Skip to content

CSIS warns 'smart city' technology can open door to attacks, foreign interference

OTTAWA — Canada's intelligence service warns that technological innovations adopted by municipalities could be exploited by adversaries such as the Chinese government to harvest sensitive data, target diaspora communities and interfere in elections.
20230308180352-1aba4415f912b3a9492408b590b2bc52b6df7abc48e11cdec4ab6c4b972bbb53
People carry umbrellas while crossing Robson Street as rain falls in Vancouver, on Thursday, January 6, 2022. Canada's intelligence service warns that technological innovations adopted by municipalities could be exploited by adversaries such as the Chinese government to harvest sensitive data, target diaspora communities and interfere in elections. THE CANADIAN PRESS/Darryl Dyck

OTTAWA — Canada's intelligence service warns that technological innovations adopted by municipalities could be exploited by adversaries such as the Chinese government to harvest sensitive data, target diaspora communities and interfere in elections.

A newly released report by the Canadian Security Intelligence Service urges policy-makers and the technology industry to consider steps that can be taken to address and ease the emerging security threat before "smart city" platforms are widely adopted.

Such systems feature electronically linked devices that gather, analyze, store and transmit information through centralized platforms. In turn, municipalities can use artificial intelligence to efficiently control operations and services, allowing them to change traffic lights at the optimal time, manage energy use or track the location of publicly rented bicycles. 

"One of the primary security concerns relating to smart cities is the fact that they necessitate the selection and retention of massive, continuously processed data pools that could be exploited to reveal patterns of individual and societal behaviour," the report says. 

"These concerns are heightened by the lack of control and visibility over where this data is stored and who has access."

The CSIS report, prepared in 2021, was only recently released to The Canadian Press in response to an access-to-information request filed in October of that year.

While the integration of technological innovations and data can make processes more efficient, it can also introduce security risks, CSIS warns.

"Smart city devices collect massive amounts of personal data, including biometric data and other information highlighting personal life choices and patterns. Hostile state actors are currently exploring various means of attaining access to future smart city platforms, including through access provided by state-owned or state-linked technology companies."

Canadian municipalities may willingly agree to technological partnerships with foreign companies that allow hostile or undemocratic states access to collect data, CSIS cautions.

Smart city projects in western countries have faced pushback due to privacy concerns, but China has "embraced the concept wholeheartedly," providing the country's technology companies with a competitive edge, the report says. Beijing's artificial intelligence advantage lies in its access to big data, lax privacy requirements and cheap labour to categorize data and build AI algorithms.

China is using such new technologies to support "digital authoritarianism," the use of advanced technology to monitor, repress and manipulate domestic and foreign populations, CSIS says.

Meanwhile, next-generation networks and interconnected technology will likely become deeply embedded in municipal critical infrastructures in the coming decade, raising the possibility of "back door" access, the report says. A key concern is that a single breach could make all devices vulnerable to interference or attack. 

"In other words, data collected through a bike sharing app could theoretically heighten access to other connected devices, such as a city's energy grid, water supply, or traffic-light management database," the report says.

"This sort of exposure will have serious financial, social and health and safety implications in Canada. Imagine a scenario where a co-ordinated cyberattack took down safety locks that prevent catastrophic explosions at a petrochemical facility, while simultaneously controlling traffic lights to inhibit the emergency response."

Legal access to data could come through contracts between cities and companies, while illicit access could happen internally through a built-in function of foreign equipment or software, or externally as a result of a cyberattack or data breach, the report says. 

The data can subsequently be used to target specific elements of Canadian society, such as Chinese diaspora communities, infrastructure like natural gas plants, water treatment facilities and central government databases, democratic political processes such as elections, or civil society groups to restrict public debate and free expression, it adds.

The use of data-harvesting techniques by countries like China, Iran and Russia to track diaspora populations, namely individuals who are considered opponents, is a genuine concern, said David Murakami Wood, a University of Ottawa professor who specializes in surveillance, security and technology.

"There is no innocent data," he said in an interview.

Murakami Wood cautioned against believing that data is somehow safer if it is kept entirely in Canadian hands. It is common for organizations to seek access to large pools of data for reasons unrelated to why the data was collected in the first place, he said.

"You can be sure if there's a very large-scale national database constructed, for example, that the police will want access to it sooner or later. And they'll come up with an argument for why they should."

While it makes sense to have some municipal services connected to the online world, others such as hospitals might simply be too sensitive to risk having them linked to cyberspace, Murakami Wood said. 

"If you really want to have a very smart city, we should actually think about what it is you don't want to connect, first of all."

Taking the necessary steps to address the security threats of smart cities will require informed discussion and consultation at all levels of government, the CSIS report says.

"Different authorities have jurisdiction over various elements of this challenge. Key among these are municipalities who are leading the way in terms of implementation and contractual arrangements with technology vendors."

The report also recommends:

— Co-operating with partners in the Five Eyes intelligence alliance to identify the risks posed by smart city technologies;

— Collection of intelligence and formulation of advice on adversaries' smart city advances and interests to support Canada's position in negotiations on international technology standards and governance; and

— Ensuring Canadian technology and data are not used to support the development of technologies to be employed in ways that are contrary to democratic values.

This report by The Canadian Press was first published March 9, 2023.

Jim Bronskill, The Canadian Press