Managing Liability in Smart Cities

Cities and other organizations use insurance to decrease the risk burden of everything from natural disasters to accidents. Cyber insurance, however, is still an evolving market. The cyber insurance market lacks reliable data that can predict loss, especially in the public sector.1 Partly because of the lack of data, insurance carriers face difficulty in pricing and underwriting, and they often closely limit the kind of coverage offered.

Not only is the cyber insurance market just beginning to mature, the more mature parts (like insurance for data breaches) are focused almost exclusively on traditional business IT systems—those responsible for data storage, transmission, and analysis. Smart cities, however, feature an explosion of cyber-physical systems in sectors from transportation, to water systems, to lighting, to parking, in which computers do not merely store and manipulate data, but collect data through sensors and manipulate the physical world through actuators of various types. Thus, the places in which cyber insurance has recently grown in value are for applications very different than the ones presented by smart cities. Increasingly, cyber insurance will be required for all sorts of physical systems which previously were not controlled by computers.

However, even if the insurance market evolves to cover physical systems, a number of important, open questions remain:

  • In a highly technical environment that increases risk from cyber attacks or other technology-related issues affecting citizen services, how will insurers react?
  • Will cities be able to offload as much risk as they need to for safe operations?
  • Will insurers be able to reasonably price the risk of the shutdown of huge municipal systems (like transit systems) the way they are currently able to price the risk of breaches of Personally Identifiable Information (PII)?
  • When a computer-controlled system fails, will such losses be viewed as losses under traditional property and casualty insurance or under cyber insurance?
  • If an attack can’t be attributed, or is attributed to a state actor, will cyber insurance coverage still pay out?2

The possibility that city infrastructure could be used by malicious actors for their own purposes raises further questions about liability for damages. The IBM X-Force research group found that many of the vulnerabilities that helped enable the October 2016 Mirai attacks remain in smart city devices.3 The Mirai botnet used insecure IoT devices with default passwords to perpetrate a massive distributed denial of service (DDoS) attack on multiple targets.4 Smart city technology would massively increase the number of IoT devices deployed across the world; ensuring their security would be paramount to preventing criminal and offensive attacks.

Having a city’s “smart” infrastructure used in a cyberattack that targets victims across the world, particularly as a result of poor security practices or management, may expose the city to liability claims. So far, much of the discourse around liability for IoT-powered attacks has rested with the manufacturer; in a smart city implementation, where these devices are likely to be customized and/or integrated with other systems, liability exposure could increase.5 In that case, is the city a victim or an accessory-by-neglect to the crime?

Furthermore, there is already a strong debate over whether a city can or should pay the ransom if its systems are affected by ransomware. Beyond the argument over the effectiveness of paying the ransom in the first place—many attackers are not sophisticated enough to actually decrypt what they encrypted6—cities have to deal with the moral conundrum of paying criminals from taxpayer funds.7 In a smart city, it could be about getting back basic services like transportation or lighting, which changes the calculus by changing the level of consequence.

Citizen engagement and trust are critical in any smart city deployment, and issues of citizen consent pose a real challenge for the smart city concept. The success of the smart city model relies on the participation of citizens en masse, and many of the technologies are passive collectors, meaning that citizens do not actively opt in. How can citizens give consent for smart city adoption? There is a huge education piece to this puzzle, first of all, and regardless of whether citizens are educated, it will be difficult, if not impossible, to turn services off for some citizens and on for others.

Relatedly, smart city implementations and other technological projects will often be done as pilot projects or phased implementations because resources are not available for major upfront capital investments. Thus, to paraphrase William Gibson, the future will arrive, it just won’t be evenly distributed.8 In a world in which the future is not evenly distributed, how will cities decide what areas and neighborhoods get smart applications first? In some cities it will be driven by questions of economic development, in others by the presence of certain industries or institutions (like universities). However, in many cities it seems unlikely that it will start in the poorest or most in-need areas. Thus, the explosion of smart cities and smart city projects will also create a vast set of questions about ethics and equity.

Citations
  1. Friedman, Sam. "Demystifying Cyber Insurance Coverage." Deloitte Insights. February 23, 2017. source.
  2. Ross, Andrew. "Mondelez Vs. Zurich: How Watertight Is Cyber Insurance Coverage?" Information Age. January 25, 2019. source.
  3. Leonard, Matt. "Smart Cities Vulnerable to Easy Attacks on Unsecured Connected Apps." GCN. August 10, 2018. source.
  4. Fruhlinger, Josh. "The Mirai Botnet Explained: How IoT Devices Almost Brought down the Internet." CSO Online. March 09, 2018. source.
  5. Brown, Scott, General Counsel, BlueVoyant. Telephone interview by author. March 24, 2019. Also see, for example: Norton Rose Fulbright. “Legal Implications of DDoS Attacks and the Internet of Things (IoT).” Data Protection Report. December 5, 2016. source; Society. “IoT Security for Policy Makers.” Internet of Things. April 19, 2018. source.
  6. Mathews, Lee. "Why You Should Never Pay A Ransomware Ransom." Forbes. March 09, 2018. source.
  7. Blinder, Alan, and Nicole Perlroth. "Hard Choice for Cities Under Cyberattack: Whether to Pay Ransom." The New York Times. March 29, 2018. source; Kozloski, Matthew. "Cities Must Pay For Cybersecurity, Not Ransoms." Hartford Courant. October 22, 2018. source.
  8. Maharajh, Robert. "The Future Has Arrived." Medium. May 24, 2016. source.