Three questions to ask your local leaders

Mary Writes is VP of Product Management at ForgeRock, a global leader in digital identity.

Before our eyes, new technologies are changing the way cities work and improving the lives of their citizens. Particularly in urban areas, smart city technologies promise more effective planning and optimization of municipal services such as traffic management, waste collection, public safety services and road maintenance.

At its core, the concept of smart cities takes traditional municipal devices, infrastructure and layers in a combination of sensors and internet connectivity. This transforms trusted structures into connected structures that communicate with each other and collect data to make services faster and more efficient. The demand for and market for smart city technology is skyrocketing as the federal government prioritizes infrastructure development.

As more and more cities embrace connected technologies, a key challenge on the horizon is the lack of clear guidelines for implementing security and privacy. As someone who examines the intersection of cybersecurity and identity every day, there are three key areas that business leaders, government leaders and citizens alike should consider to effectively protect the livelihoods of citizens of existing and future smart cities.

What happens if a smart city device or management system is hacked?

The existential security stomach acid with a smart city system is an age-old challenge for any type of digital transformation. While internet connectivity unlocks great ways to improve our lives, it also creates or increases the attack surface. For example, it is quite difficult to hack into an insulin pump that is not connected to the internet. But once that pump is plugged in and considered “smart,” it becomes accessible to malicious parties. Likewise, smart cities are putting online many devices that have never been online before, creating new targets for attackers to exploit.

To add an extra layer of complexity, smart devices also face physical threats (such as a water meter exposed to the elements) and are more difficult to update than standard laptops or phones, so installing security updates takes longer and requires more resources. From a drastic weather event to an attack on a nation-state, the opportunities for trouble multiply with smart city technology.

But that shouldn’t be a cause for concern. Like all security protocols, good preparation ensures better protection. Regular risk analysis and targeted contingency planning should be incorporated into planning efforts and are already the norm for large enterprises. There is no reason why this cannot be implemented by local governments as well.

What happens when a malicious actor poses as a city device?

When a human logs into his bank account, a lot of work is done to ensure that the human is exactly who he says he is. This is often done by means of a password or some sort of biometric measure, such as a fingerprint. When connected devices need to securely identify themselves, trusting that the connection isn’t a fraudulent impersonation is more challenging because you can’t ask a device to enter its password or scan its face.

It is technically possible to bake at a very high level of confidence in a smart device, but it must be established at the time of manufacture. With the right root of trust represented as an identity token, we can make that trust much better. The challenge is that this process is quite expensive and there is not yet a standard for enforcement in smart cities. What would be the worst case scenario? A malicious actor can impersonate a plethora of insecure smart city devices to send a bunch of bad data that triggers automated responses (think bad traffic management).

Fortunately, this is already being addressed at a national level. The National Institute of Standards and Technology (NIST) is developing a Smart Cities and Communities Framework suite to provide best practices and guidance. While this is still a work in progress, it is a solid first step that will only improve as more funding and resources are allocated.

How much of our citizen data is on smart city devices and what are your rights?

One of the most pressing elements of smart city implementation is the consideration of citizen privacy and data ownership. While most smart city devices have sensors that do not collect personally identifiable information about citizens, they do have data that can be linked to users (for example, smart meters or video surveillance). Since the implementation of smart cities is largely related to data collection, citizens have a right to know how their data is being used.

Anecdotally, many citizens seem willing to give up some privacy if it is returned through better service or increased security. But it’s unclear what exactly is collected from citizens living in smart cities, and unless you stay indoors all the time, it’s hard to opt out or ask to be forgotten by a basic utility you use every day.

The solution will likely need to fall into clear policies and regulations to provide trust and transparency about what is collected, how it is used, and what levels of “opt-out” are possible and available. The first step in this direction is transparency about what is collected attributable to individuals, and that starts with voters and policymakers making it a priority.

Smart cities are promising. But with any new innovative technology, security and privacy should not be forgotten. The implications of trust, security and privacy must be prioritized as much as convenience. And while there may be hitches along the way, the intersection of convenience and security is possible when citizens, governments and business leaders ask the right questions and answer them with action.


Forbes Technology Council is an invite-only community for world-class CIOs, CTOs, and technology executives. Am I eligible?


Leave a Reply

Your email address will not be published.