BY BENJAMIN GOH
In 2015, Business Insider magazine predicted ten million self-driving vehicles will be on US roads in the next five years.[i] While many people are eagerly awaiting the ability to read, eat, or check email as their cars themselves do the driving, this raises a whole host of critical questions. Who is at fault if the car crashes? What if the network for self-driving cars is hacked? Is there any way the human can override the commands of a car that is set for collision?
The world is undergoing a major revolution brought about by such ‘smart city’ technology. As defined by security expert Cesar Cerrudo , a smart city is “a city that uses technology to automate and improve city services, making citizens’ lives better.”[ii] Driverless cars, cloud-based services, and networks of sensors are all part of the smart city promise to optimize city performance to cope with urban immigration and unlock new frontiers of economic growth. The smart city will save human time in daily activities and eventually enhance productivity and improve standards of living.
The potential for efficiency and economic opportunity in the smart city has propelled adoption of some of its elements in cities such as Barcelona, New York City, and Singapore. However, the hunger for technological answers to urban management has crowded out a more important conversation on the smart city—how to address the growing threat of cyber-attacks. Unlike physical space where individuals are generally familiar with the dangers that lurk, uploading infrastructure into cyberspace brings a whole host of vulnerabilities that deserve much greater attention as smart city technology proliferates.
Cyberspace challenges our traditional response to security threats. As Pulitzer Prize-winning journalist Ted Koppel points out in his book Lights Out, it is exceptionally difficult to attribute the origin of a cyber-attack to a particular actor, making it almost impossible “to retaliate against an aggressor with no return address.”[iii] New technologies empower small groups and individuals to challenge states and other institutions of traditional authority, suggesting the need to rethink conventional concepts of deterrence and defense—at the very least, the role of primacy of the state in security.[iv] These questions and changes require significant amounts of time for deliberation, but they operate under the reality that the economic draw of the smart city rapidly increases the vulnerability of the entire sector, making the question of national security in the smart city more urgent than ever before.
Data Sharing and Free Enterprise
Smart city technology makes the city uniquely more vulnerable in at least two ways. Firstly, the smart city is built on creativity and innovation, driven by entrepreneurial activity in small and medium enterprises (SMEs). Although they contribute to a dynamic industry that commercializes cutting-edge technology, SMEs often have lean profit margins and underestimate their security risk, significantly under-investing in cybersecurity.[v]
A study by the Kaspersky Lab found that 57 percent of very small businesses do not invest in protection solutions.[vi] Since the smart city depends on interconnection and interdependence, having a significant number of firms that possess poor security and maintenance regimes threatens the security of the entire platform.[vii] As Keith Alexander, former director of the National Security Agency once suggested, if small companies are compromised “in the right order,” a “cascade effect” may be initiated that infects the systems of larger companies and eventually the entire network.[viii]
Secondly, the smart city runs on information technology, with infrastructure owned by private actors in order to enable the dynamism and flexibility required to fuel innovation and creativity. Abertis Telecom, for instance, has worked extensively with the Barcelona government to deliver connection services that power the smart city.[ix] Similarly, AT&T launched a smart city plan in Atlanta in early 2016.[x]
Unfortunately, private companies are ill equipped to deal with sophisticated attacks. With extensive resources, the government is often best able to guard online networks from espionage and sabotage, but this poses a unique challenge. Unlike safeguarding critical physical infrastructure, protection in cyberspace requires granting government access to the entire data server—a much higher level of entry to privileged business information than is necessary when public agencies protect other private infrastructure, such as the military standing guard over an oilrig.
The government’s responsibility to monitor critical assets therefore becomes at odds with the industry’s interest to operate freely. Some have argued that government should take control of the network after the cyber threat passes a certain safety threshold, but an agreed-upon framework for measuring threat levels is still a work in progress.[xi] [Done] Worse, perverse incentives of government overreach may in turn encourage less investment in security since public security agencies act as a guarantor of last resort. A middle-way approach could be to institutionalize information-sharing practices, but liability concerns and industry-confidential information have been stalling meaningful cooperation on these fronts as well.[xii]
In the smart city, cooperation among firms is often lauded as a way to build synergy across the city, but these economic-based arguments fall apart once the system is threatened. A company that relies on government grants to update its security infrastructure will be tempted to keep requesting more to consistently improve its system, whereas a company willing to surrender operations to the government may be able to fend off the attack initially but lose customer trust due to infringement of its ‘confidentiality’ clauses. To truly secure smart cities, pathways to cooperation and integration must be re-thought, with a clear eye to implications in corporate governance, liabilities sharing, and organizational integrity.
The Vulnerability of Everyday Devices
The smart city includes a plan to make personal devices “smart” by connecting a series of objects through cyberspace. The Back to the Future fantasy of automated daily chores such as toasting bread or making coffee will arrive in the next few years. Integrating everyday devices to the network can bring tremendous convenience, but it also exposes us to a series of threats at both the individual and societal level.
Take smart devices that report electricity use in real-time alert us to consumption patterns and enable better decisions. Knowing the air-conditioning unit is consuming electricity when we are at work empowers us to send the unit for repair sooner than otherwise. Yet, these traceable consumption patterns also enable potential burglars to track when we are—or are not—at home.
Moreover, some attacks pose a direct threat to human life. A study by security experts Charlie Miller and Chris Valasek recently found cellular networks in cars were an entry point for potential aggressors to shut the car down.[xiii] Not only can this vulnerability result in car accidents, but also adversaries do not have to be physically close to the target since the attack can be conducted through the network, exponentially increasing the way one can be harmed.
Each device connected on the web creates another potential attack surface with unique vulnerabilities. Whereas computers typically have a user who can install system updates and antivirus software to guard against strikes, smart devices are “headless”—there isn’t a human being operating them who can input authentication credentials or decide whether an application can be trusted.[xiv] The consequences of ceding such control can be disastrous. A malware infection of an airplane monitoring system, for example, can contribute to severe plane mishaps, as it did in the crash of the Spanair flight 5022 in 2008.[xv]
The smart city goes further than we have ever been before, with interconnected and interrelated devices. This integration poses operational and functional risks that cannot be solved simply by switching off one’s computer.[xvi] The quantity of data the devices generate (and therefore the complexity of their web of activity) far outstrips that created by a user and his or her mobile phone. Monitoring web traffic between these objects is challenging, and detecting intrusion in these networks will be a herculean task, making security many times more complex than for less integrated computing devices.[xvii]
Security by Design
For private companies in the competitive startup tech sector, the incentive to prioritize ‘sexy’ features and functions to gain market share means security often takes a backseat. The benefits of security seem intangible, and unless one is able to assess how much can potentially be lost through an attack, it is difficult to determine how much investment should be made in protection.[xviii] For small and relatively unknown companies, not experiencing an attack also gives a false sense of security that further delays investment. The market doctrine suggests profit should always come first in order to create capital fluidity that can later be invested in security.
However, computer-science pioneer Peter Neumann expresses the troubles of such philosophy: “People always say we can add it in later. [But] you can’t add security to something that wasn’t designed to be secure.”[xix] Security cannot be thought of as an add-on, but rather as integral to the reliable functioning of any device or program.[xx] Securing the smart city therefore requires security by design.
One way to ensure security is to institute encrypted communications, both between users and between devices. Encryption prevents communications from being intercepted by a third party, guaranteeing not just the integrity of communication but also its privacy. Encryption is also a powerful tool in building trust in all transactions online. The “https” protocol (as opposed to “http”), for example, provides authentication of a website and creates bidirectional encryption of communications between a client and server, and has formed the basis of most e-commerce transactions today.[xxi]
At a time when human communication is increasingly digital, guaranteeing the confidentiality of all our communications through end-to-end encryption is crucial to reducing our vulnerabilities as individuals. Until now, pushback against encryption has come primarily from law enforcement officials, who relish the ability to tap communications.[xxii]
However, the risks of insecure communications in an increasingly digital society outweigh the cost, and smart cities should create encryption by default to minimize citywide vulnerabilities.
Encryption needs to occur at a more fundamental level too. Wi-Fi hotspots in cities, for example, should be mandated secure by guaranteeing an encrypted connection. This ensures the safe handling of confidential information and personal data such as credit card numbers or social security numbers, which are increasingly at risk in a well-connected city. Moreover, making users “invisible” on public networks leaves them safe from sniffers or potential adversaries, enhancing both systemic and personal safety.[xxiii]
Securing individual communications, nevertheless, is not enough. The driving force of the smart city is its ability to create value by integrating digital systems, but these interactions are precisely where vulnerabilities lie. As Steve Durbin, the managing director of the Information Security Forum attests, many “products and services are deployed with security that may be adequate in isolation, yet becomes lamentably weak when connected to other systems.”[xxiv] The number of vulnerabilities in a smart city network will thus be significantly higher than each of its sub-systems, which requires more investment in the areas of authentication, verification, and validation.[xxv]
A key vulnerability lurking in integrated webs is that malicious software may attempt to impersonate another device in order to infect the system. Having a public key network, in which every device extensively verifies the identity of the system to which it is connecting, will help guard against such impersonation. Think of it like granting someone access to your house—just because a person has found your key does not mean that person is your friend; it will probably be more secure if you could verify the visitor’s identity before you unlatch your door. Having a public-key encryption works the same way, to verify and validate each connection to the network, providing a high level of security for all forms of communications between devices.
Data sharing creates the possibility of generating insights through big data, and actors within the smart city should also start considering seriously the ways in which data and information are shared. The push for economic efficiency has created bodies such as the British Standards Institute’s Smarter Cities Strategy that sets guidelines on the format, encoding, and interchange of data.[xxvi] Perhaps it is also time to consider standards for the security of information exchange. Enforcing benchmarks on data authentication and security forces companies to consider the importance of information security. More critically, it gives direction to the smart city development model by emphasizing the importance of sharing data in a way that protects the smart city platform.
Ultimately, the smart city should be embraced not for its economic potential but for its ability to improve the lives of its inhabitants. A higher quality of life does not just entail saving time in traffic or accessing e-services on the go; it also means providing more opportunities for self-actualization and human agency. Providing such empowerment is more challenging than it sounds, because the rhetoric of a data-driven city implicitly suggests we have lost control of our ability to choose what information we want public, and that which we want kept private.[xxvii] Securing the smart city is not just about securing critical infrastructure; protecting human autonomy increases quality of life as well.
Prioritizing the needs of the citizen above business interests is sometimes good security policy. With encryption, user protection is the default option, which accords citizens a right to privacy but also protects them from bad actors like malware implanters and digital stalkers. Law enforcement agencies may still insist on the need to deny privacy, but encryption offers a more legitimate and targeted approach to soliciting data.
Instead of choosing between snooping communication channels or cracking encryption, city security can track targeted devices instead, to retrieve data from the end user. Indeed, this is the direction society is and should be moving towards. In United States v. Fricosu, the same principle applied, as the government sought a warrant that required the defendant to unlock her laptop and produce unencrypted contents of her computer.[xxviii] Doing so not only preserves privacy, but heightens security as well since the citizenry does not have to be paranoid about the intentions of law enforcement and will be more willing to cooperate.
In securing the smart city, we have to realize privacy can enhance security. The bureaucratic push to import data wholesale has to be subservient to security considerations but also the universal right to privacy. The connected world has made it increasingly unrealistic not to rely on devices to communicate, creating an urgent need to revisit archaic policies that do not guarantee protection for activities involving “third parties.”[xxix] More ethical data-use policies should be in place to meaningfully empower citizens to make choices about data usage in the smart city.
The smart city is a reaction to massive urbanization that is making cities more efficient, livable, and connected. However, the predominance of economic arguments in support of the smart city dangerously obscures its need for infrastructure and human security. To quote urban studies journalist Jane Jacobs, “to suppose that things, per se, are sufficient to produce development creates false expectations and futilities.”[xxx] Designing a technologically integrated city has to go beyond the employment of fancy gadgets and cool consumer apps. Giving the necessary attention to security needs of network systems, with an eye towards the aspirations and empowerment of the city inhabitants, can finally move urban areas towards a truly ‘smart’ city.
[i] John Greenough “10 Million Self-driving Cars Will Be on the Road by 2020,” Business Insider, 29 July 2015, accessed 17 February 2016, http://www.businessinsider.com/report-10-million-self-driving-cars-will-be-on-the-road-by-2020-2015-5-6.
[ii] Cesar Cerrudo, “Hacking Smart Cities,” (paper presented at RSA Conference 2015, San Francisco, California, April 20 to 24). (https://www.rsaconference.com/writable/presentations/file_upload/hta-t10-hacking-smart-cities_final.pdf)
[iii] Ted Koppel, Lights Out: A Cyberattack, a Nation Unprepared, Surviving the Aftermath (New York: Crown, 2016), 10. (http://www.amazon.com/Lights-Out-Cyberattack-Unprepared-Surviving/dp/055341996X)
[iv] Benjamin Wittes and Gabriella Blum, The Future of Violence: Robots and Germs, Hackers and Drones: Confronting a New Age of Threat (New York: Basic, 2015) 71. (http://www.amazon.com/The-Future-Violence-Hackers-Confronting/dp/0465089747)
[v] These findings are from a recent survey of 1,015 U.S. small- and medium-sized businesses by the National Cyber Security Alliance (NCSA) and Symantec. (The full survey is available at:
[vi] “Encouraging Very Small Business to Invest in IT Security,” Kaspersky Lab, 2 September 2014, accessed 11 February 2016, http://www.kaspersky.com/about/news/virus/2014/Encouraging-Very-Small-Business-to-Invest-in-IT-Security.
[vii] Steve Durbin, “Building Smart City Security,” TechCrunch, 12 September 2015, accessed 11 February 2016, http://techcrunch.com/2015/09/12/building-smart-city-security/.
[viii] Ted Koppel, Lights Out: A Cyberattack, a Nation Unprepared, Surviving the Aftermath (New York: Crown, 2016), 29. (http://www.amazon.com/Lights-Out-Cyberattack-Unprepared-Surviving/dp/055341996X)
[ix] “Abertis Telecom Presents the First Small-scale Smart City in Spain,” Albertis Telecom, 30 November 2011, accessed 11 February 2016, http://www.abertis.com/news/abertis-telecom-presents-the-first-small-scale-smart-city-in-spain-/var/lang/en/idm/487/idc/4037/ano/2011/mes/11.
[x] “AT&T Launches Smart Cities Framework with New Strategic Alliances, Spotlight Cities, and Integrated Vertical Solutions,” AT&T, 5 January 2016, accessed 11 February 2016, http://about.att.com/story/launches_smart_cities_framework.html.
[xi] James A. Lewis. “Thresholds for Cyberwar.” Center for Strategic and International Studies September 2010SIS, accessed 11 February 2016
[xii] Koppel, Lights Out: A Cyberattack, a Nation Unprepared, Surviving the Aftermath, 27. http://www.amazon.com/Lights-Out-Cyberattack-Unprepared-Surviving/dp/055341996X
[xiii] Andy Greenberg, “Hackers Reveal Nasty New Car Attacks—With Me Behind The Wheel“, Forbes, 24 July 2013, accessed 1 February 2016, www.forbes.com/sites/andygreenberg/2013/07/24/hackers-reveal-nasty-new-car-attacks-with-me-behind-the-wheel-video/.
[xiv] “Security in the Internet of Things.” Wind River Whitepaper, January 2015, 3. (http://www.windriver.com/whitepapers/security-in-the-internet-of-things/wr_security-in-the-internet-of-things.pdf)
[xvi] “Transformational ‘Smart Cities’: Cyber Security and Resilience,” Symantec Corporation, May 2013, 14. (https://eu-smartcities.eu/sites/all/files/blog/files/Transformational%20Smart%20Cities%20-%20Symantec%20Executive%20Report.pdf_)
[xvii] “Internet of Things: Risk and Value Considerations,” ISACA Internet of Things Series White Paper, January 2015, 11. (http://www.isaca.org/knowledge-center/research/researchdeliverables/pages/internet-of-things-risk-and-value-considerations.aspx)
[xviii] Koppel, Lights Out: A Cyberattack, a Nation Unprepared, Surviving the Aftermath, 70.
[xix] Craig Timberg, “The real story of how the Internet became so vulnerable,” Washington Post, 30 May 2015, accessed 11 February 2016, http://www.washingtonpost.com/sf/business/2015/05/30/net-of-insecurity-part-1/.
[xx] Security in the Internet of Things.” Wind River Whitepaper, January 2015, 6. (http://www.windriver.com/whitepapers/security-in-the-internet-of-things/wr_security-in-the-internet-of-things.pdf)
[xxi] Symantec White Paper, “Hidden Dangers Lurking in E-Commerce- Reducing Fraud with the Right SSL Certificate” (https://www.symantec.com/content/en/us/enterprise/images/mktg/Symantec/Email/12395/FY16_Q1_WP_Hidden_Dangers_Lurking_in_E-Commerce_0215.pdf)
[xxii] Carrie Cordero, “Should Law Enforcement Have the Ability to Access Encrypted Communications? YES: We Need That Ability to Fight Terrorism”, The Wall Street Journal, 19 April 2015, accessed 11 February 2016, http://www.wsj.com/articles/should-law-enforcement-have-the-ability-to-access-encrypted-communications-1429499474
[xxiii] Security in the Internet of Things.” Wind River Whitepaper, January 2015, 6. (http://www.windriver.com/whitepapers/security-in-the-internet-of-things/wr_security-in-the-internet-of-things.pdf)
[xxiv] Steve Durbin, “Building Smart City Security,” TechCrunch, 12 September 2015, accessed 11 February 2016, http://techcrunch.com/2015/09/12/building-smart-city-security/
[xxv] “Transformational ‘Smart Cities’: Cyber Security and Resilience,” Symantec Corporation, May 2013, 11. (https://eu-smartcities.eu/sites/all/files/blog/files/Transformational%20Smart%20Cities%20-%20Symantec%20Executive%20Report.pdf_
[xxvi] BSI, Smart Cities Interoperability (http://www.bsigroup.com/en-GB/our-services/events/BSI-Smart-Cities-Interoperability/)
[xxvii] Sara Watson, “The Issue Formerly Known as Privacy,” Aljazeera America, 4 November 2014, accessed 11 February 2016, http://america.aljazeera.com/articles/2014/11/4/data-privacy.html.
[xxviii] United States v. Fricosu, 841 F. Supp. 2d 1232, 1237 (D. Colo. 2012).
[xxix] Adel S. Elmaghraby and Michael M. Losavio, “Cyber Security Challenges in Smart Cities: Safety, Security and Privacy,” Journal of Advanced Research, 5.4 (2014): 494. (http://www.sciencedirect.com/science/article/pii/S2090123214000290)
[xxx] Jane Jacobs. The nature of economies., 2010, 30