Declaring that “information security is national security,” President Tsai Ing-wen’s administration has made considerable progress fulfilling promises to beef up Taiwan’s cybersecurity defenses as well as to spur development of the home-grown cybersecurity sector.
A Department of Cybersecurity was established in 2016 as an official unit under the Executive Yuan, upgraded from its previous incarnation as a taskforce. Consolidating the cabinet’s cybersecurity policies and practices, the department oversees an extensive range of programs and taskforces, including the National Information and Communication Security Taskforce, the Cyberspace Protection System, and the Critical Infrastructure Protection System, among others.
Headed by Director-General Howard Hong-wei Jyan, the department has joined with the National Communications Commission and Financial Supervisory Commission in forming the Information Sharing Center for coordinating information about cybersecurity, including possible breaches. The department also audits government websites and networks for compliance with cybersecurity directives, tests for possible breaches, and runs training sessions and cyber-defense drills. Its trainings on how to deal with bogus “phishing” emails and texts have succeeded in dramatically lowering the rate of network malware infection from such communications.
Jyan says that his unit is currently working on streamlining and standardizing cybersecurity protocols and platforms across the government, so as to create a more unified system that all government agencies can follow. “It will be much better if we have unified standards to follow instead of everybody working on it in isolation,” he says.
According to the Industrial Economics and Knowledge Center (IEK), part of the Industrial Technology Research Institute (ITRI), the Taiwan government has raised its spending on cybersecurity from 4.2% of the total IT budget in 2013 to 8.8% in 2017, more than doubling outlays. The top security technologies purchased by the government were anti-virus protection (89.7%), firewalls (89.3%), mail filtering devices (44.9%), intrusion detection/defense systems (39.9%), and web content filters (26.7%), according to IEK.
Jyan, however, cautions against overly relying on technology for cybersecurity. “Cybersecurity is about risk management,” he says. “Cybersecurity must be very strongly based on the technology, but technology is not as important as policy and management. If you have very strong policy and standardized management, then your handling of cybersecurity will be much easier to implement and will be much more powerful.”
The Cybersecurity Management Act bill is currently being debated in the legislature after having been approved by the Executive Yuan last April. The act has been drafted to enhance protection of critical infrastructure in eight categories, including power and water systems, transportation networks, information and telecommunications, science parks, emergency medical facilities, and financial facilities.
If enacted, the law would require government and private enterprises operating in these sectors to establish enhanced network security systems and protocols in line with government regulations and report any suspected breaches, with heavy fines for violations.
Jyan says that critical infrastructure such as hydropower dams are sometimes very old and use industry control systems (ICS) based on programming languages that are proprietary or no longer in use.
“They use ICS systems that are very different from Microsoft or Linux or other modern systems,” says Jyan. “For these dedicated programming languages, not many people may understand their weaknesses.” Taiwan is seeking to cooperate with international experts in these ancient codes to enhance the understanding and protection of such infrastructure.
Taiwan has set four categories for cyber breaches to information systems, ranging from Level 1 – website tampering or defacement – to more serious incidences. Every month Taiwan receives as many as 100 million “sniffings,” as Jyan describes them, brief attempts to jiggle the cyber doorknob to see if it is open. Of these, some 350-360 per month result in minor breaches, at Level 1 or 2.
So far, only about 12 incidences annually reach Level 3, which Jyan describes as serious breaches resulting in sensitive information or largescale personal data losses. A Level 4 breach would entail widespread devastation of the country’s critical infrastructure, and has obviously never occurred.
Jyan says he is particularly worried about targeted attacks in which malware could be inserted into computer networks without being immediately activated. Such malware could be used to build a map or similar guide to government networks, or spy on government systems. Recently such a malware infection was discovered in the Judicial Yuan’s computer networks, and may have been there for years.
“If the attackers don’t activate the malware, it is very difficult to track,” Jyan says. “And one day if they activate – wow, it will be a problem.”
In an effort to bolster Taiwan’s cyber-defense capabilities, last June an Information and Electronic Warfare Command was established as the newest branch of the military. Consolidating cyber- and electronic-warfare components already existing within the armed forces, the new division will be supported by the Chungshan Institute of Science and Technology and civilian sources, the Ministry of National Defense said in a report released last summer. It said the new division will oversee all aspects of cyber-defense operations.
Military analysts applauded the move, noting that forming dedicated cyber units is a worldwide trend. The United States created its Cyber Command (USCYBERCOM) in 2009, China established its Strategic Support Force in December 2015, and Germany formed the Cyber and Information Space Command in April 2017. NATO declared cyberspace a separate combat domain, in addition to land, sea, air, and space, in July 2016.
Taiwan’s establishment of the new military command “is without a shred of doubt a good move,” says Michal Thim, an Asia analyst at the National Cyber and Information Security Agency of the Czech Republic and a longtime Taiwan watcher with extensive ties to the island’s defense community. “It not only addresses specifics that come with fighting in cyberspace but it also sends a signal that Taiwan takes this part of its defense seriously.”
Although much of the preparatory work is still ongoing, Jyan expresses confidence that the country is safer and more secure now and will continue on this path. “There’s no 100% safe and secure system, but we have high confidence that if we are attacked, we can respond as soon as possible, and that our current system will not be hurt.”