Today, as part of London Tech Week, Artyom Ermolaev, president of the NGO ‘Smart Cities,’ former minister of IT and head of the Moscow IT Department, spoke at the TechXLR8 event in London’s Exel centre. He was explaining his role in the digital transformation of Moscow which included coordinating building the ICT infrastructure for e-health, e-education, public services delivery, and citizen engagement projects.
SC Media UK asked Ermolaev where security considerations fitted in to the digital transformation of Moscow - and what steps were taken to mitigate potential vulnerabilities?
Ermolaev responded: "As the amount of data grew, we knew we needed to concentrate on security. Even our children at school now have electronic diaries - when they were paper children tried to change a D mark before showing their parents. Now it’s completely digital and all marks are immediately sent to parents So data is trying to be ‘corrected’ from the beginning, by children from the age of 10. The number of threats is increasing along with the level while the age of cyber-criminals is falling, so the number of threats is vast."
The importance of data integrity was then expanded upon as Ermolaev added: "How do we answer this challenge? There are several lines of activity to take. First, when using AI, it won’t work correctly if it is not given the correct data, so the data must not be changed. We have implemented blockchain technology to ensure the data is not changed. The first big public test of this will be the 8 September elections for the Moscow parliament (the city has its own parliament). It will use electronic voting for some regions of Moscow where all votes will be put in blockchain. It’s already used elsewhere as a safe solution for tackling the threat of data being changed.
"Also when facing massive DDoS attacks, we don’t want to rely on one server, so again we are using blockchain. If a server goes down, with whole city online its mission-critical. If the city’s entire transportation system stops for a minute, we will have a nightmare as the city has five million cars and 10,000 sets of traffic lights.
"Secondly, we need to ensure the data is not stolen. There are several actions taken to avoid this. Personal data is never stored in just one database. It is segmented and rendered unusable, so it is encrypted, and uses hash codes so if it were stolen you will get 15379 has x and y so it doesn’t divulge people’s personal data.
"We hold sensitive and non-sensitive information separately. Even the less sensitive data is encrypted but it is less of a concern if it were stolen, though we would still investigate how it has happened. The city is investing heavily in digitisation at the back-end, with more data available for business to access and create applications and usage cases for city, but this is (aggregated) and not identified as individuals."
SC Media UK asked Ermolaev about privacy issues, and citizens’ concerns about the potential misuse of their data, by the state or others. In this area, there was clearly a wide cultural divide in the approach within Russia compared to western countries, with the interests of the society as a whole far outweighing those of the individual.
Ermolaev explained: "Previously, as the USSR, it was another world. Government had access to all data and citizens lived in that. (Russian citizens) Now need to understand that we live in a glass world, and all our actions are already seen, not only by government.
"The law (in Russia) allows the government to control all data on citizens - their work, medical, family relations, etc, to help the citizens, to provide personalised services. So by knowing the age of their children, for example, it can ensure there will be a place at kindergarden when a place is needed in three years time. We are creating a law to allow the city to collect data for its own needs. But we are also explaining to the citizens that it is better not to fight this as its part of the modern world. You can’t hide, and there is no need to hide. It helps you to live in a safe town, and you don’t need to be afraid of CCTV and AI. And it’s not just criminals - if say you have your dream car and its out on the street and gets scratched, then you want justice."
What is the preferred route to authenticate ID to access these public services, asked SC Media UK, is it biometrics, behavioural, federated security or what? Ermolatev told SC: "ID now goes through biometrics, through the banking systems. Government biometric systems (effectively use) banks as the front end, using voice, fingerprint and facial recognition. We are still collecting and finding ways to use this data."
The rapid progress of digitisation in the finance sector makes it no surprise that financial fraud is one of the major areas of concern for the Moscow city administration. "We are ahead of Europe and the US in Fintech. Moscovites only need a phone number to transfer £1 to £1 million, they don’t need to know your VAT or NI number or anything like that, and will make wire transfers of huge amounts, person to person credits, and Mostovites use it. There is no need for a wallet or plastic card, as they have bank applications to give or receive credit by pushing only one button.
"That’s where major threat is, the threat of criminals stealing money. So we are concentrating on making our security system difficult to penetrate. The most successful attack was where the criminals created a system to imitate the technical support of one of biggest Russion banks, and send SMS messages and pushed out applications and asked bank customers for their pin and password. It really looked like tech support, but we explained to citizens that this is something the banks would never ask for, yet 20 percent of customers gave their details and lots of money was stolen."
The propensity of people to be fooled or cheat was seen as the highest risk to the system hence there is a drive to "eliminate human involvement," but it was acknowledged that this will take time. "In the digital strategy of the city for the next ten years, AI will only be the adviser, not the decision-maker, but if AI passes this stage, it will have enough knowledge of how to ensure security and AI can move to the next stage (of making decisions)." Ermolaev concludes, that then the major threat is "how to defend the AI, not just the AI’s data, but the algorithms on which it operates (ie the basis on which it makes its decisions)."