Since assuming office in 2016, President Tsai Ing-wen (蔡英文) has on multiple occasions strongly advocated a data security and national security policy.
With all of the world’s major powers having adopted cyberwarfare strategies, there can be no question that data security and national security are inextricably linked.
Last year, several of Taiwan’s state-run companies and many mid-sized and large manufacturers fell victim to ransomware attacks of varying severity, which in some cases resulted in the temporary suspension of business operations or large ransom payouts, laying bare the intimate connection between data security and economic security.
A nation’s defensive capability against cyberattacks can be termed “national data security power.” The government’s data security and national security policies should focus primarily on upgrading that power.
A nation’s data security power is almost entirely determined by the quality and quantity of its data security specialists, and the latter is closely related to the extent to which it possesses a flourishing data security industry. If a nation wishes to elevate its data security power, it must first cultivate a pool of data security talent that can help develop the sector.
In the past few years, the government has been attempting to do just this. Taiwan now has a community of respected “white hat” hackers who regularly participate in the world-famous Capture the Flag competition, organized by DEF CON, an international convention for hackers and computer security professionals in Las Vegas, Nevada. Taiwanese teams frequently rank among the best in the annual competition.
Some of Taiwan’s white hat hackers have established their own data security companies and are doing good business. Meanwhile, white hat hacker social media groups are popping up all over the place, which means that the pool of data security talent in Taiwan is likely to grow.
Do these achievements mean that Taiwan has already built up formidable data security power and that it has enough data security experts to fulfill its needs? The answer is no.
White hat hackers primarily practice on established software tools, probing target organizations’ systems and networks for security vulnerabilities and conducting packet-based cyberattacks that exploit identified vulnerabilities.
They probe the systems’ vulnerabilities to malware by installing it or activating already existing malware, such as ransomware or botnets, and initiate mock denial-of-service attacks.
The idea behind employing white hat hackers is that by allowing them to attack your systems, you can discover vulnerabilities and flaws, and hopefully learn how to patch them before you are targeted by a real-world attack by a malicious actor.
In the past few years, penetration testing by data security companies has gradually become more common in Taiwan, and most firms’ data security specialists sharpened their skills as white hat hackers.
However, white hat hackers only constitute a small link in the overall data security industry.
I previously worked as director of core technical development and research for the world’s largest data security company. Of the nearly 17,000 employees on the company’s payroll, white hat hackers numbered fewer than 50. The vast majority of employees were software engineers, who developed, integrated and tested a wide variety of data security products.
The human resource structure of other global data security firms is roughly equivalent to that of that company.
This is why Taiwan’s data security industry should focus on cultivating talent in the following areas of software development: specification setting for innovative data security products, design of streamlined and extensible software architecture, and use of advanced software engineering techniques to produce high-performance and reliable large-scale software products.
Also in high demand are people with an intimate understanding of the strengths, weaknesses and price ratios of commercial data security products, who are able to design a bespoke data security protection architecture and implementation plan tailored to the requirements and budget constraints of customers. They should also be able to deliver immediate and effective repairs and patches to clients’ systems if an attack on those systems occurs.
If Taiwan wishes to improve data security protection across all of its industries, the nation needs to train these types of experts.
As with many other industries, the data security industry is gradually moving toward automation. Automated tools are increasingly used for password-strength checks, detection of phishing e-mails and social media attacks, detection and correction of software vulnerabilities, the establishment of system protection rules, the creation of penetration test scripts, and even the generation of network attacks that can intrude into a system’s weak spots.
The use of automated tools allows for the simplification of these processes and can vastly improve output quality. Individuals who are able to develop automated data security tools usually have many years of experience in the development of system software, such as operating systems, compilers and virtual machine monitors, as well as in offensive and defensive data security techniques and artificial intelligence technologies.
These are the key areas of research and development where Taiwan’s data security industry needs to make breakthroughs.
Chiueh Tzi-cker is general director of Information and Communication Labs at the Industrial Technology Research Institute.
Translated by Edward Jones