by Michael Kreutzer and Kirstin Scheel (Fraunhofer SIT)
The topic of smartification has become ubiquitous; urban planners and public organisations are investing heavily in digitalisation projects. At the same time, cybersecurity often seems to still be a sideshow. Is there a way to get from smart cities to smart governance?
The Fraunhofer Institute for Secure Information Technology SIT is one of the world's leading research institutes for cybersecurity and privacy protection. It is part of the National Research Center for Applied Cybersecurity ATHENE and as such is an essential part of the cybersecurity strategy of the Federal Government and the State of Hesse.
As part of a project for the Hessian Ministry of the Interior and Sports on cybersecurity processes within and across Hessian municipalities, our research has led us to realise that existing work on smart city developments has tended to focus on technical challenges and/or theoretical attack scenarios. It emphasises specific aspects of different types on attack vectors, privacy impacts and also considerations for transformative frameworks to developing smart cities or protecting them from specific attacks. In addition, many papers still only talk about smart cities when in fact rural communities also benefit from digitalisation – hence our preference for the term “smart communities”.
However, what seems to be missing in the race to “smartification” is a framework that helps formulate an encompassing governance perspective for all projects, which ensures that cybersecurity underpins all digital developments. Our goal is an integrated multidisciplinary security framework.
We started our project with a broad literature review, with a specific focus on publications from/on Germany’s federal structures [1], as the original research ordinance is focused on the state of Hesse [2]. In addition, we launched a preliminary and continuing review of publicly available sources on real cyberattacks on public infrastructures. We supplemented this with structured interviews with public sector officials in the field of cybersecurity. The observations we are presenting here are a preliminary culmination deduced from these and need to be tested in practice. Nonetheless, we believe that the recommendations of this governance framework are transferable and help strengthen the cybersecurity of all smart community projects.
We have identified five preventive measures that might help to mitigate cyber incidents in the process of smartification. We intend these principles to be applicable as a governance framework on all areas of smart communities. The framework, represented in Figure 1, is based on the principles of:
(i) anchoring,
(ii) responsibilities,
(iii) unification,
(iv) co-operation, and
(v) improvement.
Figure 1: Proposed steps towards smart governance.
One thing to consider is that these are not meant to be building on each other – each principle is equally important and all need to be in effect to bring about the intended outcome. Considering that the most ingenious smart development is likely happening as part of an existing legacy system, it becomes clear that the governance needs to be embedded to bring about a cohesive cybersecurity framework.
Cybersecurity needs to be anchored at the top level. Top management needs to be aware of the necessity of security as a cornerstone of digitalisation and smartification projects. If you want your projects in this area to be sustainable, forward-thinking, and accepted by citizens and public employees alike, cybersecurity needs to be embedded in the organisational culture.
Clear responsibilities need to be assigned. This is particularly true in hierarchically structured organisations. Lack of responsibility or diffusion thereof can counteract preventive measures. In addition, appropriate resources to act on said responsibilities are required. For example, reporting channels and response times need to be defined. It does not end there, though – they also need to be continually practiced and lived in everyday life. Convenience, unsafe habits and “workarounds” are the bane of not just cybersecurity. So, from an organisational psychological perspective, raising awareness and strengthening a culture of responsibility is important.
Another central idea is the unification across organisational units. In the field of IT this can mean a competently set up infrastructure to prevent failures. Many cases of malware infestation can spread through systems that are not properly segmented. IT experts are needed – and they need to continually update their skills.
Operational co-operation and cross-divisional collaboration are also important. Especially in the public sector, resources need to be used efficiently and effectively. With regard to cybersecurity, this can help achieve a higher level of protection overall. For complex IT systems, such as those in smart communities, to work securely together, the different units need to be connected. Information needs to flow – and to actually be used as well as processed. Vertical and horizontal networking is needed.
Dynamically changing environments require continuous improvement. Learning from internal and external mistakes is essential to keep up with these developments. Innovations as well as paradigm shifts are the norm, especially in the digital world. It is necessary to make learning an integral part of the organisational culture. In the field of IT this is nothing new and is usually referred to in the form of maturity models. However, we believe that this needs to be rooted at the heart of the entire organisation and smart community.
We will continue our research in this field in the coming months as part of the current project and hope to expand on it in the future.
References
[1] G. R. Wollinger and A. Schulze Eds.: “Handbuch Cybersecurity für die öffentliche Verwaltung, Wiesbaden: Kommunal- und Schul-Verlag, 2020”, [online] available: https://doi.org/10.5771/9783748912057
[2] J. Remy and R. Stettner: “Cybersicherheit als Aufgabe der Länder,” Datenschutz Datensich, vol. 45, no. 4, pp. 254–258, 2021, doi: 10.1007/s11623-021-1429-y.
Please contact:
Kirstin Scheel
Fraunhofer Institute for Secure Information Technology SIT, Germany
+49 6151 869 268