Is a smart city really a smart idea?

How can “smart cities” guard against cyber crime and protect people’s sensitive information? 

Sign Up

Get the New Statesman's Morning Call email.

According to a report by the United Nations, 55 per cent of the global population lives in urban areas. By 2050, this figure is expected to increase to 70 per cent. Within the context of the overall growth of the world’s population – which is also living longer than it used to – the UN expects a further 2.5bn people to be living in cities in the next 32 years. In order to cope with the pressures of urbanisation, cities need to do more than just build more houses.

“The underlying concept of a smart city,” explains Tom Symons, principal researcher in policy at Nesta, “is to align the advances of technologies with age-old urban problems, for instance the challenge of reducing traffic on roads. This is important from an environmental perspective, just as it is in terms of the logistics of space. These are not new questions, but new technologies are offering new answers, which are needed when you think about financial challenges and limited resources.”

The common vision for smart cities is to make use of the “internet of things”, which is the interconnection via the internet of computing devices in everyday objects that makes them able to send and receive information. Smart city initiatives can include self-assessing electricity grids that are used to address power outages. These grids provide the basis for other projects, such as smart traffic lights that prioritise cyclists and ambulances; more energy-efficient buildings that adjust power use accoring to information from sensors; and city-wide electronic vehicle charging points.

But new technologies bring new challenges. And the “interconnectivity between physical and digital infrastructure”, according to the associate director of cyber security consultancy firm Control Risks, Jayan Perera, gives rise to “a range of evolving security risks”. In addition to malware, data manipulation or ramsomware, smart cities can be susceptible to signal jamming, phishing and phony emails posing as local authorities, all the while placing a huge amount of faith in technological resistance to these threats. For Cesar Cerrudo, chief technology officer at IOActive and founder of the Securing Smart Cities blog, smart cities create “huge attack surfaces.... As geopolitical tensions escalate, nation states, terrorist groups and the like could start targeting cities with ransomware, for example, with the intention of disrupting services and having a big impact on populations.”

Cerrudo highlights one particularly damaging instance of ramsomware that happened in Atlanta earlier this year. There, a hacker group known as “SamSam” encrypted the city’s municipal court’s files, locking access to online services and prevented it from processing legal cases and warrants. The office lost the use of almost all of its 77 computers, while the police force lost all of its dashcam footage. “SamSam” demanded $51,000 in Bitcoin to stop the attack. Whether Atlanta’s authorities paid the ransom is unknown. Services are now back online, but the estimated cost of the clean-up is, at the time of writing, in excess of $10m. “Cyber criminals are organised and their attack techniques continuously evolve,” says Cerrudo. “Smart city technology is vulnerable because almost everything in a city is or will soon be running software inside.”

While many cities are desperate to experience the benefits of digitalised services, Cerrudo warns that too often authorities will “not do the proper testing” on the technologies they install. “Sadly, cities are implementing new technologies without first testing cyber security. Although cities usually rigorously test devices and systems for functionality, resistance to weather conditions and so on, there is often little or no cyber security testing at all, which is concerning.”

To ensure effective cyber security in smart cities, London’s chief digital officer Theo Blackwell argues, “a clear set of standards must be pre-agreed” between different parties. “Government, the public sector and the private sector should consult with one another,” he says, “before any technologies make their way into the city.” Blackwell, appointed by Sadiq Khan to oversee the UK capital’s smart city ambitions last year, says that the government-funded London Office for Rapid Cyber Security Advancement (LORCA), is “working closely with the Mayor of London’s team to guide companies on the best digital practices.”

Machine to machine (M2M) communication, which forms the bedrock of a smart city, is a double-edged sword. M2M systems can automate processes and services, but with the absence of human operators, the risk of a “cascading error”, as Control Risks’ Jayan Perera calls it, is increased. “What this means,” he explains, “is that an unchecked mistake has the potential to spread through a system. A minor computer error that’s caused a smart [electricity] meter to give an inaccurate reading to its control centre, could lead to an automated, and incorrect, reading that a particular location require an increased amount of electricity. This would require routing some of the existing energy supply to this location which, in turn, could result in increased costs and a reduced energy supply for others.”

There is a temptation, Perera says, “to assume that because digital services are usually an improvement on what they replace, they aren’t going to fail, but of course they have the potential to.” To mitigate for a “component failure” – when one aspect of a digital system stops working – Perera recommends that smart cities should prioritise installing “rapid component replacement” options. “It makes sense to have back-ups in place. Essentially, if you’ve got a system and you have a baseline level of performance, which constitutes normality, then you know whether something has gone wrong. So if you can automate a system to check itself for things that get away from that baseline, then it can replace those components as needed, without it spreading. Obviously for more critical components, which would cause a system failure, you’d need to prepare something different, but on a smaller scale, this could work. Smart cities can benefit from installing behaviour-based cyber security measures.”

Alongside any technical concerns attached to smart cities, of course, is the contentious issue of privacy. Smart cities need data to thrive, but there is a difference between data collected from monitoring technologies, such as air quality or temperature, and data that is more personalised, such as shopping habits, dates of birth or marital status.

Who decides what data is relevant and to whom? How can smart cities garner the trust of their citizens? Nesta’s Tom Symons says that the success of any smart city hinges on its “ability to demonstrate why and how data is being collected” in a way “so that citizens can understand the point of it. Smart cities, collectively, need a consensus on clear ethical principles relating to citizen data. The bottom line is that citizens need to be in control of what is going on with that data, and that probably means some sort of opt-in or opt-out mechanism. A ‘data wallet’, in the form of an app on their smartphone, could help citizens to manage what parts of the smart city they choose to engage with. Maybe they’ll be OK with sharing how often they use their bike, maybe they won’t. The smart city has to let citizens have some binary control over whether they share, and the conditions attached to that. Maybe they only want to share that data if it isn’t used for commercial purposes.”

While “privacy is obviously hugely important”, Theo Blackwell says that in an ambitious smart city such as London, “we could argue that some data is being under-exploited”. He is keen to stress the potential of data to be used “for civic benefit”, and to encourage “a culture of data exchange” in London. “The key point is thinking about collaboration, data, and the needs of citizens. If companies were convinced to share their data, of course with some caveats about privacy, then London could benefit from the more informed decisions that were made. If Transport for London gave insight into passenger journeys – how long, how often and so on – then that could help local businesses.” Of citizens’ willingness to share their data, Blackwell says: “I think if data collection comes with an explicit description of what it’s being used for, how long it’s being held, then people will usually recognise that it’s a worthy trade-off to receive better services.”

Technology can cut operational costs and enhance services. Against the backdrop of rapid global urbanisation, both will be necessary. Smart cities, however, are far from the finished article, and challenges in establishing a set of technical standards along with an ethical guideline for data collection are ongoing. Risk management is not an admission of defeat, insists Perera, who views the need to “prioritise some smart city assets over others” as a natural consideration for “any cyber security budget”.

But, as Cerrudo argues, the long-term aim for any smart city would be to eliminate these risks entirely by ensuring that the technology is fit for purpose in the first place. “Technologies used by cities must be properly security audited to make certain that they are secure before they are implemented. To fail to do so is reckless. When we see that the data that feeds smart city systems is blindly trusted and can be easily manipulated, that the systems can be easily hacked, and there are security problems everywhere – that is when smart cities become dumb cities.”

Rohan Banerjee is a Special Projects Writer at the New Statesman. He co-hosts the No Country For Brown Men podcast.