It’s a clear, crisp October morning. The first chills of autumn bring people to hasten their pace on their way to catch the bus. Traffic is slowly picking up in the city as peak hour approaches when suddenly, all traffic lights go green.
This is not the pitch for a pilot episode of a new series; it’s a very realistic scenario that a city could face if their traffic management system got hacked. “Today, every city is trying to implement smart city solutions, like traffic management, waste management, or water supply. These involve technology and data that bring new security risks,” explains Danijel Antonić, Chief Information Security Officer at the City of Rijeka.
Cities are embracing technical developments that help them improve their services and their offer to citizens. “We also know that by using these technologies, there are risks,” says Joab Q. de Lang, Cyber Security Strategist for the City of Rotterdam, “and it’s important to consider the risks and not go in blind.”
Going in blind
Yet, both Antonić and de Lang take the occasion of European cyber security month to sound the alarm as they estimate cyber security to be too low on the political agenda. “It’s a bit like the beginning of the COVID-19 pandemic, and cases were limited to Wuhan. In Europe, the risk wasn’t felt strongly enough to start taking measures,” says Antonić.
“We waited until the virus spread here to start addressing it. It’s the same with cyber security. If you don’t have any breaches, if you don’t have any incidents, it’s hard to stress the urgency of anticipating the risks,” he adds.
What makes the job of security officers even harder is that cyber security is a very technical and continuously evolving issue. “It’s a challenge for governments and companies to find personnel with these skills and expertise,” says de Lang. Not to mention that the private sector can offer better salaries than the public sector. “It’s very hard to entice people to work for a government job in cyber security,” confesses de Lang.
A solution would be for municipalities to invest in skills training. “We can encourage people to work on their skills on cyber security to hack ethically, for example, warning companies about their weaknesses,” says de Lang.
Skills, funding, and legal frameworks
To bring cyber security higher up on the agenda though other measures are needed. “The GDPR gave us a legal framework for risks related to privacy, but we lack similar legal enforcements for other areas,” says Antonić. “When there is no legal enforcement, there’s no incentive in doing something.”
The General Data Protection Regulation (GDPR), implemented in May 2018, is a regulation of EU law on data protection and privacy of citizens of the EU. The protection of personal data is a right of citizens of EU countries, therefore, all companies and organisations, regardless of their size or area of activity, must follow strict rules to collect, process, share and protect personal data.
Most cities lack the human and financial resources to address cyber security effectively too. “In Croatia, Rijeka is considered the most digitally advanced city, and it’s the only city that has a security officer: me,” says Antonić.
Cyber security relies on tools that are very technical and expensive. These tools must analyse and detect, for example, malware in a device that is part of a network of 9000 other devices while a cyber attack is ongoing. “You need extremely powerful tools that run and analyse enormous amounts of data about the system, which raises more data collecting security issues,” says Antonić.
And this is only 25% of the cost because the other 75% is the skilled workforce you need to use these tools.
If cyber security doesn’t climb on top of the agenda, though, the ones that will end up paying are citizens. “Our municipalities, our government, should get the tools to be able to provide a secure online environment for our citizens,” says de Lang.
For the moment, attacks to destabilise the democratic process have mainly focused on national politics. But there are reasons to target local governments and destabilise the region, politically and economically. “We should get prepared for that,” says de Lang. “During the Cold War, the arms race was very visible; everyone knew about it. Now, we still have an arms race, but in the cyber domain, and you don’t see anything about it, it’s hidden.”
“Social media, for example, is a very powerful tool that can economically and politically steer Europe. Both positively and negatively,” adds Antonić.
So what can be done? “We can’t do it alone. Not as a city. Probably not even as a country, but as Europe as a whole,” says de Lang.
And some initiatives, like the Gaia X project, already exist to help enforce cyber security. For example, by getting better agreements with companies to verify the identity of users. “Cities are good places to pilot solutions because we still have so much to learn,” says de Lang.
Tackling cyber security together
Criminals in the cyber domain are very well organised. They have speciality groups; they share knowledge. “We need to do the same, be better organised and work better together because together we can win this,” says de Lang.
“When working on new legislation, the European Union should involve organisations like Eurocities to include cities’ voices,” adds Antonić. “It’s important for such legislation to be practical and to work on the ground, and cities can help with that.”
Cyber security is a broad issue that touches almost every aspect of the digital world, making it challenging to cover extensively. However, it is crucial to start the conversation locally and stress the urgency of tackling this issue.
So, Rijeka and Rotterdam are sending a message to all cities: “Let’s get together and do this”. Antonić and de Lang propose setting up a working group on cyber security to put cities’ experiences together, “and this is just the beginning,” they promise.