The security and safety challenges of smart-cities are hotly debated, and because “smart-city” is an umbrella term, every infosec vendor has an opinion on it. Most technical research on smart-cities doesn’t address cyber security and privacy concerns. The consensus is that it’s really the vendor/integrator who should be held accountable.
But engineering professionals are too absorbed with technical implementation. Our thinking revolves so much around answering the question “Can we build it?” that we forget to ask ourselves:
What are the potential negative effects on security, privacy, democracy, freedom, liberty? What are the security holes in this architecture?
Comments that touch on the subject of “ethical considerations” are treated as a distraction when brought up for debate in technical standardization groups. It isn’t easy addressing such fundamental questions especially when they can’t be solved by engineering.
The biggest mistake we make is believing ethical questions will be answered by somebody better qualified for the job. Maybe somebody from philosophy, psychology or theology? And if not that, then the market, or (as a last resort) the courts will address it?
A smart-city architecture allows “better” information-sharing, strong identity management, better blanket surveillance as well as targeted surveillance, and it benefits law-enforcement with better access to location tracking. Everything you need for a more powerful presence in people’s (voters’) lives: Constantly. In. Your. Face.
The point is: What court would rule that a smart-city should be rolled back or that its surveillance capabilities should be restricted? Do we realise that at this point our code (with all its bugs) becomes law? Think about that for a moment.
***
It isn’t surprising that most technical research on smart-cities only highlights benefits, considering a lot of it was government funded (at least in the EU, programs like H2020 or FP7 contribute a large share of smart-cities research). Very few documents are submitted on smart-city security. And do any of these papers (including the ones dedicated to the subject of smart-city security) provide mitigation techniques that achieve at least the same safety as a non-smart-city? No, of course not. Adding network functionality to a previously isolated system is always going to make you less secure, no matter how many dollars you pump into making people believe it will be safer. Of course the security industry will tell us that they can secure our WiFi lightbulbs. Vendors rarely ask security questions when it comes to the early-stage design of a product. Our attitude really should be to ask ourselves if such connected gadgets weren’t an utterly dumb idea in the first place.
The security sector’s profitability depends on a certain fear factor being present within the population. You can’t justify security spending when nobody perceives a threat. Smart cities are a great way to maintain and measure this fear factor very accurately, as showcased below.
The idea that a sleepy city council could provide better security by making their cities smart is a sham. Security always works by reducing the attack surface. Sure, we’ll manage to curb crime in some notorious “dark corners”, because of smart lighting and better monitoring of public spaces (made possible by improving data analytics and image recognition techniques when filtering CCTV footage). But the real costs to society and democracy are huge in comparison to a short-lived improvement in crime rates. Below I’ll try to explain some of my bigger worries with the current state of smart-cities and why many societies aren’t ready (and probably never will be).
***
This morning I stumbled over a fantastic piece of work: how to mash up data in a smart-city taken from IoT sensor devices (environmental, CCTV camera footage, face recognition, location) with data from social media posts (Twitter & Co.). The core focus of their research is a Sentiment Analysis platform to gauge citizen satisfaction in the name of improving local municipal services. Who wouldn’t want that?
“The software engineer in me actually wants to design such a system.”
The domain is cutting-edge and the possibilities are endless. We’re on the verge of several other breakthroughs in AI. Data science is one of the best-paid disciplines in CompSci. A smart-city architecture lets engineers combine all these exciting new advancements. Who wouldn’t want to work on that?
A smart-city should be designed with additional accountability harnesses to limit abuse, such as decentralised technologies. Blockchain-based auditing of public functions (e.g. bidding processes, decision-making, handover of power, …) would also be the right direction. Such decentralised systems would actually empower individuals, by allowing us to better track the performance of those who rule us.
Unfortunately I have not come across any papers that address such solutions, nor will you see much funding from government grants. Instead, all current proposals empower the state (otherwise you couldn’t sell it to them). Design proposals leave it up to the state (the customer) to decide where advantages can be passed to citizens. Accountability as a feature doesn’t make money and even sounds like quite a threat to those who are to be held accountable. Features we already see look promising (smarter parking and telematics, automated billing, eco-friendly management, …), but nothing protects us from the new centralization of power, benefiting only those in the cockpit.
Data gathered from subscribers becomes available to expected 3rd parties such as law-enforcement, the IRS, the bank or their risk-management proxies. The data will sooner or later be in the hands of individual hackers, terrorist organisations or a foreign nation state adversary. It shouldn’t be too hard for even a single attacker to breach a sleepy municipal IT facility. And looking at breach history, the cloud provides no relief.
Imagine a scenario where the attacker is a terrorist stealing the data prior to a physical attack in a city. Either to amplify the effects of the actual terror attack (by taking over billboards or SMS warning systems to create more fear, DDoS on emergency hotlines, etc.), or to enable new forms of attack due to the nature of the freshly gained, previously unavailable info. Smart-cities can be a great vehicle in peace for stable nations, no doubt.
From a security perspective I’m pessimistic about their real cost to our liberties. Even stable societies can’t fully isolate themselves in times when national intelligence agencies around the globe engage in active attacks and then try to blame it on single fictional isolated individuals like Guccifer2.0. The future of security has a new benchmark and it’s called Advanced Persistent Threats (APT). Are smart city projects in Poland and the Baltic countries prepared to have their systems sometimes taken over for display?
The hard question isn’t how to build smart-cities. It’s not a technical problem. I’m not trying to belittle the engineering effort. But we know the steps and how to build it.
The question that should really be asked during the design is what happens if a smart-city flicks the switch on democracy, or has its switch flicked by an outside adversary messing with local politics. Are we naive enough to believe that many of these “meme-democracies” around the globe (who won’t shy away from switching off their Internet in order to preserve their status quo) will not use the data of their local smart city to squash dissent? … the coup d’état in Turkey, the “orange revolution” in Ukraine, aggression across the Arab world and dividing the enemy based on faith once again.
Citizens and consumers trust that a smart city closely tied to local politics and business will keep those secrets reliably and securely from third parties, when at the same time we know that these parties battle to control how, when and what type of data we consume? Surely, they’re having a laugh?
Critical topics to discuss for SmartCities architects:
- SmartCities play a role in cyberwar by increasing decision-making ability based on data. There are many overlaps where defence interests and political interests are concerned. They are all about “preserving peace”. A smart city doesn’t create peace. More accurately, it preserves the current state by empowering whoever controls the data. Many features can be implemented in the name of security. To understand how smart-cities empower the defence sector please read:
  - NATO Cyber Security Framework
  - Cyber War in Perspective: Analysis from the Crisis in Ukraine (BlackHat 2016)
  - Russia’s new generation warfare in Ukraine: Implications for Latvian defence policy
  - Cross-Domain Coercion: The Current Russian Art of Military Strategy
  - Denial-of-Service: The Estonian Cyberwar and Its Implications for U.S. National Security
- Most who have finished rolling out smart-city security will tell you the system is 100% secure. But no one can even remotely protect against another nation state. Poisoning data sets is far easier, and you don’t need a lot of security holes to inject information or game the system. So even if you think you’re safe, your smart-city’s core value, the data (the reason we bought the damn thing), is still open to compromise. Many of our future decisions will be made for us by machines to improve our efficiency. We rely on data to automate our lives, so if we want to trust that data to build models upon, it is essential to at least assess the soundness of our underlying assumption: that the data we trust is also safe from tampering (see also my comments on why you want a smart city to have a blockchain). But here are the attacks:
  - Attacking Machine Learning classifiers with adversarial examples
  - Deep Learning Adversarial Examples – Clarifying Misconceptions
I’ve been following the Santander Smart city project closely in the ETSI workgroups. There is a lot of awesome potential for better services and an improvement in the environment. Smart cities aren’t a technical challenge but a political one. They can be rolled out fast in smaller nations with less bureaucratic complexity. Especially centralised regimes with lean decision making can adopt these solutions very quickly.
Smart cities are not just a way to increase convenience for commuters and provide better parking systems. They are also a way to Engineer Consent. See the 1947 paper by Edward L. Bernays, who coined this term, and the later BBC (3-part) documentary showing our history in this subject since WWII.
But it’s not the IoT aspirations of Luxembourg, Monaco, San Francisco or Santander that worry me. Smart cities are most successful when already run by a smart, efficient public sector. Smart cities implemented over complex, self-serving bureaucratic processes can become an electronic manifestation of stupidity written in code. And we all know how long code stays in the field once it’s shipped?
/*
 * function disclaimer()
 * When I wrote this, only God and I understood what I was doing.
 * Now, God only knows
 */
In this context “code becoming law” takes on a new and scary meaning. What happens once the human political decision-making process becomes dependent on a smart-city’s data generation? Smart cities become a vehicle of power through their data by allowing the state to better observe citizens’ behaviour and more importantly (in their eyes) protect itself against dissent. So especially those currently living under oppressive regimes have a lot to lose. Not to forget the risks if power suddenly tilts within a moderate country in favour of a right-wing party, as seen in recent EU or US local elections. Do we want our rulers (the better and the worse ones) to wield this kind of power over individuals’ lives?
Many regimes across the globe currently race to showcase their continent’s 1st smart-city, and in the process, “Become the regional flagship, then resell the model throughout the rest of the region”. Sounds like the business model fit for a prince?
How does it affect our responsibility as engineers to society and peace in an age where the biggest investors in Cyber(security) are nation states?
In conclusion,
One doesn’t have to wear a tinfoil hat to understand that these solutions will swing both ways. And some are going to get hurt. To all those who think smart-cities will liberate humanity from repressive regimes, please think again. They’re likely to become high-priced targets in cyber warfare. Has anyone thought about dealing with that, or is this left to the experts from NATO CCD COE or national intelligence communities? If we can’t protect these cities ourselves, who will we contract their defence out to? 3-letter agencies and their external private security firms would be happy to help in exchange for more intrusive ways to track every move.