The 2023 EU-Taiwan Cybersecurity Seminar was arranged by the European Economic and Trade Office (EETO) in conjunction with the ECCT on the topic "Strengthening cybersecurity resilience and cooperation". The event brought together policy makers and cybersecurity experts from the EU and Taiwan to discuss recent and ongoing trends, opportunities and challenges in cybersecurity and share best practices in terms of government policy and how to increase resilience against a variety of cyber threats facing businesses.
The half day seminar began with opening remarks by Aleksandra Kozlowsaka, Head of the EETO's Trade Section and ECCT chairman Giuseppe Izzo. This was followed by two sessions featuring the following speakers: Dr Herming Chiueh, (闕河鳴), Deputy Minister, Ministry of Digital Affairs; Dr Stefan Kramer, First Counsellor for Science, Innovation, Digital and other EU Policies Delegation of the EU to Japan; Marcin Mateusz Jerzewski, Head of Taiwan Office, European Values Center; Toni Lin (林大馗), Partner, Cybersecurity Services at KPMG and Dr Benson Wu (吳明蔚), Co-founder & CEO of CyCraft Technology. The seminar was concluded with a panel discussion featuring all of the speakers that was moderated by Henrison Fan (范栩), Deputy Director, Process Automation from Siemens Limited.
Topic: Building a resilient and secure smart country
Speaker: Dr Herming Chiueh, Deputy Minister, Ministry of Digital Development (MODA, 闕河鳴 博士 數位發展部政務次長)
Deputy Minister Chiueh spoke about how MODA supervises key telecommunications infrastructure builders to implement information security protection. Under the authority of the Telecommunications Management Act, to ensure national security and public order, the competent authority may designate all or part of the public telecommunications network as critical telecommunications infrastructure and installers are required to implement infrastructure protection plans, which may be evaluated by the competent authority. Core infrastructure covered under the provisions include those under the control of government and state-controlled agencies and companies that provide services, such as the provision of power, water, gas and healthcare. The objective is to build resilience in infrastructure to deal with emergency situations. Given the fact that Taiwan is an island communicating to the world via submarine cables, this makes Taiwan vulnerable.
To promote information security protection of connected devices, the MODA has formulated basic common information security specifications for networked equipment for reference or use by competent authorities. Some specifications follow international standards while others are not. After passing reviews, devices are certified. While not all devices for private use have to pass reviews, only certified devices may be used by government agencies.
Securing cybersecurity talent is a critical issue. According to statistics provided by Chiueh, of the over 363,000 government employees, fewer than 7,000 are IT professionals while only 1,200 of them are dedicated to information security. To address this problem, MODA is running classes on cybersecurity for government workers (basic knowledge of information security and information security laws and regulations for average workers as well as advanced skills training for full time information security professionals). A common problem is that talented people tend to leave public service for more lucrative careers in the private sector. However, Chiueh says that he is not concerned about people moving on because, they will help to enhance Taiwan's overall resilience in their future roles.
Resilience is defined as having the ability to respond to risks, being able to withstand external force violations as much as possible and minimize the degree of damage by external forces and being able to recover quickly. Authorities are exploring ways to increase Taiwan's multivariate heterogeneous network, the integration of various transmission channels such as ground fixed network, wireless network, submarine cables and satellites, so that anyone and any object can achieve wireless communication at any time and place. For example, Starlink, a low-orbit satellite system, has attracted the attention of many countries following its successful deployment in the war in Ukraine. The MODA is accelerating the promotion of the national digital development policy and will develop heterogeneous networks and prepare important data and services to maintain government and social operations in the event of disruptions, so as to improve the resilience of Taiwan's communication infrastructure. According to Chiueh, communication resilience does not rely solely on a single technology, solution, specific country or supplier. This means that Taiwan will welcome solutions from the private sector and cooperation with international companies, including European companies.
Topic: Shaping Europe's digital future – the EU's cybersecurity policies
Speaker: Stefan Kramer, First Counsellor, Delegation of the EU to Japan
The speaker gave an update on the EU's latest cybersecurity legislative initiatives: the Network and Information Security Directive 2 (NIS 2) and the Cyber Resilience Act. The NIS 2 directive was updated recently from the original directive in 2016. The EU Parliament and the European Council approved the implementation of NIS 2 in November 2022 and it went into force on 16 January 2023.
The aim of the original 2016 NIS directive was to lay down obligations for all EU Member States to adopt a national strategy on the security of network and information systems and get Member States to exchange information on incidents, especially those operating essential services. The 2016 directive created computer security incident response teams and established security and notification requirements for operators of essential services (OES) and for digital service providers, among others.
The reason for the review and update of the directive in 2022 was to make it future proof. The original directive covered the energy, transport, banking, finance, health, drinking water, digital infrastructure sectors in Annex I (essential entities) and digital providers in Annex II (important entities).
In the updated NIS 2 directive, the commission proposed adding waste water, public administration entities and space to Annex I as well as postal and courier services, waste management, chemicals, food and manufacturing to Annex II. Co-legislators also agreed to add ICT service management to Annex I and research to Annex II.
In terms of scope, the size threshold has been widened to include all SMEs with more than 50 employees or turnover of over €10m or above in the relevant sectors (with some exceptions).
Under NIS 2, top level management will now be accountable for non-compliance with cybersecurity risk management measures and must take appropriate and proportionate cybersecurity measures. In addition, all significant incidences must be reported within 24 hours and Member States must inform one another of incidents of a cross-border nature.
In addition, Member States are required to address cybersecurity in the supply chain for ICT products and services for essential and important entities in their national cybersecurity strategies.
The Cyber Resilience Act proposal includes cybersecurity rules for the placing hardware and software on the market. It will require manufacturers of hardware and software to comply with obligations throughout the life cycle of the product (or five years, whichever is shorter). It covers all products with digital elements but not those which are already regulated under other directives (such as medical devices and cars).
Essential requirements are that products have the appropriate level of security and are delivered without known vulnerabilities. If vulnerabilities are identified, they would need to be documented and addressed without delay and information about fixed vulnerabilities needs to be made public. Patches will need to be delivered without delay, free of charge and with advisory messages.
As a rule, whoever places on the market a "final" product or a component is required to comply with the essential requirements, undergo conformity assessment and affix a CE marking.
Most products (90%) fall into the default category and may be self assessed but critical class products (Class 1 and 2), may refer to an existing cybersecurity standard. If there is no existing standard, a third party assessment will be required. Highly critical products require mandatory EU certification.
In terms of market surveillance powers, market surveillance authorities have the power to:
require manufacturers to bring non-compliance to an end and eliminate risk; to prohibit/restrict the making available of a product or to order that the product is withdrawn/recalled and impose penalties (including fines up to €15 million or up to 2.5% of worldwide turnover).
Topic: Cyber resilience: Opportunities for Taiwan-EU Cooperation
Speaker: Marcin Mateusz Jerzeski, Head of Taiwan Office, European Values Center
For the implementation of NIS 2.0, there are new funding calls under the Digital Europe Program to boost cyber resilience (€176.5 million worth of grants for companies, public administration institutions and other organisations). The latest directive is more advanced than the original version and focused on building public private partnerships.
Taiwan promulgated the Cyber Security Management Act in June 2018 with a number of rules and regulations, including audit regulations, incident regulations, cyber security information sharing regulations, regulations on the classification of cybersecurity responsibility, among others, but implementation has been fragmented. This should be addressed with the establishment of the National Institute of Cyber Security under the MODA (which has been authorised by the implementation of legislation on 1 January 2023). Cybersecurity has also been listed as one of six core strategic industries by the Tsai administration.
There is currently a lack of and therefore a key role for public private partnerships in cybersecurity. This is recognised by authorities in both Taiwan and the EU. The lack of public-private partnership collaboration mechanism was identified as one of key threats for cybersecurity development in a SWOT analysis carried out by Taiwan's Executive Yuan while, in May 2022, the European Council recognised the fact that "developing ties with the private sector could be an amplifier of public capacities, in particular in a context of skills shortages across the EU, and that identifying and coordinating these private partners could make a difference in the event of large-scale incidents".
There are also regional opportunities for cooperation. For example, the EU has demonstrated a willingness to engage with like-minded partners in the Indo-Pacific region to increase cyber resilience capacity building in the region through initiatives like the EU-ROK Digital Partnership. Cybersecurity is also included under Taiwan's flagship New Southbound Policy. In 2022 Taiwan signed an MOU with India on cybersecurity aimed at expanding cooperation from basic cybersecurity research to cybersecurity trends and threat analysis.
Topic: 2022 Taiwan Enterprises Cyber Risk Report
Speaker: Toni Lin, Partner, Cybersecurity Services, KPMG (林大馗 執行副總經理)
The speaker gave an overview of the main findings of KPMG's 2022 Taiwan Enterprises Cyber Risk Report, which was released in September 2022 and is available to the public. Taiwan faces unprecedented cybersecurity challenges due to new business trends (the rise of remote work, unmanned production and touchless services), geopolitical issues (Taiwan has long been the target of hackers from China while the war between Ukraine and Russia has accelerated asymmetric warfare), and the use of advanced technology (such as cloud services). While these trends have increased operational efficiency, they have also increased risks.
The goal of the survey was to measure overall cybersecurity risks and compare risk exposure across industries and ultimately help entities to deploy cybersecurity defence strategies.
60 companies from a variety of industry sectors participated (financial services, core businesses in supply chains, semiconductors, e-commerce, semiconductors, computers and peripherals and start-ups). The survey employed three detecting aspects (application, human, network and IT) and 14 detection items, namely: Under 1) applications (application security, domain attacks, exposed services and technologies), 2) Human (responsiveness, employee attack service, security team and social posture) and 3) Network and IT (asset reputation, cloud, DNS, TLS, mail server, web server).
Companies were given grades ranging from A (Excellent, 90% and above, meaning that they only vulnerable to world class hackers ) to B (Good, 80-90%, vulnerable only to experienced hackers), C (Fair, 70-80%, vulnerable to any general professional hacker), D (Poor, 60-70%, vulnerable even to rookie hackers) to F (Very poor, below 60%, vulnerable to beginners with basic network programming skills).
The surveyed enterprises received an average C grade regarding network defence. Companies in the financial services sector scored the best, followed by those in the semiconductor sector (both over 80%). Given that enterprises are constantly exposed to a high level of network risk, they should therefore improve internal cybersecurity controls without delay.
The most important findings from the survey were as follows:
- Many enterprises overlook cyberattacks derived from social media: Most companies register social media fan pages. In addition, employees can easily expose the company's contact information on their social media accounts, which increases the probability for hackers to successfully initiate spear phishing attacks.
- Taiwan suffers from a serious shortage of cybersecurity talent across industries: Of all the 60 surveyed enterprises, external sources show that one half of the enterprises did not have in place appropriate cybersecurity personnel.
- Core business in supply chain should strengthen network defence as a matter of urgency given low scores.
- Financial services companies performed the best but still face great challenges from external threats.
- Incorporating and verifying international standards of cybersecurity can significantly decrease risk exposure.
Cybersecurity risk is also a risk to sustainability. With the surge of terminal gadgets, the increasing demand of cloud services for enterprises and the acceleration of digital transformation, issues regarding cyber risk pose greater a threat than ever to the sustainability of a company, which triggers stakeholders such as the authorities, investors and consumers to pay greater attention to cybersecurity. Cybersecurity management is therefore a crucial driving force for enterprises to optimise ESG.
Topic: Human-AI collaboration for a safer, resilient world
Speaker: Dr Benson Wu (吳明蔚), Co-founder and CEO of CyCraft Technology
Taiwan is on the frontline of cyberattacks. In 2020, Cycraft curtailed a year-long attack targeting Taiwan's semiconductor ecosystem (upstream and downstream) aimed at stealing software development kits and chip designs. In 2021, the company discovered that a vulnerable third party software commonly used by Taiwanese securities traders was exploited by hackers to purchase Hong Kong stocks after hours on consumer trading accounts.
There are billions of threats on the internet. Every day 500,000 new malware and 2,000-3,000 new ransomware threats and three million phishing attacks are launched. It is the shared responsibility of government, companies and civilians to address the issue. Using technology is essential since it is impossible to fight using labour intensive methods alone.
Hackers have gained access to almost everyone's Personal Identifiable Information (PII). According to Wu, there is an underground PII as a service business model whereby hackers steal data (such as cell phone numbers) from vulnerable websites or buy it from disreputable agents and then sell it on to other disreputable agents, criminals or hostile actors (often state-backed agents). According to Wu, as of January 2023 there were some 14.4 billion stolen PII records. One of the largest PII leakages was the QQ database in China, where the data of some 700 million users was stolen. Even though these types of activities are illegal, it is extremely difficult to enforce the law.
Many listed companies in Taiwan have reported ransomware attacks, which is required by law. However, there are no real consequences for not reporting them so it is highly likely that a large number of cases go unreported. Wu said that evidence of underreporting can be found by looking at the dark web, where hackers expose the data they have stolen.
Different industries and companies tend to have different views on risk, according to Wu. Business leaders do not always see that supporting their business requires security. Manufacturers tend to devote little effort and budgets to risks and thereby expose themselves to higher risks. Semiconductor firms, on the other hand are willing to devote more efforts and budgets to security and thereby reduce their risks.
More than 100 listed companies in Taiwan disclosed their security practices in their 2021 annual reports. TSMC sets a high standard with a cybersecurity team of 500 people and a budget of over NT$1 billion while E. Sun Financial Holding spent NT$300 million and Mediatek spent NT$243 million.
Companies are increasingly realising the risks of cybersecurity incidents. According to Allianz's Risk Barometer 2022, cyber incidents were cited as the most important risk to enterprises.
Wu reiterated the point made by the previous speaker that ESG reporting is not complete without a cybersecurity report.
On the question of talent, Wu said that it is difficult to attract people to cybersecurity because it is thankless job where 32% of employees get burned out in 12 months. This because all of the great work at preventing incidents is usually overlooked while security employees are always blamed when things go wrong. The best way to change this is to empower staff with the right technology and adopt a strategy that employs both AI and human resources in a way that uses AI in a smart way so that it does not burden staff too much. Company leadership and culture are also important. Leaders should act as role models in taking security risk seriously and educating employees to make security awareness part of the company culture.