The National Cyber Security Centre — a branch of signals intelligence agency GCHQ — and MI5 have both raised concerns about the risks presented by this technology.
The agencies are keen on curbs, potentially through legislation, which would bar certain vendors from bidding or ban management contracts allowing companies to run an entire service on behalf of a local authority, according to several people with knowledge of the discussions.
One of the key threats is misuse of personal data. “Because you’ve got all this population-scale data anonymised in different ways, there’s a risk that someone could recombine them to identify . . . the types of people visiting particular buildings or accessing particular services,” a security official said.
“Lots of companies are offering not just products but services, so they supply the kit and they run the programme for you,” the official added. “That’s an aggregation of a lot of risk in a single place, so that’s the sort of thing we’d advise against.”
There are wider concerns that Beijing could compel Chinese companies to hand over data gleaned from these contracts, which could then be used for espionage.
If the technology itself is insecure, and vulnerable to hackers, this would pose a different type of threat: information about movements of people around cities could assist in terrorist attack planning.
Many local authorities are pursuing safe smart city projects with UK companies, in areas such as AI-controlled road junctions and digitised parking systems.
But the potential scale of Chinese smart city procurement was highlighted last month, when freedom of information requests obtained by Reuters revealed that at least half of London’s boroughs have bought and deployed surveillance systems made by Chinese suppliers, including Hikvision. The company is one of the Chinese suppliers blacklisted by the US over Beijing’s repression of Uyghur Muslims in China.
Central government currently has no powers to prevent councils from signing up with a specific supplier. The NCSC and the Centre for the Protection of National Infrastructure can advise local authorities about prospective projects, and the cyber security team in the Department for Culture, Media and Sport is also assessing how to provide guidance in this area.
Sam Markey, director of strategic analysis at Connected Places Catapult — a government-backed body that provides advice and research on urban innovation — said the resilience of smart city technology and the privacy of personal data gathered through these services was an “increasingly pressing topic of discussion” among both buyers and suppliers of this technology.
“With local budgets tighter than ever in the wake of Covid-19, the benefits of connected places technologies to local authorities, public transport bodies, and property managers are real and obvious,” he said, adding that smart city technologies have “huge potential” to deliver more personalised local services, drive down costs and reduce carbon emissions, if used safely.
Tom Tugendhat, chair of the House of Commons foreign affairs committee and a China hawk, welcomed the push for tighter controls but suggested government should go further in its clampdown on risky technologies. “Data that shapes our lives isn’t just about smart cities,” he said. “Payment systems, social media and many more services need protection, and that means asking the government to help.”
The government said the security and resilience of 5G and other emerging technologies was a “top priority”, and that it was working with local authorities to provide robust guidance so they can “seize the benefits of these technologies in a safe and secure way”.
Alibaba, Huawei and Hikvision declined to comment.