Imagine a city where subway cars connected to each other, synchronizing transfers based on average transport time between arrival of one train and the departure of another; where streetlights varied in brightness based on ambient light and population presence, saving the city millions of dollars and decreasing energy requirements; where your phone could direct you to the nearest parking spot to your next meeting.

For years, smart city vendors, engineers of many stripes, and thought-leading urbanists have been telling us a wonderful story about the smart cities to come. These stories are filled with efficiencies and savings, targeted and personalized services, frictionless interactions and payments, and infrastructure that learns and adapts to changing usage and needs. We are not there yet—important technologies required for this vision at scale remain just over the horizon. And some of the challenges are as much political and cultural as technical—how to deliver last mile fiber effectively in many places,¹ for example, is still an open question, as is the challenge of automating or computerizing aging and poorly maintained infrastructure.²

But the smart city is no longer purely science fiction either, and building ever smarter cities is a major priority globally. More than 26 smart cities are expected to be established by 2025; Singapore wants to become the world’s first “Smart Nation.”³ Yet, the technology needed to build smarter cities and nations carries major risks. As security expert Bruce Schneier has observed, when “smart” can translate loosely to “hackable,” this future takes on some new connotations.⁴

But the smart city is no longer purely science fiction either, and building ever smarter cities is a major priority globally.

Despite increasing concern from the information security community, it is far from clear that even the smartest of U.S. cities are in a position to deal with the full range of new risks that the technology may bring. The required financial, social, security, operational, legal, and policy innovations needed for smart cities to deliver on their aforementioned promises do not appear to be moving at the pace of innovation of the technology.⁵ It is important that city managers, activists, engineers, and policymakers recognize that many of the most important hurdles to achieving the promise of the smart city will not be technological problems.

This paper will look at smart cities with a critical eye, examining this promise of a smart city and asking the questions we will have to wrestle with as technology becomes more and more integrated into our daily life in cities, states, and countries. We will also highlight some of the areas that need further attention if we are to continue the rapid deployment of smart city technology in our cities, states, and countries. We hope that this paper informs the range of stakeholders in smart cities—from the engineers who build the technology, to the city leaders who are responsible for making the best decisions for their constituents, to the activists and policymakers who look at the various aspects of what a smart city will mean in implementation.

The technology is here for smart cities, but should we be implementing this technology at scale yet? At the 2019 Institute of Electrical and Electronics Engineers (IEEE) Smart City Conference in Kansas City, technical panels detailed new methods for scaling smart city applications and integrating various data sets, improving technical smart city capabilities at a rapid pace. Yet, one of the themes that emerged in the plenary sessions in Kansas City was that answering the the call for technical improvements would not be sufficient to increase the deployment, utilization, and optimization of smart city applications. The reason? These are not merely technical problems, but socio-technical ones, and the rapid pace of technological improvement has in many ways outpaced our ability to manage that technology. While cities may have large networks of infrastructure and computers, they are not merely machines. The policy and governance questions around smart cities, which are still largely unanswered, may be as likely as technical ones to delay, or even derail, the benefits of smart cities.

Even in some large cities, IT governance may still be maturing. City Chief Information Security Officers are a relatively new invention, if they can be afforded at all. Many cities still employ IT professionals in civil service job titles that date back to the earliest introduction of computers into city government. Even the managerial capability to contract for modern IT systems, let alone the ability to evaluate their construction or assess their safety, is sometimes poorly developed. The fact that some cities lack the organizational or institutional capability to effectively implement, manage, contract for, or evaluate smart city goods and services offered by vendors may not prevent them from pursuing such projects.

Even in some large cities, IT governance may still be maturing.

Smart city deployments are almost always done in deep cooperation with the private sector. Do we trust these companies to have the greater good of citizens first in their mind? How they calculate risk and return on investment are naturally different. Indeed, companies have not just the right, but the fiduciary responsibility, to walk away from sectors, markets, or products that don’t offer strong outlooks for profits; however, cities do not have that luxury. There may be profitable smart city implementations that are technically feasible, but that violate some other concern that cities take seriously, like privacy, equity, accountability, or transparency.

Do our city leaders have the education or staff expertise to stand up to the technology firms? Do they have the financial backing or market position to do so? Do our city leaders have the technical support from state, federal, or non-profit partners to ask technology firms the hard questions about the economics and safety concerns of smart implementations? In many cities, unfortunately, the answer is no.

Much of the existing literature around smart cities has a utopian feel. It is certainly true that smart city applications can reduce costs in some cases, improve efficiency in some cases, and collectively improve urban service delivery and quality of life. However, like all technologies, smart city technologies are largely agnostic to whether they are implemented well, ethically, economically, safely, or with accountability.

As researchers from the Brookhaven National Lab observed in 2000:

A vision of the city of the future has been presented—one that rests on the integration of science and technology through information systems. A future that will require a re-thinking of the relationships between government, city managers, business, academia and the research community. The title of this vision is Smart Cities.⁶

This observation sets the stage for our study of smart cities.

Our definition does not stray much from Hall et al’s. A smart city uses information and communication technologies to increase operational efficiency and effectiveness, share information with the public, and improve the quality of services. To achieve these aims, cities deploy technology across various parts of city infrastructure. These technological systems will use sensors to collect data about the environment and city operations, centralized and distributed or embedded computing power to process that data, and actuators to manipulate urban infrastructure and adjust city operations. In this sense, the smart city transforms the city into a large socio-technological system (or a system of such systems) that “senses, thinks and acts.”⁷

But this wide-scale implementation of technology introduces challenges in risk transfer, liability, citizen protection, data management, and citizen consent.

Cities and other organizations use insurance to decrease the risk burden of everything from natural disasters to accidents. Cyber insurance, however, is still an evolving market. The cyber insurance market lacks reliable data that can predict loss, especially in the public sector.⁸ Partly because of the lack of data, insurance carriers face difficulty in pricing and underwriting, and they often closely limit the kind of coverage offered.

Not only is the cyber insurance market just beginning to mature, the more mature parts (like insurance for data breaches) are focused almost exclusively on traditional business IT systems—those responsible for data storage, transmission, and analysis. Smart cities, however, feature an explosion of cyber-physical systems in sectors from transportation, to water systems, to lighting, to parking, in which computers do not merely store and manipulate data, but collect data through sensors and manipulate the physical world through actuators of various types. Thus, the places in which cyber insurance has recently grown in value are for applications very different than the ones presented by smart cities. Increasingly, cyber insurance will be required for all sorts of physical systems which previously were not controlled by computers.

However, even if the insurance market evolves to cover physical systems, a number of important, open questions remain:

• In a highly technical environment that increases risk from cyber attacks or other technology-related issues affecting citizen services, how will insurers react?
• Will cities be able to offload as much risk as they need to for safe operations?
• Will insurers be able to reasonably price the risk of the shutdown of huge municipal systems (like transit systems) the way they are currently able to price the risk of breaches of Personally Identifiable Information (PII)?
• When a computer-controlled system fails, will such losses be viewed as losses under traditional property and casualty insurance or under cyber insurance?
• If an attack can’t be attributed, or is attributed to a state actor, will cyber insurance coverage still pay out?⁹

The possibility that city infrastructure could be used by malicious actors for their own purposes raises further questions about liability for damages. IBM X-Force research group found that many of the vulnerabilities that helped enable the October 2016 Mirai attacks remain in smart city devices.¹⁰ The Mirai botnet used insecure IoT devices with default passwords to perpetuate a massive distributed denial of service (DDoS) attack on multiple targets.¹¹ Smart city technology would massively increase the amount of IoT devices deployed across the world; ensuring their security would be paramount to preventing criminal and offensive attacks.

The potential of having a city’s “smart” infrastructure used in a cyberattack, particularly as a result of poor security practices or management, that targets victims across the world may expose a city to liability claims. So far, much of the discourse around liability for IoT-powered attacks has rested with the manufacturer; in a smart city implementation, where these devices are likely to be customized and/or integrated with other systems, liability exposure could increase.¹² In that case, is the city a victim or an accessory-by-neglect to the crime?

Furthermore, there is already a strong debate over whether a city can or should pay the ransom if its systems were affected by ransomware. Beyond the argument over the effectiveness of paying the ransom in the first place—many attackers are not sophisticated enough to actually decrypt what they encrypted¹³—cities have to deal with the moral conundrum of paying criminals from taxpayer funds.¹⁴ In a smart city, it could be about getting back basic services like transportation or lighting, which changes the calculus by changing the level of consequence.

Citizen engagement and trust is critical in any smart city deployment, and issues of citizen consent pose a real challenge for the smart city concept. The success of the smart city model relies on the participation of citizens en masse, and many of the technologies are passive collectors, meaning that citizens do not actively opt-in. How can citizens give consent for smart city adoption? There is a huge education piece to this puzzle, first of all, and regardless if citizens are educated or not, it will be difficult, if not impossible, to turn services off for some citizens and on for others.

Relatedly, smart city implementations and other technological projects will often be done as pilot projects or phased implementations because resources are not available for major upfront capital investments. Thus, to paraphrase William Gibson, the future will arrive, it just won’t be evenly distributed.¹⁵ In a world in which the future is not evenly distributed, how will cities decide what areas and neighborhoods get smart applications first? In some cities it will be driven by questions of economic development, in others by the presence of certain industries or institutions (like universities). However it seems unlikely that it will start in the poorest or most in need areas in many cities. Thus, the explosion of smart cities and smart city projects will also create a vast set of questions about ethics and equity.

The focus on public-private partnerships in smart cities is the result of both technical expertise being resident in such companies and the fact that companies often create unique funding models to avoid forcing cities to make major upfront capital investments for the sensors, actuators, and computing platforms that make up the Internet of Things. This requires the companies to make up for such funds in alternative models of “monetization”¹⁶ that may include selling smart city data to third parties or keeping data as proprietary information. These new business models could create problems around privacy, transparency, accountability, and other democratic values.

These new business models could create problems around privacy, transparency, accountability, and other democratic values.

Part of what should make citizens concerned is the question of data ownership and management. Most smart city implementations are done through cooperation between the private and public sectors. In most pilot programs, the private sector retains control over the data and leases it to the city, but in a mature program, the city should own the data for its services.¹⁷

However, if these conditions are achieved, several important questions remain:

• If the city owns and controls the data, where is the benefit for the private sector?
• Will the advantageous pricing offered today survive in that model?
• Can cities take advantage of these services if that kind of pricing is not continued?
• And if it isn’t, will cities feel pressure to cede control over their data or share it with the private sector in a way that puts the security of its citizens at risk?

These questions get to the heart of the last concept discussed: consent. Forward-leaning cities such as New York, Amsterdam, and Barcelona have started talking about fundamental digital rights for their citizens,¹⁸ but do those rights extend to data held by private companies? These arrangements have yet to be worked out. Other cities, like Seattle and Dallas, have begun to incorporate such concerns in their organizational structures by creating a Chief Privacy Officer position for the city or utilizing a non-profit structure to do community engagement.¹⁹

Even within cities, the question over data control and governance will be tricky. Data owners or the business unit (or agency) leaders that own an application typically decide how data can be used.²⁰ In a smart city environment, this decision must be tied to both the method of collection and purpose of the system, which will require technical expertise. This process is an added expense that will need to be integrated into any smart city deployment. Additionally, the elements of city government that support these business unit leaders—specifically those that provide legal counsel and support the purchase of insurance—will need to be involved in this decision-making as well. In many cases, data will be a valuable asset to a city²¹ and will have to be treated as such.

The data collected in smart city applications varies across almost every possible spectrum and includes among the most sensitive personal data, as well as largely mundane and uninteresting data. Pressure readings in water mains, wind speed data from environmental monitors, and light level readings from smart lighting applications are the kinds of large-scale environmental data collections in some smart city applications that seem relatively innocuous and unconcerning and probably largely are. This data is valuable for adjusting city services for efficiency, and it poses little threat from breach or exposure. However, many smart city applications will collect information that is tied to individual users, their devices, their locations, and other sensitive information.

Smart parking applications or automated license plate readers will not just collect user license plate numbers, but they will tie that license plate to geocoded data about where it was collected. This is prototypical surveillance data, and often users will not have any option to opt in or opt out. Even seemingly less invasive applications, like city-provided free Wi-Fi hotspots or Bluetooth connections, could collect unexpected user data, like data from an embedded medical device that automatically connects to open Wi-Fi to upload telemetry. Are cities prepared to safely store logs filled with device information on citizens pacemakers, and would the pacemaker owners feel comfortable with this? Would the citizens even know?

Part of the challenge here is that we are consistently adding more and more devices to the environment, and so the data privacy concerns are broader than just data collection, and they increasingly include data collation across disparate and unconnected datasets. Datasets that will be, in the case of the smart city, owned and protected by either the municipality or their vendors. Cities are, in many cases, not currently prepared for the task of warehousing the vast amounts of data that smart city applications will produce—in terms of both the logistics of holding such data and the defensive agility to protect such data. Historically, cities have collected and stored a lot of sensitive data, but they did so largely at a human scale. The automation of collection platforms, the increasing sensitivity of data (because of technologies like geocoding and facial recognition), and the use of data to actually change physical city operations through actuators on infrastructure systems (vastly increasing the importance of data protection, and particularly data availability and integrity) means the new data protection challenge for cities is different in both scale and type.

Smart city systems collect data to improve the effectiveness and efficiency of city services. These technologies can add to the span of delivery, save energy, fill gaps, add customization to offerings already provided, or enable new applications developed based on the data gathered. Once these digitally enabled services become the default, however, citizens and city officials alike will depend on them.

Once that happens, cities will face the same challenge as all critical infrastructure providers: high uptime requirements. High uptime requirements make updating systems more difficult because infrastructure often needs to be taken offline to be updated. With this concern in mind, city networks must be designed for resiliency and segmented appropriately to prevent attacks from spreading from system to system and to enable administrators to update systems regularly.

Additionally, systems must be designed to “fail usable.” While failing safely or failing securely are common themes in engineering discussions of fault tolerance, even in terms of urban infrastructure and smart cities, failing to a usable state is less commonly explored or discussed.²² The comedian Mitch Hedberg once joked, “I like an escalator man, because an escalator can never break, it can only become stairs.”²³ Smart city applications–like Hedberg’s escalator–will have to remain usable in some form if their digital componentry or network connections fail.

…The city must have a manual backup or usable setting that is automatically engaged upon system failure.

If essential city services are digitized—parking meters that are tied to phone applications, for example—and the application driving the service fails, the city must have a manual backup or usable setting that is automatically engaged upon system failure. City street lights controlled by motion sensors, for example, should default to “on” if the control system fails. An illustrative example of not “failing usable” was the ransomware infection on the payment kiosks of the San Francisco Municipal Transit Authority (SFMTA) light rail system. Because there was no manual back up, the system was faced with serious challenges, and the city ultimately decided to let customers ride for free for several days while they reimaged all the systems in the payment kiosks.²⁴

There is a fundamental question that has yet to be answered: to what degree are cities responsible for the safety of their citizens? Some cities (and countries)²⁵ consider the digital security of their citizens to be just important as the physical security of their citizens, but this is a new and still frontier idea. There is still more work to be done on how much protection a city should and can provide, and to whom it provides protection. For example, is protection provided only to citizens of the city, or does it extend to those who work in it and those who travel to it?

Smart cities technology can improve the quality of services provided to citizens, but it will also introduce a considerable amount of additional digital risk to citizens, their data, and the services that are provided to them.

With all of these concerns, then, should we even bother with smart city technology? The answer has to be yes. The increasing urbanization of the world’s population, environmental concerns, and budget challenges demand that we do. But we need to do it safely.

Doing smart cities safely will cost more money in the short term. That is the reality. Such technology will ultimately usher in monetary savings and benefits for the larger community and the environment, but not as much as if systems were installed without the necessary security features and design. These features are necessary, and installing smart city technology without a security mindset and tooling raises too many risks. It is time to dedicate resources to answering the tough questions that go along with the benefits of technological innovation.

This economic reality—that a responsible and safe smart city is more (perhaps much more) expensive than just implementing smart technology immediately—must also be balanced against one of the more important realities of cities in the current era: that cities are struggling for resources. In the United States, cities are facing a series of important financial hurdles. Cities often face declining budgets or revenues,²⁶ shrinking state and/or federal support,²⁷ increasing pension obligations,²⁸ and ultimately more financial uncertainty.²⁹ Thus, at a time when we would prefer cities to be investing in making smart applications safer and more secure, they will often be in a financial situation that makes such investments much harder to justify. This resource challenge exacerbates the mismatch between city contracting capabilities and needs and the differing bottom lines and goals of cities and their vendors.

There is further research needed in multiple areas to make smart cities a truly “smart” reality.

Some of these key questions have been identified in this paper, and others will continue to pop up over time as new devices, systems, applications, and functionalities are introduced in smart cities. Cities will have to answer some, but they will not be able to do so alone. Other organizations and individuals—federal and state government agencies, legislatures at all levels, academic and research institutions, private sector companies, technologists, ethicists, lawyers and courts, and stakeholder and community organizations—will all have to play a part in working with cities to understand what smart city implementations truly mean for society and how to make sure the benefit is an overall positive one. In that sense, the project of making smart cities safe, stable, secure, and sustainable will be a national and communal one as much as a municipal one.

We have made amazing progress on the technical questions around smart cities and smart city applications. However, the technical questions are not the only ones we face. There are still areas of concern, each of which will include not individual questions but large portfolios of questions—ethical, financial, social, logistical, political, demographic, economic, bureaucratic, and otherwise—that are decidedly not technical.

That said, there is a series of broader functions that define what it is that cities provide and are expected to provide for the people who live in them, work in them, and visit them. These functions can manifest as services—fire or emergency response, snow removal, trash collection, or education—or aspects of community—social justice, safety, or urban development. Each of the following broad areas of expectations have implications for smart cities and public policy, and each raise both broad philosophical and ethical questions as well as narrower, practical questions. Below are some of those broad philosophical questions, along with a non-comprehensive sampling of more specific ones.

• Sustainable Finance: What business models and investment or pricing strategies will make smart cities feasible and sustainable?
  • Should vendors be able to offer lower-cost smart city implementations in exchange for owning or monetizing the collected data?
  • Will the city or the vendor be responsible for the cost of maintenance, sensor calibration, and/or maintaining stores of spare components?
  • What will the exploding cost of data storage and processing needs that come with smarter cities do to city budgets, and how will that balance with potential savings?
• Social Justice: How will the implementation, management, and automation processes of smart cities differentially impact various communities, constituencies, and stakeholders in the city, and what responsibilities do cities have to mitigate these impacts?
  • What neighborhoods will get pilot or phased smart city implementations first? Will it be those with most needs or those that contribute the most to the city tax base?
  • What populations—domestic violence victims, the homeless, and/or the elderly—will face what risks from automated personal data collection in smart city applications?
  • Should companies be given tax credits or incentives for installing smart city applications, and where does that funding come from?
• Security and Safety: Can cities and their partners (from vendors, to state and federal government agencies, to third sector partners) really secure the data and systems that are likely to come with smart city growth?
  • Are city network operators going to be able to effectively monitor the alarms on intrusion detection systems when the number of devices on their networks doubles, triples, or increases by a factor of 10?
  • Will smart city transportation applications fail over into a manual mode, or will computer failures on the systems mean that city transit grinds to a halt? (And would the city even still employ drivers or train operators to do the manual work if there was a failure like this?)
  • How resistant to flooding are the sensor networks that operate a city’s smart parking infrastructure? Can such systems be installed in flood prone areas?
• Effective Municipal Operations: Can cities improve their cross-agency, cross-disciplinary, and cross-jurisdiction coordination, as well as their contracting and acquisition processes, sufficiently to make smart cities viable?
  • When fire departments respond to calls at facilities with smart city infrastructure, will they know what infrastructure is where, and will they know how to avoid damaging it in the course of firefighting?
  • When a driver crosses the line between two municipalities, will they need a second smart parking token or beacon, or will the systems in adjoining communities be interoperable?
  • When parking meter data can be used to show who parks at or around hospitals or medical service providers, will parking management officials recognize that data as sensitive and valuable?
• Consequence and Liability Management: When people are injured, killed, or otherwise negatively impacted by automated systems that are part of a smart city, will cities, the courts, the insurance industry, first responders, and others be able to reasonably manage the consequences, understand the technologies and systems sufficiently to assign blame, and take steps to mitigate such negative impacts?
  • When buggy code results in the derailment of a subway car, will the court system be able to parcel out blame and responsibility among the city transit agency, train operators, vendors and system integrators, hardware and software producers, and other key stakeholders?
  • If tens of thousands of smart city devices from across a dozen cities are used to conduct denial of service attacks on a company across the globe, what is the city’s responsibility?
  • If algorithms determine that it is more efficient to send trains more often to some neighborhoods than others because of traffic volume, but some percentage—30, 50, or 70 percent—of the less-served neighborhoods are among the more accessible ones, could that violate the Americans with Disabilities Act?

Each of these broad research areas is underdeveloped but key to answering a broader question about the viability and sustainability of the smart city ideal. We have to answer many of these questions to get a sense of the kind of smart cities we will end up with. The initial impulse will be to pursue the strategy of implementing smart cities “fast” and “cheap.” Answering these questions will be an important part of changing the strategy to push toward optimizing for “good” smart cities.