
7 May 2021

Smart cities: a cyber criminal’s dream?

The description of cities of the future as ‘smart cities’ has become a term of art synonymous with improved functionality and interconnectivity, which could bring quality of life improvements and a raft of benefits to civilisation. What is often overlooked is the potential downside of smart cities; for example, how they will be regulated and the risks such interconnectivity might bring.

There are many forecasts as to what the future holds. It is not unreasonable to estimate that by 2025 there could be over 200bn connected sensors contained within 30bn internet of things (IoT) devices, and that, by that stage, the market value for the internet of things will be running into trillions of pounds.

The rewards of interconnectivity

One does not even need to look to the future to see that we already live in a world where physical devices and the IoT are capable of being interconnected and exchanging data. It is increasingly the case that household devices and everyday goods contain sensors that can detect data input such as physical movement, biometric information or other atmospheric circumstance. The price of sensors has fallen so dramatically that they can now be widely used at little cost.

‘Smart’ meters, installed in homes to measure gas and electricity use, are well known, and an entire range of ordinary everyday devices are now fitted with sensors. These can be linked to a mobile phone app or computer to measure heart rate, body mass index or body fat percentage, or worn on wrists or ankles to count steps and distances walked, providing a plethora of metrics and feedback.

Over the next few years there will be increased connectivity between every area of human habitation, from home to car to hotel, to each and every point of existence, so that we create a vast interconnected web.

The IoT will be a whole new frontier where the advantages intrinsic to the interconnectivity of the IoT devices can be exploited. The benefits are much talked about. They include improvements in healthcare with medical apps used to arrange everything from an initial hospital appointment through to more effective delivery of medical and other health services. All of this in a swift remote way that is presently not possible with our reliance on staff and the separation of systems. There are undoubtedly huge benefits that can be brought by the IoT, yet this positive focus often overlooks or minimises the dangers of smart cities.

Security and regulation

One key problem area with the IoT will be its security and how it can be properly regulated. It is the very interconnectivity of the devices that creates an enlarged attack surface, giving hackers more potential access points: points of weakness across the chain.

The very nature of IoT devices means that they are designed to be convenient in use and often capable of being transported around wirelessly and easily. They therefore have physical restrictions and, in general, must be relatively small and light. This creates potential for security weaknesses; the processing power necessary for effective security is not generally optimal where microprocessors are used in small form IoT devices. Put simply, there is not yet enough computer power to undertake both the desired IoT task and to provide cybersecurity for the device through encryption.

Portable devices in smart cities of the future may well sacrifice security to enhance their desirability and portability. Indeed, there may be little incentive for those manufacturing devices to consider cybersecurity as a priority, not least since the incorporation of adequate security measures would represent a likely additional cost. There is also the problem of properly vetting third parties who would install or maintain the devices, as third-party installation or maintenance will represent a further risk to cybersecurity.

In short, the huge attack surface created by the IoT presents a range of opportunities to hackers. Points of access across the chain will be the first vulnerability – then, through access, control over a myriad of interconnected devices, so that a cyberattack might result in the attacker taking control of the home’s interconnected contents, car and so on.

Who does the data collected through the IoT belong to?

In our scenario, would the hacker be able to sell data onto a third party with or without the consent of the owner/user? The ownership of data has other sinister connotations too, for example, where the nation state either claims ownership or is otherwise given access to its citizens’ IoT devices. This would result in everyone being under constant surveillance through the use of each and every IoT device in their lives. This would doubtless result in a state’s ability to successfully prosecute anyone it wished, or to micro-monitor every action.

We are aware that Big Data can have significant consequences. Look for example, at the debate around Cambridge Analytica; yet in a smart city of the future, access by a nation state to IoT devices would undoubtedly result in Big Data being available to analyse the lives of every citizen. So, can we regulate in such a way as to protect ourselves? Furthermore, can criminal law keep pace with the evolving threat and aggregated injuries that smart city crime might bring?

Regulation is not just a problem of the future but of the present. One only has to look at the General Data Protection Regulation (GDPR), which was hailed as the great unifying act for data protection regulation, to understand that the cultural and philosophical differences between nations are such that one size of regulation or approach rarely fits all.

Regulation – favouring the individual or the state?

In the case of the GDPR, while Europe saw fit to put the protection of an individual’s data protection rights at the heart of its regulation, other countries, notably China and Russia, decreed that the state, not the individual, was the ultimate owner of data. Those countries do pay some lip service to the rights of the individual, but ultimately individuals’ rights are trumped by the powers of the state in relation to data. The regulation of the IoT would be similarly diverse across the world.

In the UK the current regulatory strategy is set out in Secure by Design: Improving the Cybersecurity of the Consumer Internet of Things Report, which was published by the UK government on 7 March 2018.

That report sought to introduce a draft Code of Practice for Industry on Consumer Internet of Things. The code is designed to be applied throughout the IoT sector and, in summary, sets out steps that should be taken by any company supplying devices.

It recommends that all device passwords should be unique and resettable and that suppliers must avoid universal default values. The code also asks that all companies providing internet-connected devices and services publish a public point of contact, as part of a vulnerability disclosure policy, so that security researchers and others are able to report issues. It further stipulates that all software components in internet-connected devices should be securely updatable, and that updates must be timely and must not impact the functioning of the device. The code also seeks to minimise exposed attack surfaces: user or program access should be restricted to only the information necessary for a legitimate purpose, and any code or hardware that might expose the device should be kept to a minimum.
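The four technical points above (no universal default passwords, resettable passwords, securely updatable software, minimised attack surface) can be turned into a simple audit over a device inventory. The script below is an added example written for this article; it is not code from the government report or from HCR. The inventory records, the field names (`admin_password`, `signed_updates_only`, `open_services`) and the list of services treated as unnecessary are all constructed for illustration. A password that more than one unit of the same model shares is treated as a universal default, because it can be learned from any one unit and reused against all the others.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class DeviceRecord:
    """One provisioned consumer IoT device in a constructed fleet inventory (illustrative schema)."""
    device_id: str
    model: str
    admin_password: str        # credential the device currently uses
    password_resettable: bool  # can the owner change it?
    signed_updates_only: bool  # does the device verify a signature before applying firmware?
    open_services: list        # network services listening, e.g. ["https", "telnet"]


# Services a consumer device would not normally need to expose; an illustrative list, not from the Code.
UNNEEDED_SERVICES = {"telnet", "ftp", "debug-shell"}


def audit_fleet(records):
    """Return a dict device_id -> list of finding strings, one check per Code of Practice point."""
    # Group devices by (model, password): a password shared by several units of one model
    # is a universal default rather than a per-device credential.
    sharers = defaultdict(set)
    for r in records:
        sharers[(r.model, r.admin_password)].add(r.device_id)

    findings = {}
    for r in records:
        issues = []
        if len(sharers[(r.model, r.admin_password)]) > 1:
            issues.append("universal default password shared across devices")
        if not r.password_resettable:
            issues.append("password cannot be reset by the user")
        if not r.signed_updates_only:
            issues.append("firmware updates are not signature-verified")
        exposed = sorted(set(r.open_services) & UNNEEDED_SERVICES)
        if exposed:
            issues.append("unnecessary services exposed: " + ", ".join(exposed))
        findings[r.device_id] = issues
    return findings


# Constructed sample inventory: two cameras shipped with the same fixed password and
# unsigned updates, two smart plugs provisioned with unique, changeable credentials.
SAMPLE_FLEET = [
    DeviceRecord("cam-001", "CamX", "admin", False, False, ["https", "telnet"]),
    DeviceRecord("cam-002", "CamX", "admin", False, False, ["https"]),
    DeviceRecord("plug-001", "PlugY", "k7Q9-zT2p-wL4m", True, True, ["https"]),
    DeviceRecord("plug-002", "PlugY", "b3Nd-8xRa-Vq1c", True, True, ["https"]),
]

if __name__ == "__main__":
    for device_id, issues in audit_fleet(SAMPLE_FLEET).items():
        print(device_id, "OK" if not issues else "; ".join(issues))
```

Running the script lists both cameras as failing the password, reset and update checks, with `cam-001` additionally flagged for the exposed telnet service, while both plugs pass. The same grouping logic applies unchanged to a real inventory export, provided it carries the equivalent fields.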

The great flaw in the code is that it is currently voluntary, and consequently impossible to enforce in the event of non-compliance. In essence, the current regulation for the IoT is an unenforceable, voluntary code of practice. This is remarkable when compared to, for instance, the regulation of food. One can scarcely imagine manufacturers and suppliers of food being politely asked to abide by a voluntary code of practice to ensure that their products are fit for human consumption and not likely to result in disaster. The IoT carries great potential for humanitarian disaster and its regulation needs to be scaled-up and, so far as possible, uniformly enforced across all regions.

It should be noted, however, that organisations supplying IoT products and services that collect and process personal information may be subject to the Data Protection Act 2018 and/or the GDPR, providing some effective regulation of personal data where it applies. An example would be that device manufacturers and IoT service providers must provide consumers with clear information about how their personal data is being used and by whom, and for what purpose.

But such data protection regulation has not been adopted throughout the world, so, in an interconnected world, homogenised and consistent regulation of smart cities will be difficult, if not impossible, to achieve. Indeed, there are warnings that we face a dystopian future if governments do not seek to regulate devices properly and implement mandatory codes of practice and enforceable regulations. Without this, manufacturers will cut cybersecurity corners in favour of profits and there will be innumerable weak access points for criminals to exploit across a huge surface of interconnectivity.

Other risks will doubtless arise from privacy considerations. In the UK, e-privacy regulations being brought into force should provide another layer of useful compliance. But again, that is merely the UK; smart cities around the world will doubtless generate privacy concerns through inter-connection, the inherent insecurity of IoT devices and the aggregated risk that a breach could generate. Smart cities will require smarter regulation, smarter security and a new way of thinking that we have yet to successfully apply to the IoT.


About the Author
Dan Hyde, Partner
