Economy & Business
Cybersecurity in Taiwan
As cyber-attacks continue to rise, is Taiwan doing enough to guard against cybersecurity threats?
By Paul Shelton
It would be easy to attribute the growing attention being paid to the issue of cybersecurity in Taiwan to recent on-going geopolitical upheavals in Europe and closer to home. However, that would be both ignoring the history of cybersecurity in Taiwan and how there is an on-going effort to defeat the hackers and other associated criminals and the potential dire consequences of a cybersecurity breach to both Taiwan, its world leading technology firms and even its residents.
To put the topic into context, cybersecurity is the application of technologies, processes, and controls to protect systems, networks, programmes, devices, and data from cyberattacks. It aims to reduce the risk of cyberattacks and protect against the unauthorised exploitation of systems, networks and technologies.
Cybersecurity is becoming increasingly important to Taiwan in the face of a rising number of cyber-attacks. According to an article published by Taiwan News on 20 January this year, citing a survey conducted by Israeli security software provider, Check Point Software Technologies, the frequency of cyber-attacks targeting Taiwan institutions surged by 38% to reach an average of 2,644 per week. This number puts Taiwan well above the global average.
Perhaps unsurprising is the fact that cyber-attacks often focused on educational and research bodies (on average 1,605 attacks per week) then some 1,136 attempted attacks on government and military institutions and finally some 1,079 attacks per week on the telecom sector. We should also acknowledge the global importance of local companies such as TSMC, the largest contract semiconductor manufacturer in the world (followed by other major Taiwanese manufacturers such as ASE Technology, AU Optronics etc.). Cybersecurity is an integral part of their business models, and it is acknowledged that a major factor in the success of Taiwan’s semiconductor industry is the trust it has built with customers by keeping their information safe. In fact, because Taiwanese chipmakers are so critical to the global tech supply chain, cybersecurity is no longer just a company-level concern but is now also a matter of national security. Cybersecurity failure in this industry alone would severely impact Taiwan and the entire global economy.
What counts as a cyber-attack? Well, it is a whole raft of actions by those attempting unauthorised exploitation. A sample list includes (but is by no means is limited to):
Hacking (i.e., unauthorized access)
Infection of an IT system with malware (including ransomware, spyware, worms, trojans and viruses)
Identity theft or identity fraud
Electronic theft (e.g., breach of confidence by a current or former employee or criminal copyright infringement)
Unsolicited penetration testing (i.e., the exploitation of an IT system without the permission of its owner to determine vulnerabilities and weak points
Taiwan’s cybersecurity efforts began in the early 2000s. To strengthen Taiwan’s capabilities in cyber-security the government announced the National Information & Communication Security Mechanism Plan in January 2001, and the creation of the National Center for Cyber Security Technology (NCCST). This eventually led to the creation of the Department of Cyber Security in August 2016, marking a new stage in Taiwan’s efforts to protect information and promote the latest security measures.
National Information & Communication Security Mechanism Plans have been implemented in the years 2001-2004, 2005-2008, 2009-2012, 2013-2016, 2017-2020 (with President Tsai Ing-wen including cybersecurity in the six core strategic industries during her 2020 inauguration speech) and 2021-2024 (the latest being a detailed reference guide for promoting Taiwan’s cyber-security protection strategy and plans which also saw the passing of the Cyber Security Management Act (CMA) & Related Regulations).
In addition to the above, in a further initiative to strengthen the cyber defense capabilities of financial institutions and achieve secure, convenient, reliable, and resilient financial services for customers, the Financial Services Commission (FSC) published its own “Financial Cyber Security Action Plan” in August 2020. The plan was expected to serve as a guide for financial institutions as they work to build up their cyber defense capabilities. The plan was designed to run for four years and was also intended to enhance the competent authority’s cyber security supervision, strengthen financial institution’s cyber security governance and cyber security resilience, and implement cyber security joint defense. The key approaches to implement the action plan included public-private partnerships, differentiated regulatory treatment, resource sharing, compliance initiatives and international cooperation. The FSC reviews the plan’s performance each half-year and adjusts its contents in response to cybersecurity trends and business needs.
Whilst the passing of the CMA & Regulated Regulations was welcomed by the industry it is by no means the only piece of legislation/regulation relating to cybersecurity in Taiwan. A short stroll through Taiwan’s existing legislation leads us to the following (although this list is most likely not exhaustive nor does its length suggest any form of legislative/regulation confusion):
CMA - the CMA requires Taiwan Government agencies as well as certain specific non-government agencies to adopt cyber-security maintenance plans and report any cybersecurity incident to the relevant government authorities – more on this later
Personal Data Protection Act (PDPA)
Communication Security & Surveillance Act
Trade Secret Act
National Security Act
Counter-Terrorism Financing Act
Regulations governing the export and import of strategic high-tech commodities
So, with all this government support, plans, and legislation/regulation is Taiwan really in the top tier of countries enforcing cybersecurity? It seems the answer is a disappointing “no”. Taiwan is viewed as having been disappointingly underprepared for operational technology related cyber threats (i.e., acts related to digital transactions). It is estimated that 81% of Taiwanese firms that suffered such attacks did not have a specific incident-response plan, despite a 2,000% increase in operational technology related security incidents in 2019 alone. Industry sources also express concern that many Taiwanese manufacturers still use outdated Windows operating systems or, in some cases, second-hand computers.
Disappointingly, many Taiwanese companies, have viewed cybersecurity as merely being “a nice to have” until an actual attack compels them to adopt a more serious approach and these same companies erroneously consider the costs of undergoing an attack to be much cheaper (with a corresponding lack of understanding of how such attacks and lack of preparedness impacts customer relations – an attitude at odds with the industry in the US or the EU where companies view their branding as tied to cybersecurity). Further, in Taiwan, penalties imposed by the government for unreported security breaches are capped at only NT$5 million. This has led to calls for harsher regulations to hold Taiwanese companies accountable (with fines equivalent to those seen in the US and EU). It is argued that absent more punitive measures, Taiwanese companies including those in high-tech sectors will continue to be complacent and disregard the importance of cybersecurity.
But times are changing. The government announced in March 2021 that it would establish a ministry of digital development in 2022 with a mandate to “improve information security and encourage related industry growth”. Offices under the National Communications Commission, Industrial Development Bureau, and Ministry of Economic Affairs currently tasked with cybersecurity matters will be integrated into an overarching cybersecurity department in the new ministry and in December 2021 it was also announced by the FSC that securities and futures companies must reveal cybersecurity incidents, consequent losses, and countermeasures in annual reports from next year, given the rising frequency of cyberattacks in the past few years (although it seems that only incidents that cause serious losses (to be defined) would need to be disclosed.
Currently, securities and futures companies only need to report such incidents to the Taiwan Stock Exchange (TWSE) and the FSC within 30 minutes after a hacking attack is detected.
To enhance information disclosure to investors, the FSC has indicated that companies need to reveal such incidents in annual reports as well and in addition to compensating investors affected by cyberattacks, securities firms must reveal how their financial results and operations were disrupted by the attacks, and specify what measures would be taken to lower such risks.
Despite the slow pace of the adoption of domestic cybersecurity (or do we instead view the situation more positively as decades of steady progress on the domestic front?) Taiwan’s cybersecurity industry actually looks to be expanding globally.
Major worldwide data breaches in both the government and private sector have highlighted the growing threat posed by cybercrime for individuals and institutions at all levels and this has led to a spike in demand for security solutions.
Taiwan based firms are aiming to develop globally trusted data security systems while further strengthening the defenses of Taiwan’s critical infrastructure and major industries. Already a variety of digital security tools designed and produced by domestic companies are widely used at home and abroad.
One Taiwanese firm, Trend Micro, has already emerged as a world leader in cybersecurity. Its global R&D center is based in Taipei City and the company develops security software for more than 500,000 enterprises worldwide and has established strategic alliances with US tech giants like Amazon.com Inc., Hewlett Packard Enterprise Co., IBM, and Microsoft (to name but a few). Trend Micro sees cybersecurity as providing the foundation for all industrial sectors to grow their businesses and enable digital transformation.
Likewise, Taipei-based CHT Security Co., welcomes government support measures and believes that such support and policy framework brings expanded government assistance with experimentation facilities, finance, talent cultivation, technology and regulatory frameworks. CHT believes that through interindustry collaboration and strong government support, Taiwan is set to become a world leader in cybersecurity.
So, we have something of a mixed bag of results for cybersecurity in Taiwan. Perhaps current geopolitical events really have focused attention of the government, industry and even the populace. Action is in progress but vigilance, investment, growth, domestic and international cooperation must be strengthened and maintained in the digital world.
Paul Shelton is a consultant with 30 years of experience in the international financial services and related industries with skills in all aspects of legal and financial crime compliance and regulatory relationship advisory and management.