Protecting the privacy of consumer data continues to be one of the most daunting challenges confronting smart cities. Local governments face mounting pressure to adopt the new technology needed to deliver the best digital customer experience possible – but often the answers come not from new technology but in leveraging the technical competencies already in place.
In the digital age, constituents’ expectations for “always on” access must be balanced with another high priority: protecting the confidentiality and privacy of information about the citizens the government entities serve. In recent years, a perfect storm of challenging conditions has formed as municipalities expanded their online services: new threats, such as ransomware, emerged, and budgets tightened. As a result of these conflicting pressures, today’s digital pirates have more points of potential entry into sensitive government data, including consumers’ information.
Ransomware attacks rising
Disturbing incidents, such as the ransomware-triggered weeklong shutdown of Atlanta’s IT systems and similar attacks in Maryland, California, Florida, Maine and Massachusetts, bring real-world clarity to security risks. Reported attacks, which rose from 38 in 2017 to 53 in 2018, are expected to continue increasing in the coming years. However, the solution is not necessarily new technology. Rather, the answer centers on making existing solutions better fit the demands of the new online-driven, privacy-oriented world.
Accumulating data, the digital economy’s new gold, leads to opportunities for those who can monetize it and others who intend to abuse it. The volume and value of data available on government sites creates such an enticingly rich target that few attackers can resist. In addition, the growing prevalence of shadow IT, the practice of government staff using non-standard and unapproved technical solutions to mask the weaknesses inherent in approved tools and services, creates new and unprotected vulnerabilities that often fly under IT’s radar.
To further complicate the government landscape, new privacy legislation, such as the California Consumer Privacy Act which goes into effect in 2020 and Massachusetts’ proposed An Act Relative to Consumer Data Privacy, push for an even wider open door. Many government entities are well prepared to meet new privacy requirements; however, the complex job of safeguarding consumer data is never finished.
In fact, complying with local and national mandates is often not enough. Notably, U.S. companies doing business in the EU must adhere to the General Data Protection Regulation (GDPR) as well. This legal framework sets out exacting guidelines for the collection and processing of personal information from individuals who live in the EU.
How to work with technology vendors
Whether a smart city is just starting to shore up its security defences or has already managed its way through international compliance, it is highly likely that a third-party security vendor will play a role in its security strategy. Simply put, digital security is too complex and too fast-paced for most local governments to handle on their own.
Local governments must implement cybersecurity strategies at least as strong as those of corporations, as the impact of a breach or successful attack can be far more complex than a simple commercial threat. While few governments have the same resources as their private sector counterparts, the legal responsibility and consumer expectations about protecting confidential data are the same. Some smart cities choose to ignore this shared expectation and instead delegate liability to third parties, such as large specialized technology companies.
Two factors make this approach dangerous. First, as budgets grow, the name of the game for the selected vendor can be to specify a minimum fee in the contract and assess change orders for everything else. When government budgets are challenged, it is often security that is the first point of failure since effective security must be adaptive to the latest threats – an expensive proposition. Secondly, cities often create a public-private partnership (PPP) where the vendor takes full ownership of all the key resources needed to deliver the project, including staff and systems. This choice can build a dangerous one-way street should there be a change in the partners’ relationship or a shift in strategy. In those cases, the inevitable outcome is that the scope and depth of new digital services compresses to fit the budget.
Whichever path is selected, it is critical that the city maintain a highly skilled and motivated staff directly aligned to delivery of the strategic digital services. This small group must have direct access to vendors with ongoing innovation.
Email – A great place to start
Monolithic legacy technologies, aging programs that have been institutionalized into the operations of local governments, often lack the robust security infrastructure needed to thwart today’s sophisticated attackers. Consider, for example, the use of public key infrastructure (PKI) or S/MIME technology to secure email. Aside from the known limitations of handling large files and being used in an ad hoc manner, the technology’s underlying architecture is flawed. The use of static key pairs (asymmetric encryption) allows tenacious attackers to access valuable data. This vulnerability also risks any stored email, all of which can be opened at an attacker’s leisure. Even more frightening, neither the intended recipient nor the sender would be aware that their data had been compromised.
Using more modern symmetric encryption methods can solve this vulnerability at the message level where each data packet is secured with a unique set of credentials. Security-oriented innovations that eliminate passwords or codes after a first communication can combine to create a new level of security and convenience.
No matter where a smart city is on its journey to digital transformation, opportunities to take small or even large steps into strengthening security in visible places that matter to citizens can deliver “quick wins” that begin building trust with the citizenry. For example, email offers a highly visible quick win – it’s built on a standard that works, SMTP (Simple Mail Transport Protocol), everyone already has it and its limitations are well known. Those limitations, which include security, an inability to handle larger and longer content and the absence of an audit trail can be solved to make email the digital bridge to join the city’s core infrastructure with its citizenry.
For governments and the public, email is a preferred communications platform it is universally available, familiar to all, non-proprietary and very easy to use. If you solve the three most well-known limitations of email – security, handling larger files and maintaining an audit trail – it can become the first and most inclusive choice for 21st century communications.
Modern security applications build on email’s substantial advantages by solving these three known problems, further simplifying its use and replacing more costly alternatives. The same secure servers that handle email can use simple APIs (application programming interfaces) to send and receive all types of confidential files as well. The only requirement to exchange data securely is a standard valid email address – no tokens, no special software and no user training. These modern security applications deliver ROI quickly and their short installation times can be a win-win for cities and counties as well as their hard-pressed security teams.
These extended security solutions already exist and can be placed inside existing smart city infrastructure to deliver new value to projects in hours – not months – and for an affordable cost. For example, using secure email to collect taxes can begin to build all-important trust with taxpayers by making a difficult process easier and faster, eliminating paper, and helping fund smart city advances simultaneously.
Mark Forrest is chief executive officer of Cryptshare AG and President of its U.S. subsidiary, Cryptshare, Inc. provider of a secure communication solution for the exchange of business sensitive information. he can be reached at firstname.lastname@example.org