In 2013, when Taiwan’s then-Intelligence Chief Tsai De-Sheng (蔡得勝) was subject to a public hearing in Taiwan’s legislature, he described a surge in China-sponsored cyber intrusions directed at Taiwan, and that Taiwan is used as a testing ground for future sophisticated Chinese state-sponsored attacks on US targets. These attacks have increased in intensity over the years. More recently, in May, Taiwan was one of the top targets—along with Russia and Ukraine—of the WannaCry ransomware that infected over 57,000 computers in 99 countries. Where there are challenges, there are also opportunities not only to strengthen one’s own capabilities, but also to work with others to overcome such challenges, to hold international dialogues and cooperative cyber security exercises, and especially to take a leading role in setting positive international cyber norms.
Cyber norms arise from international interactions related to cyber security, and the US State Department already counts Taiwan as a close partner in this area. The US State Department highlights in an official 2016 document that it has led cyber policy dialogues—specifically new digital economy dialogues—with Taiwan and others in ASEAN, and Colombia. With Taiwan’s developed economy and high tech industries, it is an important partner in the growing digital economy.
Since Taiwan is home to many of the world’s integrated circuit high tech industries, it fits well with Microsoft Corporation’s new cyber norm framework. Taiwan is a major player in the area of integrated circuits, semiconductors, and other high tech endeavors. Since June 2016, Microsoft has been calling for what it terms “nation-states” and private companies to adhere to its formulation of positive cyber norms, and these are all relevant to Taiwan:
- To maintain trust, nation-states should not ask companies to insert vulnerabilities such as backdoors, and private companies should not permit states to install backdoors on their products.
- Nation-states should handle vulnerabilities by reporting them to vendors rather than stockpiling or exploiting them, and private companies should keep to disclosure practices when handling vulnerabilities.
- Nation-states should not proliferate cyber weapons, and private companies should not traffic them.
- Nation-states should exercise restraint in developing cyber weapons, and private companies should collaborate to defend against attacks.
- Nation-states should limit engagement in offensive cyber operations to avoid creating a mass event.
- States should support the private sector to respond to cyber threats, and private companies should also support the private sector.
- Private companies should patch customers globally (much like how Microsoft runs its “patch Tuesdays” twice a month to update its software).
Taiwan appears to be doing well enough in these areas that the Center for Strategic and International Studies recommends that the United States and its allies to work even more closely with Taiwan: “The United States, Japan, and Taiwan should work together to identify networks and companies that are at risk, develop an early warning and rapid response system, and research new ways of detecting viruses that go beyond identifying signatures from past malware.”
The next biennial US Department of Homeland Security-led Cyber Storm VI exercise will likely occur in early 2018. Now may be a good time to consider Taiwan’s participation in this upcoming exercise so that Taiwan can set a good example for others. Previous Cyber Storm exercises were held in 2006, 2008, 2010, and 2016. Cyber Storm activities fit well with Taiwan’s goals to enable organizations to prepare for cyber-attacks, exercise strategic decision making and interagency coordination, and validate information sharing relationships. In addition to Taiwan’s desire to set a good example in global cyber norms, Taiwan should be included in Cyber Storm because it is a major supplier in the integrated circuit industry, it is constantly under cyber espionage and attack, and already possesses advanced capabilities as demonstrated in the superior performance of its cyber team at DEFCON conferences.
Though Taiwan faces major cyber security threats, these are opportunities to continue to develop its own capabilities, cooperate with others on cyber security, and set the trend in cyber norms. The US State Department has already reported that it is working with Taiwan, and there are additional opportunities through DHS and other organizations. It is through these interactions that Taiwan will set a good example to the international community and continue to play an active role in cultivating norms of behavior in cyberspace.
The main point: With Taiwan’s leading role in the integrated circuit (IC) sector, it is poised to be a global cyber norm setter, and it therefore should actively participate in Cyber Storm and other such programs.