With the rise of smart cities and technology in everyday life, the associated security vulnerabilities likewise grow. Cities, as centres of resources and critical infrastructure, are particularly attractive targets and hosts for cybercrimes. Cities need to embrace new mind-sets and strategies to tackle this.
Cities mentioned in this article:
Photo of a server room
Technological innovations have radically changed cities round the world in just a few short decades, from bridging communities and facilitating governance to enhancing liveability and public security. With the rise of smart cities, technology is steadily becoming inseparable from urban life.
At the same time, the technologies transforming cities into dynamic urban hubs are also exploited by criminals to carry out sophisticated cybercrimes. Cities, as centres of resources and sensitive information, critical information infrastructure, and populations, are key targets and hosts for cybercrimes.
When it comes to smart cities, the stakes are further heightened. “Everything that has an IP address can be weaponised – a laptop, a smart phone, parking metre or even a camera,” observes Maria Vello, Chief Operating Officer, Cyber Defence Alliance. “Smart cities are underprepared for such criminal acts and we are seeing more and more ways for criminals to penetrate into our systems through smart devices and systems.”
Smart cities at risk
Smart cities are particularly vulnerable to cybercrime for a few reasons. Firstly, with millions of interconnected devices, from air quality monitoring systems to automated traffic management tools, the potential attack surface in smart cities is vast during an attack.
Secondly, smart objects and systems deployed by cities for municipal purposes usually rely on machine-to-machine interactions and automated decision-making. For instance, when sensors detect pedestrians at a crossing, they can send signals to lengthen crossing time. Such chains of automated responses can be hijacked for criminal purposes once a system is compromised.
Thirdly, the interconnectivity of smart objects means that a self-propagating malware can easily proliferate and take down key systems at a high speed. As more and more municipal services depend on smart systems, the breakdown of critical services and security breaches through cybercrime is increasingly a reality. Vital services, from water and electrical supply to traffic management and e-citizen portals, are susceptible to attacks, which in turn render cities vulnerable to being held ransom by criminals. The 2017 global Wannacry ransom ware attack which effectively crippled England’s National Health Service is a precursor of the near future.
“Everything that has an IP address can be weaponised – a laptop, a smart phone, parking metre or even a camera.”
— Maria Vello
Chief Operating Officer, Cyber Defence Alliance
The challenges of defending smart cities
Given the potential scale and consequences of cyber threats, smart cities need to secure their systems holistically while staying ahead of cybercriminals. However, much of the cybersecurity put in place by cities today is more often implemented in silos and is dependent on individual municipal agencies. The challenges of ensuring effective cybersecurity further compound the risks.
One of the biggest issues faced by municipal authorities is the lack of skilled talents in cybersecurity in their ranks. Many cities have been slow to formalise the recruitment and investment in such talents, whether through establishing new posts or offices dealing with cybersecurity, or long-term partnerships with the technology companies. What ensues then are city authorities with limited capabilities to assess cyber threats, and effect sound strategies to address the risks.
There is also often a lack of close partnership and culture of information exchange on cyber-attacks among a city’s agencies, and between the public and private sectors. This leads to fragmented threat intelligence as well as lack of clarity in whose responsibility it is to ensure security, which makes it even harder for municipal authorities to accurately assess risks and propose measures.
Lastly, the influx of new technology and systems makes it hard for security to catch up. A smart system that is secure may easily become obsolete in a short time. “In general, companies want to be the first to market when it comes to new smart devices, so security is often an afterthought,” Vello points out. At the same time, cities typically require substantial time to identify, test and deploy smart systems, by which time the systems’ vulnerabilities may have been discovered and exploited.
Tackling cybercrime holistically
To begin tackling cybercrime, smart cities first need a holistic, comprehensive strategy. Such strategies must address critical aspects – legislation to empower city authorities to deal with cybercrimes, creation of key offices in charge of a city’s cybersecurity strategy, systematic identification of key vulnerabilities and critical assets, definition of roles, responsibilities and standard procedures for all stakeholders to implement security, and a disaster recovery plan to contain the impact should an attack take place.
With cyber-attacks on the rise, cities are now becoming more aware of the need for such comprehensive city-wide strategies and policies. In mid-2017, Singapore proposed a new cybersecurity bill which lays out proactive measures to protect the city’s critical information infrastructure in water supply and healthcare to media and infocomms etc.
Key highlights of the bill include legislative powers to allow law enforcement to take precedence over privacy rules in the case of a suspected cyber-attack, appointment of a commissioner of cybersecurity, and assignment of responsibilities to owners of critical information infrastructure to protect and secure the assets. Such acts allow cities to be comprehensive in their approach towards cybersecurity and address challenges such as recruiting talents and delegating responsibilities.
Partnership as the way forward
Another key pillar of implementing cybersecurity lies in building long-term partnerships, both with tech companies and private industry. As Vello notes, “Security needs to be part of the design and architecture of smart systems and cities from the onset, as it is harder to reengineer than to do it right from the start. Criminals are very sophisticated and they have rapidly accelerated their capabilities to attack our systems because they share information and resources. We need to do the same. The risks are far greater if we don’t share.”
As such, not only do city authorities and urban planners need to take into account cyber threats in designing a smart city, they also need to work with tech companies to prioritise security as part of smart systems before deployment. The challenge posed by fragmented intelligence can only be addressed through collaboration, so as to facilitate sharing of timely information and developing solutions. The Cyber Defence Alliance, which brings together researchers and stakeholders in the public and private sectors to work on building a secure cyber commerce ecosystem, is an example of how sector-based partnerships work.
The non-profit Securing Smart Cities initiative, launched by leading tech companies, IT researchers and organisations, is an example of fostering partnerships on a global scale. By creating a platform to share information and research data and catalysing collaboration among stakeholders, the initiative enables companies, governments and other non-profits around the world to be involved in building and improving safe smart cities. On top of that, the initiative also invests in educating smart city planners and providers on security best practices and creating standards to improve cybersecurity.
As cybercrimes become more prolific and globalised, cities should leverage collaborative platforms in their fight against cybercrimes. The World Economic Forum is another entity which has invested in fostering such platforms. Head of Public Security Policy and Security Affairs, World Economic Forum, Jean-Luc Vez, shares, “In recent years, the forum has gathered Chief Information Security Officers and Chief Risk Officers from our partners and top representatives from law enforcement authorities acting on the global level, such as Interpol. We catalyse discussions among them so that they can achieve a comprehensive assessment of global cyber threats, and based on the assessment, identify common needs and decide on common measures. Such an information sharing platform has also been set up here in Singapore at the Interpol Global Complex for Innovation.”
“Security needs to be part of the design and architecture of smart systems and cities from the onset, as it is harder to reengineer than to do it right from the start.”
— Maria Vello
Chief Operating Officer, Cyber Defence Alliance
Moving towards a truly safe, smart city
The responsibilities for securing smart cities are not exclusive to public agencies. Rather, as a significant number of smart devices in cities today are personal possessions, engaging citizens in cybersecurity efforts makes a huge difference in creating safe, smart cities.
Nurturing smart citizens who are trained in keeping their own devices and data secure go a long way in limiting cybercrimes on the ground, as it becomes harder for criminals to weaponise those devices and use stolen data for criminal purposes. At the same time, citizens who are educated on the right responses when smart systems are compromised are crucial in the making of resilient cities.
For such a vision to become reality, not only do cities need to address cybersecurity from top-down through strategies and partnerships, they also need to tackle the issue from grounds-up, through strong public awareness campaigns, citizen education, and providing clear disaster recovery protocols for citizens. Only then will smart cities be truly safe, and smart. O