Smart city technology designed to streamline public services could prove an “attractive target” for hostile states seeking to disrupt Britain’s infrastructure or steal sensitive data, UK spies have warned.
The intervention by the National Cyber Security Centre, a branch of GCHQ, reflects growing fears in the intelligence community that local authorities may inadvertently enter risky contracts which could expose them to cyber attack or compromise individuals’ privacy. A deal that was aborted at the last minute involved Bournemouth council in Dorset, which was preparing a contract with the Chinese ecommerce company Alibaba to provide “smart place” services, the Financial Times has discovered.
Guidance to councils published on Friday highlights the risk that overseas smart city technology suppliers may come under pressure to “access and exfiltrate data” on behalf of security and intelligence services in their countries of origin. Safety suggestions include cyber security and data protection measures, as well as tips on understanding threats posed by suppliers.
The NCSC advice, seen by the FT, does not name any companies or countries of concern. But China is a lead supplier of smart city technology, which uses networks of cameras and sensors to improve the efficiency of services from parking and transport to energy use. These systems have been deployed extensively in cities such as Beijing, Shanghai, and Guangzhou.
Earlier this year the UK’s new defence and security strategy set out plans to deepen trade links with China while increasing protection of critical infrastructure and sensitive technology against hostile interference.
In a blog post accompanying the guidance, Ian Levy, the NCSC’s technical director, invokes the 1969 film The Italian Job, in which thieves recruit a professor to shut down Turin’s traffic control system to cause gridlock so they can rob a lorry full of gold bullion.
Levy’s blog explains that a “gridlock” attack now “would have catastrophic impacts”. “As these [smart cities] become increasingly joined up, the ubiquity of the services they provide will likely make them a target for malicious actors,” the blog reads.
Local government analysts estimate the number of potentially risky smart city contracts identified within UK local authorities is in single digits. The Bournemouth example prompted concern because, under the contract, Alibaba would have managed and controlled large volumes of data, according to people briefed on the scheme.
An investment proposal by Dorset’s Local Enterprise Partnership and hosted on the Bournemouth, Christchurch and Poole Council website set out plans to create a smart place data platform, also known as a “city brain”, which would use artificial intelligence and machine learning.
A separate partnership report published in late 2018 cited “global heavyweights” including Alibaba and Chinese telecoms company Huawei as members of the region’s smart city consortium.
The Alibaba deal was quashed in 2019 after intervention from central government, said two people familiar with the discussions. Bournemouth council did not comment on the cancelled contract but said “data security and safeguarding personal information” would be “integral” to its forthcoming smart place scheme.
Alibaba is a leading supplier of cloud and software for smart city projects in Asia, including “smart traffic” projects in Hangzhou in China, Malaysia and Macau. It declined to comment on the Bournemouth deal.
Huawei, which was banned from the government’s 5G networks last year, and surveillance camera providers Dahua and Hikvision, which have both been blacklisted by the US owing to their alleged involvement in human rights violations, are also active in the sector.
Milton Keynes council, which signed a contract with Huawei for its smart city 5G project, has cancelled it and is planning to strip out the Chinese company’s kit following Downing Street’s decision on the wider rollout.
“In line with advice from government, the equipment will be removed within five years,” it said. The contract was part of a 5G test bed programme to trial the technology in various locations including a football stadium, hospital and university campus.
Dahua, which has a UK and Ireland business, has been actively promoting its services to local authorities. One council officer recalled a “safe cities” pitch from the surveillance camera group a few years ago which suggested that facial recognition could be used to help identify and find dementia sufferers who had become lost or disorientated. The officer said the idea was not pursued as they did not consider it an appropriate use of surveillance technology.
Dahua did not comment on this particular programme, but said it “fully complies with all local laws and regulations”.
China policy experts have drawn comparisons between Chinese companies targeting UK councils and Beijing negotiating infrastructure deals with the Australian state of Victoria. The contracts, which were subsequently cancelled by Canberra, had been criticised as a form of foreign interference which undermined the federal government’s trade position on Beijing.
Alexi Drew, a specialist in emerging technology and security at King's College London, said there was increasing evidence that Chinese companies involved in delivering smart city contracts “are, at best, capable of accessing huge amounts of personal data that could have significant influence and security risk and, at worst, actively transferring that data back to China”.
The amount of knowledge to be gleaned from smart cities on behavioural patterns and everything from freight to trade and travel “is almost impossible to over-emphasise”, Drew added.
Tobias Ellwood, Conservative MP for Bournemouth East and chair of the House of Commons defence select committee, said he was “shocked” that his own council had been unaware of the concerns being discussed in parliament about Chinese companies’ involvement in critical infrastructure. He accused hostile states of “preying on organisations which don’t have the expertise that GCHQ has”.
However, Paul Wilson, chief business officer at the Connected Places Catapult, an incubator designed to accelerate the adoption of smart city technology, said he understood the risks but that it would be unwise to “throw the baby out with the bathwater” by creating a sense of panic about potential threats.
He argued that data management would be crucial if cities are to optimise the potential of 5G networks in running urban environments, and said it would be “exasperating” if such projects were dismissed as too dangerous.
While Chinese companies are leading in the sector, Wilson said rivals such as Nokia and Ericsson could provide the hardware needed to support 5G-based smart city technology while large telecoms and technology companies including BT, Vodafone and Tech Mahindra, could also manage and contribute to projects.