Protecting smart cities and smart people
In the ramp-up to a smart cities utopia, many societal concerns are often left overlooked when in truth, trust and privacy need to define the future role of cybersecurity.
Originally published in Networkworld from IDG
Smart cities require protection. In a smart cities context so does the community and the individual. How do we protect these valuable and lucrative future assets? What is the role of cyber and privacy specialist in this emerging smart eco-system?
You would be forgiven for believing the smart cities express has nothing but green traffic lights on its way to its final destination. Conferences are packed with eager smart sellers convincing smart buyers their “smart service” will address all their current and future woes. Perhaps this is true. We will have cleaner air, improved waste management, and ultimately a more responsive and intuitive society. To many more, the smart revolution will deliver the longest overdue promise of all: a safer community.
An example. An IoT smart city sidewalk sensor identifies traces of a prohibited substance in the vicinity of a “known” citizen. A robotic device is dispatched to investigate the citizen, who is easily identified due to his myriad of network enabled, devices and gadgets. Job done. Sounds great, right?
Interestingly, if we break down the steps to the aforementioned robotic law enforcer, we discover the challenges facing societies, individuals and industry professionals immersed in this wave of smart technologies. It is not my intention to elaborate on the possible sensitive interfaces and liberties such technologies may abuse, but rather to highlight what we are at risk of losing. Even selling off.
Trust and privacy
That’s what’s at stake. Maintaining our society’s trust models, both implied and explicit, and the protection of our most important personal asset, our privacy. By applying trust and privacy principles to the above example, we can see how the success of these services will depend greatly upon their ability to maintain the value of trust and the right to privacy. In addition, it highlights the complexity of services and institutions such solutions incorporate. This is new territory for cyber security, requiring a collaborative and integrated approach.
Unfortunately, at most of these smart industry events the cyber security and privacy speaker is invariably tacked onto the tail end of the show. After a long lunch, often a substantial one, and just before conference wrap-up drinks. It is not the best timeslot to start discussing cyber and privacy responsibilities within a smart cities and critical infrastructure context. Nevertheless, discuss it we must.
The truth is, in the ramp up to a smart cities utopia, many societal concerns are often left overlooked. Of course, there are those “within the cyber and privacy industry” who are making the case that more attention be given to protecting our future states of existence, and interaction. Privacy experts are demanding privacy requirements be reflected in all smart technology deployments, a privacy by design approach, if you will. These voices are becoming loader, but there is still a long way to go.
Too often, these professionals are presenting to the converted. The message is not getting out to those who need to listen. In the race to an ever-smarter world, security industry leaders are concerned society, by which we mean its people, will be more vulnerable and susceptible to exploitation and external attack. This is not an inevitable conclusion, we can properly secure our future, and protect our citizens but we need to adopt a “time to act” approach immediately. We need to acknowledge we cannot speak of smart cities and critical infrastructure and leave cyber and privacy concerns off the agenda.
The success or failure of such ambition is not simply about the cost efficiencies and return on investment opportunities, but rather in ensuring the trust and privacy of people, corporations, government services, and communities are put first from design to base build.
A meeting of industry vectors
Perhaps this is where the problem stems from? Poor communication. The lack of understanding for the imperative at hand? For as long as most can remember, information security was a technology concern, handled by technologists, and discussed by security engineers and associated professionals. The security vendors presented at security conferences, the security professional attended accordingly, Cat people with cat people. You know how it goes.
Within a Smart city eco- system, we need to extend the cyber conversation beyond the traditional players. How do we make the City Planner appreciate what we understand? How do we share and apply security best practices to an engineering company providing a Building Information Modelling (BIM) service to a Hospital or Defence project? Moreover, how do we, in the first instance highlight the security concerns?
Attending and speaking at numerous cyber conferences I sometimes wonder, is this the right audience? In this digital eco-system, we should be speaking to civic and government leaders about our security concerns facing smart cities and critical infrastructure, not exclusively to other security professionals. They are well aware of the challenges and the resistance experienced.
Let us face it the landscape has changed. The job has changed. IoT and IIoT has ushered in a new game. Security and privacy concerns are now and have been for some time in the public arena, under public scrutiny, beyond the corporate firewall, beyond the IT department and its role as the security technology gatekeeper. In other words, technology within an IoT world is not the answer. It is part of the solution. A solution that encompasses, in country, and global legal and regulatory compliance frameworks.
Moreover, these concerns have become part of our societal fabric. Social media exploitation, daily data breaches, fraud and ransomware, seem almost daily occurrences. These threats need to be considered and remediated as part of our smart cities design and build specifications. New territory, dangerous territory? Perhaps. Now I understand why some believe such conversations are best left for the late afternoon timeslot. Let us not scare the Punters in this billion-device, billion-dollar IoT market bonanza with all this security stuff. Of course, not scare, but advise accordingly, yes.
The way forward
Talking the problems is fine, but in the end, we have to do something about it. To effect real smart cities design and implementation change, cyber and privacy professionals need to engage with the new decision makers of the day. Step outside the circle. This includes engaging the municipalities driving change, the architects, urban planners, and design engineers to mention just a few. The conversation needs to address the security issues as they relate to their environments and their communities. Smart cities are information hubs, exchange portals and so much more. A new approach is required to ensure that cyber issues are addressed as they apply to a living environment. A fertile, changing eco-system, which learns from itself, its network of connections, and builds upon its own success. Security has come a long way from protecting the perimeter. Unfortunately, many still think in these terms. Addressing security as an after though or arbitrary plugin. The continuation of such beliefs will not doubt come at a cost.
The good news? Working with numerous cyber and privacy professionals, I notice how things have changed within smart technology deployments. The challenges are often approached more on a personal level. Protecting what matters, what if lost cannot be replaced. We can always rebuild a server, but we cannot easily rebuild a compromised identity. These observations leave me positive about our smart futures and reaffirms my belief we are on the right track.
Author:
Alan Mihalic is a cybersecurity and risk advisory professional. Alan is the founder and president of the IoT Security Institute, a not-for-profit academic and industry body dedicated to providing frameworks and supporting educational services to assist in managing security within an Internet of Things ecosystem.