The security and safety challenges of smart-cities are an area of hot discussion, and because “smart-city” is an umbrella term, every vendor has their opinion on it.
Most technical research on smart-cities isn’t addressing cyber security and privacy concerns in its designs. The consensus is that it’s really the vendor who should be held accountable. The security researchers among you who practice Responsible Disclosure might know how frustrating this can be. There are plenty who get bullied and blocked by vendors for reporting problems. Lack of security isn’t just an issue of designers and standardization not addressing it; it carries over from the technical side to business units tasked with creating silly excuses and loopholes in the Terms to remove all possible liability (or ‘Skin in the Game’).
Here is a quite common example of how vendors address their obligation to protect users:
Most engineering professionals are too absorbed with technical implementation. Our thinking revolves so much around answering the question “Can we build it?” that we sometimes forget to ask ourselves:
What are potential negative effects to security, privacy, democracy, freedom, liberty? What are the security holes in this architecture?
Comments that touch on the subject of “ethical considerations” are treated as a distraction when brought up for debate in technical standardization groups. It isn’t easy addressing such fundamental questions especially when they can’t be solved by engineering.
The biggest mistake we make is believing ethical questions will be answered by somebody better qualified for the job. Maybe somebody from philosophy, theology? And if not that, then the industry, … or as a last resort surely the courts will address it? And what do courts have to gain in a smart-city? A smart-city architecture allows “better” information-sharing, strong identity management, better blanket surveillance as well as targeted surveillance, and it benefits law enforcement with better access to location tracking. Everything you need for a more powerful presence in people’s lives: Constantly. In. Your. Face.
The point is: What court would rule that a smart-city should be rolled back or that its surveillance capabilities should be restricted? Do we realise that at this point our code (with all its bugs) becomes law? Think about that for a moment.
It isn’t surprising that most technical research on smart-cities only highlights benefits, considering a lot of it was government funded (at least in the EU, programs like H2020 or FP7 contribute a large share of smart-cities research). Very few documents are submitted on smart-city security. And do any of these papers (including the ones dedicated to the subject of smart-city security) provide mitigation techniques that achieve at least the same safety as a non-smart city? No, of course not. Adding network functionality to a previously isolated system is always going to make you less secure, no matter how many dollars you pump into making people believe it will be safer. Of course the security industry will tell us that they can secure our Wi-Fi lightbulbs. Vendors rarely ask security questions when it comes to early-stage design of a product. Our attitude really should be to ask ourselves if such connected gadgets weren’t an utterly dumb idea in the first place.
The security sector’s profitability depends on a certain fear factor being present within the population. You can’t justify security spending when nobody perceives a threat. Smart cities are a great way to maintain and measure this fear factor very accurately, as showcased below.
The idea that a sleepy city council could provide better security by making their cities smart is a sham. Security always works by reducing the attack surface. Sure, we’ll manage to curb crime in some notorious dark corners because of smart lighting and better monitoring of public spaces (made possible by improving data analytics and image recognition techniques when filtering CCTV footage). But the real costs to society and democracy are huge in comparison to a tiny, short-lived improvement in crime rates. Below I’ll try to explain some of my bigger worries with the current state of smart-cities and why I think that many societies aren’t ready (and probably never will be).
This morning I stumbled over a fantastic piece of work: how to mash up data in a smart-city taken from IoT sensor devices (environmental, CCTV camera footage, face recognition, location) with data from social media posts (Twitter & Co). The core focus of their research is a Sentiment Analysis platform to gauge citizen satisfaction in the name of improving local municipal services. Who wouldn’t want that?
“The software engineer in me actually wants to design such a system.”
The domain is cutting-edge and the possibilities are endless. We’re on the verge of several other breakthroughs in AI and Machine Learning. And data science is one of the best-paid and most promising disciplines in CompSci. A smart-city architecture lets engineers combine all these exciting new advancements. So yes, who wouldn’t want to work on that?
We have a long way to go if we want to build smart-cities that won’t turn on us. One of the biggest drawbacks with the current design proposals is that we have no accountability on the Internet. The way we currently handle trust is outdated and outsourced to self-serving, too-big-to-fail Certificate Authorities who themselves have no skin in the game or engage in outright corrupt practices (recent example: WoSign).
There is so much room to expand the current design proposals. We need a CA that is owned and managed by the public, and not by BigCorp Inc., which puts the interests of its shareholders above all else. Wes Kussmaul has some great ideas here which would solve a lot of the underpinning issues with trust:
A Smart-City should be designed with additional accountability harnesses to limit abuse, such as decentralized technologies like Streembit or BigchainDB. Blockchain-based auditing of public functions (e.g. bidding processes, decision-making, handover of power, …) would also ensure tamper-proof logging of events. Such decentralised systems would actually empower individuals by allowing us to better track the performance of those who rule us.
Unfortunately I have not come across any papers that address such solutions, nor will you see much funding from government for such solutions. Please ask yourself why!
All current proposals empower the state (otherwise you couldn’t sell it to them). Design proposals leave it up to the state (the customer) to decide where advantages can be passed to citizens. Accountability as a feature doesn’t make money and sounds like quite a threat. Features we already see look promising (smarter parking, telematics, automated billing, eco-friendly management, …), but nothing that protects us from the new centralization of power benefiting only those in the cockpit:
Data gathered from subscribers becomes available to expected 3rd parties such as law enforcement, the IRS, the bank or their risk-management proxies. The data will sooner or later be in the hands of individual hackers or in the hands of terrorist organisations or a foreign nation state adversary. It shouldn’t be too hard for even a single attacker to breach a municipal IT facility.
It’s horrible to imagine a scenario where the attacker is a terrorist stealing the data prior to a physical attack in that city, either to amplify the effects of the attack (take over billboards or SMS communication systems to create fear, etc.), or to enable new forms of attacks due to the nature of the freshly gained, previously unavailable info. Smart-cities can be a great vehicle in peace for stable nations, no doubt.
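A small illustration of the tamper-evident logging idea above, added here as an example (it is not Streembit’s or BigchainDB’s code): a hash-chained audit log over constructed bidding events. It assumes the latest head hash is published somewhere the log operator cannot rewrite, which is the role a decentralised ledger would play; all function names and sample events are hypothetical.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # constructed start value for the chain
# Constructed sample events for a public bidding process (hypothetical data).
SAMPLE_EVENTS = [
    {"type": "tender_opened", "tender": "T-001"},
    {"type": "bid_received", "tender": "T-001", "bidder": "A", "amount_eur": 120000},
    {"type": "contract_awarded", "tender": "T-001", "bidder": "A"},
]

def entry_hash(prev_hash, event):
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))  # canonical form
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()

def append(log, event):
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"event": event, "prev": prev, "hash": entry_hash(prev, event)})
    return log[-1]["hash"]  # new head, to be published outside the operator's control

def verify(log, published_head=None):
    """-1 if intact, index of first broken entry, or len(log) on head mismatch."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["prev"] != prev or rec["hash"] != entry_hash(prev, rec["event"]):
            return i
        prev = rec["hash"]
    if published_head is not None and prev != published_head:
        return len(log)
    return -1

def rechain(log):  # models an operator with write access recomputing every hash
    prev = GENESIS
    for rec in log:
        rec["prev"], rec["hash"] = prev, entry_hash(prev, rec["event"])
        prev = rec["hash"]

def demo():
    log, head = [], GENESIS
    for ev in SAMPLE_EVENTS:
        head = append(log, ev)
    edited = copy.deepcopy(log)
    edited[1]["event"]["amount_eur"] = 90000  # silent change to a recorded bid
    result = {"intact": verify(log, head), "edited_in_place": verify(edited, head)}
    rechain(edited)
    result["rechained_no_anchor"] = verify(edited)        # looks clean on its own
    result["rechained_vs_anchor"] = verify(edited, head)  # caught by the published head
    return result
```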
From a security perspective I’m pessimistic about their real cost to our liberties. Even stable societies can’t fully isolate themselves, in times when national intelligence agencies around the globe engage in active attacks and then try to blame it on single fictional isolated individuals like Guccifer2.0. The future of security has a new benchmark and it’s called Advanced Persistent Threats (APT). Are smart city projects in Poland, and the Baltic countries prepared to have their systems sometimes taken over for display?
The hard question isn’t how to build smart-cities. It’s not a technical problem. I’m not trying to belittle the engineering effort. But we know the steps and how to make it.
The question that should really be asked during the design is what happens if a smart-city flicks the switch on democracy (or has its switch flicked by an outside adversary messing with local politics)? Are we naive enough to believe that many of these “meme-democracies” around the globe, which won’t shy away from switching off their internet in order to preserve their status quo, will not use the data of their local smart city to squash dissent? … the coup d’état in Turkey, the “orange revolution” in Ukraine, aggression across the Arab world and dividing the enemy based on faith once again. Recent history increasingly becomes littered with horrible examples just as the last generation who witnessed WWII dies out.
A smart city knows almost everything about you, more than your intimate partner and accountant combined. In other words we as citizens and consumers trust that a smart city closely tied to local politics and business will keep those secrets reliably and securely from third parties, when at the same time we know that these parties battle to control how, when and what type of data we consume? Surely, you must be having a laugh?
Critical topics to discuss for SmartCities architects:
- SmartCities play a role in cyberwar by increasing the decision making ability based on data. There are many overlaps where defence interests and political interests are concerned. They are all about “preserving peace”. A smart city doesn’t create peace. More accurately it preserves the current state by empowering whoever controls the data. Many features can be implemented in the name of security. To understand how smart-cities empower the defence sector please read:
- NATO Cyber Security Framework [pdf]
- Cyber War in Perspective: Analysis from the Crisis in Ukraine (BlackHat 2016) [pdf]
- Russia’s new generation warfare in Ukraine: Implications for Latvian defence policy [pdf]
- Cross-Domain Coercion: The Current Russian Art of Military Strategy [link]
- Denial-of-Service: The Estonian Cyberwar and Its Implications for U.S. National Security [link]
- Most who have finished rolling out smart-city security will tell you the system is 100% secure. But no one can even remotely protect against another nation state. Poisoning data sets is far easier, and you don’t need a lot of security holes to inject information or game the system. So even if you think you’re safe, your smart-city’s core value, the data (the reason we bought the damn thing), is still open to compromise. Many of our future decisions will be made for us by machines to improve our efficiency. We rely on data to automate our lives, so if we want to trust that data to build models upon, it is essential to at least assess the soundness of our underlying assumption: that the data we trust is also safe from tampering (see also my comments on why you want a smart city to have a blockchain). But here are the attacks:
I’ve been following the Santander Smart city project closely in the ETSI workgroups. There is a lot of awesome potential for better services and an improvement in the environment. Smart cities aren’t a technical challenge but a political one. They can be rolled out fast in smaller nations with less bureaucratic complexity. Especially centralised regimes with lean decision making can adopt these solutions very quickly.
Smart cities are not just a way to increase convenience for commuters and build better parking systems. They are also a way to Engineer Consent. See the 1947 paper by Edward L. Bernays, who coined this term, and the later 3-part BBC documentary showing our history in this subject since WWII.
But it’s not the IoT aspirations of Luxembourg, Monaco, San Francisco, Santander that worry me. Smart cities are most successful when already run by a smart, efficient public sector. Smart cities implemented over complex, self-serving bureaucratic processes can become an electronic manifestation of stupidity written in code. And we all know how long code stays in the field once it’s shipped?

    /*
     * function disclaimer()
     * When I wrote this, only God and I understood what I was doing.
     * Now, God only knows
     */

In this context “code becoming law” takes on a new scary meaning. What happens once the human political decision-making process has become dependent on a smart-city’s data generation? Smart cities become a vehicle of power through their data by allowing the state to better observe citizens’ behaviour and, more importantly in their eyes, protect itself against dissent. So especially those currently living under oppressive regimes have a lot to lose. Not to forget the risks if power suddenly tilts within a moderate country in favour of a right-wing party, as seen in recent EU or US local elections. Do we want our rulers (the better and the worse ones) to wield this kind of power over individuals’ lives?
Many regimes across the globe currently race to showcase their continent’s first smart-city, and in the process, “Become the regional flagship, then resell the model throughout the rest of the region”. Sounds like a business model fit for a prince? Well, it is.
How does it affect our responsibility as engineers to society and peace in an age where the biggest investors in Cyber(security) are nation states?
Sounds like doublethink to me!
One doesn’t have to wear a tinfoil hat to understand that these solutions will swing both ways. And some are going to get hurt. To all those who think smart-cities will liberate humanity from repressive regimes, please think again. They’re likely to become high-priced targets in cyber warfare and APTs. Has anyone thought about dealing with that, or is this left to the experts from NATO CCD COE or national intelligence communities? If we can’t protect these cities ourselves, who will we contract their defence out to? 3-letter agencies and their external private security firms would be happy to help in exchange for more intrusive ways to track every move.
Thanks for bearing with me during this long post. If you’re serious about solutions that empower individuals and interested in how we plan to shape smart city architecture using a P2P driven decentralised design and blockchain transaction proof of consensus to deliver tamper-proof transparency to citizens you should check out Streembit. We’d love to talk to you about your smart cities initiative and help you define a vendor neutral strategy as well as monetization strategies. All our proposals are built to empower individuals and based on well tested open source components which can be audited against backdoors. We believe that there are better (fairer) ways to monetize than centralized data harvesting, which regardless of all good intention in the end always leads to a security disaster.
Pretty good reading:
- ENISA Architecture model of the transport sector in Smart Cities [link]
- US Department of Homeland Security: Future of Smart Cities: Cyber-Physical Infrastructure Risk [link]
- Cyber security challenges in Smart Cities: Safety, security and privacy [link]
- Cesar Cerrudo 2015 BlackHat slides on Hacking Smart-Cities [link] (youtube [video])
Valbonne Consulting provides Research & Consulting for emerging technologies in Internet/Web of Things (WoT/IoT/M2M) and Emerging-Tech. We specialise in decentralisation, security and privacy. We work across a variety of traditional industry verticals (Telecommunications, Automotive, Energy, ...). We support Open Source and technologies built on open standards.