During the Taiwan Strait ‘hacker war’ of 1999, the National Security Bureau alone recorded 70,000 hits in a single month. By 2012, that number had reached 3.34 million. Is the nation ready to meet the challenge of cyber warfare?
It has been a long since anyone fired in anger across the Taiwan Strait. The last large-scale outbreak of hostilities was the 1958 Taiwan Strait Crisis and minor clashes throughout the 1960s. Since then, political change in Taiwan has transformed cross-strait relations from one of a dispute over which government represents “China” to one of Taiwan’s efforts (admittedly not universal) to preserve its de facto independence and China’s fundamental opposition thereto.
In recent years cross-strait relations have been hailed as “stable” due in large part to the conciliatory policies of President Ma Ying-jeou (馬英九). However, whatever rapprochement observers may have had in mind when describing post-2008 China-Taiwan relations, one area has been markedly different — in fact, conflict in that sphere occurs every day. That area is cyberspace, and Taiwan has been experiencing cyber-attacks for a very long time. The situation is serious enough that government officials often cut the diplomatic speak they normally use when they refer to the military threat from China. For example, arguing for Taiwan’s participation in the U.S.-led Cyber Storm exercise, Vice Premier Simon Chang (張善政) left no doubt as to what was the principal threat facing Taiwan today:
“Taiwan has no enemy in the international community except you-know-who.
Who in the world would try to hack Taiwan?”
Chang, a former director of hardware operations for Google Asia, knows what he is talking about. According to a report in The Age, Taiwan’s executive branch experienced nearly 2,000 attacks per week in 2013. That number does not include other governmental institutions, the military, and business. Moreover, it may take months or even years before an attack is identified and immediate attribution is generally impossible, unless the perpetrator was really clumsy. The recent hacking into the U.S. Office of Personnel Management (OPM) is a good example. To make matters even more complicated, the extent of the damage from a cyber attack is typically not immediately clear, and proper investigation and damage assessment after a sophisticated breach takes time.
This is one of the factors that distinguish cyber-attacks from “kinetic” attacks. After a kinetic attack, the state usually knows, if not immediately then in a short time, who fired the shot and what was the extent of the physical damage caused, and is therefore able to choose a proportional response. After a cyber-attack, however, the damage assessment is lengthy and identifying the perpetrator can be greatly challenging. Often, the real source of an attack cannot be identified beyond reasonable doubt.
This, naturally, applies during peacetime. During conflict or immediately before the commencement of hostilities, the incentive to hide one’s actions is greatly reduced and the attacker may concentrate on brute force with the help of pre-planted viruses, worms, and Trojan horses inside an opponent’s computer systems.
Cyber security is not a new phenomenon. The first documented cases of significance go back to the 1980s. One of the first was the hacking into the Lawrence Berkeley National Laboratory (LBNL), which was conducting sensitive research for the U.S. government. The perpetrator was Markus Hess, a German national who was selling information to the Soviet Union. Hess hacked the LBNL using a modem. Earlier in the 1980s, the CIA launched an operation using information from France’s Direction de la Surveillance du Territoire (DST) to flood the USSR with faulty hardware and software that allegedly resulted in the 1982 Trans-Siberian pipeline explosion. Whereas the first example was probably the first recorded remote hacking of a government network, the latter is an early example of the manner in which software and hardware can be used to conduct sabotage and result in real physical destruction.
Taiwan has faced a cyber threat for several years. The first high profile and publicly known case occurred during the cross-strait “cyber war” in 1999 following statements by then-president Lee Teng-hui (李登輝) referring to cross-strait relations as a “special state-to-state relationship.” In July 1999, hackers on both sides got involved. Defaced websites and other forms of web vandalism, the paralyzing of mainframe computers and attempts to introduce computer viruses into the opponent’s systems were part of the exchange. The “hacker war” also involved posting false news. For example, at the beginning of the crisis, a website owned by a Chinese company posted a false report that Chinese Su-27 aircraft had shot down a Taiwanese F-5E. The news reportedly resulted in a 2 percent drop in the stock markets. What is significant about this incident is that it involved private individuals who joined in the attacks. In fact, it is possible that there was no significant involvement by state actors. This is an area where the difference between the relative military power of the two states gets blurred. Individuals may voluntarily join wider efforts against an opponents’ information infrastructure and thus add to a states’ offensive efforts.
However unsophisticated attacks by individuals may be, the defender must nevertheless deal with them, which complicates the effort. It is also something that could play to Taiwan’s advantage. While China relies on its so-called cyber army, attacks on democratic Taiwan could result in widespread, Anonymous-style retaliation against the Chinese cyber space. However, the real concern is not individuals defacing government websites or participating in distributed denial of service (DDoS) attacks, such as the attack on GitHub in March 2015. Rather, the main challenge is defending against Advanced Persistent Threats (APT) attacks that require levels of sophistication that are typically out of the reach of disgruntled individuals. APT attacks are designed to evade detection by maintaining a low profile, slowly penetrating a system and remaining there in order to collect information (the OPM hack is an example), sabotage control systems, or cause physical damage. Whereas it is usually the first, the other two options could be exploited in the opening stages of a military conflict to add to the damage caused by kinetic attacks.
What has changed since the early days of cyber threats? Not much, and a lot at the same time. The methods are not very different. What has changed is the extent of interconnection. The days when cyber security mattered only to a limited number of government institutions, research facilities, and bunch of universities are long gone. In Taiwan in 2002, Internet penetration was around 40 percent, making Taiwan one of the most connected nations at the time. And although other countries have since surpassed Taiwan, Internet penetration rose to 80 percent in 2014. In addition, smartphone penetration was 60 percent in 2014. Back in the late 1990s, experts were beginning to point to the high quality of the information infrastructure, an information-savvy population, and a solid education-base, to name few factors, and their potential use in the pursuit of military transformation (more on this here, Chapter 7 more specifically). However, this is a double-edged sword. More networked societies also create more vulnerabilities for attackers to exploit. Moreover, high penetration does not necessarily make sophisticated users. While most people have become used to protecting their personal computers against viruses, they do not necessarily extend the same courtesy to their smartphones. This is a glaring omission, when we consider that personal computers get synced with their owners’ smartphones and data storage is slowly but surely moving to cloud. Combined with a rather abysmal approach to password protection and the growing sophistication of hacking methods, making them indistinguishable from legitimate services, the threat to cyber security is often at the level of the individual user.
When negligence combines with access to restricted governmental or military networks, the damage can be more significant than loss of information. Negligence might not be the only culprit. The other possibility is a successful intelligence operation resulting in physical access to a computer or computers within a restricted network. A good example of this is the Stuxnet worm that infiltrated computer systems at Iranian uranium enrichment facilities in Natanz, which allegedly resulted in the damage of approximately 1,000 centrifuges. Whether it was negligence or an undercover agent, the most likely insertion of the worm into the closed network was via a USB flash drive.
One characteristics of cyber space that stands out is that it is hard to distinguish between cyber security of civilian and military, government and business, or public and private sectors. After all, they all use the same information infrastructure, all of them are trying to secure their information in closed networks, and ultimately any difference disappears when cyber-attacks become part of kinetic military action.
Even before the 1999 “hacker war,” Taiwan’s policymakers and defense planners were becoming aware that networked attacks by China presented a serious threat to national security. One of the first policy steps was the creation of the governmental Computer Emergency Response Team (CERT) in 2001, making Taiwan’s CERT (TWNCERT) one of the earliest of its kind. By comparison, the U.K. established its national CERT only in 2014, while Estonia’s CERT was launched in 2006, just in time to deal with Russia-originated cyber-attacks in 2007. CERTs (or CSIRT – Computer Security Incident Response Team) do not operate exclusively in the government arena. On the contrary, the emergence of private/corporate CERTs often precedes their governmental brethren. However, it is government-led CERTs that are primarily responsible for a country’s preparedness against cyber-attacks, protection of critical information infrastructure (CIIP), and responding to them when the need arises.
Taiwan’s cyber security policy document of reference is the National Strategy for Cybersecurity Development Program (2013-2016) prepared by the National Information & Communication Security Taskforce (NICST), agency established under Executive Yuan in 2014 “in order to promote policies on national information and communication (IC) security, expedite the construction of a safe national IC environment and boost national competitiveness.”
On the military level, the Taiwanese military included cyber-attacks in its annual Han Kuang exercises starting in the early 2000s, and cyber security is part of broader information warfare (IW) preparedness. The latest iterations of the Quadrennial Defense Review and the National Defense Report (NDR) well acknowledge the importance of information security and the extent of the threat posed by the cyber capabilities of the People’s Liberation Army.
However, the military and intelligence agencies are not concerned only with defending against the 100,000 men and women who reportedly fill the ranks of China’s cyber army. Cyber attacks are a perfect asymmetrical weapon. Defense is costlier and places the defender at a great disadvantage against relatively cheap attacks. It is also asymmetrical in that the attacker may impede military operations and decision-making through attacks on the civilian information infrastructure. This works as well for China as it might for Taiwan.
During the 1999 “hacker war,” Taiwan’s National Security Bureau recorded 70,000 hits in one month alone. In 2012, that number was 3.34 million. While military networks may be well protected for the moment, things are different in other sectors. Thus, a concerted effort to protect all the domains of Taiwan’s cyberspace is needed. Where Taiwan should fare well is in human resources. Taiwanese hackers are internationally competitive and the Hacks in Taiwan conference (HITCOM) has developed from a low-profile event to an important international gathering. However, having a pool of talented individuals is of little value if the government and the military are not successful in absorbing part of that talent to address Taiwan’s defense requirements. And there, it faces a challenge similar to that of the military, which continues to struggle to present itself as an attractive career option for young Taiwanese.