City leaders will face any number of challenges as they dive into smart city projects, but there are two big challenges that are so universal that cities of any size will inevitably have to deal with them: cybersecurity and data governance. The following discussion summarizes advice, insights and suggestions offered by representatives from Cary, Dallas, Aurora, and Los Angeles, as well executives from NTT Data, on these two big challenges.
When embarking on #smartcity projects, ALL cities, regardless of size, will have to face the challenges of #cybersecurity and #datagovernance. Here is what #cityleaders have to say about these topics. Click To TweetSecuring the City from Ransomware
By the end of May 2019, 22 cities had already been impacted by ransomware – hackers holding city data hostage until the ransom is paid. Click To Tweet The most recent and severe case struck Baltimore on May 7th.
As a result of the ransomware attack on Baltimore, critical files were encrypted, which ended up taking down a variety of city services, including voicemail, email, the system used to pay water bills and property taxes, and more. The hackers said they want 13 Bitcoins (about $102,000) to unlock the seized files. It could take months to clear up the disruption, and although Baltimore Mayor Bernard Young says they will not give in to the hackers’ demands, he has admitted that he might have to think about it in the future in order to move the city forward.
“When on the Smart City jouney, there is a never-ending issue around security.”
Following this event, the question city leaders may be asking themselves is, “Where are we now?” As cities around the globe watch Baltimore deal with the attack, do they feel they have learned from it and are protected? Or are they thinking, ‘Wow, this could be us next.’?
On this topic, city officials seem to agree that any city could be next. Although every city takes security seriously, no city is 100 percent protected, especially as attacks keep getting more sophisticated. That said, city leaders have several ideas on how cities can up their protection and planning, should an attack happen to them.
- Create a Risk Register, which is an inventory of assets categorized by high, medium, and low, so the city understands what data is available and what is most critical to protect. Funnel efforts to secure the most critical data first.
- Do penetration tests to find vulnerabilities in the system. Some city leaders suggested enlisting the help of high school and college students in hackathons to identify security vulnerabilities and possible solutions for remediation.
- Create an incidence response plan that details how the city will identify, detect, and react to a security breach, should one happen.
- Conduct security awareness training regularly. Software such as KnowBe4 can be used to train and test city employees and also identify potential weaknesses in the system. Some cities also do emergency management tabletop exercises across the entire city.
- Carry enough cybersecurity liability insurance to get the city through an attack if needed. Once you follow the above steps and put control mechanisms in place, the insurance company may even lower your liability rate.
- Back up data in other locations and in the cloud to ensure business continuity and disaster recovery.
- Stay on top of what is happening by getting threat assessments and threat updates.
- Build a better network from the inside out, knowing that many ransomware events happen from someone within the organization.
- Learn from others. The city of Los Angeles gets hacking information from a group of local businesses, and cities can also learn from each other.
As one city leader put it, when it comes to cybersecurity, “It’s the risk mitigation game.” If cities know they could potentially get hacked (and they can’t 100 percent prevent it), then what they can do is try to make it not as crippling. Planning, preparation, education, and awareness are all important ways to do that. Click To Tweet
“We share that information together so that we can all be smarter together and we can all be watching each other’s back.”
Data Governance Decisions
Data governance is another main challenge that cities of any size face when they embark on smart city initiatives. Data governance involves all decisions around gathering, storing, and managing data. As cities get more and more devices and sensors, the amount of data coming in can be overwhelming. How can the city manage all of this data, maximize its impact, and also protect the privacy of citizens? Before setting up a data governance model, city leaders should be asking themselves the following questions.
How Do You Find the Right Use Cases?
The right use cases can show success for your data program, improve public trust, and guide the direction of data policy down the road. As such, city leaders must always be asking themselves what use cases will bring wins and solve real city issues that impact citizens.
“If you’re on the grid, you are never safe. It’s not a matter of ‘if’, it’s just ‘when’ you actually get hit.”
Do You Monetize Data?
Some cities have explored monetizing the data they collect as a way to get revenue to pay for services and new projects. Other cities feel strongly that city data should not be monetized because it has already been paid for by the taxpayer and monetizing could make it inequitable (i.e., those who can afford to pay for the data have access to it, while those who cannot afford it are left out). There are good arguments on each side, and it is a question that every city leader must contemplate.
How Do You Open Data While Protecting Anonymity?
Many cities have been working on making their data open, where city data is available in an online portal for city residents and innovative businesses to use. Although each data set may seem to protect individual identities, sometimes the combination of two or more data sets (even those that seem unrelated) can be enough to compromise privacy. City leaders should always be thinking about how they can maintain privacy, including these often unexpected interactions.
“It just gets smarter and smarter every day, and the threats come from everywhere.”
Should You Buy Data?
Although cities can collect their own data, they may be able to gain access to data that they otherwise couldn’t gather on their own. If a city does decide to buy data, leaders must be thinking about what data will work best for the city’s purposes, and how to leverage it for use cases. For example, a city may buy data to get a better picture of what the housing environment looks like, additional demographics that can’t be collected in a public census, as well as data around economic development and transportation.
How Do You Organize Data?
Cities have data flowing in from many avenues and departments. And if that data resides in many locations and the city doesn’t have a full picture of what data it has, it can’t maximize the value of that data to solve city problems. One city official advised that cities should pause before collecting more data and catalog their existing data from all the various silos, first.
Should You Co-Own Data?
For various reasons, a city may enter into an agreement with a vendor where the two parties co-own the data that is collected. City leaders must think carefully before getting into these agreements. Is it the right thing to do? A main danger is that the city does not know what the other party is going to do with that data, and can protect it better if it is owned fully by the city itself.
“The whole approach is about reducing the risk and making it more difficult for hackers to get in.”
How Do You Avoid Data Overload?
There are so many pieces of data that a city could collect…but the more data that comes in, the bigger the burden is in terms of organizing and protecting that data. Panelists suggested that you can avoid data overload by thinking carefully about what you need before you collect data. Only gather what the city needs to solve the specific problem at hand.
These are some of the main questions that city leaders should contemplate when setting up a data governance model, although there are several related issues that cities may have to address too, such as when to purge data, the benefit of creating a template for data agreements, and the importance of establishing an ethical use of data manifesto.
Cybersecurity and data governance are the two big challenges that every city will encounter when they embark on smart city projects. While cities are still exploring how to address these challenges, city leaders made one thing clear: we can come closer to solving these challenges if we work together.
These insights were shared at the Smart Cities Innovation Accelerator at Harvard.