As urban centers expand their reliance on automated sensors and algorithms, they increase risks of data security breaches, vulnerabilities to invasions of privacy and concerns about software reliability.
The demand for smart city technologies shows little sign of slowing down, which comes as no surprise. Cities are growing in size and population, and the need for digital tools and systems to help manage everything from traffic and public safety to garbage and parking meters continues unabated. Technology spending for the global smart city market is expected to reach $27.5 billion by 2023, according to market research company Navigant Research.
But as urban centers expand their reliance on automated sensors and algorithms that improve productivity, sustainability and engagement, they increase risks of data security breaches, vulnerabilities to invasions of privacy and concerns about software reliability. And as cities rely more on data to drive their decision-making, it raises the concern that technocratic governance could begin to replace the traditional political process that’s more deliberative and citizen-centered.
So far, problems with smart city technology have happened at a slow pace, but some of the incidents have been alarming. A software bug closed down San Francisco’s subway system three years ago, temporarily trapping some riders underground. In 2006, during a labor strike, two Los Angeles traffic engineers were accused of hacking smart traffic light systems that created gridlock that lasted for several days. In 2012, the traffic management system for a major artery in the port city of Haifa, Israel, was also hacked. And two years ago, a researcher at a security firm blogged about how easy it was to hack into Washington, D.C.’s traffic signals, which lacked any security controls.
Smart city technology relies largely on wireless IP networks, which have become increasingly vulnerable to hackers. These networks interconnect for greater performance, like electrical grids to reduce power waste, traffic management systems to reduce congestion across a city’s road and highway grid, and smart water systems that are designed to improve utility efficiency.
The U.S. Department of Homeland Security last year released a study that looked at the cybersecurity risks of smart cities. The Future of Smart Cities: Cyber-Physical Infrastructure Risk divided the problem into three themes that cut across security considerations for smart infrastructure. First, the “seams” that have existed between rural and urban, and legacy and new infrastructure components are moving or disappearing. As a result, the sectors that make up transportation, electrical and water systems are becoming more permeable and remotely accessible. While this increases connectivity and speeds up data flows, it also stretches the borders that cities must secure.
Second, the report raised concerns about “inconsistent adoption” of smart technologies because of limited resources or consumer willingness to use the technology, such as autonomous vehicles. An uneven transition to these technologies raises issues about security vulnerabilities, like “blind spots” where old and new technologies haven’t fully merged and are able to report problems that have occurred. There’s also the cost issue for utilities that must pay for a smart grid solution while maintaining a manual backup system in case things go wrong.
Third, smart city systems reduce human interaction in order to maximize computer efficiency. As cities shift to data-driven, sensor-based solutions, the number of security access points will only increase while manual override systems are reduced and human skills to run the systems atrophy.
There’s another consideration with over-reliance on smart systems to run critical pieces of infrastructure or to increase the efficiency of city services. Something could go wrong. Just think of the assumptions that were built into HealthCare.gov that resulted in it crashing when too many people logged on. Similarly, Y2K is a classic example of a software bug that was buried deep in just about every mainframe in the world, a flaw that cost companies and governments more than $300 billion to fix.
These are the sorts of problems that can occur when software programs are deployed with “potentially buggy, brittle and hackable urban systems, which create systemic vulnerabilities across critical infrastructure,” wrote Rob Kitchin, a professor at Maynooth University in Ireland who specializes in smart city and urban infrastructure issues.
Then there’s the concern about using technology to squeeze maximum efficiency from infrastructure that might be decades old. If a problem occurs, can a sensor-based water system shut down properly or does it fail catastrophically? The primary cause of the 2003 Northeast blackout was a software bug in the alarm system in an energy company’s control room that led to a catastrophic shutdown of the electrical grid, affecting 55 million people.
“Large sections of America’s infrastructure are already crumbling. When you take something so fragile and add another level of complexity to it, such as smart technology, it’s going to be even harder to maintain,” said Kevin Desouza, associate dean of research at the College of Public Service and Community Solutions at Arizona State University. The best solution to making old infrastructure smart is to completely rebuild it. “But I don’t see that happening, given the fiscal resources in our government,” he said.
One objective of smart city technologies is to gather data that can measure the real-time awareness of people and activities and then feed information about the impact of those activities back to decision-makers. Using what’s known as “behavior economics,” public officials can initiate policies that will hopefully modify behavior for the common good. Predictive policing is one example. Another involves speed monitoring devices to encourage people to drive more slowly in residential neighborhoods. But used the wrong way, these intelligent systems can lead to bad policies.
“It’s one thing to gather data and use analytics that lead to more intelligence to nudge a person’s behavior in an ethical way, but it’s something else when you force someone to do something that constrains their behavior,” Desouza said. He cited policies that might discriminate against a certain class of people based on data gathered about their profile, forcing them to pay more for services or receive fewer public benefits.
Privacy is the other major concern with smart city technologies, many of which can capture personally identifiable information and household-level data about citizens, and link the information together to create profiles of people and places in order to make decisions about them, wrote Kitchin, in his 2016 report, Getting Smarter About Smart Cities. One major risk factor are the smartphone apps, upon which many smart city services rely on to work.
“Each smartphone has unique identifiers that can be accessed and shared by apps, some of which can be captured externally via Wi-Fi or Bluetooth signal. These identifiers can be used to track the phone and, by association, its owner. Although the IDs are pseudonyms, they act as very clear personal markers that have a range of other information attached to them, such as phone numbers, email accounts, messaging logs, address books, social media accounts, credit card details, etc., as well as inferred information such as home and work addresses,” Kitchin pointed out.
Perhaps the least understood, but potentially most worrisome risk with smart city technology is the need for analytical software to interpret the vast flows of information from sensors and other data collecting systems. As the reliance on data analytics grows, there are concerns that technology could measure and monitor all aspects of city life, implying that cities are rational machines rather than a complex system full of problems and competing interests.
Such a viewpoint “promotes a strong emphasis on creating technical solutions and overly promotes a top-down technocratic form of governance, rather than political and social solutions and citizen-centered deliberative democracy,” wrote Kitchin. The worst fear is that smart city solutions could be turned against citizens should the political landscape shift from a benign democratic form of government to an autocratic one. Imagine a scenario in which a smart city in the hands of a repressive regime turns public safety and transportation monitoring sensors into surveillance tools.
Given the broad range of risks, it’s easy to become an alarmist about the future of smart cities and to throttle back some of the initiatives that are underway or planned. But the opportunities for benefits from the tech are too strong to ignore. Instead, public officials, CIOs and technology partners need to take a more comprehensive approach to reducing the potential for risk, while continuing to move forward.
Cesar Cerrudo, chief technology officer with security firm IOActive, recommends cities test systems and devices for security flaws before activating them. “A simple checklist for encryption, authorization and authentication as well as software updates will make a big difference,” he said at the 2015 RSA Conference. He also recommends that cities pressure technology vendors to provide comprehensive and timely security documentation and response.
While states and cities should try to ensure the digital systems that manage water, power and transportation infrastructure are secure, the DHS acknowledged in its study on smart city vulnerabilities that it must play a key role too. “The DHS can assist in the development of standards and regulations, helping to ensure consistency across sectors and geographic areas. Strategic communication and engagement may influence a more secure evolution of cyberphysical infrastructure as smart cities adopt technologies at varying rates. DHS can also facilitate or direct federal assistance to state and local governments.”
Anticipating the need for a more robust response to risk factors, a number of researchers from some of the leading IT security firms have created the Securing Smart Cities initiative to act as a consulting service to local governments that are looking to improve their infrastructure with technology. The nonprofit, founded last year, acts as a communication hub between government officials, companies and media outlets, with the goal of educating and spreading information pertaining to city cybersecurity.
At the same time, officials must start thinking about what truly makes a smart city work for the good of its citizens. “Ignoring or deliberately avoiding smart city technologies is not a viable approach; nor is developing smart cities that create a range of harms and reinforce power imbalances,” wrote Kitchin. “Rather, we need to create a particular kind of smart city that has a set of ethical principles and values at its heart.”