Cities are easy prey for cybercriminals. Here’s how they can fight back

internet cyber

(NASA, Unsplash)

This article is brought to you thanks to the collaboration of The European Sting with the World Economic Forum.

Author: Robert Muggah, Principal, SecDev Group & Marc Goodman, Founder, Future Crimes Institute

Make no mistake: the world is in the early stages of a techno-war against city governments and urban infrastructure. And while some cities have bolstered their capabilities to patch their vulnerabilities, they are entirely unprepared for the scale of cyberthreats that are coming.


Digital strikes are already coming hard and fast. In 2018, a massive ransomware attack launched by Iranian hackers shuttered Atlanta’s city hall for five days. This, the largest cyber breach recorded by a US city, disrupted police services, the processing of court cases, payment of parking tickets, business licenses and water bills, and even the nation’s busiest airport. In Baltimore, ransomware attacks in 2018 and 2019 shut down most of the city’s servers and paralyzed its 911 emergency call centre. And it’s not just big US cities on the front-line. Hundreds of smaller ones have paid hundreds of thousands of dollars in bitcoin ransoms to regain access to their own systems, including 22 towns in Texas last month.

The scope of the cyber threat to cities is becoming clearer. According to industry experts, more than 70 percent all reported ransomware attacks in the U.S. target state and local governments. At least 180 public safety call centers were also targeted in the last two years. Cyber criminals are deploying distributed denial of service attacks, ransomware and other off-the-shelf hacker tools to interrupt and burgle municipal networks. Their digital arsenals are sourced from the Deep Web and their weapons are fully automated, meaning attacks can run 24/7. The impacts of the cyber threat should not be taken lightly.

Lloyds estimates that New York city alone could face over $2.3 billion in cyber-related losses in 2020. Given their snowballing deficits, cities can ill afford the burgeoning costs of these digital incursions.

The economic cost of cybercrime has rocketed over the past year

The economic cost of cybercrime has rocketed over the past year
Image: Statista; FBI; IC3; US Department of Justice

Cyberattacks are not confined to US cities, of course. Virtually all cities large and small have to deal with looming digital disruption. In just the past few year ransomware was used to disrupt the municipal tram system in Dublin, to jam air traffic control and railway ticketing systems in Stockholm, and to shake-down power plants from Johannesburg to Hyderabad. While one might expect these attacks would have set off alarm bells for mayors, city councils and governors, not much has changed.

Why are cities so vulnerable?

One major reason cities have become targets for cybercriminals is because they are lagging far behind the digital revolution. Many of the underlying technologies running their critical infrastructure are outdated. City authorities often lack the skills to upgrade their systems. The brightest minds in tech rarely choose to work for cities, utilities or airports. Instead, they flock to Amazon, Facebook and Google where they earn many times the salary offered in the public sector.

As bad as things are now, technological acceleration could make things dramatically worse. While smart cities, connected homes and intelligent infrastructure will bring certain advantages, their complexity and ubiquity are a hazard for cities.

To date, most city hacks have occurred in “dumb cities”, meaning those that are not yet digitally wired – so imagine the kind of havoc that will ensue when hackers target intelligent transportation networks and traffic flow management systems. In the not so distant future, intelligent roadways – cars that interact with streetlights, ambulances, police cars and fire-trucks – will be widespread. In these environments, cyberattacks won’t just be inconvenient, they will produce pandemonium and ultimately loss of life.

When it comes to digital security, there is very little direction (or funding) being provided by national authorities to nudge states, counties and cities in the right direction. Instead, cities are flooded with technology vendors dressing-up their smart city offerings and touting their economic potential to neighborhoods and residents. There are powerful incentives for them to sell their wares. A study by McKinsey estimated the IoT alone could generate over $11 trillion in economic activity by 2025. In the rush to cash in, private firms are pressing municipalities to build out their infrastructure as quickly as possible but without safeguards to ensure they coexist with existing systems or are regularly updated, patched and protected to the standard required to maintain public safety.

How can cities protect themselves from digital infiltration and disruption?

While traditional crime fighting will continue to demand the attention of leaders and law enforcement agencies, the growth in cyberthreats can no longer be ignored. City and state leaders must adopt a digital security mindset. This means having contingency and disaster plans in place before the next smart-city emergency arises. Just as San Francisco has prepared for earthquakes for decades and Tokyo for tsunamis, so too must cyber-resilience and safety become a core component of disaster response plans for all cities.

Second, city executives have to assume a leadership role in ensuring the digital safety and security of their constituents, and not merely delegate this role to an underling. According to the International City and County Management Association, roughly 60% of municipal technology officials cite a lack of support from their elected officials and top appointees for their city’s poor cybersecurity. Digital security is not only about hardware and software. It is about adopting a comprehensive whole-of-city approach. Security must be conceived as an essential priority, something that is designed into every element of the urban infrastructure, not merely introduced as an afterthought. It requires developing the rules, regulations, procedures and budgets for city authorities, businesses and residents to prepare and respond to digital threats when and after they inevitably occur.

What is the World Economic Forum doing on cybersecurity

The World Economic Forum Platform for Shaping the Future of Cybersecurity and Digital Trust aims to spearhead global cooperation and collective responses to growing cyber challenges, ultimately to harness and safeguard the full benefits of the Fourth Industrial Revolution. The platform seeks to deliver impact through facilitating the creation of security-by-design and security-by-default solutions across industry sectors, developing policy frameworks where needed; encouraging broader cooperative arrangements and shaping global governance; building communities to successfully tackle cyber challenges across the public and private sectors; and impacting agenda setting, to elevate some of the most pressing issues.

Platform activities focus on three main challenges:

Strengthening Global Cooperation for Digital Trust and Security – to increase global cooperation between the public and private sectors in addressing key challenges to security and trust posed by a digital landscape currently lacking effective cooperation at legal and policy levels, effective market incentives, and cooperation between stakeholders at the operational level across the ecosystem.Securing Future Digital Networks and Technology – to identify cybersecurity challenges and opportunities posed by new technologies and accelerate solutions and incentives to ensure digital trust in the Fourth Industrial Revolution.Building Skills and Capabilities for the Digital Future – to coordinate and promote initiatives to address the global deficit in professional skills, effective leadership and adequate capabilities in the cyber domain.

The platform is working on a number of ongoing activities to meet these challenges. Current initiatives include our successful work with a range of public- and private-sector partners to develop a clear and coherent cybersecurity vision for the electricity industry in the form of Board Principles for managing cyber risk in the electricity ecosystem and a complete framework, created in collaboration with the Forum’s investment community, enabling investors to assess the security preparedness of target companies, contributing to raising internal cybersecurity awareness.

For more information, please contact

Third, city authorities need to recruit the right personnel. In order to keep cities safe in the 5G era, public sector executives have to attract the right talent – including coders, engineers and cybersecurity experts. The appointment of empowered information security officers is critical, as is ongoing training and research. So too is a return to basics. In nearly all of the cyberattacks against our cities, a common theme repeats itself: human error and a failure to implement acknowledged best practices such as software patching, correct firewall configuration, frequent and redundant backups, and use of multi-factor authentication for logons. The overwhelming majority of attacks could be prevented with these changes alone.

Fourth, cities can go on the offensive and help incubate crowdsourced solutions to real and unexpected security threats. Making data publicly available is the first step; data that scientists, researchers and residents can use to help drive innovation and security in our urban spaces. Helping incentivize competitions and hackathons to develop solutions for expected and unexpected digital challenges are others. Partnerships, including with non-profit groups like Code for America, are worthwhile. So too are ‘bug bounty’ programmes that reward ethical hackers who uncover – and report – software security flaws. Crowdsourced cybersecurity and incentive competitions can bring global talent to any municipality, at greatly reduced costs. Supporting digital innovation ecosystems not only bolsters local capacity, it reduces reliance on outside vendors.

Fifth, cities need to initiate a conversation about the kinds of national, state and municipal rules and regulations required to meet the minimum digital security standards with the roll-out of new systems and devices. California recently passed data privacy and digital security legislation requiring all devices sold in the state to possess ‘reasonable’ security features designed to prevent unauthorized access, modification, or information disclosure. Cities would do well to share their experiences, but they must also look to the private sector for inspiration. Smart factories, for example, are very careful about protecting their intellectual property, building in systems of control that limit the possibility of technical, and human error and malfeasance. Many of these ideas could useful inform how the connected city secures itself.

As the world hurtles toward a hyper-connected future, some cities will thrive and others will fall behind. Many cities will struggle to pay for digital upgrades and security because they are already freighted with debt and unfunded liabilities. Some cities are (and will be) forced to sell off their public infrastructure at dizzying discounts, depriving the public of fair compensation of their true value. It is likely that large tech firms will play a growing role in privatizing city functions such as digital and physical infrastructure (as Google’s Sidewalk Labs has started doing in Toronto). There is a real possibility that the next generation of cities will be digitally fenced off, designing in security only for those who can afford to live there.

More positively, the rapid spread and lowered cost of new technologies means that some fast-growing cities in emerging markets may benefit from second-mover advantage. Cities across Asia and Africa are already skipping legacy systems – fixed landlines and railways, for example – and leapfrogging to newer, more efficient and cheaper options. Nairobi, for example, has transitioned rapidly to the use of digital currencies such as M-Pesa for its previously unbanked population and has essentially shifted to wireless systems rather than landline phones. The lowered cost of development and deployment mean that more and more cities in emerging economies can potentially avoid making the mistakes of their counterparts, while improving services to their constituents.

Cities need to adjust their priorities to the realities of a networked urban landscape before disaster strikes. While the conveniences of smart cities are enticing, they must be balanced carefully against the known risks. Given the very high likelihood of attack, metropolitan cybersecurity should be a priority for elected officials and policymakers, matched with the resources to build the right protections. Recognizing the precariousness of our situation is the first step. Attracting the best and brightest to public service is essential. So too is a broad discussion about the future security of our cities. The time to protect them is now, before another 50 billion hackable, un-patchable and un-upgradeable devices are added to the world’s digital grid. Because once that happens, there will be few if any options to go back and fix the mistakes we’ve made.







the sting Milestone

Featured Stings

Can we feed everyone without unleashing disaster? Read on

These campaigners want to give a quarter of the UK back to nature

How to build a more resilient and inclusive global system

Stopping antimicrobial resistance would cost just USD 2 per person a year

Benefits of rural migration effect often overlooked, new UN report suggests

Politicization of migrant ‘crisis’ in Hungary making them scapegoats, independent UN human rights expert warns

What do the economic woes of Turkey, Argentina and Indonesia have in common?

Latvian economy is thriving, but boosting productivity, improving social protection and transitioning to a low-carbon productive model are vital for sustainable and inclusive growth

EU elections: The louder the threats and the doomsaying the heavier the weight of the vote

Bundestag kick starts the next episode of the Greek tragedy

The Europe we want: Just, Sustainable, Democratic and Inclusive

Blockchain can change the face of renewable energy in Africa. Here’s how

FROM THE FIELD: Weather reports come to aid of Uganda’s farmers

Concern rising over fate of Rohingya refugees sent home by India: UNHCR

The MWC14 Sting Special Edition

We don’t need to ban plastic. We just need to start using it properly

Huawei answers allegations about its selling prices

How telehealth can get healthcare to more people

Eurozone stuck in a high risk deflation area; Draghi expects further price plunge

EU-Japan trade agreement enters into force

UN agency chief calls Ethiopia’s revised refugee law ‘one of most progressive’ in Africa

Digital transformation and the rise of the ‘superjob’

The next Google in biotech: will it be Chinese?

DR Congo: efforts to control Ebola epidemic continue, UN food relief agency doubles assistance to affected people

Amsterdam is getting a 3D-printed bridge

I cycled over 6,000km across the United States to document climate change. Here’s what I learned

3 ways to fight stress at work

Germany’s strong anti-bribery enforcement against individuals needs to be matched by comparably strong enforcement against companies

We all have a ‘hierarchy of needs’. But is technology meeting them?

Technology can help us end the scourge of modern slavery. Here’s how

Saudi Arabia, China, among 14 nations under UN human rights spotlight: what you need to know

European Parliament and Eurovision sign partnership for European Elections

France is building a village for people with Alzheimer’s

Greece’s last Eurogroup or the beginning of a new solid European Union?

UN ‘prioritizing needs’, ramping up aid, as Hurricane Dorian continues to batter the Bahamas

Gender equality and medicine in the 21st century

“Leaked” TTIP document breaks post 8th negotiations round silence and opens door to critics

‘Crippling to our credibility’ that number of women peacekeepers is so low: UN chief

Women must be at ‘centre of peacekeeping decision-making’, UN chief tells Security Council

This app lets you plant trees to fight deforestation

Africa Forum aims to boost business, reduce costs, help countries trade out of poverty

EU–US: What is the real exchange in a Free Trade Agreement?

Eurozone: Even good statistics mean deeper recession

The EU Commission vies to screen Chinese investment in Europe

With security improving in DR Congo’s Kasai, thousands of refugees head home from Angola

Partnerships key to taking landlocked countries out of poverty: UN Chief

These are the world’s 20 most dynamic cities

Biggest London City Banks ready to move core European operations to Frankfurt or Dublin?

New Erasmus: more opportunities for disadvantaged youth

What is digital equality? An interview with Nanjira Sambuli

‘Race against time’ to help women who bore brunt of Cyclone Idai: UN reproductive health agency

At UN, Cuba slams US ‘criminal’ practices undermining country’s development

UN chief hopes for new agreement after Israel concludes international observation mission

Migrant workers sent more money to India than any other country last year

Security Council condemns ‘heinous and cowardly’ attack in Iran

Opening – Parliament expresses support for victims of Fuego volcano in Guatemala

Kenya wants to run entirely on green energy by 2020

A Sting Exclusive: “The Digital Economy and Industry are no longer opposing terms”, Commissioner Oettinger underlines live from European Business Summit 2015

Can Obama attract Iran close to the US sphere of influence?

This is what the world’s CEOs really think of AI

COP21 Breaking News: “We must accelerate the process”, Laurent Fabius cries out from Paris

Migrant caravan: UN agency helping ‘exhausted’ people home

European Citizens’ Initiative: Commission registers ‘Mandatory food labelling Non-Vegetarian / Vegetarian / Vegan’ initiative’

More Stings?

Speak your Mind Here

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s