The recent Taiwan visit by US Congresswoman Nancy Pelosi brought the increasing cyber threats to national security to light again. According to Taipei Times, systems like electronic bulletin boards at railway stations and convenience stores were hacked, and government websites were attacked and brought down, even before Pelosi arrived on the island nation.

It was reported that television screens behind cashiers in some of the 7-Eleven convenience stores—a US-based multinational retail company—were compromised to display statements like “Warmonger Pelosi, get out of Taiwan!”. In another instance, an electronic board at the Sinzuoying railway station showed a message in simplified Chinese which translated into “The visit of the old witch to Taiwan is a serious challenge to the core of the country. Those who actively welcome it will eventually be judged by people, the blood ties of the same race will continue to be separated, great China will eventually be unified”.

Audrey Tang, Taiwan’s digital minister, highlighted that before and after the visit, Taiwan observed 23 times higher cyberattacks than the previous daily record. However, without directly blaming any state or non-state actor for the attacks, Taipei underlined that the attacks originated from addresses in China and Russia.   

At the recently concluded DEFCON—a US-based annual hacker convention—the White House National Cyber Director, Chris Inglis, remarked that “the way forward for cybersecurity is defence, defined roles and responsibilities, and investing in resilience and robustness”. He stressed the ‘three-wave of attacks’ observed in recent years. The three waves focus on –

1. Holding data and systems at risk
2. Keeping the data and systems at risk but abstracting it into holding critical functions at risk
3. Attack on confidence

He asserted that while there is a lack of imagination and anticipation of future attacks, there is also a need for clarity on roles and responsibilities, strengthening supply chains, and focus on collective defence. According to him, “the attackers seek to defeat one, and in the process, they are able to defeat all.”

From this perspective, it is essential to understand the Taiwanese scenario where high risks and high stakes co-exist in cyberspace. The asymmetry makes developing cyber defence capabilities an imperative without the necessary means to back cyber offensive capabilities with ground capabilities, especially against adversaries like China. Further, Taiwan’s experience can be utilised by countries like India facing similar threats to increasing cyber espionage activities, disinformation campaigns, and cyber threats to critical infrastructure.

Taiwan’s cyber threat profile

Today, Taiwan is arguably the most critical node in the global high-tech manufacturing and supply chains. The Taiwan Semiconductor Manufacturing Corporation (TSMC) is the single largest semiconductor manufacturer in the world, with over 90 per cent market share and exclusive capabilities in developing the most sophisticated and valuable computer chips. Its importance can be gauged from the fact that China spends more on importing semiconductors than any other commodity or product. Thus, the Taiwanese semiconductor industry is of enormous significance to developing technical capabilities in increasingly crucial national security domains like quantum computing and Artificial intelligence.

Beyond its significance for global supply chains, Taiwan is of utmost strategic importance from geopolitical, economic, military, and humanitarian perspectives. For China, Taiwan is the entrance into the South China sea. For the US, Taiwan is “an unsinkable aircraft carrier”.

According to Chien Hung-Wei, head of Taiwan’s Department of Cybersecurity, in the increasingly digitised Taiwanese ecosystem where critical infrastructure like water, electricity, and gas are digitally controlled, cyberattacks can be catastrophic for the island nation. In his remarks in the parliament last year, he highlighted that Taiwan’s government networks face “five million attacks and scans a day”. While Taipei has restrained from attributing specific cyberattacks to the Chinese government or agencies, it accuses China of using disinformation campaigns, military intimidation, and cyberattacks to erode Taiwanese society’s trust in their government.

It has been regularly stressed that Taiwanese government agencies face an acute cybersecurity personnel shortage at both local and central levels. While the Executive Yuan (the executive branch of the government) aims to cultivate 350 cybersecurity experts by 2024, considering Taiwan’s rapidly evolving threat profile in cyberspace, this is expected to remain highly inadequate. As many cybersecurity vulnerabilities like unpatched systems and unmonitored networks result from the shortage of personnel, cultivating skilled personnel remains a critical factor in countering adversarial threats in cyberspace.

To develop a robust cybersecurity environment, Taiwan established the Cyber Security Management Act in 2019, which mandates firms to define their cybersecurity defences, incident response strategies, and recovery plans in detail while training cybersecurity professionals. Through cybersecurity exercises and discussions, Taipei is also working with other countries to develop a skilled cyber workforce.

Quad and Taiwan

Several voices have been calling to reduce dependence on Chinese products in Taiwan. The attacks during Pelosi’s visit compromised electronic equipment made in China, so the issue of possible backdoors and trojan malware in Chinese software and hardware has resurfaced. As Taiwan looks to reduce this dependence, a similar aim is now being pursued by the Quad partners – India, the US, Australia, and Japan. While focusing on developing collective resilience in cyberspace, the four partners are now looking to create robust global supply chains, reducing dependence on China.

An example of Quad’s efforts can be seen in the rare earth minerals domain, where the Chinese monopoly is now being challenged through cooperation and coordination among the Quad partners. In an unfolding development, India is looking to establish itself as a semiconductor hub, a move that will bring the South Asian nation closer to Taiwan, irking Beijing in the process.

Similar to Taiwan, India faces increasing cyber threats from China. This has been visible in several reports highlighting persistent cyber espionage campaigns on India’s critical infrastructure like power grids and disinformation campaigns in synchronised attempts with Pakistan. These campaigns have been aimed to sow doubts in the Indian society over Indian governance and military capabilities. As Chris Inglis defines it, this marks the third wave of cyberattacks.

Similar to an exponential increase in cyberattacks faced by Taiwan during the Pelosi visit, India has faced such a phenomenon during the Doklam standoff in 2017 and the Galwan valley clashes in 2020. Similar to Taiwan, New Delhi has also not attributed these attacks directly to Beijing or its agencies.  This remains in stark contrast to Quad partners like the US or Australia, who have sought to utilise public attribution, collective public attribution, and intelligence-sharing frameworks like the Five Eyes Alliance to respond to Chinese cyber campaigns by explicitly bringing them to light.

All the Quad partners extensively cooperate with Taiwan on economic and people-to-people fronts.  It has been pointed out in recent years that both India and Taiwan lack cyber defence capabilities. Given the significance of the countries for the Indo-Pacific construct, which is at the core of the Quad partnership, there remains both the scope and necessity for greater cooperation between Taiwan, India, and the Quad partners in the cyber domain. To build collective cyber resilience and defence, robust cyber partnerships are now vital.

(Views are personal)

Related