G20 Global Smart Cities Alliance Cyber Accountability

The G20 Global Smart Cities Alliance on Technology Governance was established in 2019, including over 20 partners representing more than 200,000 cities and local governments, companies, start-ups, research institutions and non-profit organizations. The Alliance is led by the World Economic Forum as secretariat.

The Alliance unites municipal, regional and national governments, private-sector partners and city residents around a shared set of principles for the responsible and ethical use of connected places technologies. It also establishes and advances global policy norms to help accelerate best practices, mitigate potential risks, and foster greater openness and public trust. The Alliance also helps co-design, pilot and advance new innovative policy approaches to address unresolved governance gaps.

The convergence of Information Technology (IT) systems with Operational Technology (OT) systems provides numerous entry points for cyber attackers targeting a city, and the disparate technology platforms and devices used by cities can create hidden vulnerabilities. This is exacerbated by the lack of common standards governing critical and interconnected devices, resulting in the use of devices from multiple vendors with different communication and security protocols. A number of debilitating incidents such as ransomware attacks against local authorities have left many bewildered and needing to pick up the pieces of systems which have been compromised – leaving citizens without access to services such as birth and death records, health care records and others.

36 cities across 22 countries have agreed to pioneer a new roadmap for safely adopting new technology. The roadmap is designed to give cities the processes and regulations they need to use new technology responsibly. The cities will adopt 5 new model policies initially, which focus on the protection of privacy, better broadband coverage, accountability for cyber security, increased openness of city data, and better accessibility to digital city services for disabled and elderly people.

These initial policies have been prioritized on the basis of two main conditions:

• that they are established as good practice based on considerable experience in leading cities from multiple geographies;
• that they are foundational to building smart cities, and not prescriptive of the technologies, applications or outcomes.

Connected Places Catapult leads the task force responsible for policy development of the Cyber Accountability policy. The purpose of this policy is to define the key areas for a model of accountability for cyber security which is applicable for all cities worldwide, protecting the information and operational assets owned by the city and its citizens. These measures provide a structure that cities can follow to prioritize their operational execution of cyber security. This is an aspirational policy which aims to create clearer lines of accountability within a city context, despite differing examples of city governance structures.

This policy ensures that accountability is clearly defined within local government, with buy-in from senior levels. Good governance can go a long way to ensuring that cities are better protected against incidents and to improve resilience against threats. The process included convening a group of experts from government, industry and academia to feed into policy development. The model policy was then tested via a number of interviews with city Chief Information Security Officers (CISO’s) or similar roles, to gain an understanding of their position and views which were incorporated into the model policy. The policy focuses on what key elements should be included for a Senior Officer such as a CISO, but maintains a level of flexibility in order to be as customisable as possible globally – accounting for different types of organisational structure within cities.

Thirteen cities globally have signed up to be pioneer cities, testing this model policy in their own cities. These include Bilbao, Brasilia, Chattanooga, Cordoba, Gaziantep, Hyderabad, Indore, Istanbul, Kampala, London, Manila, Mexico City and Milan. Support from the Alliance and the Cyber task force will be in the form of three workshops over summer 2021 which discuss the specifics of the policy, and work with participants to determine how it can be adapted to be implemented successfully in each individual city.