As governments create smarter cities, they need cybersecurity measures built from the ground up — or they risk costly data breaches which could compromise the privacy of their citizens.
In 2016 alone, cyber-crime cost the global economy more than $450 billion and over two billion personal records were stolen, according to the chief executive of specialist insurer Hiscox.
Cities around the world are using various technologies — smart devices, apps, sensors, big data analytics and Internet of Things applications — to improve the lives of their citizens. This results in massive amounts of valuable data that interest cyber-criminals.
Etay Maor, an executive security advisor at IBM Security told CNBC if there is a way for hackers to monetize any type of stolen data, they will attack it. Traditionally, the kinds of information that drew attention were bank credentials, personal identity information and credit card details, but Maor said anything from airline miles to medical records are now targeted.
“Now we have nations that are connecting (various services to the internet),” Maor said. “It’s critical that when these things are designed, when you’re talking about smart nations, security should be a top priority.”
The digitization of critical infrastructure, such as power plants, water supply and electricity distribution also creates vulnerabilities to cyber-attacks.
Many governments appear to realize that slapping on a layer of security at a later stage of smart city projects is no longer an option. Singapore already has a cybersecurity agency and last year, Prime Minister Lee Hsien Loong outlined the city-state’s comprehensive strategy to tackle online threats.
Jordi Puigneró, secretary for telecommunications, cybersecurity and digital society for the government of Catalonia said cybersecurity needs the same kind of emphasis as security in the physical world. If governments fail to adequately secure their smart cities, people will not trust the services, he said.
“If they don’t trust it, they won’t use it. If they don’t use it, we will not be competitive in this digital world,” Puigneró, who leads the Catalan government’s SmartCATalonia efforts, told CNBC last month at the sidelines of the IoT Asia 2017 conference in Singapore.
Catalonia is awaiting parliamentary approval for a cybersecurity agency, whose mandate will include the creation of a computer emergency response team, building up cyber-resilience, tackling cyber-crimes and developing competencies for cyber-defense, Puigneró said.
Cyber-criminals could theoretically hijack systems to launch powerful distributed denial of service attacks or hold an entire city for ransom in extortion attacks, according to an analysis by Nicolas Reys, a consultant for cybersecurity services at Control Risks. He noted that attacks “could be designed to encrypt and cripple an entire city’s grid, with ransom demands likely to be considerable in such a scenario.”
Such tactics, Reys added, could be “highly profitable for cyber-criminals and represent a natural evolution of trends that we have observed in the current cyber-criminal community.”
The growing complexity of cyber-attacks and the increasing number of people and devices connecting to the internet means there’s almost a near-certain possibility that hackers may be able to breach a system, experts say.
The consensus is that securing smart city projects from digital threats requires multi-layered strategies and should tap into fields such as machine learning, cryptography and artificial intelligence.
Machine learning, where a system is taught to identify anomalies within a network, is promoted by companies like U.K.-based security firm Darktrace. With every interaction, these machines learn and become better at proactively stopping threats.
Maor added that machines can also analyze and interpret huge volumes of internet data to help governments respond to breaches faster. Timing, he said, is critical in limiting the damage.
Others point to the potential benefits of building smart city applications using blockchain technology, particularly the Ethereum open source platform. That system can be used to deploy decentralized applications, according to John Lilic, a director at blockchain software company ConsenSys.
He pointed to personal identity on social networks as an example: “Your identity lives in a bunch of different boxes all over the internet, that’s why you have usernames and passwords. Because you’re logging into a database that somebody else owns.”
“With Ethereum, we can flip that upside down on its head,” Lilic told CNBC.
Building an application on Ethereum could mean the data will not be owned by any single corporate entity and could be accessed from anywhere in the world, Lilic explained. And since blockchain uses corresponding public and private keys to access encrypted data, a breach would not reveal the information without each user’s private key.
A key issue that many experts talk about is the need for more cybersecurity professionals.
“There’s a huge lack of people in this space. You’re talking about smart nations — one of the smart things to do is to get your colleges and universities to train people about security,” said IBM’s Maor.
In Barcelona, some universities were starting to offer a Masters’ degree in cybersecurity in the hope of bringing more professionals into the industry, Pugineró said.
“Without professionals, it is very difficult to create a (cybersecurity) industry … for that to happen, it means that our academies need to start having degrees and masters in cybersecurity so we can produce talent,” he added.