NSB to bolster cybersecurity controls

‘QUITE ALARMING’: The bureau said that amid China’s attempts to hack government agencies, staff have not been observing protocols when handling classified materials

By Lo Tien-pin and Jake Chung  /  Staff reporter, with staff writer

Fri, Nov 22, 2019 - Page 1

The National Security Bureau (NSB) has announced that it plans to amend the Government Password Standardization Act (政府機關密碼統合辦法) and design a new defense mechanism to shield government Web sites and systems from Chinese hacking.

The changes would step up the enforcement of regulations and offer incentives for civil servants to observe rules for protecting classified materials, the bureau said.

Local and overseas government units were found to be lax in managing and safeguarding information, and have an outdated concept of security, the bureau said, adding that overseas personnel do not observe necessary security protocols when handling classified materials or equipment.

Some personnel even use classified equipment for personal use, which increases the risk of leaking classified information, it said.

“This laxness amid efforts by China to hack into our government information systems is quite alarming,” the bureau said.

Government agencies at every level must enforce security protocols and defense mechanisms for the proper handling of classified equipment, the bureau said.

The array of equipment and environments has necessitated the amendments, which would give agencies a reference to follow to mitigate risks, it said.

Passage of the amendments would ensure that encoding; research and development for new codes; and verification processes adhere to regulations and at least meet safety standards of a certain level, it added.

Oversight agencies must ensure that units’ efforts are improved if found to be deficient, the bureau said.

The amendments say that an emergency that compromises the safety of classified equipment and documents would require their evacuation or immediate destruction.

A joint task force would be established to oversee all password-related affairs for overseas units, including the allocation, or recall and destruction, of classified equipment, they say, adding that the task force would assemble and maintain security-related hardware.

Recent cases of suspected Chinese hacking have included a Nov. 7 claim made on Facebook by National Sun Yat-sen University associate professor Chen Chih-chieh (陳至潔) that university professors specializing in political science or cross-strait studies have had their e-mails monitored — some for up to three years — by someone posing as a school official.

National Defense University military instructor Chang Ling-ling (張玲玲) on Tuesday last week said that she has witnessed two hacking incidents.

In 2005, a Chinese Trojan horse program embedded in an e-mail was sent to the university’s staff e-mail system and gained access to the network, she said.

In 2008, Chinese hackers sent her two e-mails in Korean, Chang said.

The first e-mail — whose senders were aware that she was in South Korea at the time — said that she was being sued and included a file that was supposedly a litigation notice, while the second e-mail said that she was being offered a position to teach Korean at an unnamed university in Taiwan, she said.