Connecting state and local government leaders
Q&A: Security and privacy issues will abound if they go unaddressed as cities increasingly install smart infrastructure, according to federal officials.
WASHINGTON — The National Institute of Standards and Technology has used its Global City Team Challenge since 2016 to encourage the formation of “superclusters”—multi-city, multi-stakeholder collaborations around shared challenges.
Superclusters have yielded “smart city” solutions in transportation, public safety, utilities, broadband, data, and agriculture, but localities have grown increasingly concerned with the vulnerability of smart technologies to cyberattacks.
The Homeland Security Department has worked to raise awareness about the need for front-end security in smart cities, but President Trump’s forthcoming infrastructure package complicates matters.
If the plan increases cities’ access to smart infrastructure, will it simultaneously render them more hackable?
Route Fifty caught up with Sokwoo Rhee, NIST Cyber-Physical Systems Innovation associate director, and Scott Tousley, deputy director of the Cyber Security Division at Homeland Security's Advanced Research Projects Agency to discuss the ramifications of an infrastructure bill that expedites the smart cities movement.
Route Fifty: Smart cities initiatives and related cybersecurity efforts have largely been about building awareness among government officials up to this point. Where do you see things heading in 2018?
Scott Tousley: “Each state and city is a little different, but I think probably the vast majority are figuring out how to wrestle with infrastructure investment, efficiency and effectiveness gains, better citizen services, etc. We’ve gotten through the first round of awareness, and that’s a part of what we’re trying to do: bring the security and privacy pieces into a full role. I do think one of the things that will unfold as a larger part of the conversation is what comes out of the [Trump] administration’s discussion of the infrastructure investment that’s needed. People are going to ask the question, ‘How do we make sure this investment happens and doesn’t set up security and privacy issues by not looking at them as part of the effort?’”
Sokwoo Rhee: “Five years ago there was really no market called the ‘smart city market.’ Everybody was doing smart city things, but they didn’t really label it that. Hence there was really no growth in an exponential way. The last few years you can see there are tons of events and tons of companies—carriers are working on smart cities solutions; big companies like cloud vendors are also putting smart cities in the mainstream. It’s going to keep growing. The question is: What would be the financial model that’s going to actually help that accelerate? It’s going to happen no matter what. It’s a question of whether it’s going to take 50 years or five to 10 or even less. You’re going to see a lot of companies coming out with solutions, and the question is: What types of solutions do cities want to actually adopt? They’re past discussion of pure technology deployment. Now we’re talking about applicational value.”
Route Fifty: We’ve established that smart technology, security and privacy need to be a part of the forthcoming infrastructure discussion, but what do you see as the federal government’s role in the equation versus that of states and localities?
Tousley: “At [the Department of Homeland Security], I think we have the benefit of a lot of years of trying to work both on our own and with a lot of other federal partners on the question of critical infrastructure security, where we talk to the different infrastructure organizational, operational groups. We’re not a regulatory activity. The DHS role in critical infrastructure generally is like the NIST role in smart cities: trying to set up conditions for an active set of conversations so things can unfold. In our case we’re trying to end up anticipating surprising breakdowns and problems and be in a place to help industry do that. I think NIST and DHS both have the challenge of taking a model which tends to focus federally and have it reach to what I call the ‘rest of the iceberg,’ which is all these cities and communities of lots of different sizes throughout the country. You don’t want some magic, handcrafted solution that works in Chicago and Boston and maybe New York and isn’t also somehow at least possible for much smaller places, because the entire country can be hacked.”
Rhee: “I really agree with this iceberg analogy because implementing an IT system in the federal government, it’s not homogeneous, but we have our rules—federal policies that we all adhere to. It’s a little bit easier to buy and RFP IT systems for the federal government. Local governments are very different. Frankly, it may not be that the federal government can dictate in those environments. That’s probably not going to be possible because they need to develop on their own through their own collaborations something they can work with themselves. That’s sort of the direction GCTC is trying to go.”
Route Fifty: What sorts of smart city collaborations do you see the federal government promoting as we get further into the infrastructure conversation?
Tousley: “The federal government has to be what I would call an ‘active partner’ in a lot of these things playing out, which means we need to find useful ways to help. That’s not even in the same universe as telling people what to do and how to do it. The infrastructure areas sort of align with supercluster activities. The way that those end up connecting to what a city or community wants, I think that’s tractable. People are exploring it now. The more interesting thing is when you’ve got three or four different superclusters or infrastructure areas all putting in parallel improvements that naturally start to cross-connect because that’s where you get 10-times payoffs and 50-times payoffs. All of a sudden citizens and companies can start to do really interesting things. But the more that you allow those to cross-connect, you also have to pay attention to the security problems because we’re describing a fairly fragmented set of systems, which when you look in the IT world is a recipe for hackability and not in a good way.”
Rhee: “There are 19,000 local governments in the United States, and you cannot work with everyone. I think state government has a critical role that can take the high-level outcomes—like blueprints for superclusters for example—down to the level of committed citizens. That’s sort of what the Commonwealth of Virginia has done. I think a lot of other states can do the same thing. What we can provide is probably 60 percent of the foundation, and the other 40 percent has to be done by local governments and state governments.”
Tousley: “That’s the beauty of the United States, which is a very decentralized, distributed federation of different communities. The word hacking often has a negative connotation about somebody coming in from the outside and disrupting, but you also hear the term used a lot of time as, ‘Let’s hack the solution.’ The solution is a combination of things from the ground up rather than the top down, and we’re seeing some of the best GCTC projects and efforts that we’re hoping to mimic being brilliant ideas from the bottom up.”
Route Fifty: Speaking of the negative kind of hackability, are states and cities taking seriously the need to make cybersecurity a front-end concern when it comes to deploying smart technologies?
Tousley: “I think everybody in the commercial world has really gotten the message to where now—when they talk about a new program, initiative, product, or service—the questions of how could it break, how could it be misused, how could it be hacked are part of the planning discussions at the beginning. Since the Sony hack a couple years ago, nobody talks about the marketing plan for their movie without thinking about the security, given the demonstration of what can happen. At the state, local, community level, as we talk about putting these things in, those are conversations involving smaller systems and fewer people maybe, but it’s the same kind of conversation as we want and are seeing happen commercially across some of the major corporations. Frankly, there’s a degree of follow-through which has often been absent in the IT world sometimes, where the issue may not be that there was a gaping hole in a security concept. Maybe the equipment installed still had default passwords, or nobody went back and checked a year later that something else wasn’t getting added. It’s not just quality if the citizens love it. It’s quality that somehow you’ve taken steps so it’s not easily hacked.”
Rhee: “We are seeing the emergence of CISOs, chief information security officers. Now it’s normal to see the role of CIOs change. When it was first created, the CIO’s job was to get their PCs running in their cities. Now if you talk to CIOs most of the PCs actually handle smart city business themselves like transportation systems. I think the CISO role is going to evolve as well. Right now they mostly see to the security of their IT systems. Going forward their roles are going to expand to deal more with the security and privacy issues of the systems throughout the whole city. That’s where NIST and DHS can come in and be a catalyst. We want to help them make that happen, instead of leaving it to each individual city.”
Route Fifty: What’s one thing that might not be true about the smart cities movement and security now that you hope to be true if we have this conversation a year from now?
Tousley: “I think the mark of success we’re really aiming for is that right now these conversations are happening a little bit in various, scattered places, and in some cases we’re sparking them. If we’re doing our jobs, in a year this has maybe not gone viral but certainly is happening at a scale and pace way beyond what Sokwoo and I can push and force ourselves. Honestly, I think the best benchmark is going to be a degree of publicity and lots of people two or three steps removed that are able to tell a governor or deputy governor or mayor or Congress member, ‘This is a good effort, and we need to do more things like this because this is helpful to me as we try and improve our community.’”
Rhee: “I saw a report the other day; there was an analysis of the IoT market. The No. 1 priority has always been industry applications. It was the first year I have seen that prioritized smart cities applications over industry applications in sheer volume of IoT projects. In a year or two from now, I want that to happen with the cybersecurity and privacy issues in smart cities.”
Dave Nyczepir is a News Editor at Government Executive’s Route Fifty and is based in Washington, D.C.