The ‘smart city’ is invariably promoted as an unqualified good thing, particularly given pressures for more efficient, economic and effective governance in rapidly expanding cities. However, in the dash for technological fixes to the various pressures of urbanisation, there is a tendency to mute reflection on the security implications of ‘smarter’ critical infrastructure, including its vulnerability to criminal enterprise. Such reflection is especially pressing if, as Sir David Omand remarked in a recent keynote speech at the University of Winchester, both commercial and governmental dependence on the internet has gone ‘past the point of inflexion’. If pulling the plug on Web2.0+ is no longer a viable strategy for urban security, what might this imply for prospective research agendas on the organisation of serious crimes?
By way of giving some context to the strategic issue of security in smart cities, just over half the world’s population currently resides in city-regions, with the UN estimating that this will rise to two-thirds by 2050. In this context, the smart city is a policy construct advanced primarily by commercial digital technology companies keen to capture the interests of urban public administrations that are in the market for solutions to pressures on their critical infrastructure, including the management of their transport and healthcare systems.
The WannaCry attack compromised a third of English hospital information systems over a 72-hour period, resulting in the cancellation of 20,000 appointments and operations
The related migration of the management of such critical infrastructure to online systems partly explains the enormously debilitating impact of the WannaCry ransomware attack of May 2017. Amongst its many and varied effects around the globe, the attack compromised a third of English hospital information systems over a 72-hour period, resulting in the cancellation of 20,000 appointments and operations. Subsequent investigations attributed this to the vulnerability of those healthcare authorities who had not upgraded their obsolete IT operating systems, such as Windows XP, which Microsoft had withdrawn support from three years prior to the attack. This and countless other human decisions left unpatched operating systems vulnerable to a relatively unsophisticated virus, demonstrating the brittle security of critical infrastructure in smart cities.
In its report into the impact of the WannaCry attack on the NHS, published in March 2018, the House of Commons Public Accounts Committee noted that, ‘Some NHS organisations still have a lot to do to improve their cyber security including Barts Health NHS Trust, one of the largest NHS trusts affected by WannaCry’ and consequently recommended that, ‘The Department [of Health] and its national bodies should urgently consider and agree implementation plans’ and report back by June 2018.
Recent reports in the UK note the widening skills gap between the emerging threats to ‘cybersecurity’ and the availability of sufficiently skilled security experts to counter their effects, with one estimate suggesting there will be more than three million unfilled jobs in the UK cybersecurity industry by 2021. Notwithstanding the good intentions of the UK government in filling this skills gap, public sector initiatives are not renowned for their alacrity or remuneration, especially when compared with the speed at which wealthy criminal enterprises can attract what talent does exist in the labour market for cyber security and, crucially, counter-security and counter-surveillance.
In terms of longer-standing research into the organisation of serious crimes, WannaCry demonstrates the possibilities for ‘protean criminalities’ – so-called because they are versatile in adapting to their environments – capable of exploiting technological innovations for their own illicit gains – in this instance the advent of rapidly expanding opportunities for the racket in cyber extortion.
The online migration of critical infrastructure has triggered a new socio-technical ‘arms race’ between the organisers and preventers of serious crimes
Moreover, the online migration of critical infrastructure has triggered a new socio-technical ‘arms race’ between the organisers and preventers of serious crimes. This race, at least for the moment, is tilting in favour of wealthy, versatile and fast-moving criminal enterprises capable of attracting labour from a limited pool of talent in cybersecurity.
Yet collaborative research, capable of anticipating and forecasting various scenarios in this arms race and in its emerging ‘battlegrounds’, is at a premium.
It is possible, however, to conceive of the smart city as much more than digitalised critical infrastructure. When viewed as a socio-technical system synthesising many other disruptive digital technologies – from the mobile and ubiquitous access to the internet via smart phones, through innovations in networked and distributed (potentially driver-less) courier systems, to the cryptomarkets of the Dark Net insulated by end-to-end encryption – it is possible to envisage the augmentation of established criminal enterprises, such as the illicit drugs trade, and the reinvention of others, such as the vice and gambling trade in ‘virtual nightclubs’.
The impact of the emergent technologies of the smart city in accelerating this arms race has certain implications for research. Principally, how can rigorous but often labour-intensive and time-consuming research strategies keep abreast of this race and, at the same time, support policymakers and other users of this research who are more immediately confronted with addressing the vulnerabilities of the smart city? In addition to the more conventional case study research (that provides opportunities for corroborating or revising conjectures about the arms race), there are the more immediate contributions individual researchers can make through thought experiments.
A further option for a relatively quick (annual) method of informing the policy process is through deliberative methods, such as the policy Delphi, in which key informants participate in iterative rounds of question and debate with one another as a means of generating collective intelligence about social problems and forecasting scenarios about their likely impact and how they might be better anticipated and responded to. As such, the policy Delphi provides an ideal method for reconciling intellectual rigour with the current imperatives to respond to the rapidly evolving and uncertain risks of the smart city and its allied technological innovations.
The views expressed in this article are those of the author(s) and do not necessarily reflect the views of RUSI or any other institution.