The situation is seen not only as a threat to be defended against, but also as an opportunity to build new lines of business.
Globally 2017 saw a surge in cyberattacks that raised the alarm over cybersecurity. Among the most sensational incidents were the WannaCry ransomware hack that infected 230,000 computers in 150 countries, including Taiwan, as well as the breach of major U.S. credit agency Equifax in which the personal data of 143 million consumers was stolen. International cybersecurity firm Symantec noted in its Internet Security Threat Report 2018 that it has seen a 92% increase in new malware variants in 2017, along with a 46% increase in new ransomware and a 600% surge in IoT (internet of things) hacks.
Taiwan faces a particularly large cybersecurity challenge, as it experiences 20-40 million attempts to infiltrate government, business, and private websites, networks, and machines every month. Although most of these attacks are attributed to Chinese hackers, Taiwan’s affluence, high rates of quality broadband and wireless connectivity, and until recently a fairly lax attitude towards cybersecurity have made it an inviting target for hackers around the world. In 2016, an Eastern European gang infiltrated the network of financial giant First Bank, causing ATMs around the island to “jackpot” – spitting out all of their cash, at designated times, bringing NT$70 million in losses (about US$2.3 million). A later attack on Far Eastern Bank’s overseas operations netted hackers some NT$1.8 billion (around US$60 million).
“Many recent incidents have highlighted the importance of cybersecurity in the Taiwan market,” observes Irene Lien, an analyst with International Data Corp. (IDC), the technology market research firm, who notes that both government and enterprises in Taiwan have recently been increasing their budgets for cybersecurity.
“The attitude has changed over the last two years,” agrees Allen Own, co-founder of local cybersecurity startup Devco. Many businesses and organizations “now think security is essential, so they will seek some help from cybersecurity companies,” he says. His company, staffed by self-described “white hat” hackers (the good guys), offers threat investigation and analysis for customers proactively seeking to avoid a hack. In contrast, most firms only take cybersecurity seriously after a breach. “Business is good,” he says, declining to give numbers but noting that as Devco’s service is customized for each client, it is not looking for the hockey-stick shaped growth eagerly sought by most startups. Most of his new business derives from word of mouth.
The total market for “cybersecurity, including the appliances and platforms, has shown double-digit annual growth since 2013,” says IDC’s Lien. The performance looks even better when compared with most sectors of the domestic technology market, “which showed not very impressive or stable growth or are even declining,” she notes.
According to an industry report released by the Commercial Section of the American Institute in Taiwan (AIT), the domestic cybersecurity market has expanded at an annual rate of 12.2% since 2013, increasing in scale from US$926.6 million that year to US$1.44 billion in 2017. Chung Ming-hui, a researcher with the Industrial Economics and Knowledge Center (IEK) at Taiwan’s public/private Industrial Technology Research Institute (ITRI), adds that “11.6% of the total IT budget for private enterprise went to cybersecurity in 2017, compared to only 3.4% in 2013.” IEK forecasts a 73% rise in cybersecurity and IT protection investments in 2018 in Taiwan.
Lien notes that although sales of specific cybersecurity products such as firewalls and UTM (unified threat management) systems remain healthy, the market has increasingly shifted towards security platforms that include Artificial Intelligence (AI) and/or Machine Learning (ML) capabilities. Cybersecurity platforms that deploy AI/ML technology act like immune systems, learning from the threats they encounter to better defend against future threats in a never-ending war.
The finance and e-commerce sectors, which handle large amounts of both personal data and money, are particular targets for cyberattacks, pushing them to invest heavily in cybersecurity. Much of the spending in the Taiwan market is driven by government, however. “The government of Tsai Ing-wen is very focused on cybersecurity for national security, so it puts a lot of budget into the sector,” says IDC’s Lien. She forecasts that “we will continue to see double-digit growth in government spending in the sector as well as by private enterprises responding to the increasing threats.”
The government sees cybersecurity not only as a threat but also as a budding new industry that offers the potential for Taiwan’s experienced hardware makers and growing cadre of software experts to generate high-value-added products and platforms. “The output of Taiwan’s information security firms is projected to rise from US$1.12 billion in 2015 to US$1.56 billion in 2019, reflecting an annual growth rate of 8.7%,” AIT noted in its market report.
IEK calculates an even higher production value and growth level for the local cybersecurity industry. It estimates that the cybersecurity production value reached NT$35 billion (US$1.18 billion) in 2016 and rose to NT$38.56 billion (US$1.3 billion) in 2017, and IEK forecasts it reaching NT$55 billion by 2020, a 21% CAGR. “We forecast that this growth rate will continue to 2020,” says Ming.
Taiwan is already leveraging its huge and longstanding presence in semiconductors and hardware manufacturing to advance the cybersecurity industry, and Taiwanese firms are providing equipment to many of the world’s top brands in cybersecurity. “This is a big opportunity, as our ICT hardware sector already has a strong industry network in the communications industry,” says Chung. “Our hardware platform has a long history and the capability to get the market.”
Eric Hsu, vice president of Asia-Pacific sales for U.S. IoT security provider ForceShield, regards the ample talent on the software and especially firmware side of Taiwan’s ICT industry as a major asset. As firmware running semiconductors has recently been proven to be hackable, Taiwan’s prowess in the firmware field is expected to be a growing boon for its cybersecurity business, especially as it applies to the IoT sector.
The government has promoted a number of initiatives for enhancing its cybersecurity sector, including adoption of the National Strategy for Cybersecurity Development Program (2017-2020), which integrates cybersecurity industry development into Taiwan’s 5+2 Industrial Innovation Plan. Out of confidence that Taiwan’s advantages in this sector can translate into growing export sales for Taiwan’s cybersecurity companies, the government has budgeted NT$11 billion over the next three years to promote the industry around the world. “We think the industry has great potential for export,” says ITRI’s Ming. “A lot of the vendors want to go global.”
Still, Taiwan’s own market for cybersecurity platforms remains tilted towards imports, which comprise around 60% of the domestic market, according to IDC’s Lien. She cites consumer confidence in imported products from companies such as Fortinet, Checkpoint, FireEye, and Palo Alto as a key factor. Another factor is consumer awareness that companies with a global scale “have more experience in fending off attacks and so can anticipate a wider range of threats,” says Lien.
Steven Chen, CEO and co-founder of Silicon Valley’s PFP Cybersecurity, which also operates in Taiwan, notes that the Taiwan cybersecurity market remains focused on big-name players and offers little room for startups. “The Taiwanese believe in big names,” he observes, contrasting that with the prevailing view in the United States that “small companies provide more innovation and timely solutions.”
The enormous volume of cyberattacks Taiwan receives actually offers a potential competitive edge by providing lots of samples of brewing malware attacks. “Taiwan is the sandbox for malware developers,” says Hans Breuer, who represents the cybersecurity firm RiskIQ in the Asia Pacific, particularly Taiwan and Singapore. Taiwan has the reputation of being the testing ground for Chinese hackers to finetune their malware before spreading it to the global market. The data generated by these attacks is the feedstock by which cybersecurity-embedded AI/ML technologies learn and adapt.
Silicon Valley-based ForceShield, for example, set up its R&D center in Taipei on the strength of this information feed-stock, and global cybersecurity firm TrendMicro, founded by Taiwanese based in Japan, does extensive research on attacks on Taiwan. Chen of PFP Cybersecurity likewise acknowledges the value of this resource. In an email, he said the company is looking to develop a locally produced library of device signatures and exploits gathered from hardware and firmware attacks for use in future malware defenses. “We are seeking partners in Taiwan to create this new library which could be used locally or by other countries,” he wrote.
Taiwan has many firms both big and small operating in various sectors of the cybersecurity industry, including AI analytics, intelligence and response; mobile and IoT security; cyber threat intelligence, and other segments.
Another of Taiwan’s competitive advantages in this industry, cited by many insiders, is that it is not China. Since China is the source of over a fifth of all of the world’s cyberattacks, according to global cybersecurity firm Symantec, most of the world is reluctant to use Chinese cybersecurity platforms.
Taiwan’s talent pool of dedicated white-hat hackers is also a draw. Taiwanese teams regularly participate in the Taiwan-hosted global hacking competition Hacks in Taiwan (HITCON CTF). HITCON invites hacker teams from around the world to compete in attacking other teams’ servers while defending their own. The team from National Taiwan University is ranked first in the world, while another Taiwanese team was runner-up in the 2017 DEF CON CTF contest sponsored by the U.S. Department of Defense.
IEK sees Taiwan’s growth in the cybersecurity sector trending away from hardware and towards services. While hardware will continue to grow, it will be at a slower pace than the software and services segments. According to IEK’s projections, hardware’s share of the total production value will decline from 67% in 2016 to 48% in 2020, while services will rise from 24% in 2016 to 33% in 2020. Software is expected to remain stable at a 19% share of the value.
Taiwan’s place in the global value chain is hard to determine as global estimates vary widely based on varying definitions of the sector and exactly what products and services are included.
While Taiwan’s cybersecurity industry is growing, some express less than complete confidence about its future prospects. “The Taiwanese government is really trying hard, but there are not enough local entrepreneurs and startups,” says PFP Cybersecurity’s Chen.
Hans Breuer notes that most companies continue to treat investment in cybersecurity as an afterthought, dedicating the least possible amount of money to it. “The regulations aren’t stringent enough and the penalties for leaking data aren’t high enough, so companies do the bare minimum,” he says.
In terms of actually tightening up Taiwan’s domestic cybersecurity, most insiders agree that both enterprises and consumers are still too lax. Insufficient password protection is frequently cited as the most common error, as well as not patching software vulnerabilities fast enough.