A multinational criminal ring pulled off an ATM heist in Taiwan in 2016 by surreptitiously implanting malware in First Commercial Bank's computer network and then brazenly sending individuals across Taiwan to collect cash from ATMs that the malware had commanded to dispense it. A report on the incident by Taiwan's Ministry of Justice Investigation Bureau (MJIB), Taiwan's counterpart to the US Federal Bureau of Investigation (FBI), put the loss at approximately US$2.6 million, taken from 41 ATMs at 22 bank branches throughout Taiwan, and named 22 suspects from nine, mostly Eastern European, countries. Losing millions of dollars to cybercrime is a significant loss in itself, but Taiwan faces far graver threats, such as the exploitation of sensitive information and cyber attacks with disruptive or physically destructive (kinetic) effects, especially given Taiwan's unique cross-Strait circumstances and the challenging regional security situation.
Taiwan can guard against these threats by reducing its own vulnerabilities while looking for opportunities to exploit those of its potential adversaries. In cyber security, a key vulnerability is people. This includes insider threats who intentionally work against their own company or government, such as Edward Snowden or Chelsea Manning, but also users who fall victim to phishing or spear-phishing and unintentionally open malware attachments that infect their networks. Whether the act is intentional or unintentional, the outcome can be similar: irreparable harm to one's company or government. Guarding against one's own insider threats and spear-phishing should therefore be a top priority, alongside working to exploit the same vulnerabilities in any potential adversary.
Cyber threats as financial crimes, exploitation, and attack
Taiwan is a victim not only of hacking by criminals for cash, as in the ATM heist above, but also of state actors such as North Korea. On October 16, 2017, the cyber-intelligence chief at the defense contractor BAE Systems identified the North Korean "Lazarus" hacking group as the "most likely culprit" behind a recent attempt by hackers to steal US$60 million from Taiwan's Far Eastern International Bank; fortunately, almost all of the money was recovered. Bangladesh was not as fortunate: BAE Systems, along with Kaspersky Lab and Symantec Corporation, had earlier linked the Lazarus group to a successful US$81 million cyber heist at Bangladesh's central bank.
Hacking attempts by state actors can be much more serious because they generally seek classified and other protected information. The United States is famously a target of hacking for secrets, with news of the latest attempts reported on a regular basis. With stakes higher than financial crime, hacks against the United States have targeted military secrets, such as design data for the F-35 aircraft in 2007 and 2008, and the detailed SF-86 security clearance records of US government personnel taken from the Office of Personnel Management in 2015.
The cases above are examples of financial cyber crime and of computer network exploitation (CNE), the theft of information, which differ from computer network attack (CNA), whose purpose is disruption or destruction. Computer network attacks can be severe enough to be interpreted as an act of war, since they involve "actions taken through the use of computer networks to disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves." Along these lines, National Geographic produced a fictional, documentary-style video depicting what a cyber attack on critical infrastructure such as the electrical grid would look like, and how chaotic society could become out of fear and desperation.
Such attacks against critical infrastructure could lead to major social unrest, but cyber attacks against Taiwan's military would also be disastrous. A successful cyber attack on the military's communication network could disrupt command and control (C2) structures: commanders unable to communicate electronically with officers or subordinates, aircraft unable to communicate with ground stations, or hackers spoofing a commander's emails and sending contradictory instructions to troops. The consequences are hard to predict and prepare for, since an adversary's plans could be virtually indiscernible until they are implemented.
A cyber attack lies at the extreme end of severity, but there are also ways to abuse normal computer and information system processes short of an attack. Hackers can mount distributed denial of service (DDoS) disruptions by taking over ordinary users' computers, often without the owners knowing. A victim might have clicked on a malware attachment in an email, or on a link to a compromised "watering hole" website that then installed malware on their computer. That computer can then be remotely controlled by the hacker as part of a botnet and directed to join a flood of simultaneous requests to a website. The flood exhausts the web server's capacity so that it crashes or becomes unresponsive, and legitimate users can no longer reach the site. A further variation is ransom denial of service (RDoS), in which extortionists demand payment, typically in bitcoin, under threat of launching a DDoS attack against the victim if they do not pay.
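The flood described above is visible from the defender's side as one client, or a few, making far more requests than any real visitor could. The following is an added example, not code from the article, of the simplest detection logic: a per-client sliding window over web server access-log lines. The log lines are constructed for the example, and the addresses, timestamps, window length and threshold are assumptions.

```python
"""Spot a DDoS-style request flood in web server access logs.

Added example (not from the article): per-client sliding-window request
counting over constructed Common Log Format lines. The IP addresses,
timestamps, window length and threshold are all assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Common Log Format: client, identd, user, [timestamp], "request", status, size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)$')


def parse_line(line):
    """Return (client_ip, timestamp, request, status) or None for junk lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ip, ts, request, status, _size = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), request, int(status)


def peak_rates(lines, window_seconds=10):
    """Map each client IP to the most requests it made inside any
    window_seconds-long interval. Assumes lines are in chronological order
    per client, as a real access log is."""
    recent = defaultdict(deque)   # ip -> timestamps inside the current window
    peaks = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, _request, _status = parsed
        q = recent[ip]
        q.append(ts)
        # Drop timestamps that have fallen out of the window.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        peaks[ip] = max(peaks[ip], len(q))
    return dict(peaks)


def flag_flooders(lines, threshold=20, window_seconds=10):
    """Clients whose peak rate exceeds threshold requests per window."""
    return sorted(ip for ip, peak in peak_rates(lines, window_seconds).items()
                  if peak > threshold)


def constructed_log():
    """Constructed sample log (not real traffic): three ordinary visitors and
    one compromised host hammering the front page, 60 hits in six seconds."""
    normal = [
        '198.51.100.22 - - [16/Oct/2017:10:00:00 +0800] "GET / HTTP/1.1" 200 512',
        '192.0.2.15 - - [16/Oct/2017:10:00:02 +0800] "GET /about HTTP/1.1" 200 1024',
        '198.51.100.22 - - [16/Oct/2017:10:00:04 +0800] "GET /news HTTP/1.1" 200 2048',
        '192.0.2.15 - - [16/Oct/2017:10:00:09 +0800] "GET /contact HTTP/1.1" 200 800',
        '203.0.113.200 - - [16/Oct/2017:10:00:11 +0800] "GET /news HTTP/1.1" 200 2048',
    ]
    flood = [
        f'203.0.113.7 - - [16/Oct/2017:10:00:{sec:02d} +0800] "GET / HTTP/1.1" 200 512'
        for sec in range(3, 9) for _ in range(10)
    ]
    return normal + flood


if __name__ == "__main__":
    log = constructed_log()
    for ip, peak in sorted(peak_rates(log).items()):
        print(f"{ip:16} peak {peak:3d} requests / 10 s")
    print("flagged:", flag_flooders(log))
```

A single-source threshold like this catches a lone compromised machine; a real botnet spreads the same flood across thousands of addresses, each below the threshold, which is why production defenses also look at aggregate request rates and upstream scrubbing rather than per-IP counts alone.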
Red team/blue team exercises for the digital sphere
In my previous Global Taiwan Brief article, I discussed how the United States could work with Taiwan to deter hackers by apprehending them and sending them to face court trial in the relevant jurisdictions. In addition to setting up such extradition agreements, the United States and Taiwan should cooperate on cyber threats and countermeasures that target any potential adversary’s weakest cyber security link: people.
Reducing one's own cyber security vulnerabilities involves finding holes in one's own systems before others do, and a military analogy is useful here. Militaries train through red team/blue team exercises, internally challenging themselves to improve their abilities by setting up one team to play the adversary against their own forces. One team's success is the other side's failure, so the military learns from its mistakes and grows stronger without facing a real adversary in conflict.
In cyber security, the red team role is played by what are commonly called "white-hat" or "ethical" hackers, also known as penetration testers, while the organization's own defenders form the blue team. These ethical hackers are hired by the organization to test its own websites and systems, attempting to crack passwords or sending spear-phishing emails to the company's or government office's own employees, to make sure that the websites and information systems cannot be penetrated by outside "black-hat" hackers, that is, malicious actors.
Companies or government offices might hesitate to let penetration testers loose on their systems for fear that the testing will disrupt normal operations. However, the riskiest tests can be run without disrupting a production website by using an isolated test environment, a practice often described as "sandboxing": a copy of the system is set up on isolated machines that cannot reach the production network, the attack or malware sample is introduced there, and the outcome is observed as if in a controlled laboratory environment.
Guarding against intentional and unintentional threats
In addition to testing one's own systems for vulnerabilities, protecting information systems also means preventing insider threats. These are individuals inside a company or government organization who act purposefully to harm it, for instance by leaking classified information electronically, copying and sending files as Snowden and Manning did. They could also introduce malware into their own networks by plugging an infected USB device into a work computer. Such insiders can likely be deterred if network monitoring and access controls are robust enough that they can expect to be caught in the act, and if being caught carries heavy criminal penalties.
People can unintentionally fall victim to phishing or spear-phishing when they inadvertently open malicious email attachments. Regular computer hygiene training, such as mandatory cyber awareness training even if held only once a year for as little as one hour, makes people better at spotting fake emails and less likely to become victims. Companies can also hire ethical hackers to send fake phishing emails to their own employees, with attachments or links that do not deploy a virus when clicked but record who fell for the lure. Those individuals are then invited back for additional cyber awareness training, which nobody wants to sit through. Over time, staff in the company or government office become more cautious and smarter about maintaining good digital hygiene.
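The record-keeping side of such an exercise has to attribute each click to one employee without anyone being able to forge a click for a colleague or confuse results across campaigns. The following is an added example, not the article's or any vendor's code, of how a lure link can carry a signed per-employee token and how the landing page uses it; the secret, campaign name, employee IDs and landing URL are assumptions.

```python
"""Attribute clicks in an internal phishing exercise without harming anyone.

Added example (not from the article). Each employee receives a lure link
carrying an HMAC-signed token, so the landing page can record exactly who
clicked, nobody can forge a click for a colleague, and stray tokens from
old campaigns are ignored. The secret, campaign name, employee IDs and
landing URL are assumptions.
"""
import hashlib
import hmac
import secrets

LANDING_URL = "https://training.example/awareness"   # assumed internal page


def make_token(secret, campaign, employee_id):
    """campaign:employee:tag, where tag = HMAC-SHA256(secret, campaign:employee)."""
    if ":" in campaign or ":" in employee_id:
        raise ValueError("campaign and employee IDs must not contain ':'")
    msg = f"{campaign}:{employee_id}".encode()
    tag = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{campaign}:{employee_id}:{tag}"


def verify_token(secret, token):
    """Return (campaign, employee_id) if the tag is genuine, else None."""
    parts = token.split(":")
    if len(parts) != 3:
        return None
    campaign, employee_id, tag = parts
    expected = hmac.new(secret, f"{campaign}:{employee_id}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None
    return campaign, employee_id


class PhishingExercise:
    """One simulated campaign: issues per-employee links and records clicks."""

    def __init__(self, campaign, employees, secret=None):
        self.secret = secret or secrets.token_bytes(32)
        self.campaign = campaign
        self.employees = set(employees)
        self.clicked = set()
        self.rejected = 0

    def lure_link(self, employee_id):
        """The URL placed in the employee's lure email; it only reports back."""
        return f"{LANDING_URL}?t={make_token(self.secret, self.campaign, employee_id)}"

    def record_click(self, token):
        """Called by the landing page. Returns True if a valid click was logged."""
        result = verify_token(self.secret, token)
        if (result is None or result[0] != self.campaign
                or result[1] not in self.employees):
            self.rejected += 1
            return False
        self.clicked.add(result[1])
        return True

    def needs_training(self):
        """Employees to invite back for extra awareness training."""
        return sorted(self.clicked)

    def click_rate(self):
        return len(self.clicked) / len(self.employees)


if __name__ == "__main__":
    ex = PhishingExercise("q4-invoice-lure", ["alice", "bob", "carol", "dave"])
    for who in sorted(ex.employees):
        print(who, ex.lure_link(who))
    ex.record_click(ex.lure_link("bob").split("t=")[1])
    print("retrain:", ex.needs_training(), "rate:", ex.click_rate())
```

The token binds the campaign name and employee ID under a key only the exercise organizers hold, so a forwarded or guessed link cannot be used to mark someone else as having clicked, and the per-employee list that comes out is what drives the follow-up training invitations.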
Though Taiwan's banks were victims of the US$2.6 million ATM heist, they were fortunate to have successfully guarded against the Lazarus group's attempt to steal US$60 million. Since all advanced technological states face similar cyber threats, knowing how to protect one's own cyber vulnerabilities, whether in finance, government information, or against outright cyber attack, not only strengthens a nation's people and information systems but also sheds light on how to exploit similar vulnerabilities in any potential adversary. It is therefore important to focus continually on digital hygiene training for company and government employees, and to test one's own systems often using penetration testers, much as the military uses red teams and blue teams.
The main point: Taiwan faces cyber threats like any other technologically advanced society, but also deals with additional challenges due to its unique cross-Strait circumstances and regional political factors. Taiwan's companies and government can strengthen their cyber defenses through continuous digital hygiene training and through penetration testers who find vulnerabilities in their systems before others do, while also actively discerning vulnerabilities in a potential adversary.