Connecting state and local government leaders
State and local governments are balancing privacy, security and citizen service as the amount of available data explodes -- and finding that policy needs to catch up with the tech.
SALT LAKE CITY -- The promise of smart cities is seductive: Sensors and analytics can calm traffic, slash energy consumption and spot patterns in everything from property crimes to garbage pickup, making cities safer and more efficient. Personalized citizen services, meanwhile, can tap all that data to keep residents better informed and deliver the exact information they need.
As IT executives from around the country discussed at the NASCIO annual convention, however, the reality is a bit more complicated.
First, there are all those devices that constitute the Internet of Things -- the cameras, sensors and controllers that are increasingly part of city systems.
"We've gotten the technology ahead of the ability to be able to manage the tech," Washington Chief Information Security Officer Agnes Kirk said in the Oct. 12 panel discussion. So many IoT devices lack basic security protections, she noted, and asked: "What happens when the things you've bought for your city, the company goes out of business? Who's patching it?"
"Somehow we haven't been able to lock down secure coding" for IoT devices, North Carolina Chief Information Risk Officer Maria Thompson agreed. She added that one of her priorities is to improve security supply chain management for her state's agencies: "If we know where these devices are coming from, we can better protect ourselves."
Nor are the risks limited to cutting-edge IoT devices. "We as CIOs have to get smarter about industrial controllers," Minneapolis CIO Otto Doll said. The automated valves in municipal water systems, he noted, were often "built years and years and years ago. Security was just not on anybody's mind then."
And getting funding to address such risks can be difficult, he noted. Most city officials would "go out and hire another policeman long before they have me go put a sensor in to secure a water system."
Still, the panelists agreed, the hardware is not the half of it. The real challenges lie with the data all those devices are generating.
"With smart tech," Kirk said, the "level of data that brings all those benefits also creates concerns," and so Washington state is putting the policy questions front and center.
Thompson agreed. "Data is data is data," she said -- whether it comes from sensors at an intersection, police body cameras or state tax records. "But do we need that data?"
North Carolina, Thompson said, is crafting a "privacy threshold analysis" to help agencies determine whether and why they need certain data sets, how long to save them and what security and privacy precautions are required. And in Washington, Kirk noted, there's a concerted effort underway to focus on "data minimization."
Doll agreed that clear policies are important, but also noted that governments can go too far in focusing on data security. "We're not Fort Knox," said of his city. "The majority of what we hold is open data. You can request it, if we haven't already put it on our open data portal."
"Yes, we need to protect some data," he said. "I'm not one to say, just open yourself up." But agency officials should also "be very considerate of the fact" that more and better data can truly make cities run better.
Doll noted that in Minneapolis, data from a wide array of sources is now being fed into a central exchange, with update frequencies that range from monthly to near-real-time. A suite of decision-making analytics tools is layered on top of that data, and made available to a "research corps" of city employees "who are looked upon to paint pictures for leaders to inform their decision making."
An important consideration, Doll said, is " the appetite for risk" among a city's senior management and elected officials. "That informs us ... when we're evaluating the risk for whatever we're talking about," he said. "I'm managing risk -- you can't control it."
NEXT STORY: USPS staff take the bait in phishing test