The perils of the smart city

There will be more than 50 billion smart devices in the world by 2030, managing and monitoring everything from our health to our roads. But what are the pros and cons of handing city management over to the IoT?

There is a tacit acceptance that the world appears to be growing ‘smarter'. The total number of internet-facing smart devices is expected to exceed 38 billion by 2025, and reach 50 billion by 2030. By next year, the average family home could contain over 500 smart devices. Consider the ‘smart city', in which critical infrastructure, government services, utilities and management systems are all interconnected. What benefits do these smart cities promise to bring? And what are the concerns?

A smart device lives in its environment, constantly monitoring or sensing what is going on. When that environment is sensed, it creates data - and potentially lots of it. On its own, data has limited value; it needs to be collated, compared and contrasted in a structured way for insight to be generated. That insight can then be used in many different ways to give us an outcome. In the smart city example, this could be fusing knowledge of ongoing roadworks, and a subsequent increase in traffic flow to inform a change in traffic light patterns, which then reduces the traffic flow.

The result of so many devices sensing environments, and the increasing number of supportive systems providing additional data, is an enormous (and growing) volume of information. It's not possible to manually manage this level of data, and so we are becoming more and more dependent on artificially intelligent (AI) oversight, facilitating the move towards a more data-driven normal.

Different approaches

Smart cities develop in one of two ways - retrospective deployment, by embedding sensor, connectivity and compute capability into products and services, which are deployed into an existing environment; and integrated deployment, where the capability is integrated into the core fabric of the infrastructure at build.

In the latter approach, government agencies might deploy environmental sensors to monitor natural events; all contributing to a deep pool of ambient data, promising to augment the city's operations and - in the cases of emergency services and disaster monitoring - potentially save lives.

By far, the growth of retrospective deployment far outstrips the ground-up integration into new infrastructure - there aren't many new cities being built at the moment. However, there are plans.

In 2017, Saudi Arabia announced ‘Neom'. Neom, reportedly a $500 billion investment, will supposedly feature ‘artificial clouds' to allow for rain in the desert, schools taught by holographic teachers, a giant artificial moon, and more.

However, there is a sizeable issue to be addressed: protecting all of the collected data.

Data: lifeblood/vulnerability

In December 2016, renowned cybersecurity expert Mikko Hypponen tweeted ‘Hypponen's Law' - "If it's smart, it's vulnerable". This simple premise has proven repeatedly itself over the ensuing years.

Numerous smart city products are left exposed to the open internet. Leaving public safety sensors or industrial control systems vulnerable creates unpleasant possibilities - tampering with traffic lights, silencing disaster warnings, or interfering with radiation readings are a few examples.

We can use the USA as a case study for compromised data. In 2016, an enormous DDoS attack brought down a large proportion of America's internet. This was driven by the ‘Mirai' botnet, mostly made up of IoT-enabled devices. Because of the sheer number of devices in its network, Mirai could bring an incredible amount of processing power to the attack.

These types of complex cyberattacks are only growing in frequency and scope. In fact, honeypots operated by Kaspersky Labs detected 105 million attacks on IoT devices in the first half of 2019 alone.

Steps must be taken to protect such information from malicious actors who might incorporate it into attacks, both on states and on individuals.

Security vs privacy: the ethics and politics of the smart city

As with many issues at the leading edge of technology, the legal framework around smart cities (and the governance of data within them) continues to evolve.

Personal devices play a large role here. One of the most obvious issues is safety at the expense of privacy. Individuals already surrender vast amounts of data to their personal devices; much of this will have to be managed, and decisions will be made at both the individual and governmental level over what data to absorb into the smart city. With instances like the Cambridge Analytica scandal, trust in data is somewhat lacking. Though the trepidation isn't unfounded, there are plenty of reasons to be excited by the prospect of smart city. And efforts such as GDPR will bolster this too.

Still, some are less reserved in their outlook. Issues of personal privacy tend to be more politically charged in the West, where many nations in the more collectivistic East choose a different path.

China, for instance, has built arguably the world's most intricate surveillance system in its Xinjiang district. Millions of CCTV cameras watch its inhabitants, and the details of people's energy use, and travel habits are all collected to help collate a ‘social credit score' that penalises or incentivises individuals, based on their behaviour. Elsewhere in China, some Chinese consumers embrace facial payment technology.

‘Predictive' policing and AI surveillance

There are a number of security measures that pertain to the smart city environment, but two are of particular note.

PredPol is an American predictive analytics program, used by dozens of police departments. It forecasts criminal activity by examining enormous volumes of past data, claiming to be able to predict who will commit crimes, and where. It has raised more than a few eyebrows [accusations say that PredPol's forecasts are unfairly biased against people of colour due to its reliance on historical, and racist, arrest records - Ed.], and for this reason, a number of police departments choose not to admit to their use of predictive policing.

The second technology, AI surveillance, has a broader definition - drawing on everything from facial recognition systems and social media monitoring to license plate tracking, along with body language analysis. Champions highlight the ability to help emergency services and law enforcement better deal with crimes and accidents. But biases implicit to AI systems have caused concern, along with a culture of ubiquitous surveillance that could be ushered in. Though such concerns are legitimate, the heavily-invested-in technologies like Explainable AI begin to address some of them and will pave the way for some really credible and enriching experiences with AI in the smart city.

Basic steps for inevitable vulnerabilities

By 2050, the UN projects that 68 per cent of the world's population will live in urban areas, many of them, presumably, full of smart architecture. From our current vantage point, the smart city is more than inevitable - the transition is happening, right now. But there is much to be done to ensure that this new, data-rich world doesn't turn out to be a Faustian bargain (at least from a security perspective).

In the shorter-term, there are some relatively simple best practice quick wins. For instance, ensuring that devices are not publicly discoverable, not set to use default passwords and regularly patched for software vulnerabilities. Many smart device exploits can be (and have been) achieved via simple ‘old school' black hat hacking techniques, like SQL injections to bypass authentication during login, or simple password guessing.

And of course, going forward, there is also an obvious and substantial amount of work to be done to protect the smart city at the legislative and technical level. Our new, smart urban spaces have the potential to be one of the sharpest double-edged swords of the next decade.

James Bambrough is head of concepts and services at defence tech company QinetiQ