly consequences as recent incidents such as the attack in Atlanta have demonstrated. (A city auditor’s report published two months before the Atlanta ransomware attack detailed lax cybersecurity practices through the use of unsupported software systems and non-existent cybersecurity processes.) A secure digital infrastructure is the necessary foundation to build upon, yet, importantly, the city’s executive team holds final accountability for the public safety and general operational implications if smart city systems fail.

While there is no one formula applicable to each city, certain actions must be prioritized to address the challenges presented by the integration of technology across a city’s many operational domains:

First, focus on connecting smart, that is, ensuring the confidentiality, integrity and availability of data, systems and communications. Cybersecurity must be integrated into Smart City strategies from the get go. When thinking about whether or not to connect a system or component, city leaders must make a determination based on a review of the cybersecurity risk and existing risk mitigation measures. Risk-informed procurement requirements, for example, help build a cybersecurity baseline which prescribes that Smart City technologies be capable of accepting security patches and upgrades, default passwords be changed, and encryption enabled for data communications. In this context, serious consideration should be given to designating a chief information security officer (CISO), establishing a cyber risk management plan based on international frameworks and standards, and implementing a tested incident response and recovery plan.

Second, failing safe is a key building block of cyber resilience that ensures a city’s complex systems are designed with an innate ability to continuously deliver critical outcomes despite everyday glitches and acute shocks. Of course, a high level of resilience will come at a cost – critical infrastructures should be built with redundancies, or provisioned with surplus capacity that is available when needed. Building in redundancies and analog operations (such as what is proposed to increase protections in the U.S. electric grid) creates a level of cyber resilience that ensures consequences from cyber attacks can be isolated, so that essential services remain available – even if at reduced capacity. Eventually, these systems will be restored to full capacity. In essence, failing safe means that a city and its systems are adaptable and recoverable in light of a cyber incident.

Third, at the heart of a Smart City lies the collection, analysis and sharing of large amounts of data from sensors, cameras and microphones. This data is integrated across different domains, shared with systems operated by third-parties (in the private or public sector), and used to train Artificial Intelligence and support Machine Learning. While cybersecurity measures protect this data from unauthorized access, if disclosed or misused, such data can result in financial or reputational harm. Biased decision-making resulting from the use of AI is also an increasing concern. While presumed neutral, such bias may stem from sampling errors, faulty data or reflect societal inequalities that have been baked into the AI model. AI-induced harm may include declined job applications or erroneous risk determination in court sentencing.

Even for sensitive data, a 2019 Unisys survey showed that people are willing to provide biometric information in exchange for increased safety, however they also expect that this data is protected and that the government is transparent about how the data is used. Cities must manage responsibly privacy and data protection to ensure public trust.

Options available to cities include proclaiming a privacy and data protection charter applicable to all entities that offer Smart City services, establishing regular transparency reporting, appointing a chief privacy officer (CPO) or a Smart City privacy commission and introducing AI ethic guidelines and transparent data governance agreements with third parties that process Smart City-related data. Ultimately cities are accountable and have a defined responsibility for ensuring their resident’s privacy and safety.

Finally, achieving security and safety require collaboration and coordination among a large set of public stakeholders, businesses and residents, as well as providers of ICT services and the city’s municipal administration. The fabric of a Smart City is made of interwoven relations among these actors, and the boundaries between the private and the public sectors are often fluid. As mentioned, many elements of a Smart City are operated by private actors and city leaders should be aware of the trade-offs for both the municipality and the residents that can come with such arrangements. Furthermore, cities contain varieties of communities and populations with differing concerns, priorities and needs. Leadership should govern inclusively, ensuring wide engagement and inclusiveness by creating a culture and building the structures, processes and incentives that enable effective collaboration and coordination. This extends beyond the city’s geographical and jurisdictional boundaries, where arguably, as interconnectedness continues to grow, a coordinated, aligned approach for county-wide or regional solutions are needed (e.g., regional water management system, or supra-regional economic infrastructures such a major ports or airports).

Enticed by the very compelling attributes of a Smart City, elected and appointed local government officials often lack the capacity and resources to effectively secure and protect Smart Cities from digital threats. This is a daunting task considering the enhanced complexity of technology, and requires policies that capture anticipated benefits while mitigating new cybersecurity risks. The opportunity – and the burden – demands closing the gap and empowering city administrators to effectively make Smart Cities both viable and secure.

The report issued by the EastWest Institute – Smart and Safe: Risk Reduction in Tomorrow’s Cities – in February 2019 is freely available for download.