Taiwan’s Cybersecurity Dilemma

The island’s world-leading ICT and semiconductor sectors have come under the spotlight following a series of high-profile cyberattacks.

In late March, Taiwanese tech hardware giant Acer reportedly was the victim of a ransomware attack – a type of cyberattack in which money is demanded in exchange for hacked sensitive data. According to media reports, the perpetrators of the attack were a hacker group thought to be located in Russia that calls itself REvil (also known as Sodinokibi). It demanded Acer pay US$50 million – the highest amount ever requested in a such an attack anywhere – and posted screenshots of hacked financial documents and confidential files on its dark web-based data leaks blog. Acer was reported to have negotiated with REvil, offering a lower sum, which the hackers refused.

Around a month later, Quanta, Apple’s key Taiwanese supplier of MacBooks, became REvil’s second Taiwanese ransomware target. The group posted on its blog a statement containing 21 screenshots of what it claimed were stolen MacBook schematics. As with the Acer attack, REvil allegedly demanded US$50 million from Quanta to retrieve the files. However, tech news website Bleeping Computer reported that neither Quanta nor Apple paid the ransom by the date REvil provided, and the group began publishing the files thereafter.

Taiwanese electronics company Compal and state-owned Chinese Petroleum Corporation have also allegedly been hit by similar cyberattacks in recent months, indicating a growing and disturbing trend.

The origins of ransomware can be traced back to 1989, when a Harvard-educated evolutionary biologist named Joseph L. Popp sent 20,000 floppy disks infected with a Trojan virus to attendees of the World Health Organization’s global AIDS conference. The software would encrypt or lock files on the victims’ hard drives, and a prompt would direct them to pay US$189 to a company whose address was a PO box in Panama in order to regain access.

Such attacks have grown much more sophisticated and frequent over the years, with hackers commonly demanding payment in cryptocurrency, known for its convenience and anonymity. According to figures from IBM’s X-Force Threat Intelligence Report, ransomware constituted 23% of all cyberattacks observed in 2020.

Photo: IBM X-Force Threat Intelligence

Ransomware attacks operate like any other computer viruses, explains Oliver Wu, CEO of Taiwanese cybersecurity firm Gaia Information Technology. Hackers plant malicious software in computers, network systems, and databases via phishing scams (fraudulent emails, text messages, and advertisements disguised as legitimate links), virus-contaminated downloads, and webpage loopholes.

According to IBM, more than 60% of the companies experiencing ransomware attacks agree to make ransom payments, typically amounting to millions of dollars. But the damage to businesses inflicted by ransomware can extend beyond mere monetary losses. Losing control of important files and being locked out of systems can cause serious disruptions in business operations.

In addition, says Wu, publicity regarding ransomware attacks can negatively impact a company’s reputation. Poor security records make businesses less attractive and reliable as potential business partners, he says.

As Taiwan continues to advance in various high-tech fields, cybersecurity becomes ever more important. Chen Hao-wei, president of NEX Foundation, a nonprofit organization focused on talent reciprocation, says cybersecurity is now a fundamental part of the development of high-end technologies. “When we adopt those technologies, we need to constantly think about what we want to protect,” says Chen. “Companies moving everything online will only give cyber predators more incentives” to attack, he adds.

For Taiwanese semiconductor manufacturers, cybersecurity is becoming an integral part of their business models. Terry Tsao, global chief marketing officer and president of the Taiwan branch of SEMI, an industry association representing companies in the electronics manufacturing and design supply chain, says that a major factor in the success of Taiwan’s semiconductor industry is the trust it has built with customers by keeping their information safe.

While ensuring that sensitive information will be protected is important for customer relations in general, Tsao provides a larger context for the industry’s reputation in this area. Because Taiwanese chipmakers are so critical to the global tech supply chain, he says, cybersecurity is no longer just a company-level concern but is now also a matter of national security. “If we don’t have cybersecurity, we impact Taiwan and the entire global economy,” he cautions.

Maintaining that defense is not easy, however. Gwen Hsieh, security offerings manager at IBM Security, notes that cyber threats pose unique challenges for the operational technology (OT) of the semiconductor manufacturing supply chain. Components like manufacturing equipment, factory facilities, internal computer systems, and other critical parts of the production process are all appealing targets for cyber attackers. Moreover, semiconductor fabs run non-stop, day and night. Disturbances in their operation can have a severe impact on output and – given the current global chip shortage – on the tech market more broadly.

When faced with enterprises like the Taiwan Semiconductor Manufacturing Co. (TSMC), which are equipped with well-developed cyber defenses, attackers opt to inflict indirect damage by targeting the weaker upstream and downstream portions of the supply chain. These weaker targets include equipment manufacturers, materials suppliers, and even public utilities such as water and electricity. Plants with more rudimentary infrastructure are less prepared for cyber intrusions, says IBM’s Hsieh, making them “low hanging fruit for the attackers.”

In addition, fabless companies like Broadcom and Qualcomm exchange large sums of data and sensitive information with their partners in the supply chain ecosystem, a practice that makes preventing phishing emails, theft of credentials, and ransomware attacks ever more of a challenge, says Hsieh.

Having strong cybersecurity should be a given for a country like Taiwan with such an irreplaceable role in the global high-tech supply chain. On closer examination, however, Taiwan has been disappointingly underprepared for OT-related cyber threats. According to an IBM survey, around 81% of attacked companies did not have OT-specific incident-response plans, despite a 2000% increase in OT-related security incidents in 2019. Even more concerning, Hsieh says, many Taiwanese manufacturers are still using outdated Windows operating systems or, in some cases, second-hand computers.

For Taiwanese companies, cybersecurity has always merely been “a nice thing to have” until an actual attack compels them to adopt a more serious approach, says Mika Yu, vice president of Information Security Service Digital United Inc. (ISSDU). Founded in 2004, ISSDU serves as the cybersecurity arm of local mobile telecommunications firm Far Eas-Tone and is the first Security Operation Center established in Taiwan. Companies simply don’t view investing in cybersecurity investments as profitable, Yu adds, as they erroneously consider the costs of undergoing an attack to be much cheaper. 

Notwithstanding the inadequacies of many tech companies’ cybersecurity and the growing sophistication of modern cyberattacks, Taiwan is home to numerous security solutions and services. American software multinational Dell Technologies, for example, offers a data backup and recovery solution in the form of a data vault. The vault protects businesses’ most critical data in an exclusive and encrypted environment and allows the secured data to be retrieved even when databases are wiped out during an attack.

Lai Fu Trading, part of the Taipei-based Rehfeldt Group, represents leading international suppliers of cybersecurity systems, including FireEye and Deep Instinct from the U.S.

IBM’s Hsieh notes that her company provides a comprehensive set of services to mitigate equipment shutdowns, disruptions to Overall Equipment Effectiveness (OEE), damage to facilities, and other OT-related cyberattacks. She says that IBM’s incident response platform streamlines incident management and is complemented by built-in response playbooks tailored to its clients’ businesses. It also replaces the traditional and static Excel Sheets used by many companies for security management with a more integrated and visually accessible system. In addition to offering security solutions, she says, IBM also provides cybersecurity training programs for both its clients’ security teams as well as their corporate executives and public relations personnel. 

Local Taiwanese companies are also coming up with their own home-grown cybersecurity solutions. Gaia Information Technology uses Web Application Firewalls (WAF) to block security breaches arising from security loopholes in websites. The company’s distributed denial-of-service (DDoS) mitigation solutions mobilize global networks to suppress incoming DDoS attacks. ISSDU, on the other hand, offers machine learning and artificial intelligence solutions to mitigate cyberattacks through analyzing collected data.

SEMI Taiwan’s Tsao says that his association is working closely with the rest of the supply chain to build a Global Industry Security Center and propose standards for data and information protection. “We want to make sure our customers and suppliers are all on the same page regarding cybersecurity so that the information flow for the entire supply chain is secure,” he says.

CYBERSEC 2021, a global cybersecurity conference, was held in Taipei in early May. President Tsai attended the event’s opening and delivered the opening remarks. Photo: Wang Yu-ching / Office of the President

The private sector is not alone in the effort to strengthen Taiwan’s cybersecurity ecosystem; Taiwan’s government has also made headway in this area. In 2020, the Tsai administration prioritized strengthening cybersecurity as a major component of its Six Core Strategic Industries initiative, complementing Taiwan’s advancements in ICT, AIoT, and semiconductor technologies.

Following that development, the Executive Yuan announced this March that it would establish a ministry of digital development next year with a mandate to “improve information security and encourage related industry growth.” Offices under the National Communications Commission, Industrial Development Bureau, and Ministry of Economic Affairs currently tasked with cybersecurity matters will be integrated into an overarching cybersecurity department in the new ministry.

To promote civic engagement in the push to bolster Taiwan’s cybersecurity, the government has hosted numerous Hackathon events, such as the annual Presidential Cup aimed at cultivating cyber talent. More recently, the Ministry of Science and Technology hosted the “2021 Girls in Cyber Security Hackathon” in Tainan, featuring 65 teams competing in information security and creative thinking challenges.

Tsao says these efforts are tangible evidence that cybersecurity is now a national priority and is seen as benefiting Taiwan’s high-tech and semiconductor industries. Traditionally, “Taiwan was more like a follower in the area of cybersecurity,” he says. “But now, especially for manufacturing, I think Taiwan is starting to take the lead.” 

President Tsai and Digital Minister Audrey Tang pose with participants in a Hackathon in 2020, one of many such events hosted by the government to cultivate cyber talent in Taiwan. Photo: Mori / Office of the President

Chen of NEX Foundation echoes Tsao’s enthusiasm for the government’s new direction on cybersecurity. Government-organized events and competitions are “very effective in the way they incentivize and raise student’s interests in cybersecurity,” he says.

The missing piece

While both Tsao and Chen express optimism regarding Taiwan’s overall approach to cybersecurity, Chen notes that a culture of accountability is noticeably absent from both its public and private sectors.

Not only has cybersecurity been treated as an afterthought by many Taiwanese companies, Chen says, but building customer trust based on a strong cyber defense is not an ingrained concept for these companies. He notes that many companies in the U.S. proactively inform their customers regarding personal data compromises and cybersecurity breaches. For those companies, “their branding is tied to cybersecurity,” says Chen.

In contrast, he says, Taiwanese companies tend to conceal issues regarding cybersecurity until they are exposed by the media, and in many cases the companies deny such issues by writing them off as “system abnormalities.” To make matters worse, when cybersecurity firms present vulnerability analysis reports to their clients, some of the companies may request two versions of the report: an original copy for the security team and a redacted version for the executives, says Chen.

Whereas in other jurisdictions, companies whose cyber defenses are weak enough to invite an attack are held legally liable, an absence of relevant government regulations in Taiwan can also explain the lack of accountability in its cybersecurity regime. For example, in 2017 cyber attackers in the U.S. stole terabytes worth of customer data from credit reporting bureau Equifax. The company eventually agreed to a US$575 million global settlement with the Federal Trade Commission (FTC), a large part of which was designated for compensating consumers affected by the data breach.

In the EU, the General Data Protection Regulations (GDPR) as well as local legislation impose harsh penalties on non-compliant companies. Operators of critical infrastructure such as information technology and telecommunications in Germany are legally obligated to report security breaches involving consumer or employee data. Violations can lead to fines of the larger of €10 million (US$12 million) or 2% of the company’s annual global turnover.

In Taiwan, however, penalties imposed by the Executive Yuan for unreported security breaches are capped at only NT$5 million. Chen says that harsher regulations are needed to hold Taiwanese companies accountable. Absent more punitive measures, Taiwanese companies – including those in high-tech sectors – will continue to be complacent and disregard the importance of cybersecurity, he says.

The lax approach to cybersecurity in Taiwan also poses serious impediments to long-term cyber talent recruitment and cultivation, which many in the field agree is already a major challenge in and of itself. A lack of promising cybersecurity-related career opportunities in private companies and government drives young talent away from this area. “The missing part is after you graduate, where do you go?” Chen says. “There’s not enough of a job market for those talents in Taiwan.”

Looking to the future, Chen indicates that the ball is in Taiwan’s court. “I would say we have the opportunity and capability to build up an elite cyber force, but the culture is not there yet,” he says. “When companies are held accountable, the culture will start to change. Regulation will be the first step.”