Smart Cities May Constitute Security Risk, Says PST
An increasing number of state and municipal institutions digitalize and coordinate parts of their operations. Some state and private actors are naïve when it comes to digital threat perception, says Section Chief Hanne Blomberg of PST, the Norwegian Police Security Services.
Norway is one of the most digitalized countries in the world, and an increasing number of cities and municipalities want to be smart.
A ‘smart city’ is a city area in which data is collected using sensors and other digital data collection means. Insights from these data are used to manage resources and services.
Increased connecting of units, processes and services creates long and often confusing data chains. This may make it harder for data owners to maintain overview and secure their data.
Health information is an example of sensitive data that may end up in the wrong place. Through simulating an attack on the data systems of four health regions last year, the Norwegian Office of the Auditor General managed to acquire all patient information for hundreds of thousands of Norwegian patients.
In recent years, Norwegian institutions have seen a series of cyber-attacks. There was a hacker attempt against Nord University in 2017. Back then, the PST believed Russian hacker group APT29 to be responsible. Last year, the Norwegian parliament became subject to an extensive cyber-attack. Then, too, the attack was attributed to Russia.
New vulnerabilities
High North News spoke with Section Chief Hanne Blomberg of the Norwegian Police Security Services (PST). She says smart cities and the internet of things creates new vulnerabilities for the Norwegian population.
Is it an advantage for countries like Russia and China that small countries like Norway head for “smart cities” and “the internet of things”, as that provides more contact points for intelligence gathering and potential cyber warfare?
“On the one hand, there is not doubt that this provides us as a society with an opportunity to improve efficiency, and it provides the state with an opportunity to offer its population better services. Yet on the other hand, this also leads to new vulnerability surfaces and dependencies that can be abused by for instance other countries’ intelligence services, Blomberg says and continues:
“State actors can through open attendance as well as covert participation acquire overview over these vulnerabilities and can in that way also acquire insight into critical Norwegian infrastructure. We as a security service believe this to be unfortunate. This can be used in many ways, both for strict information gathering about users connected with these information systems, and it can also be used to blackmail or hit a region during for instance a security policy crisis.”
Blomberg says that PST never will warn against international cooperation. That is something PST also is a part of, after all.
“Our point is that one should be concerned with and aware of the security challenges that exist out there”, she says and adds:
“We will soon present our national threat assessment for 2021. There, we write that network operations and digital forms of espionage will constitute the majority of future Russian and Chinese intelligence activity in Norway. I believe one should take note of just that. This also applies to those who facilitate smart cities, though it also applies to everyone and everything else too.”
Network operations and digital forms of espionage will constitute the majority of future Russian and Chinese intelligence activity in Norway
Many more should be aware of digital threats
What do you think the Norwegian population should be particularly aware of when it comes to threats like this?
“As a starting point, the population should trust the systems facilitated by public authorities. It is more the authorities facilitating these services that should be aware of for instance cyber warfare. Though it is also appropriate for the Norwegian population to be aware that this form of digital espionage is most real.”
The University of Tromsø was recently subject to a data breakin. Blomberg argues that this is another example that goes to stress and demonstrate the focus foreign intelligence services may potentially have against Norway and the region.
Some organizations are naïve
Are Norwegian institutions and companies naïve?
“We see all sorts of things. We see some organizations being very much aware of the security challenges we face today, who are good at protecting themselves and who have a broad understanding of the threat perceptions. And then there are other Norwegian organizations that are very naïve. This applies to both state and private organizations”, she says and adds:
“Norway is a community in which the state apparatus enjoys a high level of trust. The population has high trust in the institutions by which they are surrounded. A high level of trust is a great advantage in a society, though this trust may at times also lead many to be somewhat naïve in facing different forms of threat activity, as many have not fully realized that serious things may actually happen.”
This article was originally published in Norwegian and has been translated by HNN's Elisabeth Bergquist.