Cybersecurity and Privacy Awareness
Cities tend to promote awareness of the importance of data privacy and to get prepared for the impact of cyberattacks, since data will be an important city commodity.
As services are becoming highly integrated and interconnected, vulnerabilities created by data exchanges are more common, and data security is therefore vitally important. Threats to privacy and cyberattacks have been on the increase for a long time, but the past few years have seen an explosion in cyberattacks on data and physical assets.1 In 2018, the total cost of losses from cyberattacks for the cities in a survey averaged EUR 2.8 million.2 A ransomware attack on the city of Atlanta in 2018 cost the taxpayer an estimated EUR 14.5 million.3
This integration and interconnection introduce the concept of ‘smart’ (or, at least, smarter) cities. Smart cities offer the prospect of societal benefit and greater personal comfort and convenience, thanks to ubiquitous connectivity. But this connectivity needs to be implemented securely, if smart cities are to have a future.
Cybersecurity is now a key consideration for developers and planners of smart cities, and attention is turning to the risks inherent in such a highly interconnected environment. However, while the cybersecurity industry has developed a mature understanding of how to measure and mitigate the impact of cyberattacks on infrastructure in ‘non-smart’ cities, there is limited knowledge of the potential impact of attacks on smart cities.
An attack on smart city infrastructure may create effects that cascade – or ‘ripple’ – outwards and impact other parts of the city or country, or beyond. These cascading effects can be non-linear and grow far larger than the initial direct damage, revealing hidden interdependencies and disrupting systems that were believed to be segregated from the impact point. Resilience is the essential concept that must be considered when creating these complex and highly interconnected environments. It is essential to use resilience as a cornerstone of city-building, and to do so in a way that can be scaled up and remain flexible for future upgrades and enhancements.
While investing in cybersecurity may be a strain on city budgets, the costs of not investing can be even larger as losses could run into billions of euros. City leaders have acknowledged that the consequences of a cyber incident could extend beyond data loss, and include a financial impact, reputational damage, reduced social trust, and disrupted crucial city services and infrastructure.
As the complexity of technologies, operational interdependencies, and systems management increases, so does the interest of hackers in profiting from this environment. Developing smart city initiatives without considering cybersecurity and privacy can result in a highly vulnerable environment that poses security risks to critical infrastructure and data, and in some cases may even create safety risks for citizens. For instance, there are strong doubts in some countries about autonomous vehicles (43 per cent of people in the US do not feel safe in a driverless car),4 so the development of a smart product has resulted in a need to invest in cybersecurity and data privacy. Planners must ensure that cybersecurity is considered not just in this example of autonomous vehicles, but also in all the other critical and safety-focused aspects of smart city infrastructure.
The integration of multiple critical services – transport, communications, finance, energy production/distribution, and others – is likely to produce an environment that requires its own infrastructure protection plan. This integration, and its resulting complexity, may also result in an environment that is ‘more than the sum of its parts’, and require new conceptual approaches and models for security.
Advance planning is essential. By one estimate, 95 per cent of Cities 4.0 (a label used by ESI ThoughtLab for hyper-connected cities that use technology, data, and citizen engagement in pursuit of the SDGs) ensure that cybersecurity is considered early in the process, compared with only 51 per cent of other cities.5
However, many cities are not ready for the challenges. Besides lagging far behind in the digital revolution, with outdated technologies running critical infrastructure, they lack the human resource expertise to be capable of addressing the challenges.6 Creating ecosystems of innovation – as Tel Aviv has done – could be one approach to improving security. Another approach is to invest in models of public/private cooperation and coordination, in the knowledge that the orchestration of security (as opposed to securing individual components) is the key to sustainable security. Efforts must be backed by city executives and not left to external entities or departments alone. Privacy and security are critical topics not to be neglected.
“It has been an interesting evolution over the last decade or two in terms of cybersecurity protections. Initially cities very much felt that they needed to create a fortress; then they started to realise that using the cloud was going to be more secure because many cloud service providers have 24/7 security experts with greater capacity to monitor, detect and prevent attacks.”
Why are privacy awareness, cybersecurity and related safety systems relevant in a city?
Technical innovation across smart city applications is developing rapidly. So privacy awareness, data protection and digital infrastructure resilience are crucial for the efficient functioning of a city’s operations and the safety of residents.
A lack of cyber/privacy awareness can increase both distrust and also vulnerability to cyberattacks: It has been observed that in many cities, only top-level managers and officials have a high level of cybersecurity awareness. A lack of awareness among the majority of people creates a substantial risk of cyberattacks and an inability to deal with them. The interdependent nature of smart cities requires stronger public awareness of the security frameworks in a smart/intelligent infrastructure. In a 2019 study, Forrester stated: “Expect the development of more (AI-powered) deepfake–based attacks fabricating convincing audio and video at a fraction of the cost. To mitigate risk, IT departments need to further invest in training and awareness programs.”7
Lack of stand-alone cybersecurity departments/units in a connected city can act as a barrier to achieving higher levels of cyber-resilience and privacy awareness: Many cities are launching smart city and mobility initiatives, which involve high volume data management and exchange, but the IT departments of local governments usually have the primary responsibility for making those digital operations secure. This could restrict the effectiveness of cyber risk management within the city, particularly when there are insufficient skills and experience within the IT department. Rising interconnectivity will create the need for a better risk-response system to secure digital confidentiality and rapid issue management, both of which are crucial elements in a smart city ecosystem.
Disruption to services could be very damaging and even life-threatening: As cities turn into truly smart cities, where data is a strategic asset, cybersecurity integration maturity and social trust related to data exchanges must become transformational, involving continuous improvement and enhancement of cybersecurity frameworks and solutions to protect the city’s systems and citizens’ data and even lives (a cybersecurity failure in a health system can directly threaten life, and an attack on autonomous driving operations is another example of how people’s lives could be affected).8
How to ensure a successful implementation?
A trusted secure ecosystem is built on a set of founding principles, which include a Zero Trust model, transparency and privacy, regulations and compliance, micro segmentation, risk-based identity and resiliency. In approaching cybersecurity, cities must have in mind three major goals:
- 1. Govern like a nation: Smart cities combine advanced infrastructure with dense, high-speed connectivity. They offer new economic opportunities and new possibilities for urban life. The potential risks of disruption are also significant, and mitigating these risks requires a professional, methodical and long-term approach to security – in other words, the sort of approach a government would take to protect critical infrastructure, with regular development and enhancement of cybersecurity policies, guidelines and tools.
- 2. Smart cities as a defensive ecosystem: Disruption to smart cities is a matter of high concern for professionals tasked with securing these environments. But ‘smartness’ is a two-way street, posing risks but also containing defensive and self-healing properties. Dense connectivity can allow malicious actors to move swiftly, but defensive countermeasures can move just as fast, and can draw on the insight and visibility provided by myriads of individuals and devices. A smart city is a living organism, and should be constructed to encourage security orchestration and empowerment among its organic and digital residents.
- 3. Reboot with resilience: Smart cities must be designed with cyber resilience in mind. Resilience is a well-understood concept in critical infrastructure protection, but it has a price. Resilient infrastructure and technology tend to contain redundant or reversionary capabilities (i.e. back-ups), and these rarely come for free. The temptation is strong to remove these up-front costs, except for those who have previously witnessed disruption to highly connected environments, and the resulting economic, social and political costs. To them, resilience seems like a bargain. Rebooting with resilience is much easier than the alternative.
To reach those goals, several issues should be kept in mind:
Syncing city with cyber strategy, and allowing for flexibility: Cities should define a detailed cybersecurity strategy that is in line with their broader smart city strategy and that can mitigate the risks arising from the ongoing convergence, interoperability and interconnectedness of city systems and processes. Cities should consider carrying out regular and extensive impact assessments of their data, systems and cyber assets to identify, assess, and mitigate the risks in technology processes, policies and solutions. Cities should leave space for adjustments and improvements, as new solutions, approaches and connections may emerge that impact the strategy in place and require changes. Cities must follow ‘cybersecurity by design’ principles.
Having a clear cyber and data governance in place, with accountability: Cities need to formalise a governance approach to data, assets, infrastructure and other technology components. A comprehensive governance model should spell out responsibilities and roles for each critical component in the smart city ecosystem. Data management—including robust data sharing and privacy policies, data analytics skills, and monetisation models that facilitate the sourcing and usage of ‘city data’—is a critical aspect of governance.
Leveraging the ecosystem and building strategic partnerships to grow cyber capabilities: The cyber skills gap is not going away any time soon, so cities need to be innovative and proactive in plugging the cyber skills gaps in their administration and teams. This approach may require the city administration to explore non-traditional methods of tapping into cyber talent such as crowdsourcing, prizes, and competitions to solve cyber-related issues. A smart city requires new skills and competencies across its various ecosystem layers. Cities can also augment existing capabilities through strategic partnerships and outsourcing contracts with service providers.
Align regulation policies: Policies, legislation, and technology must be aligned continuously to maintain the right balance between protection, privacy, transparency and utility. Governance, policies and processes must mature along with the city’s overall cyber strategy.
Adopt a specific tool to manage the cybersecurity landscape of a smart city: The world’s increasingly connected ecosystems, such as smart cities and smart transport systems, call for new tools to manage their massive cyber risk operations. The broad range of compliance rules for a city determines the need to automate the collection process as well as compliance with this highly complex framework of regulations. This can only be achieved with a specifically developed asset, able to provide daily support to the smart city’s Chief Information Security Officer (CISO) team. This secure asset should be a platform that orchestrates an end-to-end cyber risk management programme across the broad smart ecosystem lifecycle of government sectors, vendors and third parties, regulators, security organisations and, of course, citizens. It should be able to: contextualise (consolidate disparate smart systems into a holistic view of the entire ecosystem’s security); evaluate (determine compliance gaps to be mitigated based on regulatory requirements and frameworks); monitor and respond (track and respond to cyber activity and threats to the ecosystem); and sustain (maintain the security of the ecosystem for holistic and ongoing resilience). Each smart city ecosystem is different, so this asset should be tailored to the specific connected environment, such as a smart city, by complementing and enhancing the city’s current security with a tailored and scalable approach.
Invest in awareness campaigns on privacy: The critical beneficiaries of a cyber secure city are its residents. It is important to have informed and aware citizens, in order to generate trust in the initiatives in place, and promote better behaviours in terms of data sharing and managing data risks.
“We have introduced a bug bounty programme where we ask people: you, white hackers, people who are experts in this, help us look for mistakes, help us look for errors on our websites and we can work together to have more secure government websites and a more secure cyberspace.”
Where to see this in action?
With the Olympic Games being a preferred target for cybercriminals since London 2012, Tokyo and Japan started working on cyber protection after being awarded the 2020 Games (postponed to 2021 due to the coronavirus pandemic). The aim is that preparing for the Olympic Games should give momentum to measures for improving Japan’s national cybersecurity capabilities.9
Japan’s 2015 Cybersecurity Strategy included initiatives to increase security such as public-private cybersecurity partnerships, workforce development (leveraging an ecosystem of partners, the ‘Cross-Sector Forum’), and cyber exercises. It also called on business leaders to incorporate cybersecurity in their business strategy and invest proactively in cybersecurity for innovation and growth.10 The involvement of the business sector went further through a ‘Declaration of Cyber Security Management’ in March 2018.11
Additionally, projects such as Cyber Colosseo12 were created by the National Cyber Training Centre to respond to cyberattacks that were expected to target the Tokyo Olympic/Paralympic Games. Colosseo, started in 2017, is training professionals to the standards needed for protecting the event, but in doing so it will also create a new workforce of professionals for Japan’s cybersecurity market after the Games have ended.13 In 2018, the Tokyo Metropolitan Government produced a guideline for cybersecurity countermeasures for the Olympic/Paralympic Games.14
With Japan pushing the concept of Society 5.0, cybersecurity is at centre stage in the country, and Tokyo is benefiting from this investment. The city considers the cyberspace environment and the internet to be drivers of innovation and economic growth, and it is one of the top cities in the world with strength in both aspects (access and security). As of 2019, 91 per cent of Tokyo’s residents had internet access, and the city was ranked number one for digital security in the Safe City Index 2015, 2017 and 2019, published by The Economist Intelligence Unit.15
With the increasing reliance on digital infrastructure, cyber risks are increasing, especially in relation to transaction services. For instance, in 2020 a digital payment system – which is a primary pillar of smart city infrastructure – suffered a major cyberattack, resulting in numerous illicit withdrawals at regional banks. This highlighted the vulnerabilities of e-commerce amid rising digitalisation.17
As a result, in September 2020 the Japanese government increased the focus on strengthening cyber defence strategies and announced plans to set up a government entity, the National Digital Agency, to lead digital transformation in Japan.18, 19
In 2010, faced with the prospect of an ever-increasing number of cyberattacks, the nation’s Prime Minister consulted with Israel’s National Cyber Initiative, which recommended that instead of creating a government-led cybersecurity programme, it should create a cybersecurity ecosystem that could identify and respond to the threats by itself. In response, a constantly evolving framework for this ecosystem was built, in collaboration with the government and the military, knowledge institutions and the business sector.20
With the government as a catalyst, Israel’s cybersecurity industry accounts for 31 per cent of global investments in this sector, ranking in second place after the USA in 2021.21 It is an economic growth engine, and Tel Aviv is its birthplace: companies like Snyk, SentinelOne, Cato Networks, Forter and BigID achieved unicorn status in 2020.22 Tel Aviv is also home to the Municipal Innovation Centre, which showcases demos of smart city solutions and digital innovation for city leaders and administrators in a non-biased environment, to help local governments implement secure smart systems. Tel Aviv also hosts an important annual global conference, called Muni World and Expo, as well as other international cyber events.
Tel Aviv leverages its innovation and start-up environment to strengthen its ecosystem. The involvement of and close connection to the military is a key element in this. In 2020 Tel Aviv University launched a free online cybersecurity course covering topics such as cryptography, security of identification systems, attack and defence strategies, and viruses and other malware, with participation by students from over 150 countries. In just six months, it became the number one security course in the world, out-competing 1,750 other courses.23
Following a recommendation by the Auditor General, Toronto has been working on developing its cybersecurity in response to threats and attacks. It currently uses network protection technology and cybersecurity practices to secure the integrity of infrastructure and to protect its assets.24
The city established a Cyber Security Program in 2017, which was revised and expanded in 2019. It has appointed a Chief Information Security Officer, with responsibility for establishing a cybersecurity strategy to manage cyber risk and strengthen the existing cyber defences.25 Moving forward, it plans to increase its security capabilities through a partnership with the Auditor General’s Office, provide cybersecurity training to city staff, and offer support for cybersecurity activities.26
Canada currently faces a lack of cyber talent, and the University of Toronto (U of T) has joined forces with five other Canadian universities to explore the feasibility of a cybersecurity operations centre for higher education in Canada.27 The city has also hosted other initiatives, such as the Catalyst Cyber Accelerator, to leverage the cybersecurity ecosystem and develop expertise.28 Toronto has the knowledge institutions, market conditions, and financing to position itself as a global leader in cybersecurity, both on its own and also as a part of the Ontario Global Security Hub.29
In 2019, the City of Toronto was ranked sixth in The Economist’s Safe Cities Index. High performance results in the Digital Security, Health Security, Infrastructure Security and Personal Security categories placed the city sixth out of 100 cities that were scored in this study.30
As our world has become more interconnected, the importance of privacy has grown. Initial enthusiasm for a hyperconnected smart city concept was followed by a strong backlash from citizens over privacy concerns, and a project to develop Alphabet’s Sidewalk Labs and transform Toronto’s waterfront was abandoned in 2020. Although it included a plan for a sustainable and affordable community, ‘raincoats’ for buildings, autonomous vehicles, and cutting-edge wood-frame towers to make housing more affordable, the project failed to convince the population of the benefits of sensors and monitoring, and instead raised fears and suspicions around privacy (and ‘surveillance capitalism’).31
Although the project offered benefits to the population, the inability to gain its trust and the lack of transparency are seen as reasons why it was dropped, illustrating the balance that local authorities will have to achieve going forward as they implement smart city projects. Toronto has now presented a new vision for the area, to replace the Sidewalk Labs project with a citizen-centric and community focus.
- Deloitte Insights: Making smart cities cybersecure. (2019)
- ESI ThoughtLab: Building a Hyperconnected City; A Global Research initiative. (2019)
- Forrester: Making Smart Cities Safe And Secure. (2019)
- Policy Advice: 25 Astonishing Self-Driving Car Statistics for 2021. (2021)
- ESI ThoughtLab: Smart City solutions in a riskier world. (2021)
- World Economic Forum: Cities are easy prey for cybercriminals. Here's how they can fight back. (2019)
- Forrester: Predictions 2020: This time, cyberattacks get personal. (2019)
- ESI ThoughtLab: Building a Hyperconnected City; A Global Research initiative. (2019)
- Mihoko Matsubara and Dai Mochinaga: Japan’s Cybersecurity Strategy: From the Olympics to the Indo-Pacific; Ifri Center for Asian Studies, Asie.Visions, No. 119. (2021)
- NICT News: Protecting Japanese Cyber Security Even After the Tokyo 2020 Olympic and Paralympic Games. (2020)
- Tokyo Metropolitan Government: Tokyo 2020 Counter measures towards safety and security
- The Economist Intelligence Unit: Safe Cities Index 2019. (2019)
- The National Law Review: New amendments passed to Japan’s data privacy law. (2020)
- The Asahi Shimbun: Docomo halts e-payment system to local banks after thefts. (2020)
- The Japan Times: As cyber attacks rise globally, Japan’s digital security found lacking. (2020)
- The Japan Times: Government determines framework of new digital agency. (2020)
- Forbes: 6 Reasons Israel Became A Cybersecurity Powerhouse Leading The $82 Billion Industry. (2017)
- The Times of Israel: Israeli cybersecurity firms raised record $2.9 billion in 2020 amid pandemic. (2021)
- Jewish News Syndicate: Tel Aviv University cybersecurity course ranked top in the world. (2020)
- City of Toronto: Cyber Security Program. (2019)
- Information Technology Services, University of Toronto: New initiative investigates cyber security threats facing higher education. (2019)
- Ryerson University: Rogers Cybersecure Catalyst.
- Deloitte: Harnessing the cybersecurity opportunity for growth Cybersecurity innovation & the financial services industry in Ontario. (2016)
- The Economist Intelligence Unit: Safe Cities Index 2019. (2019)
- The Guardian: Google affiliate Sidewalk Labs abruptly abandons Toronto smart city project. (2020)
You may access the links to these sources, where available, on page 148 of the Urban Future with a Purpose study.