Only 0.2 percent of Taiwanese manufacturers have an annual IT security budget of more than NT$3 million (US$100,901) and a dedicated IT security department, Industrial Development Bureau data show.
Five percent of them have an annual IT security budget of more than that amount, but no dedicated IT security team, while the remaining 95 percent have neither a sufficient IT security budget nor dedicated in-house IT security talent.
In 2019, the average IT security budget of companies in the information and electronics industry and in the metal and machinery sector was less than NT$1 million, while the average budget in the financial services and healthcare industries reached NT$22 million and NT$8 million respectively.
This difference in IT security investment is because the latter industries are heavily regulated, including the required IT security measures, while the former are not.
Many CEOs of Taiwan’s small and medium-sized manufacturers understand and recognize, in concept, the importance of IT security investment, but when the time comes to open their checkbooks to act on the idea, they balk.
This is for one simple, but powerful reason: The return on investment (ROI) of IT security investment often cannot be quantified.
Whenever a company’s IT department proposes a plan to strengthen its security, the CEO is likely to ask some variant of the following question: By exactly how much would the proposed plan improve IT security?
Such a question is perfectly reasonable from the standpoint of corporate governance, but is it impossible for the IT department, as well as any other players in the field, to quantify the expected improvement and answer the question satisfactorily.
IT security technologies cannot quantitatively estimate the degree of vulnerability of a company’s IT environment. In the end, because the ROI of the proposed IT security enhancement plan is unclear, it is given a lower priority and might eventually fall through the cracks.
The most effective way to increase a manufacturer’s investment in IT security is to tie it to or align it with its business objectives.
The ongoing China-US trade dispute provides such an example.
Supply chain security has long been a concern, but became a real and pressing issue after the dispute started under former US president Donald Trump and the SolarWinds attack in 2020.
A modern, sophisticated product might consist of hardware and software components provided by dozens or even hundreds of suppliers. To ensure a finished product’s overall security, its manufacturer needs to ensure that its own IT environment, as well as components from suppliers and their IT environments, are secure.
Leaders of large manufacturing ecosystems, such as Boeing, General Motors and Taiwan Semiconductor Manufacturing Co (TSMC), are beginning to devise supplier IT security standards and guidelines, and include them in their routine quality audit programs to ensure that ecosystem members deploy proper cybersecurity defense measures in their IT environments.
With such a mandate in place, the CEO of a supplier now sees IT security investment not as something that is “good to have,” but as something their company “must have,” because the investment becomes an essential element of product development and competitiveness.
That is, the associated ROI is not only clear, but also compelling.
The government should leverage this supply chain management trend to steer the country’s small and medium-sized manufacturers toward increasing their IT security investments. Specifically, it should borrow supplier IT security standards, guidelines and auditing procedures from world-class supply chain leaders, such as TSMC, codify them into a reference plan on supply chain security assurance and provide it for free to local industry associations, incentivizing them to apply it to their supply chain management.
Taiwan’s manufacturing industry has a chance to not only strengthen its internal IT security, but also enhance the global competitiveness of its products.
Chiueh Tzi-cker is a joint appointment professor in the Institute of Information Security at National Tsing Hua University.
The term “assassin’s mace” originates from Chinese folklore, describing a concealed weapon used by a weaker hero to defeat a stronger adversary with an unexpected strike. In more general military parlance, the concept refers to an asymmetric capability that targets a critical vulnerability of an adversary. China has found its modern equivalent of the assassin’s mace with its high-altitude electromagnetic pulse (HEMP) weapons, which are nuclear warheads detonated at a high altitude, emitting intense electromagnetic radiation capable of disabling and destroying electronics. An assassin’s mace weapon possesses two essential characteristics: strategic surprise and the ability to neutralize a core dependency.
In their recent op-ed “Trump Should Rein In Taiwan” in Foreign Policy magazine, Christopher Chivvis and Stephen Wertheim argued that the US should pressure President William Lai (賴清德) to “tone it down” to de-escalate tensions in the Taiwan Strait — as if Taiwan’s words are more of a threat to peace than Beijing’s actions. It is an old argument dressed up in new concern: that Washington must rein in Taipei to avoid war. However, this narrative gets it backward. Taiwan is not the problem; China is. Calls for a so-called “grand bargain” with Beijing — where the US pressures Taiwan into concessions
Chinese President and Chinese Communist Party (CCP) Chairman Xi Jinping (習近平) said in a politburo speech late last month that his party must protect the “bottom line” to prevent systemic threats. The tone of his address was grave, revealing deep anxieties about China’s current state of affairs. Essentially, what he worries most about is systemic threats to China’s normal development as a country. The US-China trade war has turned white hot: China’s export orders have plummeted, Chinese firms and enterprises are shutting up shop, and local debt risks are mounting daily, causing China’s economy to flag externally and hemorrhage internally. China’s
During the “426 rally” organized by the Chinese Nationalist Party (KMT) and the Taiwan People’s Party under the slogan “fight green communism, resist dictatorship,” leaders from the two opposition parties framed it as a battle against an allegedly authoritarian administration led by President William Lai (賴清德). While criticism of the government can be a healthy expression of a vibrant, pluralistic society, and protests are quite common in Taiwan, the discourse of the 426 rally nonetheless betrayed troubling signs of collective amnesia. Specifically, the KMT, which imposed 38 years of martial law in Taiwan from 1949 to 1987, has never fully faced its
RSS