Cabinet unveils cybersecurity guidance

NOT JUST CHINA::While the Executive Yuan initially targeted products made in China, it decided to include all devices manufactured overseas that could pose a security risk

By Sean Lin  /  Staff reporter

Sat, Apr 20, 2019 - Page 1

The Executive Yuan yesterday unveiled guidelines asking central and local government agencies to tally in-use information and communications technology devices that could pose a risk to the nation’s information security and disconnect any potentially hazardous devices from government networks.

The check should be completed within three months based on assessments of the risks the devices could pose to the government’s operations and social security, Executive Yuan spokeswoman Kolas Yotaka told a news conference in Taipei.

Any device deemed to pose an information security risk whose life span has expired should be replaced and disposed of before the end of this fiscal year, while a timetable for elimination should be set for devices that have not reached the end of their lives, she said.

The Guidelines Restricting the Use of Products Threatening Information and Communication Safety went into effect on Thursday afternoon after they were signed by Premier Su Tseng-chang (蘇貞昌), Kolas said.

They apply to government agencies, state-run enterprises and science parks whose work is related to eight categories of key infrastructure: water, energy, communications, transportation, finance, science parks, government agencies and emergency medical services, she said.

Devices that are to be regulated include servers, webcams, drones, cloud-based applications, backbone networks, software and antivirus software, as well as systems whose development has been contracted out, she added.

As guidelines are a type of lower-ranking law, they do not include any punishments for local governments that fail to comply, Kolas said, adding that the Executive Yuan could only encourage local administrations to adhere to the guidelines.

However, relevant agencies are compiling a list of information and communications technology device manufacturers that would be banned from government use, Kolas said.

They are also considering introducing enforcement rules to complement the list, meaning that there would be consequences — for example, administrative fines or lawsuits — for local governments that procure products made by companies on the list, she said.

The list would be published in three months at the earliest, she added.

The Executive Yuan originally targeted only products made by Chinese companies, but later widened the scope to include all products manufactured overseas that could threaten the nation’s information security, Kolas said.

Also being deliberated is whether the central government should introduce a total ban on devices manufactured in China, or only those made by Chinese information and communications technology companies, she said.

Brands that are under review and could make the list include ZTE Corp (中興通訊), Lenovo Group (聯想) and Hikvision Digital Technology Co (海康威視), an official familiar with the matter said.

Asked whether the ban should also be followed by private companies whose work or services involve the eight categories of key infrastructure, Kolas said that they and their governing agencies should work out an agreement.

For example, the National Communications Commission should discuss the issue with privately run telecoms, such as Taiwan Mobile Co (台灣大哥大), as should science park administration offices with firms in the parks, she said.