During World War II, a team of researchers at Columbia University was asked to examine the damage done to aircraft that had returned from missions and recommended adding armor to the areas that showed the most damage. This sounded pretty logical, but the statistician Abraham Wald contradicted the US military’s conclusions by pointing out that only the aircraft that had survived had been considered. Since the bullet holes in the returning aircraft identify areas where a bomber could take damage and still fly well enough to come back safely to base, Wald proposed to reinforce areas where the returning aircraft were unscathed.
The ‘survivorship bias’ – that is, the logical error of concentrating on people or things that passed some selection process and overlooking those that did not – can lead to false conclusions in several different ways, and it is a pitfall for cybersecurity too.
In 2020 the Center for Long-Term Cybersecurity at UC Berkeley surveyed 76 cybersecurity experts and ranked different technologies according to underlying technical vulnerabilities, their attractiveness to potential attackers, and the potential impact of a successful serious cyberattack. According to this study, not all Smart City technologies pose equal risks: emergency alerts, street video surveillance, and smart traffic signals stand out as the most vulnerable, while smart waste systems and satellite water leak detection are considered among the safest.
City officials should therefore consider whether cyber-risks outweigh the potential gains of technology adoption on a case-by-case basis, and invest more in technologies that are both vulnerable in technical terms and attractive targets for capable potential attackers because the impacts of an attack are likely to be great. Again, this sounds like a logical recommendation – but let us beware the survivorship bias.
Achieving 100% cybersecurity is an impossible goal unless we fully give up on innovation and digital transformation. However, cities should be 100% conscious that any urban network infrastructure and application should be properly designed and implemented with security built in from the outset. Even potentially unattractive systems – such as streetlights – might become interesting for criminals, and the human element is often the weak link that turns a vulnerability into an actual leak.
Many governments around the world are raising cybersecurity consciousness and starting dedicated programs to protect critical systems and resources. Last May, President Joe Biden signed an executive order aimed at strengthening US cybersecurity defenses, a move that follows a series of sweeping cyberattacks on private companies and federal government networks over the past year. The order seeks to move the federal government toward more modern and safer digital infrastructure, and sets stricter rules for IT service providers working with public bodies.
Italy is set to create a national agency responsible for fighting cyberattacks and creating a unified cloud infrastructure to increase security for public administration data storage. Most European countries are boosting their efforts to counter cyber risks, seen as a threat to their security and competitiveness in an increasingly networked world.
While we head for improved systems and data protection, we shouldn’t forget that it is possible to balance the value of innovative technology with the lowest possible risks. At Paradox Engineering, the balance is made thanks to our ‘security by design’ approach: this means injecting cybersecurity into IoT technologies from their very inception, and combining different methods (blockchain, dedicated hardware security modules on devices, ultra-reliable encryption, and other features) to ensure urban infrastructures are intrinsically secure.
Securing cities is an ongoing challenge which requires an overarching approach and strategy (let us avoid the survivorship bias!), together with constant monitoring, learning and collaboration, especially as hackers tap advanced technologies such as AI to become more effective and cybersecurity insurance costs soar.