IoT data management and security at Smart Cities Week, Washington, DC The Autumn 2019 Smart Cities Week in Washington, DC ran from Sept. 30th to Oct 2nd at MGM National Harbour, a venue just outside of the city. The conference was hosted by the Smart Cities Council, a network of companies working with universities, regulators, and cities to foster municipal projects, host workshops, share resources, and organize biannual Smart Cities conferences. ICTC was on the panel “Five Secrets to Building the Next Generation Workforce in your Organization,” along with the Behavioral Insights Team and GovEx Academy. Our panel and conversation featured a lively discussion about strategies for fostering a diverse workforce, making use of existing strengths in career transitioners, and upskilling existing municipal employees. The conference’s main preoccupations, however, rested more with (a) use of data, and (b) cybersecurity. First, the municipalities in attendance were no longer worrying about insufficient data: rather, they seemed to be grappling with how to deal with piles of structured and unstructured data now that they had it. Second, with the conference occurring just months after a high-profile ransomware attack on neighbouring Baltimore, securing all that data and keeping cities safe from cybercrime was at the forefront of many conversations. Speakers were contending with these challenges but also offering solutions to them over the course of our two days in DC. This post breaks down the major challenges and solutions offered by the Smart Cities conference attendees. Challenge A: In their efforts to join the “data economy,” many municipalities have more data than they realize or know what to do with. One of the conference’s first speakers, Pamela Gupta, President of OutSecure, Inc., noted that less than half of structured data is used in decision-making, while less than 1% of unstructured data is analyzed or used at all. This issue happens for a few different reasons. First, data for decision-making is often only used once (for real-time anomaly detection), rather than stored and used for longitudinal analysis. For example, a sensor in a parking spot is usually used to report real-time vacancies: however, if its data were stored and used over time, a city could learn about important patterns in parking and congestion at different hours of the day and seasons of the year. Second, many IoT devices gather information that is not part of their primary purpose, and this is rarely considered or utilized. Jill Sciarappo, Strategic Marketing Director at Intel spoke about the cameras installed throughout autonomous/assisted vehicles, noting that “everything a car must see to be able to drive is data that can be used for other purposes,” such as mapping manholes for urban planning. Third, data is siloed & used on different platforms that lack interoperability. A new hurdle in data management is making sure that a municipality manages its data assets in a unified, coherent, and interoperable way, rather than having multiple apps or dashboards for multiple purposes. How do we solve the challenge of too much data? New job titles like “Chief Data Officer” and “Chief Privacy Officer” bespeak a growing awareness of the time and resources it may take to leverage data assets effectively and appropriately. In the session “Data-Driven in the DMV,” Carlos Rivero, the CDO of Virginia, spoke to creating an effective “data culture” in an organization, with a few important recommendations for anyone working with large quantities of data. First, he recommended building a data asset inventory, so that everyone on a team knows what datasets they have access to, what those datasets contain, and how to access them. Second, he recommends understanding that a “data culture” means more than collection. Data governance & policy, system integration, inventory, analysis, decision-making, and actions taken are all part of a data culture and value chain. A later presentation by a small city in Australia’s Northern Territory, Darwin, presented on their efforts to build a data culture and measure its impact. Darwin had introduced three different municipal dashboards: one for IoT infrastructure (monitoring sensors for temperature, lighting, etc.); one for open government and budget transparency; and one for neighbourhood analytics. The latter promises to measure social wellbeing through automated indicators such as google business data (types of business, hours of operation, amenities, diversity of options) and online event platforms (frequency of social events, types of gatherings, family-friendliness). As the vendor’s representative commented, “sometimes you want to be able to measure longitudinal social data without having to do a survey every month.” Eventually, these analytics will be used to measure the success of the city’s other smart cities initiatives. Darwin’s example seemed to be a prime case of a city with too many apps and dashboards, but the team had tried to solve this issue by creating a solution that makes secure data sharing easy for siloed departments and organizations. A fourth and final dashboard had been brought on through the company Civic Analytica in order to integrate all the datasets being used in Darwin and allow them to be shared through contracts with granular permissions allowances. In addition to integrating the datasets from each of the three previous dashboards, this meant that, for example, the local airport and health authorities could upload data and allow a regional university student to use it for analysis on a single platform, under custom conditions of data privacy and use. When asked by an audience member to describe the single biggest challenge to implementing their project, the Darwin team responded that at the beginning, leadership had come from technology advocates rather than CEOs or managers, leading to multiple siloed projects with little long-term planning or follow-through. “You need someone who won’t end the project when they’ve successfully implemented the tech,” commented one presenter, “an experienced project manager who can lead your smart city initiative from the beginning.” One tension in this idea – that a smart cities leader should not be a technologist – came from the conference’s cybersecurity crowd, leading to: Problem B: With regard to cybersecurity and privacy, “the sky is falling.” Yes, that was an actual quotation from the conference, along with “it’s not if you’ll be attacked, but when.” The security conversation took on two major themes: IoT devices and cybercrime-aware staff. First, connected devices can reveal sensitive information, even when released in aggregate. Pamela Gupta gave an example of the fitness app Strava’s global heat map of exercise routes inadvertently mapping US military bases. IoT data that we consider to be unidentifiable, aggregate, and “safe” could in fact render us very unsafe in ways we might not anticipate. The second part of this same problem is that with mass unstructured data collection, sensitive data is difficult to find and label. For example, the advent of facial recognition technology can render the data from many sensors and cameras personally identifying. If a dataset isn’t treated as sensitive, it won’t be given the same level of security. While concern related to IoT devices was apropos to the “smart cities” theme, at the one session thematically dedicated to cybersafety the conversation stuck to a different theme: social vulnerability. The majority of cybersecurity issues come from phishing and social engineering. Prevention is difficult as scams become more sophisticated, and staff members were often characterized by speakers as “the weakest link” in organizational cybersecurity. Compounding this fear is that municipalities often cannot afford to hire and retain cybersecurity professionals. Cybersecurity salaries are high, supply is low, and early-career personnel that start off with a municipality to get work experience eventually leave for higher-paying jobs. The twin challenges of (a) training staff to effectively avoid phishing, and (b) hiring cybersecurity professionals to manage a municipality’s risk and detect/prevent vulnerabilities, were relatable for every public servant in the room of the Wednesday afternoon session “Top Five Strategies for Ensuring that your Smart City is Secure.” Security by design: preventing and preparing for attacks With regard to municipal IoT projects, two important recommendations were made. First, only collect and store data that serves a particular need, and be aware of what additional data is being collected. In comparison to those speakers advocating for greater and more diverse use of all IoT data, cybersecurity-focused panelists contended that being able to monitor and properly label and store incoming data was essential to privacy and security. The second recommendation was, in essence, to be considering cybersecurity from the get-go of any project, or to implement security by design. When a new IoT system is implemented, incorporate vulnerability detection into your “smart cities” data culture and design a data collection system that prevents privacy threats. In a related point about avoiding ransomware attacks, an audience participant from the FBI made the strong point that once infected by ransomware, a municipality can’t be sure that any of its connected systems are virus-free. Having an offline backup of essential data, not connected via the cloud, allows cities to restart operations more nimbly without having to worry about paying ransomware attackers. Finally, developing a corporate governance structure that implements similar protocols, systems, and tools was presented as key to cybersafety. If there is only one set of municipal software being used, training, monitoring, staff education, and vulnerability detection is made much easier for a CISO and IT security team. Training existing staff and hiring new ones Experienced IT officials and others also had strong recommendations for training existing staff and hiring cybersecurity personnel. Gayle Guilford, CISO of Baltimore City in particular had a list of pointers for other municipalities, such as “be prepared for disaster, and never trust the guarantees of solution-providers.” One of her main comments was: “don’t think of your staff as your weakest link, think of them as your front-line soldiers.” Gayle Guilford prioritizes staff education, such as circulating phishing test emails that appear to describe timely current events but have misleading links. By hiding the tests in interesting content, she says that she avoids fatiguing municipal staff with unending “cyber safety” educational material. While high cybersecurity salaries aren’t going anywhere, Guilford and others shared additional tips on how to maximize the use of cybersecurity staff. The overall lesson was that understanding your risk profile should allow you to use a part time CISO or contractor with a solid understanding of your organization’s core risks. In addition, one panelist pointed out that in automating cybersecurity, you aren’t stealing a job: cybersecurity personnel are always in high demand, and that cluster of roles is currently experiencing high growth in the United States. While heavy and complex, the ideas shared throughout the conference seemed to help cities facing common challenges. The public sector is beginning to muster its resources and wade into new territories like IoT data governance and security, and events like Smart Cities Week provide cities with some of the connections and support they need.Faun Rice is a Research and Policy Analyst at the Information and Communications Technology Council (ICTC). ICTC is a national centre of expertise, with over 25 years of experience delivering evidence-based research, practical policy advice, and innovative talent solutions for the Canadian digital economy. As part of an ongoing study on Smart Cities in Canada, ICTC will be studying municipalities’ technology needs, with a short brief on key technologies coming out in early fall 2019 as well as subsequent papers on the smart cities labour market and its associated social and economic impacts.