The world’s economy is currently experiencing a digital transformation unprecedented in scope and/or scale. The introduction of IoT, AI, robotics and smart manufacturing has realigned the manufacturing and services sectors, changing global value chains and generating new information flows. A likely result of a digitised economy is greater cross-border data flows, greater reliance on digital infrastructure and the creation of innovative digital platforms. This, in combination with the rising number of targeted cyber attacks, will focus government attention on cybersecurity.

The Policies

Digital Nation and Innovative Economic Development Plan (DIGI+)

Taiwan has launched several initiatives to accelerate the transition to a digital economy. In 2016, it announced the Digital Nation and Innovative Economic Development Plan (2017-2025), which is intended to enhance digital infrastructure, reconstruct a service-based digital government, and realise a fair and active internet society with equal digital rights. This strategy is often referred to as DIGI+ and focuses on digital infrastructure, fostering interdisciplinary digital talents, smart cities, smart government and the globalization of a digital service economy. According to the Executive Yuan Office of Science and Technology, the plan’s main goals for 2025 are to grow Taiwan’s digital economy to NT$6.5 trillion (US$205.9 billion), increase the digital lifestyle services penetration rate to 80 percent, speed up broadband connections to 2 Gbps, ensure citizens’ basic rights to have 25 Mbps broadband access, and put Taiwan among the top 10 information technology nations worldwide.1

5+2 Innovative Industries (推動五加二產業創新計畫)

Another noteworthy policy is the 5+2 Innovative Industries Plan, a development strategy to create an Asia Silicon Valley in Taiwan. The plan covers seven industries and projects: intelligent manufacturing, green energy, biomedical, national defence and aerospace, and agriculture. The focus on these areas is expected to move the Taiwan economy from contract manufacturing to a new commercial model centred on high-value-added business, services and solutioning. This shift is expected to stimulate innovation, boost the competitiveness of industry and increase corporate profitability, all the while raising wages, creating jobs and bringing more balanced development to all regions of Taiwan.2

National Strategy for Cybersecurity Development Program (國家資通安全發展方案)

However, in order to fulfil the promise of these policies, it is necessary for participants to embrace cybersecurity in all of its dimensions. The government has recognised this linkage and has promoted a number of initiatives for enhancing its cybersecurity sector, including adoption of the National Strategy for Cybersecurity Development Program (2017-2020), which integrates cybersecurity industry development into Taiwan’s 5+2 Industrial Innovation Plan. The Executive Yuan began investing what will total NT$11 billion (US$377 million) by 2020 into cybersecurity efforts under the national technology development plan and the Forward-looking Infrastructure Development Program. Moving forward, the Executive Yuan will lead the way in establishing and promoting industry standards and certifications in order to build a strong brand for Taiwan’s enterprises and furnish a sound and secure cyber environment for key domestic infrastructure. This work will also support and assist Taiwan’s cybersecurity industry as local firms seek to conquer global markets.3

Cybersecurity Management Act (資通安全管理法)

In May 2018, the Legislative Yuan passed the Cybersecurity Management Act (資通安全管理法) to create a secure and stable cyber environment in the public and private domains. The Act mandates stringent requirements for providers of critical infrastructure (關鍵基礎設施提供者) to establish adequate cybersecurity management plans, levels of protection, and response mechanisms. The legislation defines providers of critical infrastructure as providers of tangible or intangible assets, systems, and/or internet resources that are of high importance because their impairment will have a substantial impact on, or endanger, public interest or economic activity. Industries of high importance within the purview of the Cybersecurity Management Act include information technology and communications, banking and finance, high technology parks, transportation, energy, water, emergency services, and public healthcare.4, 5

In general, providers of Critical Infrastructure will need to:

      1. implement a Cybersecurity Maintenance Plan (資通安全維護計畫);
      2. notify the central competent authority for its business of any cybersecurity incidents (資通安全事件).

Cybersecurity Maintenance Plan

Providers of Critical Infrastructure should formulate, revise and implement a Cybersecurity Maintenance Plan to conform with the requirements of its risk level (資通安全責任等級之要求) as decided by the Administrative Yuan and in accordance with the types, quantity of information and nature of the data they keep or process as well as the scale and nature of their cybersecurity system.

In addition, Providers of Critical Infrastructure are required to report the implementation status of their Cybersecurity Maintenance Plan (資通安全維護計畫之實施情形) to their competent authority for inspection. In case of any defects or insufficiency, the Provider of Critical Infrastructure must rectify the defects and submit an improvement report (改善報告).

Notification Requirements

To deal with potential cybersecurity incidents, the Act requires Providers of Critical Infrastructure to establish a report and response mechanism (通報及應變機制) in advance.

When there is an identified threat to the systems, services or internet status which may affect the operation, availability, integrity, authenticity or confidentiality of its IT system, the Provider of Critical Infrastructure must immediately notify its competent authority after becoming aware of the incident.

In addition, the Provider of Critical Infrastructure should submit a report with details about its investigation, handling and improvement (調查、處理及改善報告) following each cybersecurity incident to the competent authority that oversees its business. In the case of significant incidents, the report should be sent to the Administrative Yuan as well.

Enforcement

The central competent authority for the business can directly impose a fine of TWD 300,000 to 5 million (approx. US$ 10,000 to 168,000) and also order the Provider to rectify the issue within a prescribed period of time when the Provider of Critical Infrastructure fails to issue the required notifications of the cybersecurity incident. If the Provider continues to be negligent about reporting, the fine can be issued on a consecutive basis.

Regarding a violation of the other obligations stipulated in the Act, the competent authority for the business will first order the Provider to remedy the shortcoming within a prescribed time. If the Provider fails to improve before the deadline, fines of TWD 100,000 to 1 million (approx. US$ 3,400 to 33,000) can be imposed on a consecutive basis.

The Department of Cyber Security has indicated in the Taiwanese media that the Act will take effect in two phases. The Department expects that the Act will come into force for public agencies starting around 1 January 2019. It further expects to put the Act into force for private entities, including designated critical infrastructure operators, in June 2019.

Next Steps

The moves by the Taiwanese government to tighten cybersecurity regulation should be applauded and echo what the US and the UK have done. It’s a good first step, and it is prudent to start with government agencies and critical infrastructure. However, it’s important that Taiwan continues to improve the regulation and apply it to a broader range of businesses. It should look for inspiration from programs like the UK’s Cyber Essentials scheme (https://www.cyberessentials.ncsc.gov.uk/), which is a UK government information assurance scheme that encourages organisations to adopt cybersecurity best practices. It includes an assurance framework and a simple set of security controls that can be easily implemented by organisations of all sizes. There are two levels of certification:

Cyber Essentials: Independently verified self-assessment. Organisations assess themselves against 5 basic security controls and a qualified assessor verifies the information provided.

Cyber Essentials Plus: Provides a higher level of assurance. A qualified and independent assessor examines the same 5 controls, testing that they work in practice by simulating basic hacking and phishing attacks.

The five controls when implemented properly help protect against unskilled internet-based attackers using commodity capabilities. The program enables smaller organisations to show their customers that they take cybersecurity risks seriously. In addition, the UK government has made certification a requirement of doing business with the government.

Innovative Cybersecurity Leads to Innovative Businesses

The government has a goal of placing Taiwan in the top 10 information technology nations. Taiwan already has significant technical capabilities, but to reach this goal it needs to move the economy from contract manufacturing to a new commercial model centred on high-value-added business and services. This migration will require deep investment and innovation, not just in technology but in people and processes. Taiwan will not be in the top 10 information technology nations unless it incorporates cybersecurity capabilities into the core of government and business.

We know from research that cybersecurity excellence drives business innovation. Businesses that have strong cybersecurity practices can take greater risks and innovate at an accelerated rate. Companies in Taiwan must follow the government’s lead and incorporate cybersecurity excellence within the DNA of their organisations. If they fail to do this, competitors from other countries will out-innovate them and Taiwan will miss the opportunities available to it.

Talk to us if you have questions on how to transform your business with cybersecurity. We provide a broad portfolio of solutions to address the needs of any business, no matter the size. Contact us to learn more.
