The Economist Intelligence Unit released its 2017 Safe Cities Index, a biennial study that ranks 60 global cities using 49 indicators of safety across four categories, including digital security, health security, infrastructure security and personal security.

Tokyo, Singapore, Osaka, Toronto and Melbourne top the global index using all four categories of indicators. At number 15, San Francisco ranked as the safest U.S. city, with Los Angeles (18), Chicago (19), New York (21) and Washington, D.C., (23) rounding out the U.S.‘s top five in the index.

Digital security comprised one-fourth of the data used to rank total safety – with each of the four categories equally weighted. To derive its digital security rankings, the Economist used the indicators of privacy policy, citizen awareness of digital threats, public-private partnerships, level of technology employed and dedicated cybersecurity teams. These indicators, in turn, produced outputs that influence rankings, including the frequency of identity theft, percentage of computers infected and percentage with internet access.

Measuring by digital security indicators alone, the Economist ranked Tokyo, Singapore, Chicago, Amsterdam and Hong Kong as the safest. The lowest-ranked cities in digital security alone include Jakarta, Manila, Dhaka, Yangon and Ho Chi Minh City.

The report noted that the poor state of America’s infrastructure contributed to lower overall rankings of U.S. cities, even while U.S. cities outperformed by digital security indicators alone. Five U.S. cities (Chicago, Los Angeles, San Francisco, New York and Dallas) made the top 10 when ranked by only digital security indicators.

The index produced several interesting findings. With two exceptions (Madrid and Seoul), cities slipped in their security rankings since the 2015 report. Asian and European cities retained most top rankings in the 2017 index, while cities in the Middle East, Africa and South America dominate the lower rankings. And the findings point to a correlation of overall wealth and better security.

The Economist’s report also draws attention to a paradox: The very factors that enhance cities’ perceived “livability” also increase their vulnerability to cyberattacks. For instance, urban trends such as pervasive networking (particularly wireless connectivity) and “smart technology” are often viewed as measures of technological advancement. On the other hand, these technologies introduce a much larger “attack surface” for threat actors to target.

Much of the Economist’s report on digital security centers around the threats and risks posed by cybercriminals, which are nontrivial. But the Economist largely omits discussion of how technologies at the infrastructure scale open the door for nation-states to launch significant cyberattacks via cyberwarfare.

Years ago, security experts such as Richard Clarke warned of the growing possibility of nation-state waged cyberwarfare and the many points of vulnerability in critical infrastructure that threat actors would eventually be capable of targeting, with potentially debilitating effect. At the time, many critics scoffed at Clarke’s analysis and warnings, dismissing them as alarmist.

In recent years, however, Clarke’s warnings have proved prophetic. The Democratic People’s Republic of Korea has repeatedly carried out cyberattacks against Seoul, with varying impacts. Iran temporarily disrupted Saudi Arabia’s oil and gas industry in the Shamoon attack of 2012 and again, on a smaller scale, in late 2016. And unknown threat actors launched cyberattacks (e.g., WannaCry, NotPetya, etc.) earlier this year that partially or completely disrupted critical infrastructure in cities globally. (Microsoft claimed “with great confidence” late last week that DPRK was behind WannaCry.)

In the U.S. and globally, power grid vulnerabilities remain a top concern for national security and cyber experts. Russian threat actors are believed to have been behind cyberattacks on the Ukraine power grid, which caused blackouts across Kiev in 2015 and 2016. Earlier this year, researchers at cybersecurity firms ESET and Dragos independently published reports on Industroyer/CrashOverride, essentially an exploit kit easily customizable to the industrial control systems that monitor and manage much critical infrastructure technology globally.

As regional and global tensions with DPRK and Iran escalate – as well as remain elevated with Russia – the possibility persists of nation-state-directed cyberattacks on cities and their underlying critical infrastructure. Some cybersecurity analysts have warned that recent events, such as the Ukraine grid hacks and WannaCry, could have been “test runs” in preparation for larger-scale cyberattacks.

These smaller-scale cyberattacks have demonstrated that some nation-state threat actors no longer lack the capability. As cities rush to implement pervasive networking and smart technologies, often with insufficient attention to cybersecurity, capable threat actors have a growing abundance of vulnerabilities to target.

Rather than threat actors’ limitations in means, motive or opportunity, the critical factors that influence future critical infrastructure cyberattacks may now revolve around scale and timing, making such events not a question of if, but one of when and against whom.

The findings in the Safe Cities Index can be compared and contrasted with similar studies, such as cybersecurity company Rapid7’s National Exposure Index.

The full Safe Cities Index is available online here.