Cities are easy prey for cybercriminals. Here’s how they can fight back

internet cyber

(NASA, Unsplash)

This article is brought to you thanks to the collaboration of The European Sting with the World Economic Forum.

Author: Robert Muggah, Principal, SecDev Group & Marc Goodman, Founder, Future Crimes Institute


Make no mistake: the world is in the early stages of a techno-war against city governments and urban infrastructure. And while some cities have bolstered their capabilities to patch their vulnerabilities, they are entirely unprepared for the scale of cyberthreats that are coming.

 

Digital strikes are already coming hard and fast. In 2018, a massive ransomware attack launched by Iranian hackers shuttered Atlanta’s city hall for five days. This, the largest cyber breach recorded by a US city, disrupted police services, the processing of court cases, payment of parking tickets, business licenses and water bills, and even the nation’s busiest airport. In Baltimore, ransomware attacks in 2018 and 2019 shut down most of the city’s servers and paralyzed its 911 emergency call centre. And it’s not just big US cities on the front-line. Hundreds of smaller ones have paid hundreds of thousands of dollars in bitcoin ransoms to regain access to their own systems, including 22 towns in Texas last month.

The scope of the cyber threat to cities is becoming clearer. According to industry experts, more than 70 percent all reported ransomware attacks in the U.S. target state and local governments. At least 180 public safety call centers were also targeted in the last two years. Cyber criminals are deploying distributed denial of service attacks, ransomware and other off-the-shelf hacker tools to interrupt and burgle municipal networks. Their digital arsenals are sourced from the Deep Web and their weapons are fully automated, meaning attacks can run 24/7. The impacts of the cyber threat should not be taken lightly.

Lloyds estimates that New York city alone could face over $2.3 billion in cyber-related losses in 2020. Given their snowballing deficits, cities can ill afford the burgeoning costs of these digital incursions.

The economic cost of cybercrime has rocketed over the past year

The economic cost of cybercrime has rocketed over the past year
Image: Statista; FBI; IC3; US Department of Justice

Cyberattacks are not confined to US cities, of course. Virtually all cities large and small have to deal with looming digital disruption. In just the past few year ransomware was used to disrupt the municipal tram system in Dublin, to jam air traffic control and railway ticketing systems in Stockholm, and to shake-down power plants from Johannesburg to Hyderabad. While one might expect these attacks would have set off alarm bells for mayors, city councils and governors, not much has changed.

Why are cities so vulnerable?

One major reason cities have become targets for cybercriminals is because they are lagging far behind the digital revolution. Many of the underlying technologies running their critical infrastructure are outdated. City authorities often lack the skills to upgrade their systems. The brightest minds in tech rarely choose to work for cities, utilities or airports. Instead, they flock to Amazon, Facebook and Google where they earn many times the salary offered in the public sector.

As bad as things are now, technological acceleration could make things dramatically worse. While smart cities, connected homes and intelligent infrastructure will bring certain advantages, their complexity and ubiquity are a hazard for cities.

To date, most city hacks have occurred in “dumb cities”, meaning those that are not yet digitally wired – so imagine the kind of havoc that will ensue when hackers target intelligent transportation networks and traffic flow management systems. In the not so distant future, intelligent roadways – cars that interact with streetlights, ambulances, police cars and fire-trucks – will be widespread. In these environments, cyberattacks won’t just be inconvenient, they will produce pandemonium and ultimately loss of life.

When it comes to digital security, there is very little direction (or funding) being provided by national authorities to nudge states, counties and cities in the right direction. Instead, cities are flooded with technology vendors dressing-up their smart city offerings and touting their economic potential to neighborhoods and residents. There are powerful incentives for them to sell their wares. A study by McKinsey estimated the IoT alone could generate over $11 trillion in economic activity by 2025. In the rush to cash in, private firms are pressing municipalities to build out their infrastructure as quickly as possible but without safeguards to ensure they coexist with existing systems or are regularly updated, patched and protected to the standard required to maintain public safety.

How can cities protect themselves from digital infiltration and disruption?

While traditional crime fighting will continue to demand the attention of leaders and law enforcement agencies, the growth in cyberthreats can no longer be ignored. City and state leaders must adopt a digital security mindset. This means having contingency and disaster plans in place before the next smart-city emergency arises. Just as San Francisco has prepared for earthquakes for decades and Tokyo for tsunamis, so too must cyber-resilience and safety become a core component of disaster response plans for all cities.

Second, city executives have to assume a leadership role in ensuring the digital safety and security of their constituents, and not merely delegate this role to an underling. According to the International City and County Management Association, roughly 60% of municipal technology officials cite a lack of support from their elected officials and top appointees for their city’s poor cybersecurity. Digital security is not only about hardware and software. It is about adopting a comprehensive whole-of-city approach. Security must be conceived as an essential priority, something that is designed into every element of the urban infrastructure, not merely introduced as an afterthought. It requires developing the rules, regulations, procedures and budgets for city authorities, businesses and residents to prepare and respond to digital threats when and after they inevitably occur.

What is the World Economic Forum doing on cybersecurity

The World Economic Forum Platform for Shaping the Future of Cybersecurity and Digital Trust aims to spearhead global cooperation and collective responses to growing cyber challenges, ultimately to harness and safeguard the full benefits of the Fourth Industrial Revolution. The platform seeks to deliver impact through facilitating the creation of security-by-design and security-by-default solutions across industry sectors, developing policy frameworks where needed; encouraging broader cooperative arrangements and shaping global governance; building communities to successfully tackle cyber challenges across the public and private sectors; and impacting agenda setting, to elevate some of the most pressing issues.

Platform activities focus on three main challenges:

Strengthening Global Cooperation for Digital Trust and Security – to increase global cooperation between the public and private sectors in addressing key challenges to security and trust posed by a digital landscape currently lacking effective cooperation at legal and policy levels, effective market incentives, and cooperation between stakeholders at the operational level across the ecosystem.Securing Future Digital Networks and Technology – to identify cybersecurity challenges and opportunities posed by new technologies and accelerate solutions and incentives to ensure digital trust in the Fourth Industrial Revolution.Building Skills and Capabilities for the Digital Future – to coordinate and promote initiatives to address the global deficit in professional skills, effective leadership and adequate capabilities in the cyber domain.

The platform is working on a number of ongoing activities to meet these challenges. Current initiatives include our successful work with a range of public- and private-sector partners to develop a clear and coherent cybersecurity vision for the electricity industry in the form of Board Principles for managing cyber risk in the electricity ecosystem and a complete framework, created in collaboration with the Forum’s investment community, enabling investors to assess the security preparedness of target companies, contributing to raising internal cybersecurity awareness.

For more information, please contact info@c4c-weforum.org.

Third, city authorities need to recruit the right personnel. In order to keep cities safe in the 5G era, public sector executives have to attract the right talent – including coders, engineers and cybersecurity experts. The appointment of empowered information security officers is critical, as is ongoing training and research. So too is a return to basics. In nearly all of the cyberattacks against our cities, a common theme repeats itself: human error and a failure to implement acknowledged best practices such as software patching, correct firewall configuration, frequent and redundant backups, and use of multi-factor authentication for logons. The overwhelming majority of attacks could be prevented with these changes alone.

Fourth, cities can go on the offensive and help incubate crowdsourced solutions to real and unexpected security threats. Making data publicly available is the first step; data that scientists, researchers and residents can use to help drive innovation and security in our urban spaces. Helping incentivize competitions and hackathons to develop solutions for expected and unexpected digital challenges are others. Partnerships, including with non-profit groups like Code for America, are worthwhile. So too are ‘bug bounty’ programmes that reward ethical hackers who uncover – and report – software security flaws. Crowdsourced cybersecurity and incentive competitions can bring global talent to any municipality, at greatly reduced costs. Supporting digital innovation ecosystems not only bolsters local capacity, it reduces reliance on outside vendors.

Fifth, cities need to initiate a conversation about the kinds of national, state and municipal rules and regulations required to meet the minimum digital security standards with the roll-out of new systems and devices. California recently passed data privacy and digital security legislation requiring all devices sold in the state to possess ‘reasonable’ security features designed to prevent unauthorized access, modification, or information disclosure. Cities would do well to share their experiences, but they must also look to the private sector for inspiration. Smart factories, for example, are very careful about protecting their intellectual property, building in systems of control that limit the possibility of technical, and human error and malfeasance. Many of these ideas could useful inform how the connected city secures itself.

As the world hurtles toward a hyper-connected future, some cities will thrive and others will fall behind. Many cities will struggle to pay for digital upgrades and security because they are already freighted with debt and unfunded liabilities. Some cities are (and will be) forced to sell off their public infrastructure at dizzying discounts, depriving the public of fair compensation of their true value. It is likely that large tech firms will play a growing role in privatizing city functions such as digital and physical infrastructure (as Google’s Sidewalk Labs has started doing in Toronto). There is a real possibility that the next generation of cities will be digitally fenced off, designing in security only for those who can afford to live there.

More positively, the rapid spread and lowered cost of new technologies means that some fast-growing cities in emerging markets may benefit from second-mover advantage. Cities across Asia and Africa are already skipping legacy systems – fixed landlines and railways, for example – and leapfrogging to newer, more efficient and cheaper options. Nairobi, for example, has transitioned rapidly to the use of digital currencies such as M-Pesa for its previously unbanked population and has essentially shifted to wireless systems rather than landline phones. The lowered cost of development and deployment mean that more and more cities in emerging economies can potentially avoid making the mistakes of their counterparts, while improving services to their constituents.

Cities need to adjust their priorities to the realities of a networked urban landscape before disaster strikes. While the conveniences of smart cities are enticing, they must be balanced carefully against the known risks. Given the very high likelihood of attack, metropolitan cybersecurity should be a priority for elected officials and policymakers, matched with the resources to build the right protections. Recognizing the precariousness of our situation is the first step. Attracting the best and brightest to public service is essential. So too is a broad discussion about the future security of our cities. The time to protect them is now, before another 50 billion hackable, un-patchable and un-upgradeable devices are added to the world’s digital grid. Because once that happens, there will be few if any options to go back and fix the mistakes we’ve made.

Advertising

Advertising

Advertising

Advertising

Advertising

Advertising

Advertising

Advertising

Advertising

Advertising

Advertising

Advertising

Advertising

the European Sting Milestones

Featured Stings

Can we feed everyone without unleashing disaster? Read on

These campaigners want to give a quarter of the UK back to nature

How to build a more resilient and inclusive global system

Stopping antimicrobial resistance would cost just USD 2 per person a year

Trump’s Syrian hit the softest option vis-a-vis Russia

Crimean crisis: not enough to slow down European indices

The Chinese solar panels suddenly became too cheap for Europe

Main results of Foreign Affairs EU Council, 16/07/2018

The EU seals CETA but plans to re-baptise TTIP after missing the 2016 deadline

EU integration: MEPs want to end permanent opt-outs from EU law

UN rights chief ‘appalled’ by US border detention conditions, says holding migrant children may violate international law

Consultant in Forensic Technology – 1969

EU summit: No energy against tax evasion and fraud

How our food system is eating away at nature, and our future

Peace operations benefit from improved cooperation between the UN and troop-providing countries, says peacekeeping chief

Memoirs from a unique trip to China: “my new old dragon” (Part II)

UN and African Union in ‘common battle’ for development and climate change financing

The Bavarians threaten Berlin and Brussels with immigration crisis

EU Commission announces Safe Harbour 2.0 and a wider Data protection reform

Praising Roma’s contributions in Europe, UN expert urges end to rising intolerance and hate speech

Brexit: MEPs concerned over reported UK registration plans for EU27 citizens

This Chinese megacity is building a giant waste-to-energy plant

Here’s how we reboot digital trade for the 21st century

Syria: Civilians caught in crossfire, UN refugee chief urges Jordan to open its border

Children who exercise have more brain power, finds study

A Europe that protects: Continued efforts needed on security priorities

UN rights chief calls for release of hundreds abducted and abused in South Sudan

‘Let the children live’: UN prepares to ramp up food aid to Yemen as famine risk grows

FEATURE: Niger’s girls find sanctuary in fistula treatment centres

IMF’s Lagarde: Ukraine must fight corruption

European Commission recommends common EU approach to the security of 5G networks

Help prevent children ‘from becoming victims in the first place’, implores Guterres at campaign launch

COP21 Business update: Companies urge now for carbon pricing as coal is still a big issue

The Japanese have a word to help them be less wasteful – ‘mottainai’

6 facts to know about EU alternative investment funds

Why do US presidential elections last so long? And 4 other things you need to know

It will take a lot more than free menstrual pads to end period poverty

Who should be responsible for protecting our personal data?

WHO study reveals ‘game-changer’ drug with potential to save thousands of women’s lives in childbirth

UN chief condemns student abductions in north-west Cameroon

The Commission unsuccessfully pretends to want curbing of tax evasion

To win combat against HIV worldwide, ‘knowledge is power’, says UNAIDS report

A new European banking space is born this year

Caspian Sea deal an invaluable step towards easing regional tensions, says UN Chief

EU budget deal struck with Parliament negotiators

Three ideas for leaders to be more successful in the 21st century

‘All efforts must be made’ to ensure peaceful elections for Guinea-Bissau, Security Council hears

Young people all over the world come together to demand paid good quality internships

Banks suffocate the real economy by denying loans

For how long will terror and economic stagnation be clouding the European skies?

UN chief praises Japanese climate resilience, as Typhoon Hagibis cleanup begins

Why Eurozone needs a bit more inflation

Don’t understand the US-China trade war? This metaphor could help

India-UN fund gets 22 development projects off the ground in first year

China’s New Normal and Its Relevance to the EU

Here are 3 alternative visions for the future of work

Millions at risk if Syria’s war moves to last redoubt of Idlib, warns senior aid official

Commission to decide on bank resolution issues

The European Sting writes down the history LIVE from G20 Leaders’ Summit in Turkey

Breaking barriers between youth in the new tech era: is there an easy way through?

Why strive for Industry 4.0

UN health experts warn ‘dramatic resurgence’ of measles continues to threaten the European region

Russia to cut gas supplies again: can the EU get back to growth without a solid energy market?

Keep Africa’s guns ‘from firing in the first place’, UN political chief urges

More Stings?

Speak your Mind Here

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s