Smart Technology Must Be Part of the U.S. Infrastructure Discussion, Too

 

Connecting state and local government leaders

Q&A: Security and privacy issues will abound if they go unaddressed as cities increasingly install smart infrastructure, according to federal officials.

WASHINGTON — The National Institute of Standards and Technology has used its Global City Team Challenge since 2016 to encourage the formation of “superclusters”—multi-city, multi-stakeholder collaborations around shared challenges.

Superclusters have yielded “smart city” solutions in transportation, public safety, utilities, broadband, data, and agriculture, but localities have grown increasingly concerned with the vulnerability of smart technologies to cyberattacks.

The Homeland Security Department has worked to raise awareness about the need for front-end security in smart cities, but President Trump’s forthcoming infrastructure package complicates matters.

If the plan increases cities’ access to smart infrastructure, will it simultaneously render them more hackable?

Route Fifty caught up with Sokwoo Rhee, NIST Cyber-Physical Systems Innovation associate director, and Scott Tousley, deputy director of the Cyber Security Division at Homeland Security's Advanced Research Projects Agency to discuss the ramifications of an infrastructure bill that expedites the smart cities movement.

Route Fifty: Smart cities initiatives and related cybersecurity efforts have largely been about building awareness among government officials up to this point. Where do you see things heading in 2018?

Scott Tousley: “Each state and city is a little different, but I think probably the vast majority are figuring out how to wrestle with infrastructure investment, efficiency and effectiveness gains, better citizen services, etc. We’ve gotten through the first round of awareness, and that’s a part of what we’re trying to do: bring the security and privacy pieces into a full role. I do think one of the things that will unfold as a larger part of the conversation is what comes out of the [Trump] administration’s discussion of the infrastructure investment that’s needed. People are going to ask the question, ‘How do we make sure this investment happens and doesn’t set up security and privacy issues by not looking at them as part of the effort?’”

Sokwoo Rhee: “Five years ago there was really no market called the ‘smart city market.’ Everybody was doing smart city things, but they didn’t really label it that. Hence there was really no growth in an exponential way. The last few years you can see there are tons of events and tons of companies—carriers are working on smart cities solutions; big companies like cloud vendors are also putting smart cities in the mainstream. It’s going to keep growing. The question is: What would be the financial model that’s going to actually help that accelerate? It’s going to happen no matter what. It’s a question of whether it’s going to take 50 years or five to 10 or even less. You’re going to see a lot of companies coming out with solutions, and the question is: What types of solutions do cities want to actually adopt? They’re past discussion of pure technology deployment. Now we’re talking about applicational value.”

Route Fifty: We’ve established that smart technology, security and privacy need to be a part of the forthcoming infrastructure discussion, but what do you see as the federal government’s role in the equation versus that of states and localities?

Tousley: “At [the Department of Homeland Security], I think we have the benefit of a lot of years of trying to work both on our own and with a lot of other federal partners on the question of critical infrastructure security, where we talk to the different infrastructure organizational, operational groups. We’re not a regulatory activity. The DHS role in critical infrastructure generally is like the NIST role in smart cities: trying to set up conditions for an active set of conversations so things can unfold. In our case we’re trying to end up anticipating surprising breakdowns and problems and be in a place to help industry do that. I think NIST and DHS both have the challenge of taking a model which tends to focus federally and have it reach to what I call the ‘rest of the iceberg,’ which is all these cities and communities of lots of different sizes throughout the country. You don’t want some magic, handcrafted solution that works in Chicago and Boston and maybe New York and isn’t also somehow at least possible for much smaller places, because the entire country can be hacked.”

Rhee: “I really agree with this iceberg analogy because implementing an IT system in the federal government, it’s not homogeneous, but we have our rules—federal policies that we all adhere to. It’s a little bit easier to buy and RFP IT systems for the federal government. Local governments are very different. Frankly, it may not be that the federal government can dictate in those environments. That’s probably not going to be possible because they need to develop on their own through their own collaborations something they can work with themselves. That’s sort of the direction GCTC is trying to go.”

Route Fifty: What sorts of smart city collaborations do you see the federal government promoting as we get further into the infrastructure conversation?

Tousley: “The federal government has to be what I would call an ‘active partner’ in a lot of these things playing out, which means we need to find useful ways to help. That’s not even in the same universe as telling people what to do and how to do it. The infrastructure areas sort of align with supercluster activities. The way that those end up connecting to what a city or community wants, I think that’s tractable. People are exploring it now. The more interesting thing is when you’ve got three or four different superclusters or infrastructure areas all putting in parallel improvements that naturally start to cross-connect because that’s where you get 10-times payoffs and 50-times payoffs. All of a sudden citizens and companies can start to do really interesting things. But the more that you allow those to cross-connect, you also have to pay attention to the security problems because we’re describing a fairly fragmented set of systems, which when you look in the IT world is a recipe for hackability and not in a good way.”

Rhee: “There are 19,000 local governments in the United States, and you cannot work with everyone. I think state government has a critical role that can take the high-level outcomes—like blueprints for superclusters for example—down to the level of committed citizens. That’s sort of what the Commonwealth of Virginia has done. I think a lot of other states can do the same thing. What we can provide is probably 60 percent of the foundation, and the other 40 percent has to be done by local governments and state governments.”

Tousley: “That’s the beauty of the United States, which is a very decentralized, distributed federation of different communities. The word hacking often has a negative connotation about somebody coming in from the outside and disrupting, but you also hear the term used a lot of time as, ‘Let’s hack the solution.’ The solution is a combination of things from the ground up rather than the top down, and we’re seeing some of the best GCTC projects and efforts that we’re hoping to mimic being brilliant ideas from the bottom up.”

Route Fifty: Speaking of the negative kind of hackability, are states and cities taking seriously the need to make cybersecurity a front-end concern when it comes to deploying smart technologies?

Tousley: “I think everybody in the commercial world has really gotten the message to where now—when they talk about a new program, initiative, product, or service—the questions of how could it break, how could it be misused, how could it be hacked are part of the planning discussions at the beginning. Since the Sony hack a couple years ago, nobody talks about the marketing plan for their movie without thinking about the security, given the demonstration of what can happen. At the state, local, community level, as we talk about putting these things in, those are conversations involving smaller systems and fewer people maybe, but it’s the same kind of conversation as we want and are seeing happen commercially across some of the major corporations. Frankly, there’s a degree of follow-through which has often been absent in the IT world sometimes, where the issue may not be that there was a gaping hole in a security concept. Maybe the equipment installed still had default passwords, or nobody went back and checked a year later that something else wasn’t getting added. It’s not just quality if the citizens love it. It’s quality that somehow you’ve taken steps so it’s not easily hacked.”

Rhee: “We are seeing the emergence of CISOs, chief information security officers. Now it’s normal to see the role of CIOs change. When it was first created, the CIO’s job was to get their PCs running in their cities. Now if you talk to CIOs most of the PCs actually handle smart city business themselves like transportation systems. I think the CISO role is going to evolve as well. Right now they mostly see to the security of their IT systems. Going forward their roles are going to expand to deal more with the security and privacy issues of the systems throughout the whole city. That’s where NIST and DHS can come in and be a catalyst. We want to help them make that happen, instead of leaving it to each individual city.”

Route Fifty: What’s one thing that might not be true about the smart cities movement and security now that you hope to be true if we have this conversation a year from now?

Tousley: “I think the mark of success we’re really aiming for is that right now these conversations are happening a little bit in various, scattered places, and in some cases we’re sparking them. If we’re doing our jobs, in a year this has maybe not gone viral but certainly is happening at a scale and pace way beyond what Sokwoo and I can push and force ourselves. Honestly, I think the best benchmark is going to be a degree of publicity and lots of people two or three steps removed that are able to tell a governor or deputy governor or mayor or Congress member, ‘This is a good effort, and we need to do more things like this because this is helpful to me as we try and improve our community.’”

Rhee: “I saw a report the other day; there was an analysis of the IoT market. The No. 1 priority has always been industry applications. It was the first year I have seen that prioritized smart cities applications over industry applications in sheer volume of IoT projects. In a year or two from now, I want that to happen with the cybersecurity and privacy issues in smart cities.”

Dave Nyczepir is a News Editor at Government Executive’s Route Fifty and is based in Washington, D.C.

FEATURED CASE STUDIES
Powered By The Atlas
Orlando Protects Citizens During Heavy Rain Events by Optimizing Water Data Intelligence
Orlando, FL, USA
Small city of Baldwin, GA with <5K residents reduces info calls to City Hall by 50%
Baldwin, GA, USA
Integrated city systems, unified data, & automation drive 316% increase in field efficiency
Seattle, WA, USA

NEXT STORY: National Governors Association to Ramp Up State Cyber Assistance

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.