On May 11, Taiwan’s Legislative Yuan passed the Cybersecurity Management Law, Taiwan’s first national cybersecurity law (iThome, May 22). This law, which mandates cybersecurity requirements for Taiwan’s government agencies and operators of critical infrastructures, represents the latest initiative in the Tsai administration’s push for cyber security under the policy “Cyber Security is National Security.” As part of this push, the administration is also working to develop Taiwan’s indigenous cybersecurity industry through a policy of “cyber autonomy” (资安自主).
The cyber threats to the island are substantial. Taiwan has been ranked as one of the top targets of advanced cyber attacks in the world, mainly from state-initiated or state-sponsored Advanced Persistent Threats, or APTs (FireEye, January 14, 2014). These APTs, most of which can be traced back to China, conduct cyber espionage against government agencies and corporate entities in Taiwan. In April, the Department of Cybersecurity of Taiwan’s Executive Yuan revealed that China’s “internet army” accounted for 288 successful attacks against Taiwan’s government agencies in 2017 (Liberty Times, April 5). Last March, the Director of Taiwan’s National Security Agency admitted to the Legislative Yuan that China’s cyber penetration of Taiwan’s networks is “worse than before” (Liberty Times, March 9, 2017).
Cyber Autonomy and National Security
Given this backdrop, it may come as no surprise that Taiwan’s push to support its cybersecurity industry through cyber autonomy has a national security bent. In one sense, the word autonomy (自主) is connected to Taiwan’s ongoing efforts at “defense self-reliance” (国防自主) to reduce the island’s reliance on foreign arms. Such efforts to indigenously design and build military jets, missiles, and armored vehicles have been ongoing for decades, but the Tsai administration has made self-reliance a central component of its defense policy, most notably including Taiwan’s new plans to deploy indigenously developed attack submarines.
A national defense-centric interpretation of cyber autonomy, a response to an uncertain environment for international cyber technology transfers and the clear threat from China, is one impetus for building up an “autonomous” domestic cybersecurity industry. New Frontier Foundation, a Democratic Progressive Party (DPP) think tank, first described cyber security as one of Taiwan’s “Core Defense Industries” along with the aerospace and shipbuilding industries in its Blue Paper No. 7 from 2014 (New Frontier Foundation, October 2, 2014). It argued that Taiwan’s Ministry of Defense should assist in the development of Taiwan’s cybersecurity industry and create a local market for cyber products by opening up its cybersecurity contracts to small and medium-sized cyber companies.
President Tsai herself joined the effort to enlist the private sector in Taiwan’s national defense efforts as early as 2016. As a keynote speaker at the Hacks in Taiwan Conference (HITCON), an annual gathering of Taiwan’s hacker community, she highlighted how the “hacker spirit” could aid in her government’s goal of elevating cyber security to a matter of national security (iThome, December 1, 2016). In particular, Tsai expounded upon her government’s policy of encouraging indigenous cybersecurity innovation by creating a domestic market for cybersecurity services, including plans to recruit the private sector to bolster the capabilities of Taiwan’s military cyber forces. At a cybersecurity awareness event hosted at the Presidential Palace in Taipei last December, Tsai again declared that the power of Taiwan’s white hat hackers should be “unleashed” to drive growth and innovation in Taiwan’s cybersecurity industry, a clear nod to cyber autonomy (China Times, December 11, 2017).
The national defense-oriented interpretation of cyber autonomy acquired more definition through the efforts of Taiwan National Security Council Member Lee Der-tsai, who has become one of the primary spokespersons for the Tsai government’s cybersecurity initiatives. Following President Tsai’s example of promoting cyber autonomy policy positions at major cybersecurity conferences, Lee listed promoting “defense-based autonomous cybersecurity research” as one of the government’s strategic goals at the March 2017 Taiwan Cyber Security Summit (iThome, March 16, 2017). He further compared Taiwan’s situation with that of Israel, another victim of constant cyber attacks that promotes its domestic cybersecurity industry through government policy, including subsidies and extensive cooperation between the private cybersecurity sector and the military.
A Different Interpretation of Cyber Autonomy
Yet by the time of the Taiwan Cyber Security Summit a year later in March 2018, another interpretation of cyber autonomy may have gained traction. In his keynote at the Summit, Lee again referenced the development of the cybersecurity industry through national defense projects. However, he indicated that these efforts would henceforth be led by Taiwan’s Ministry of Economic Affairs (MOEA), as that agency begins to take a leading role in developing Taiwan’s cybersecurity industry as a whole (Liberty Times, March 14).
The basis for MOEA’s leading role in a cyber autonomy policy stems from the National Cyber Security Program of Taiwan for 2017 to 2020, which was released in November of 2017 by the Executive Yuan’s National Information and Communication Security Taskforce, or NICST (NICST, November 14, 2017). NICST is an inter-agency task force founded in 2001 at the behest of Taiwan’s National Security Council to secure Taiwan’s government networks and critical infrastructure.
MOEA has long been responsible for executing specific policies and goals related to “cybersecurity industry autonomy” (资安产业自主). This phrase first appeared in the 2013 to 2016 National Cyber Security Program in reference to boosting Taiwan’s indigenous cybersecurity research and competitive capabilities (NICST, February 2, 2016).
MOEA Takes Over
As has long been the case, MOEA is focused on non-defense efforts to promote the development of Taiwan’s cybersecurity industry. One of its main related initiatives is the propagation of security standards for mobile applications developed in Taiwan. Though MOEA’s Industrial Development Bureau (IDB) had supported these efforts since at least 2015, the standards gained traction in 2017 when IDB began promoting these standards for adoption by Taiwan’s government agencies and banks (MOEA, February 22).
IDB has similarly promulgated domestic IoT security standards for internet-connected video surveillance systems. In addition, it plans to open up the testing of domestic cybersecurity industry products on critical infrastructures and other selected industries in 2018, to allow domestic companies to “gain product experience and build skills” (MOEA, February 22).
IDB also sponsored the Cyber Taiwan Expo at this year’s Taiwan Cyber Security Summit. The expo included “autonomous research and skills exhibition” show booths for 38 domestic cybersecurity companies to demonstrate their capabilities to expo attendees (China Times, March 16). Participating companies presented to government officials, including Taiwan’s Vice President Chen Chien-jen.
Taiwan’s National Cyber Security Program for 2017 to 2020 explicitly states that MOEA is to “develop the domestic cybersecurity industry ecosystem by connecting it with national defense needs” (NICST, November 14, 2017). Given the innate vulnerability of mobile, surveillance, and critical infrastructure systems, the Ministry’s efforts so far to elevate the value of Taiwan’s cybersecurity industry do appear to be aimed at improving national security and fulfilling President Tsai’s broader policy of cyber security as national security. However, it remains to be seen how or whether the ministry will fulfill its mission of bringing together private industry and national defense needs in the military sector.
National Defense Still a Focus
In a recent poll of 374 public agencies and industries, general public and private sector spending on cybersecurity services in Taiwan grew by seventy-three percent between 2017 and 2018, led by the financial and services sectors (iThome, April 4). Though increased private sector investment in cyber security services is a promising development, Taiwanese companies may have difficulty competing with better-resourced multinational cybersecurity companies, a challenge that has been highlighted in both the DPP’s aforementioned Blue Paper No. 7 and Taiwan’s National Cyber Security Programs. In this regard, defense-based cybersecurity spending may be an attractive option for developing Taiwan’s homegrown cyber industry, since foreign firms are likely to be excluded from competing for national defense contracts.
Connecting Taiwan’s cybersecurity industry with its military will require the participation of Taiwan’s Ministry of Defense (MoD). For its part, the Ministry is actively employing private sector cybersecurity firms in defense projects as part of its defense self-reliance efforts, including prioritizing the use of homegrown cyber products and services. In addition, the Executive Yuan remains committed to developing Taiwan’s cybersecurity industry through building its connections with national defense. It now considers Taiwan’s cyber industry as part of the national defense component of the $3.6 billion “Five Plus Two” economic development plan that the Tsai administration has proposed to develop new industries and small to medium-sized businesses (Executive Yuan, May 4; AmCham, May 8, 2017).
These funds will prove crucial to achieving the Executive Yuan’s goal of doubling the size of Taiwan’s cybersecurity industry from $1.3 billion currently to more than $2.6 billion by 2025. If private sector cyber security is effectively matched to national defense needs, then Taiwan’s military spending will also come into play. The Tsai administration has plans to increase military spending to $12.6 billion by 2025, from the current level of $10.9 billion, or about 1.84% of GDP (Taiwan News, January 12). While this level of spending remains below the 3% of GDP proposed by DPP Blue Paper No. 7 in 2014, it does highlight investment in cyber security and continued emphasis on the defense self-reliance project.
The Tsai administration has delivered support and promised additional funding for cyber autonomy. So far these efforts have gained some momentum on multiple tracks led by the Executive Yuan, MOEA, and MoD. The ultimate goal of these initiatives is to simultaneously help Taiwan’s cyber firms become globally competitive and defend against Chinese and other cyber threats, which will require both the whole-of-market approach of MOEA and the targeted industry approach of MoD.
Cyber autonomy could provide a springboard and help develop a local market for Taiwan’s cybersecurity industry, but the reach of MoD’s cyber funding may be limited in the market, and Taiwan’s cyber firms will still face tough competition internationally. Both Taiwan’s public and private sector have suggested that Taiwan’s unique threat environment gives rise to a competitive autonomous industry through increased expertise on a variety of cyber tactics, techniques and procedures, but there is uncertainty about whether this environment is relevant to the rest of the world’s cyber needs.
Finally, defending against the concerted cyber challenge from China will require a determined and organized inter-agency response. If successful, mobilizing Taiwan’s private cybersecurity sector in defending government agencies, private companies, military and other sectors of Taiwan’s “digital territory” (数位国土) will be a good start.

Philip W Hsu is a Technology Consultant at FTI Consulting and a graduate of Columbia University’s School of International and Public Affairs. He tweets @philipwhsu