“Smart City” is one of those buzz terms bandied around so much that it doesn’t even sound like a word anymore. Poorly defined, and even more poorly understood – it’s something well worth getting your head around. Why? Because they are here, rapidly growing in size and adoption and will absolutely be part of the cybersecurity industry as we head into the next decade.
So what is a smart city?
There are about as many definitions of what a smart city is as there are bonafide smart cities. Broadly speaking, a smart city is a metropolitan area that leverages a mixture of data collection and analytics, the Internet of Things, mobile computing and interconnected devices. They make the building, running and governing of a city more efficient and better off for everyone involved. Essentially, smart cities leverage data collected from increasingly digitally active citizens to optimise the services required from a city: sanitation, business, innovation and arts/culture.
What does that look like in practice, though? It all sounds really cool, but so did an eighth Game of Thrones season, and look how that turned out.
Joking aside, it may sound like a floaty concept that doesn’t affect you, but the principles underpinning smart cities exist in places you’ve likely walked straight past and never noticed. There are cities already out there designated as “smart cities”, adopting and leveraging technology to make running their cities as efficient as possible.
Examples of smart cities
London, Singapore, Copenhagen, Kyiv, Shanghai, New York and Milton Keynes, have all implemented smart functionality into their infrastructure and the list grows by the year.
Copenhagen, for example, has implanted air quality sensors into the Google Streetview car to create heatmaps of where the air quality is the best. This data then gets fed into an application and database so cyclists and joggers can plan routes with the best air quality and avoid car exhaust fumes.
London has improved its “SCOOT” smart traffic management system to optimise green light time at junctions and intersections. Data from magnometers and inductive loops (used to detect the presence of cars) are fed into a central supercomputer, where the data is used to co-ordinate traffic lights across London to improve traffic and lessen congestion throughout.
The city of Santander in Northern Spain has installed 20,000 sensors connecting everything from buildings, infrastructure, transport and utilities services. The data used to monitor pollution levels, noise levels, traffic volume and even to calculate the amount of parking available.
Barcelona has some really cool stuff implemented already. One example is sensors in the irrigation system in Parc del Centre de Poblenou. They transmit real-time data to gardeners about the amount of water the plants need. Data analytics have been used to design a bus network based on the most common traffic flows to generate the most efficient routes using the least amount of fuel. Barcelona has even implemented a response system which calculates the approximate quickest route when an emergency is reported and the information gets sent directly to the traffic lights. All the lights along the way to the emergency turn green as the ambulance/fire truck/ police car approach. This is achieved through a mix of GPS and traffic management software.
Let’s not forget Milton Keynes. The city has partnered with academics, businesses and local government to create the state-of-the-art data “MK Data Hub”. This will include data about energy, water and services consumption as well as social and economic datasets to allow the design of applications that can spot the most efficient way to serve its citizens.
This is all stuff that is already out there and operational – the era of the “smart city” is definitely here and all around you. But it wouldn’t be modern technology if there wasn’t some way it was also terrifying – so let’s get into some potential security concerns about the increasing adoption of the “smart city” movement.
Most of the developing uses of smart city technology centre around the collection of data, leveraging it after analysis and trend identification to make the providing of a given service better or more efficient. This has led to the collection and storage of datasets which were unthinkable a decade ago, and the information carried within has real power to affect citizen’s lives.
High levels of “big data” collection and sticking sensors on almost anything have led to concerns about the possibility of surveillance becoming widespread – and not just by those in charge of the city. The science of big data analytics and its widespread adoption by government means that the chance of agencies in charge of justice and policing could start putting more faith in the dataset rather than traditional interaction with the population -known as ‘predictive policing’.
A population already under surveillance from every direction would be very susceptible to having that data leveraged to “predict” the kind of person (or people) most statistically likely to commit a given crime based on a variety of separate datasets – location, age, build etc. You might recognise this as similar to a detective having a “hunch” (or the plot of Minority Report). It is well-established that a hunch fails to meet the legal standard of reasonable cause. Inferring something from observed data is no truer if the dataset is a million people than it is from one or two – and the legal implications are massive.
New York City implemented a data-driven “smart” stop-and-frisk program that was found to constitute racial profiling. This created grave implications for anyone concerned with authoritarianism or their right to protest. The internet has already been leveraged to attempt to subvert protests – the risk that it can be leveraged on a grand scale in a smart city are just as present. That’s not even getting into what might happen if someone else from an adversarial nation-state tapped into this mass surveillance without anyone knowing – though that’s getting into cyber warfare territory.
Speaking of cyber warfare – hackers are already well-versed in holding municipal systems hostage for financial gain. After Atlanta, Georgia and North Carolina were hit by concentrated ransomware attacks – Baltimore was hit by a particularly aggressive attack in May 2019. Ransomware attacks involve the breach of an organisation’s network defences, silently encrypting all the files the ransomware has access to. When triggered, it locks the computer. A message is displayed where it is made clear to the victim that their files have been encrypted and will not be returned to them until a “ransom” has been paid, usually in Bitcoin. Some pieces of ransomware have started to forcibly use the victim’s computing power to mine cryptocurrency during its time as a hostage too.
Baltimore was hit by a strain of ransomware known as ‘Robbinhood’ that disconnects all network services that could stop it doing its work. It encrypts everything and even randomises the labels, so you can’t work out what was what even if you wanted to. Everything is locked with AES encryption too, which is part of the military encryption standard in the US – so you’re either restoring everything from backups (if you have them!) or paying the ransom. Malware like this only needs one misconfigured gap in the network to get a foothold and then it will encrypt everything it’s connected to. Imagine if, instead of a city council’s office and servers, it was literally the entire city. This is not scaremongering though, three cities have been hit in the last 18 months with large-scale attacks of this kind.
Overall, the development of the smart city movement is exciting and presents huge opportunity for enhanced living. But with the ethical and security concerns, we should also not be too hasty to totally embrace it.