Computing Applications Security

Security Done Right Can Make Smart Cities Wise

Seeking security improvements for smart cities.
  1. Introduction
  2. Why Smart Cities?
  3. More Technology Means More Security Risk
  4. Security Should Be Baked into Smart City Governance
  5. References
  6. Author
  7. Footnotes
key shape within a city grid, illustration

In 1995, as the Internet became commercialized, visionary architect Bill Mitchell published City of Bits,1 an exploration of how digital technology could profoundly change the structure and function of cities while cyberspace evolves to complement physical spaces. Information and communication technology (ICT) has embodied his title in even more ways than he might have guessed, and it promises to continue to do so. The 21st-century evolution of so-called smart cities partly realizes Mitchell's vision. Across smart cities worldwide, data is the common denominator, thanks to the various ICT applications that collect and share data, often through devices associated with the Internet of Things (IoT). The centrality of data drives many of the security concerns, as well as privacy concerns, for smart cities. Indeed, when the President's Council of Advisors on Science and Technology looked in 2016 at the range of technologies that can enhance cities, they moved from discounting smart-city hype to concluding that urban technology progress hinges on data—data collection, data analysis, and data integration.3 Notwithstanding enormous innovation and proliferating pilot projects around the world, smart cities remain in a phase of experimentation and development. Among the lessons being learned is how important security is to smart cities—to achieving the benefits of different applications and to avoiding the kinds of problems observed increasingly when the confidentiality, integrity, and/or availability of data systems for infrastructure and services are compromised. It is time to ensure that security for smart cities is addressed early and often, including by engaging city residents in the process.

Back to Top

Why Smart Cities?

Smart cities promise genuine benefits to city governments and residents in terms of sustainability (through improved energy and water management), efficiency (through improved resource utilization and service delivery), public health (through air and water quality monitoring and public health hot-spotting), and equity (through improved distribution of urban activity and access to services).5 The quest for such benefits led many of the first smart-city efforts to address challenges involving congestion and mobility. For example, multimodal transportation coordination is growing, often with a goal of diminishing the use of personal vehicles. Mobility as a service (MaaS) facilitates access to and integration of information on public transportation, micromobility (for example, bike- and scooter-sharing services), and other options. Both private and public actors are advancing MaaS. Many city governments seek to leverage if not directly offer MaaS services, and rideshare and transportation network companies are moving to offer information about how their service can connect to public transportation. These data-fueled mobility enhancements and the coordination benefits from evolving MaaS present the benign face of smart cities.

The realization of smart cities is more complex than just delivery of benefits. New concerns arise from the collection of the data undergirding those benefits. Some of those concerns reflect who is collecting the data—much of the innovation for smart cities involves companies that produce or package sensors and services that depend on the data collected. Transportation network companies tussled early with city governments about access to the data they collect, data that affects use of public infrastructure and affects demand for other mobility services. Companies supplying smart cities technology and services leverage data for competitive advantage, collecting and analyzing it in ways that are opaque to customers and governments. The March 2020 cancellation of the Side-walkLabs Toronto Quayside project appears to be a cautionary tale, associated with the publicized concerns of residents about anticipated data collection and use in that particular urban area. Who accesses and controls what data and what algorithms are themes being raised in challenging all kinds of ICT, as illustrated by controversy surrounding social media and big tech, but smart cities literally bring those concerns home. Although many contemporary concerns about widespread collection and use of data are associated with privacy, protection and stewardship of data begin with security.

Back to Top

More Technology Means More Security Risk

When it comes to security, smart cities connect concerns associated with specific data-collecting devices (for example, sensors of different kinds in different locations), local data storage, intermediate processing systems (expected to proliferate with the spread of 5G systems and architectures that will aggregate data), wireless communication among components, and the cloud systems that integrate data and host services. Smart cities, in short, are complex and multifaceted systems of systems. Layered communication systems, beginning with low-power wide-area networks or campus and community networks and extending to the cloud distribute the processing load for a growing volume of data generated by these systems. Each layer, of course, presents its own cyber vulnerabilities, a situation compounded with differing ownership and operation of different layers.

Concerns begin with IoT devices in homes—increasingly likely to capture images and voices even if their purposes relate to functions like temperature control—and extend to devices throughout the urban environment. In neighborhoods, technology can facilitate functions like traffic management—or if tampered with, totally confound it. The growth in ransomware attacks on city systems indicates malicious actors are tracking the growing use of ICT and data collection associated with city operations. At least as important, they are capitalizing on lagging attention to security in the acquisition and use of ICT in delivering the services on which lives depend. Security that is not sought explicitly might not be offered or supported in the configurations provided upon installation.

Surveillance has emerged as a kind of dual-use application in the context of smart cities.2 Cameras are everywhere, whether or not they are visible, which increasingly is not the case. Governmental use of cameras in urban environments is not new—the U.K. is well known for its introduction of CCTV systems in the middle of the last century. What arouses contemporary concern is the combination of proliferating camera systems deployed by both public and private actors that use increasingly sophisticated software to recognize individuals from faces, gait, and other features, systems that can work even with the kinds of masks used during the COVID-19 pandemic and that might be able to detect the affect of the person observed. Cameras generate security concerns in a smart city that extend beyond their implications for privacy. Increasingly, they are combined with other kinds of sensors dotting more and more urban surfaces—manhole covers, trash and recycling bins, streetlights, signposts, pavement, and so on. Cameras are combined with audio systems in large-event venues (for example, sports arenas) or certain urban areas where gunshots are unfortunately not uncommon. China appears to be the leader in facial recognition technology, blending a national focus on developing artificial intelligence (AI) capability with broad urban use of cameras, national citizen identifier numbers, and government commitment at all levels to smart-city development in China, and it also is active in selling such technologies to city governments in other countries.4

Surveillance has emerged as a kind of dual-use application in the context of smart cities.

Less visible and obvious are the systems that connect physical activities of different kinds to payment and other financial systems. Transportation network companies built payment into their offerings from the outset, a feature that added to the appeal of ridehailing. MaaS more broadly features connections to payment, with examples involving links to parking (for example, SpotHero) or prepaid transit (for example, Whim) without the need for a farecard. Credit-card and other financial service providers have begun to partner with such city-focused programs. Although financial systems have high reliability and security requirements, their involvement implies that more data about individuals are collected and used than a transportation system, say, might otherwise need. Financial enterprises might be particularly attentive to cybersecurity, but where they provide third-party services to city governments questions arise about the disposition of data collected about people using public infrastructure and services.

The different trajectories of smart cities around the world make clear that local choices reflect local culture as well as capacity—what works in one place will not necessarily work in another. The extent of integration and use of surveillance seems most obvious in China. As in other countries, Chinese smart-city projects are specific to the physical city in which they unfold. They not only combine cameras and other kinds of sensors, they are advanced in a policy context that promotes smart cities broadly, connects "smartness" with safety ("safe cities"), and integrates information about physical movement and other activity with social media and payment/finance systems. That integration yields a kind of governance labeled a social credit system, designed to facilitate or restrict activity depending on a person's past activity and to promote trust among people as they interact and transact. The spotlight on safety implied with "safe cities" projects does not, however, guarantee security of the associated systems.

Back to Top

Security Should Be Baked into Smart City Governance

Globally, smart cities arise from the bottom up, with technologies deployed by retail outlets, transportation network companies, and residence owners, among others, and from the top down, with city governments procuring systems focused on single or multiple functions. These trends motivate many questions, beginning with who has access to what information associated with a given system, and how porous are both public and private systems? City governments and nonprofits (for example, FIWARE Foundation) have promoted open data for city applications, but many of the new services see competitive advantage in the data they collect and use, and various vendor-provided systems are closed. With urban systems evolving from both the bottom up and top down, cybersecurity may well fall through the cracks or at least be protected unevenly. Now that there have been a few years of smart-cities pilot projects, combined with the steady progress in numerous component technologies, it is time to take stock and think through the large range of governance issues. Prominent among those is security.

More systematic dialogue about how technologies are designed, deployed, and used in cities is needed, perhaps catalyzed by a public awareness campaign. The last several years have seen powerful illustrations of citizens as sensors—people capturing phenomena on their cellphones and sharing, people agreeing to use those phones for pandemic contact tracing. Yet sousveillance cannot substitute for intentional and coordinated steps to promote security (and privacy) by design. Such steps can then enable clarity when urban officials and their vendors communicate with the public about the risks as well as the benefits of the systems within which we increasingly live, work, and play.

As Bill Mitchell observed, the spatial aspects of cities are "elaborate structures for organizing and controlling access." The invisible cyberspace counterparts the Mitchell observed and anticipated might, absent explicit planning and attention to the security aspects, organize and control access and activities to a far greater degree than has been the case with physical infrastructure. If our cities are to become truly smart, then not only must technology developers and implementers explain how the AI behind some of the data processing works, they must also explain and assure the security aspects of complex urban ICT and associated data collection. Cybersecurity must be part of the new city planning process if we are to make the most of the potential of smart cities.

    1. Mitchell, W.J. City of Bits: Space, Place, and the Infobahn, MIT Press, Cambridge, MA, 1995.

    2. Muggah, R. and Walton, G. 'Smart' cities are surveilled cities. Foreign Policy. (Apr. 17, 2021).

    3. President's Council of Advisors on Science and Technology. Technology and the Future of Cities. Executive Office of the President, Washington, D.C., 2016.

    4. Sutherland, M.D. China's Corporate Social Credit System. IF11342, Congressional Research Service, U.S. Congress, Washington, D.C., 2020.

    5. Winter, S.J. Who benefits? Considering the case of smart cities. Commun. ACM 62, 7 (July 2019).

    The views expressed in this column are the author's own.

Join the Discussion (0)

Become a Member or Sign In to Post a Comment

The Latest from CACM

Shape the Future of Computing

ACM encourages its members to take a direct hand in shaping the future of the association. There are more ways than ever to get involved.

Get Involved

Communications of the ACM (CACM) is now a fully Open Access publication.

By opening CACM to the world, we hope to increase engagement among the broader computer science community and encourage non-members to discover the rich resources ACM has to offer.

Learn More