According to Surfshark, data breaches have risen globally by as much as 70% from July through September. Europe alone recorded 52 million individual breaches during this period. However, secure, performant, and sustainable digital infrastructures are at the basis of Europe’s Digital Decade. In other words, cybersecurity is a hot topic and cities all over the continent are concerned.

Cities increasingly leverage the potential of digital tools and technology to organise processes and deliver services to locals. They play a connecting role in complex ecosystems, offering services across domains in public and private partnerships.

 Jose Ángel Álvarez, Head of the Cybersecurity Centre of the City of Madrid, said during the Eurocities Digital Forum, which took place in Madrid on 4 October, that “when you think in terms of a city, the challenges to guarantee cybersecurity are many.” In Madrid, 3.5 million people live in the city, and 5 million commute daily. It’s an amazing challenge to keep all of them safe.

“Cybersecurity failure is considered a growing global risk. The city is a complex and dynamic environment, with a lot of actors, infrastructures, private companies, public entities, and local, regional and national entities, all providing services in the same physical and digital space,” explained Álvarez, adding that “major cities in the world are deploying millions, even billions, for smart and intelligent devices – smart grid, smart lights, smart signs, etc. And we must guarantee the security of such devices.”

What does a city need in terms of cybersecurity?

Quite a lot. Álvarez explained that, in the first place, a city needs “strong leadership and commitment from the top hierarchy and management of the local government. It’s not just about support. They have to understand the importance of cybersecurity and the risk posed to the city by hackers, for example.”

Also, cities need a plan, such as Madrid’s cybersecurity strategy, which includes goals, strategic objectives, allocation of resources, etc. Between 2019 and 2022, Madrid has seen an increase of 150% in the workforce with knowledge of cybersecurity. Cities should tap into these talents and hire the most skilled personnel. Álvarez also highlighted the need for coordination both with entities providing city services and with the national cyber authorities, and collaboration between peers, such as Spanish and European cities, to exchange ideas, procedures, best practices, etc.

“And finally, we need an integrated approach to identify, protect, detect, respond and recover,” he added.

In the end, a city needs a ‘real security’ focus, which anticipates basic, medium and difficult attack paths and develops solutions for them. Also, one that is capable of discovering weaknesses and vulnerabilities before attackers do with 24×7 detection and response and working towards resilience.

Armed for the fight

The Eurocities Community of Practice on Cybersecurity is one of the tools cities have to deal with cybersecurity issues and challenges. Its main goal, explained Joab de Lang, Cybersecurity Strategist, at the Municipality of Rotterdam, “is to collaborate by sharing experiences, such as how to cope with attacks or what are the challenges to implementing a cybersecurity strategy, or how to keep people and companies safe. The community also wants to contribute to European policies on cybersecurity.”

De Lang started the Community of Practice on Cybersecurity along with Danijel Antonic, from the City of Rijeka, and they both contributed to the discussions that led to Eurocities Digital Forum in Madrid.

Safe means included

Mentioning possible threats against users, companies and cities, de Lang noted that “based on data from 2021, 2.5 million (17%) of the population of the Netherlands were victims of online crime. And 1 in 5 Dutch entrepreneurs got attacked that same year.”

“A large portion of our population has been victimised by cyber attackers. Yet online safety is a fundamental value and a prerequisite to digital inclusion today. If people don’t feel safe, they won’t participate in the digital world, and the digital divide will grow,” he said.

Therefore, it’s important not only to invest in cybersecurity but also in digital inclusion. “If people don’t feel safe in the digital world, they will not participate, so it’s a prerequisite to have digital inclusion,” said de Lang.

Digital inclusion, and also its counterpart, the digital divide, are intimately connected with the discussions on cybersecurity and Europe’s Digital Decade.  The more the economy and society become digital, the bigger the risks of people being left behind as well as becoming vulnerable to scams and attacks., therefore one cannot speak of cybersecurity without dealing with the need for a fully digitally literate society.  Digital inclusion not only allows people to have full access to digital tools and services but also helps them stay safe and reduce possible cybersecurity threats.

He also reminded us that today we can speak of ‘crime as a service,’ that is, “criminal groups are specialised on parts of the hacking process, and if we want a fighting chance, we need to work together. Only when we organise better than them, we can protect cities and locals.”

With some optimism, he hopes that investments are focused on detection and not on prevention. “You know you will get hacked, and of course, you need a basic level of security, but you shouldn’t put all your money on prevention because you can’t always prevent an attack,” he explains. “It’s a good idea to invest more money in detection, so it won’t impact the usability of applications once it reaches the public.”

Cyber crimes have a devastating effect and impact on the physical world as the digital and physical are intertwined and, said de Lang, “with cities offering more and more online services, the importance of cybersecurity grows. Every country in the EU has a National Cyber Security Strategy, but cities need a cross-sector approach to cybersecurity, as threats don’t stay in silos. Attackers hack one institution or area to get to another. Therefore, there’s a need to engage actors across sectors.”

What can we take away from all this discussion? A lot.

Cities need to invest heavily not only in cybersecurity but also in closing the gap of the digital divide as a way to minimise risks and effectively include the population in the digital decade with strong leadership and integrated approach also collaborating with other cities and institutions.