2022.09 The Taiwan Banker NO.153 / By David Stinson
A Plan to Thrive Under Cyber Harassment
Banker's Digest
In August, China responded to the Taiwan visit by US House Speaker Nancy Pelosi with attacks designed to intimidate it and its allies. The kinetic portion of these operations featured a Taipei missile overflight and operations off its coasts, but these responses remained physically distant from the Taiwanese people. Therefore, China also targeted Taiwan’s civil society through a series of cyberattacks on infrastructure such as government websites and banks.

It is becoming increasingly likely that Taiwan’s foreseeable future will feature such escalating “grey-zone” attacks. These tactics are generally the result of China’s frustration at Taiwan’s political inclinations, rather than a strategic plan to eventually annex it. The main way that the grey zone could potentially serve that aim would be to conceal an impending attack – but the scale of forces required for a full invasion would be so large that they could not be maintained on an ongoing basis.

Although more than we know has probably occurred behind the scenes, the cyberattacks that have been reported so far were designed not to truly disrupt society or the military, but instead to be seen by the public. By implying that China has further tools at its disposal, they aim to harm morale. If an invasion were a reasonable option for China, however, they would simply do it rather than show off.

Taiwan should therefore see the present situation not as a reason for passivity, but as an opportunity to improve its resilience, taking China’s warning as a challenge. Cybersecurity is one area in which it could potentially also improve its economy in the process, but before it plans a response it must consider more precisely what problem it hopes to solve.

Security starts from coding practice

This is not as easy a proposition as it sounds. The term “cybersecurity” could potentially refer to almost any aspect of security in the networked era.
Popular expositions on the topic frequently take shortcuts like confusing methods with targets – i.e. phishing and personal information protection. The various aspects of cybersecurity are so diverse that it might almost be better to abandon the term altogether and start from elsewhere.

Most non-specialists tend to assume that cybersecurity is closely related to algorithms, the central topic of computer science, and the most basic competency software companies seek when hiring. Indeed, there is a rich area of overlap between the two in the field of cryptography, but problems of this nature are generally far removed from the everyday work of system security.

To see why, it might be helpful to understand the development of programming languages over time, as a reflection of the gradually increasing importance of security in computer science. Python – first released in 1991, only five years after the creation of the first virus – uses a design philosophy of “better to ask for forgiveness than permission.” To be clear, its approach was an innovation over older assembly-level languages like C, which are neither safe nor user-friendly. Nevertheless, that approach is becoming recognized as flawed for an increasing range of applications, for reasons that should be obvious to anyone with a legal background.

Rust, which has gained prominence in recent years, is an example of a more modern language designed with the opposite approach. There are several aspects to this safe design, but one of the most important is simply error management. And errors are fundamentally nothing more than text strings which are meant to be read by humans (programmers themselves, others within the organization, or less ideally end users). This comparison should make it clear that many problems in software development are in fact issues of organizational management, rather than purely programming.
That realization should both encourage those without technical skills not to be scared of the topic of cybersecurity, and also point to the connection between safe software and other aspects of management processes.

Know your attacker

Most mistakes simply reduce the functionality of a program, if they have any effect at all; only a fraction turn into vulnerabilities. Thus, the most important way to improve cybersecurity from a national perspective is to build a software industry. Notably, the skills to create safe software align closely with those to correctly use outside software – which will be the vast majority of software in any organization, and also the most important source of vulnerabilities. The vast majority of companies can simply import systems made by industry leaders for sensitive tasks like password storage, as long as they understand their security requirements. A vibrant software industry would help reduce Taiwan’s overreliance on outdated or unsafe platforms, which is one of its most urgent security problems.

Of course, Taiwan’s ultimate target is not software development, but resilience to state-level attacks. In that case as well, however, many of the skills needed are not purely technical in nature. Rather, they fall under the broad category of open-source intelligence (OSINT). This aspect of cybersecurity involves the use of detective work to create and refine threat models – assumptions about potential attackers.

In an interview, Jon DiMaggio, author of The Art of Cyberwarfare, noted the importance of differentiating between different types of attackers. “When you have an advanced threat…the main difference is, there is a motivated human with an objective. When North Korea attacked the Bank of Bangladesh, they spent a year prior preparing for that, before they actually tried to make the first fraudulent transaction. A year!
Your traditional criminal or automated threat – most of the stuff you see – is not spending a day, let alone a year.” He also noted the persistence of such threats. “If they can’t get into your network…they’re going to have multiple campaigns. It’s never once. When you have an advanced threat, there’s going to be many attacks for a single objective.” They will also target individuals personally, not just organizations. Thus, it is essential to understand the intentions of attackers in order to design a response.

Regarding national strength, as the term “intelligence” implies, civil and military capabilities will likely develop in tandem. Intelligence sharing agreements with other countries will be helpful. At the same time, the field of OSINT is also growing quickly, including for civilian purposes such as law enforcement, so the private sector can also play an important role. OSINT requires strong logical foundations and knowledge of software ecosystems – but in ways very different from pure software development. This aspect of cyber defense could also turn into a business opportunity for Taiwan. Outsiders may look for understanding of Chinese attackers from people with an understanding of Chinese language and culture.

The Israel of Asia

Whether it is software management and development, intelligence, or cryptography, the key bottleneck is always human resources. This is a somewhat complex problem because most of these skills are difficult to learn in the abstract context of university classes. Rather, they can only be learned at the same time they’re put to use. To understand the nature of the growth process, it may be helpful to consider the case of a similar small country which has managed to turn its isolation into an advantage over time: Israel.

Israel could now be characterized as a software superpower, having moved past decades of boycotts, divestment campaigns, and travel restrictions.
Google, Facebook, Microsoft, and Intel all have extensive operations in this country of 9 million people. Moreover, its cyber defense industry is world-class. Sales of its Pegasus spy software have not only earned the country at least hundreds of millions of dollars, but also become an important tool for its foreign policy. The Stuxnet virus (widely assumed to have been partially developed by Israel) remains legendary over ten years later, having disabled Iranian nuclear systems that were not even connected to the internet.

Israel’s software industry benefits from the intensive military service of its citizens. Most of its young people have real wartime experience, which they often bring into the private sector. In particular, its Unit 8200 is known as a factory for future IT entrepreneurs. The US, for its part, similarly benefits from its world-leading research university system, as well as the Silicon Valley ecosystem. These structural factors have helped produce knowledge in these countries in the areas of pure mathematics relevant for classic code breaking, like number theory. (Unit 8200 works on signals intelligence, or SIGINT).

It would be difficult for Taiwan to replicate such conditions in a short amount of time. Instead, growth of the software industry is likely to be the quickest path to Taiwan’s development. Stringent legal requirements for cybersecurity could create demand for relevant skills at market scale. This checklist approach is unlikely to produce industry-leading results, but in any case, state-of-the-art cryptographical research frequently only reveals highly theoretical attacks that may be interesting on paper but highly unlikely in practice. Meanwhile, it is unlikely that attacks on 7-11 signs, for instance, were particularly sophisticated. Taiwan will need to start near the bottom of the value chain to develop its capabilities. At the same time, though, the military draws from the same labor pool as the private sector.
Progress in any given area can contribute to the strength of the nation as a whole. This will be a multi-step process, which is why it’s so fortunate that China has given so much advance warning.