British spies warn local authorities of technological risks associated with ‘smart cities’

Smart city technology designed to streamline public services could prove to be an “attractive target” for hostile states seeking to disrupt UK infrastructure or steal sensitive data, UK spies have warned.

The intervention by the National Cyber ​​Security Center, a branch of GCHQ, reflects growing fears in the intelligence community that local authorities may inadvertently enter into risky contracts that could expose them to cyber attacks or compromise the privacy of individuals. people. A deal that was aborted at the last minute involved the Bournemouth council in Dorset, which was preparing a contract with Chinese e-commerce company Alibaba to provide “smart place” services, the Financial Times has found.

Advice The advice released on Friday highlights the risk that foreign smart city technology providers will be under pressure to “access and exfiltrate data” on behalf of home security and intelligence services. Security suggestions include cybersecurity and data protection measures, as well as tips on understanding vendor threats.

The NCSC opinion, seen by the FT, does not name any company or country concerned. But China is one of the leading providers of smart city technology, which uses camera and sensor networks to improve service efficiency, from parking and transportation to power consumption. These systems have been widely deployed in cities such as Beijing, Shanghai and Guangzhou.

Earlier this year, the UK’s new defense and security strategy outlined plans to deepen trade ties with China while increasing the protection of critical infrastructure and sensitive technologies against hostile interference.

In a blog post accompanying the advice, NCSC technical director Ian Levy invokes the 1969 film Italian work, in which thieves recruit a professor to shut down Turin’s traffic control system in order to cause a standoff so they can steal a truck full of gold bars.

Levy’s blog explains that an attack “stuck” now “would have catastrophic effects.” “Like these [smart cities] become more and more integrated, the ubiquity of the services they provide will likely make them a target for malicious actors, ”the blog read.

Local government analysts believe the number of potentially risky smart city contracts identified within UK local authorities is in single digits. The Bournemouth example has raised concerns as, as part of the contract, Alibaba would have managed and controlled large volumes of data, according to people familiar with the program.

An investment proposal from the Dorset Local Business Partnership and hosted on the Bournemouth, Christchurch and Poole Council website planned to create a smart places data platform, also known as the ‘Brain of the city ”, which would use artificial intelligence and machine learning.

A separate partnership report released in late 2018 cited “global heavyweights,” including Alibaba and Chinese telecommunications company Huawei, as members of the region’s smart city consortium.

The Alibaba deal was canceled in 2019 after central government intervention, two people familiar with the talks said. Bournemouth council did not comment on the canceled contract, but said ‘data security and the protection of personal information’ will be an integral part of its future smart place program.

Alibaba is a leading provider of cloud and software for smart city projects in Asia, including “smart traffic” projects in Hangzhou of China, Malaysia and Macau. He declined to comment on the Bournemouth deal.

Huawei, which was banned from government 5G networks last year, and surveillance camera vendors Dahua and Hikvision, both of which have been blacklisted by the United States for their alleged involvement in violations rights, are also active in the sector.

The council of Milton Keynes, who signed a contract with Huawei for its 5G smart city project, canceled it and plan to withdraw the kit from the Chinese company following Downing Street’s decision on a wider rollout.

“In accordance with government advice, the equipment will be withdrawn within five years,” he said. The contract was part of a 5G test bed program to test the technology in a variety of locations, including a football stadium, hospital and college campus.

Dahua, which operates in the UK and Ireland, actively promotes its services to local authorities. A council officer recalled a surveillance camera group’s “safe cities” speech a few years ago that suggested facial recognition could be used to help identify and track down people with dementia who had died. lost or disoriented. The officer said the idea was not pursued because they did not see it as an appropriate use of surveillance technology.

Dahua did not comment on this particular program, but said it “fully complies with all local laws and regulations”.

Chinese policy experts have drawn comparisons between Chinese companies targeting British councils and Beijing negotiating infrastructure deals with the Australian state of Victoria. The contracts, which were later canceled by Canberra, had been criticized as a form of foreign interference that undermined the federal government’s trade position on Beijing.

Alexi Drew, an emerging technology and security specialist at King’s College London, said there was growing evidence that Chinese companies involved in delivering smart city contracts “are capable at best. to access huge amounts of personal data which could have significant influence and security. risk and, at worst, actively transfer this data to China ”.

The amount of knowledge to be gleaned in smart cities on behavior patterns and everything from freight to commerce and travel, “is almost impossible to overestimate,” Drew added.

Tobias Ellwood, Tory MP for Bournemouth East and chairman of the House of Commons defense select committee, said he was “shocked” that his own council was not aware of the concerns discussed in Parliament regarding the involvement of Chinese companies in critical infrastructure. He accused hostile states of “attacking organizations that lack GCHQ’s expertise.”

However, Paul Wilson, commercial director of Connected Places Catapult, an incubator designed to accelerate the adoption of smart city technology, said he understood the risks but that it would not be wise to “throw the baby out with it.” bath water ”by creating a sense of panic in the face of potential threats.

He argued that data management would be crucial if cities are to maximize the potential of 5G networks in urban environments, and said it would be “infuriating” if such projects were dismissed as too dangerous.

While Chinese companies are the industry leaders, Wilson said rivals such as Nokia and Ericsson could provide the hardware needed to support 5G smart city technology, while large telecoms and tech companies including BT, Vodafone and Tech Mahindra, could also manage and contribute to projects.