-
Hello.
-
Lucas? Hi, Lucas.
-
Hi, Jason.
-
Can you hear me?
-
Hi. I can.
-
Great. Let’s get started. I guess we are all running a very precious time constraint here. First of all, thank you for staying up late, Lucas. Audrey, I thank you for taking time out of your super busy schedule. I know this is completely not easy. I thank you. Thank you.
-
As I’ve shared with you just now, Lucas and I have been developing a cyber study program based out of Oxford. We believe that this would be very useful and beneficial for Taiwan, given the current situation of Ukraine and Russia. Also, that now, you are in charge of the new ministry. I believe that cyber security would be an important focus too.
-
I’ll hand it over to Lucas. Lucas, maybe you can take it over from here.
-
Please.
-
Thank you, Jason and Audrey. It’s fantastic to meet you. I know you’re doing some very exciting things in Taiwan that I’d love to learn more about. If not today, in some other occasion.
-
I’m burning the midnight oil here in Oxford, England, as they say. Jason, I had a slide presentation just to briefly go over the project. I don’t think that I can share my screen, because I’m accessing this meeting through…
-
Ah, you’re through the Web.
-
…Web room.
-
I see. Or you can – I don’t know – paste the link somewhere.
-
I don’t know. Jason, would it help if I emailed it to you?
-
I don’t think I can share it either. Audrey, do you have access to a computer right now?
-
Yes, of course.
-
Maybe you can…
-
You do have my email, right? Just email the slide to me and say which slide.
-
I’ll do that.
-
You can email the slides to both of us. Maybe you can just go through it as you speak.
-
I’ll do it right now. Just give me one quick second.
-
Sure. Sure. Sure.
-
OK.
-
While Lucas is fixing your slides, Audrey, I’ll have to find the chance to bring you to speak at the Harvard Kennedy School. I’ll be great to do something. You can just via video, via Zoom. I think a lot of people here are very interested to hear you speak. That’s why…
-
Sure thing. I think David Eaves is also at HKS?
-
Oh. David Eaves. Yeah.
-
Yeah.
-
OK.
-
He’s a long-time collaborator.
-
Almost there.
-
Sure. Sure.
-
You’re in Boston right now, uh, Jason?
-
Yeah. Yeah. Very cold here.
-
Attaching and sending now. OK. Sent to your respective email.
-
It’s going through some very important cyber defense filters… I haven’t received it yet?
-
(pause)
-
That should be a shared screen pop somewhere.
-
Yes. Yes. I’m pretty sure it has.
-
Yeah.
-
I think on the app it does, but for some reason it took me through the web browser.
-
Oh, really?
-
You know what? I think I might be able to…
-
Yes.
-
Here you go. Here you go. Yes. I do see the screen.
-
I haven’t got Lucas’.
-
No. I haven’t either.
-
Lucas, are you able to…? If you click on…Do you see the button on the screen that has a sharing function? No?
-
I don’t think through the web he could share.
-
Not in the browser or web. We’ll just have to wait for the…
-
…to wait for the slides.
-
You haven’t gotten them yet?
-
No. I have not.
-
Interesting. That’s going to be last to my inbox.
-
I have another email. Maybe try that. If Jason haven’t receive it yet, then maybe it’s not me.
-
I got it now.
-
You do?
-
Hold on a sec. Opened it. Let me see how…
-
I got it now. Feel free to begin and say “slide one” or something.
-
You have it opened?
-
I do.
-
Audrey, I won’t take all that much time. This is hopefully…
-
It’s fine.
-
…just to help organize the thoughts about what the project’s background and objectives are. The background to the project is what we consider to be a very strong case for the necessity for more research on cyber issues.
-
I think in large part, that has to do with the big gaps that exists in the scholarship. There is a lot of research of course on cyber security issues within computer science and other technical communities, but what’s really lacking is research on these issues from the perspectives of political science, international relations, policy studies, and so forth.
-
Which is quite extraordinary when you consider statements such as your own precedents recently that Taiwan is in the front lines of cyber warfare, or President Joseph Biden recently referring to cybersecurity as the core national security challenge in the United States, and various other statements. I could go on to illustrate this point.
-
Also, at the same time, we see that there are enduring gaps in policy understandings about what to do with cybersecurity. Again, there’s been quite a bit of progress in thinking about the technical dimensions of the problem. At the policy level, at the political and legal level, there are still some major gaps in understanding. That’s the background.
-
We think there’s a very strong case for the necessity of cyber studies from our political, international and policy perspective. The situation of your country in this regard is particularly important and notable because Taiwan after all – I’ve now moved on to slide number 3 – is at the center of this general trend, which is the convergence of geopolitics in cyberspace.
-
What’s interesting is that when you look at the history of major incidents of cybersecurity, you see that they have tended to happen on the backdrop of major geopolitical rivalries and contexts. Taiwan, of course, finds itself at the center of China’s rise in the international system and its ambitions.
-
At the same time, Taiwan, of course, has a very advanced and vibrant technology sector which has led to your country being quite a pioneer when it comes to digital innovation in public service, so that I will have to tell you what those innovations are. There have been a number of extraordinary initiatives.
-
I’ve heard of them, yes. [laughs]
-
By the way, I come from a half Estonian background. My father is Estonian descent. I’ve done some research with Estonia as well. I’m sure you’re aware of some of the innovations there, too.
-
What that creates, though, and the Estonians are very clear about this, is that when you create a digital state in a digital democracy, that creates new opportunities, but it also creates vulnerabilities. They can be exploited through cyberspace.
-
On the backdrop of all this, we have, as I noted, the growing threat from mainland China. It’s growing assertiveness in cyberspace and in other domain. Very briefly, it’s perhaps helpful to note some lessons that we can derive from the experience of the war in Ukraine with Russia.
-
What’s interesting about that case, they could provide some lessons and insights for the Taiwan context. Is that in the case of Taiwan, a conventional invasion would be extremely costly for China. The war in Ukraine right now is demonstrating this for Russia.
-
What the PRC could seek to do, and clearly there’s already evidence that this is happening, is it could seek to exploit vulnerabilities in Taiwanese cyberspace, sort of a military invasion.
-
What is also quite interesting about the Russia, Ukraine war, is that before Russia invaded, there were some early warning signs that came through, some major operations in cyberspace, disruption of power grids, the NotPetya malware incident, which we have looked into quite a bit in the Ukrainian business community.
-
We’ve also, broadly, throughout parts of the world, information campaigns and so forth. One interesting lesson there might be that an early sign of a potential military campaign against Taiwan could in fact be breakdowns in cyberspace.
-
This provides further backdrop to explore the political and geopolitical dimensions of cybersecurity problems. With your country in very important way, being at the center of that research topic.
-
Also, very importantly, what makes Taiwan a very interesting context is the rich environment of public-private partnerships. That being also important for a research model. After all, it’s private industry and policymakers such as yourself who are at the frontlines of these issues.
-
We as researchers – and this has been my personal experience – can benefit a lot from your insights, perspectives, data. We’ve proposed and put together with Jason, moving to the next slide, number 4, is a multi-year research project in partnership with Acer Cyber Security, that has two basic missions.
-
One is a research mission, which seeks to produce research outputs that explore the geopolitical dimensions of cybersecurity. That also seeks to apply that new understanding to analyze major policy problems. That’s the research mission.
-
Alongside, there’s a second impact mission, which is to translate that scholarship into a form that is digestible and relevant to the policymaking community in the form of policy briefs, events.
-
What is COSO main here?
-
Sorry?
-
You said especially through the development of COSO…
-
There’s a word missing. It should be COSO theories.
-
Oh, theories.
-
The point here, Audrey, is that we’re not interested in producing academic work that gets published in prestigious journals. That’s something that Oxford University does very well. Any large research university will do well.
-
What we’re interested, is in doing the translation work of taking that new knowledge, these new theories, and applying them in policy context. I can say, broadly, from my university, Oxford has taken a very strong interest in doing what they call knowledge exchange, which is exactly that kind of a translation into the policy world.
-
I think that these sets of topics are very much ripe for such impact-oriented analysis. Slide number 5, please.
-
Sorry, just to ask a clarifying question, what would be an example of a causal theory on a major policy problem?
-
An example would be, why is it that the Chinese has evolved from being primarily threats about stealing intellectual property theft and espionage activity in this domain, to a new threat that looks increasingly like the Russian threat.
-
Which has to do with not quietly stealing secrets, but also interfering in other countries’ domestic political systems in order to cause divisions and confusion, or to undermine the legitimacy of democratic processes. That’s an example of a research puzzle.
-
Then, what can begin to observe empirically. Then, the question is, what causal forces are behind that evolution? One of the things we would do in this project is examine those changes in the observable world, and then come up with theories and hypotheses about why they are happening, then, derive some policy recommendations.
-
How would you confirm the hypothesis without, I don’t know, interviewing the PRC leadership?
-
Exactly. That’s always a challenge whenever doing China-oriented research. It can be quite difficult to get at least reliable data from interview subjects.
-
They might deny all attribution attempts.
-
Exactly. They denied it. This has been my personal experience. For example, in October, I gave a presentation at a university in Singapore, and there were a couple of PLA officers there, high ranking officers, and they completely denied it.
-
They might say “we don’t do such cyber operations.”
-
That’s where you need to move beyond these verbal acrobatics that they take, and look at the empirical data, look at the forensic data, see what’s empirically verifiable on the ground.
-
In terms of motives and goals, there’s a challenge there. It’s a methodological one that one might never be able to ascertain exactly who they are because you can’t get into the mind of Xi Jinping or senior officers. Unless it’s Phoenix, publicly, but they often don’t. We just have to infer those motives in those objectives as best as we can.
-
That’s what I wanted to clarify. Thank you.
-
Yeah. I think your point is your question is an insightful one because there are obstacles to doing this kind of research. Now in slide 5, please.
-
Yes.
-
One of the key objectives of this project that we designed with Jason is to create what we’re calling a policy lab. It’s basically a knowledge exchange environment, where we gather some government and private industry practitioners, workshops, and seminars in Oxford.
-
We also include them in the project’s advisory board, to help us shape the research agenda and also to help us provide policy perspectives on the research topics that we’re exploring.
-
There you’ll see three photos. That’s of an actual event that I hosted with the Assistant Secretary General, Ambassador Sorin Ducaru of NATO, here in Oxford. This was a few years ago. We brought some policy makers from various countries in Europe and also North America and we had these kinds of discussions.
-
I’m very much hoping to replicate that kind of a model, working closely with individuals such as yourself and your colleagues in Taiwan. Of course, not just Taiwan but other allied and friendly countries in Asia-Pacific region, North America, Europe.
-
Next slide, please.
-
Sure.
-
Research agenda.
-
Yes.
-
In the interest of time, I won’t spend too much time on this because I could say so, so much about the topics. We have a rich research agenda. I think the topics will be very familiar to you.
-
Yes.
-
One of them, just briefly, is the whole question of how to adopt international law, norms, and institutions to the problems of cyber security. One of the problems that has preoccupied me a lot is that there seems to be a lot of difficulty in democratic countries to figure out how to respond to major cyber incidents.
-
The reason, it seems to me, is these incidents aren’t like traditional war. They’re not uses of force. You don’t have people die. You don’t see major destruction of physical property and so forth. It’s difficult to classify these incidents within the existing framework of international law. You don’t have clear violations of national territory, of sovereignty either.
-
Yet, it’s clear that the incidents can be quite damaging to political and social interests. Here, about law and institutions. Also, very importantly, is that recurring theme of the geopolitics of cybersecurity in Asia, context of China’s rise and its growing ambitions and assertiveness.
-
Again, this is just a brief sampling of some research topics. We would be looking forward to speak with individuals such as you in figuring out and shaping that research agenda if you were interested, hopefully, in participating. Next slide, please, number 7, on methods.
-
A lot of the research would involve primary data collection, sifting through government policy and strategy papers, reports of forensic incidents, including the kinds of reports that Maverick’s company, Maverick Shih from Acer Cyber Security, could provide.
-
Let me chime in here with…
-
Of course.
-
Acer Cyber Security is a technology partner and we took a project together. Go on, Lucas.
-
Also conducting interviews with leading policymakers and industry executives. We regard this project as interdisciplinary. There will be an important technical component looking at hardware and software vulnerabilities and things like global supply chains of semiconductors.
-
I’ll return to that theme because one of the leading people in this project is a computer science professor. Then also, we plan to organize simulation exercises of major cyber incidents, international and regional incidents.
-
This is where the policy lab becomes quite important, where we want to gather people here in Oxford from various parts of government in different nations and companies. Go through this simulation exercises in order to work through in realistic scenarios, possible solutions to these policy and legal challenges that I was referring.
-
Next slide, please. Number 8. I’m nearing the end of the presentation.
-
That’s OK.
-
Then in terms of the outputs, we are proposing to produce a series of written products. Things like research papers, and then shorter policy briefs targeting a professional audience reports derived from the front panel discussions at the workshops and seminars.
-
Also the simulation exercise that I mentioned with some datasets, showcasing the findings of those experiments. Then also, that’s the research aliquot. Then we have these events, workshops, policy lab, meetings, which would probably happen on the sidelines of our workshops.
-
Then a running seminar series throughout the academic year here in Oxford. The idea is to make this very much an interactive and dynamic project. Then again, it’s not a few academics doing research in a library or in their offices. There’s a sustained dialogue with policymakers and industry executives. Next slide, please.
-
Sure.
-
This is the academic team which comprises of myself. One of the things I do here in Oxford is I serve as a co-director of the university’s Center for Doctoral Training in Cyber Security, which has existed since 2013. I believe we were one of two universities, we started together in the United Kingdom to start such a center.
-
It was quite an innovative experiment. Also, a very important member of the team is Professor Richard Kaplan. He’s an expert in international relations and international organizations, United Nations, conflict resolution and so forth. He’s also the director of the University Center for International Studies.
-
Then also my other very close colleague, Andrew Martin, who is a professor of systems of security, and also the main director of the Center for Doctoral Training in Cyber Security. He would be responsible for overseeing the technical aspects of the research.
-
He’s expert in trusted computing, I believe.
-
Exactly. He’s an expert on the security of distributed assistance. Do you know, Andrew?
-
I heard of, but not directly.
-
OK, interesting. Next slide, please. Also, we have built up strong institutional support within the university for this project involving the research manager of my department, which is the Department of Politics and International Relations.
-
That’s Elizabeth Hodges, and also Nick Stone Villani who’s a senior development officer here at the university’s development office. With any safe project involving external stakeholders, there’s always a very important institutional factor. This is the final slide, please. Number 11.
-
This will give you a sense of Oxford’s cybersecurity research community. I don’t know if Jason’s going to like to hear this because he’s at Harvard now.
-
I left the Harvard Kennedy School seven years ago, where I was a researcher and came here to Oxford. I took my research here because there’s a really strong tradition of doing cybersecurity research in this community.
-
In perspective, The university is recognized as an academic center of excellence in cybersecurity by the UK’s National Cyber Security Center. The Department of Politics and International Relations, where I primarily reside, has a long history of exploring these political aspects and policy challenges on cybersecurity.
-
Then there are a number of other initiatives, they’re way too long to list here, but the point is that we do have a very diverse and mature cybersecurity community and it’s very interdisciplinary. This is a great place. It’s a great environment to bring people and researchers to work in this area. I’ll finish with that, so thank you very much.
-
Just…
-
Yes?
-
Just a complication. I’m physically in Harvard, but my heart is at Oxford.
-
(laughter)
-
Also, this project that Lucas just described, is a project that Lucas and I have been working on for almost two years when Lucas first invited me to be a visiting fellow at Oxford, at his department.
-
Although, the COVID-19 prevented me from actually going to Oxford to work with him, but we were able to actually work on this remotely and virtually. Very happy to see this come this far, but just to add to that.
-
Jason was one of the first non-visiting visiting fellows that we had here. [laughs]
-
Virtually visiting fellows?
-
(laughter)
-
Yeah.
-
Audrey, hopefully this can strengthen your defense of…
-
Let me add to the importance of having all this feedback here. Because we wanted to get the government involved, because we believe that the work that is produced along with private sector will have implications for Taiwan center front.
-
We wanted to hear your feedback, Audrey, to your program for, I know you are still in stealth mode. I don’t know how much you can share, but we’re happy to see if this can be something that either be happy to…
-
I think you broke off there.
-
…work together, or some, only the angle that maybe you can help co-initiate or something like that. Happy to hear your feedback on this.
-
A couple of points. I think this is timely and important. It’s very ambitious. It’s one of the more ambitious scopes that I’ve heard from the academia community. Congratulations on getting support from Acer Cyber Security IT Solutions. I think it’s one of the most major partners in the private sector here that can help you. It is a good project.
-
Now, just to set your expectations, I’m not in charge of overseeing the cybersecurity department. I am just in charge of setting up the organizational and institutional structure of the upcoming administration 資通安全署, which is different from the current Department of Cyber Security 資通安全處, and the national institute 資通安全研究院 that would liaises with the research community and practitioner community, much as how you would expect a Cyber Security Center of Excellence would do.
-
So sometime later this year, 資通安全署 and 資安研究院 would be both in place. As for now, we do have some initial progress for centers of excellence, and there are some preliminary researches which is all open-source intelligence. If you search for Taiwan Center for Cybersecurity Excellence you will find some time, but they are as I said, in pilot stages and I’m not currently in charge of those.
-
I’m just aware of those, because I’m preparing the institute and the administration. That’s just to set your expectation.
-
With that said, there is strong interest, especially around this information, election interference and so on, things. Because in Taiwan, every year, we either do election or referendum. There are abundant empirical data leading up to either the yearly referendum or election. Jason probably already knows there is this whole bunch of researchers such as Doublethink Labs, IORG, the INDSR and so on.
-
They are already working in produce, I believe, English and Mandarin reports on the thought of empirical backed attribution, or such studies that you have outlined. The forensics as well as other technological underpinnings are probably exactly the same as your technological underpinnings. They’re your natural allies for the next few months, and I would encourage you to reach out.
-
That’s just at the top of my mind at the moment. Feel free to continue the conversation. I don’t have anything for the next 24 minutes.
-
Thank you for that clarification. It’s helpful to know what the institutional scene on your side looks like. I realized and Jason had alerted me to that reality, that it’s a shifting ground.
-
Yes.
-
Let me just say the following, and I learned this very much from my experience running some projects on some policy challenges and initiatives in Estonia. Because we run a multi-year project in Estonian government and the European Union years back, with covering some similar themes.
-
One thing I’ve learned from that experience, which was maybe the most important lesson, is that there is no need to separation between the cyber security problems and the development of the digital society.
-
In a way, there are distinctions. I like to refer to them as the dark side of cyber space and the sunny side.
-
The nice and not so nice?
-
Exactly. The sunny side is things like online voting, which Estonians have been doing since 2005 at the municipal level or things like e-tax filing and so forth. That’s very much the positive side, because it reduces the distance between citizens and states.
-
It cuts down on government bureaucracy. It improves public service efficiency. All these things that you know, of course, very much a lot about. The cyber security issues and challenges are always closely entwined with those positive developments. Of course, that has to do with the underlying technologies.
-
One thing I’ve learned through that previous research experience is that it’s important from the very beginning of a project of this kind to involve closely people who work on the digital society side. Maybe not necessarily on the security side.
-
Even though, of course the cyber security and the info sec people, sure. They’re very important, should be there as well. I guess you can take this as a plea for your involvement in some way in these discussions and in these activities. Does that makes sense for you?
-
It does. I’m just trying to figure out the contributions that I can possibly make, aside from making introductions. Jason is very good at that too. [laughs] At the end of the day, to gather empirical data, you would need the actual cases of the global supply chain being interfered with and things like that.
-
Then you would want to simulate those scenarios, replaying it, so to speak, to gorge the response from the private sector and public sector leaders and also from the society as well. How can I help in that agenda?
-
That’s a legitimate question. What could be really valuable input from your perspective is if you could help us researchers understand what the next stage of digital public services are? What new citizen initiatives are being developed? What that would do…
-
(audio skips)
-
…anticipate some of the current and future challenges in cyber security. What the cyber security crowd would tell us…That’s one of the hard data about things like incidence and threats would come.
-
Rather helping us understand and shape an accurate view of what that background of the digital society and the digital state in Taiwan is. Again, in my experience with Estonia, I was talking very closely with people like Taavi Kotka.
-
I don’t know if you know of him. He was the CIO of Estonia back then. He would tell us, he’s like, “I’m not a cyber security guy, but you know what? We are changing the design of our national ID system,” because they wanted to strengthen the unique personal identifier.
-
They said, “You can’t really do cyber security research in Estonia unless you know that we’re developing this.”
-
I’m quite aware of that change.
-
Of course.
-
We’ve been on the same panel for a while back. Let me ask you this. Are you planning to do something like that? Getting a gold card, getting a residence certificate in Taiwan participating our services by yourself or do you have a partner, researchers, or institutions other than Acer Cyber Security in Taiwan that does that for you?
-
At the moment, we have initiated discussions with Acer Cyber Security. As you noted, Audrey, our common friend here, Jason, is hyper-connected. I know that he’s been very active in helping to connect us with other relevant companies and organizations in Taiwan.
-
At the research stage, yes, absolutely, we will want to include more participants and integrate them into the advisory board, into the policy lab, and these workshops and events here in Oxford.
-
Jason, maybe you can help answer this. We’re still building that momentum.
-
Which stage are you in?
-
Also, let me add to that. From our discussions with Acer and Maverick, his sentiment is, he will like government’s involvement in this. He believes that the work that we produce, or research that we produce, will have the very important implications for governments, including their intelligence, and etc.
-
They can be the execution partners, in whatever ideas that come out of this research. I think that’s why they said that they would like to sponsor this project, but then, they would also like to see government to also play a role in it, instead of then paying for the whole research cost. Put yourself, three-year project.
-
They also want government involvement in supporting this, so that the result of the research won’t be just a private sector-oriented only. They believe that at the end of day, the cybersecurity has to be a public-private collaboration.
-
By three years, which three years do you have in mind?
-
We’re hoping to start imminently as soon as possible. We’ve been in conversations about this project. Jason, since around the summer of last year, we had to go through a lot of steps.
-
Particularly, me, internally in the university. I had to get this approved and cleared at many levels. I had reached that stage. We’re at the execution stage if we come to an agreement.
-
Jason said three years. We regard that as an initial phase, and then, we see how the project goes. If everyone is happy with the successes of the outcomes, then, we would explore expanding the project to further years.
-
I see. As I mentioned, when you say government, there’s three very different branches working on this particular issue in parallel. One, I had already mentioned, is Institute for National Defense and Security Research, the INDSR.
-
They’re on their own track. I’m not intimately aware, but I do read their reports. They analyze, for example, PTT posts during the pandemic, for attribution about the infodemic. That’s to say, the information manipulation, for example, anti-vax, and things like that, and look for patterns for manipulation.
-
They do have partnering programs working on that. That’s one branch. The other branch, as I mentioned, is the institute 資通安全研究院. That’s the more futuristic branch. The other branch, which is more prominent anyway, is the social sector. You mentioned the g0v. Folks and many people who participated in g0v, started their own labs, IORG, Doublethink.
-
When working on this issue, not just to empower the social sector, but also work with international correspondence to produce reports that would make sense for the international audience as well, not just for domestic consumption. They actually have larger visibility for domestic discussions.
-
Audrey, there’s a new ministry the Ministry of Digital Affairs.
-
Yeah, the moda.
-
MoDA, right. Will it contain the cybersecurity bureau? I heard that cybersecurity affairs will be merged under that new ministry. Is that correct?
-
It’s the administration, 資通安全署. In a sense, of course, the administration is led by the ministry, but on the other hand we call them an administration because they make their own laws and regulations and so on. The ministry would play a supervising role. However, the administration will have more autonomy than a department, 處. There will also be another administration, 數位產業署 too.
-
I think that’s so helpful to understand and in response to this, I would reiterate the point about the importance of inclusivity. We’re trying to be comprehensive about the kinds of participants that we can include in such research.
-
Hopefully, covering the people who work exclusively on security and defense issues, and then also the people who work on the…that are supported by such efforts in the development of state and citizen services.
-
Yeah, definitely.
-
This conversation has really helped, at least me, understand a bit more about what the institutional landscape is like in Taiwan.
-
Let me also point out that many ministries are developing their own, like you mentioned Estonian ID system. Just yesterday [laughs] actually, I applied and received in maybe just two minutes, the entire flow of my vaccine records, my vaccination record using FIDO compliant way.
-
We call it 行動自然人憑證 or the Citizens Digital Certificate mobile version. Instead of using esoteric underpinnings like a sim card or whatever, the FidO flow feels exactly like integrated Google login on Android or something.
-
Because it pops up a notification, I say it’s me and then it lets me in, and it creates a Google Pay certificate. I can authenticate biometrically to show the EU DCC compliant QR code and so it’s all very smooth.
-
I used this example to illustrate that the root certificate is issued by Ministry of Interior. That is data processing is done by the Ministry of Health and Welfare. The issuance is in partnership of the Center for Disease Control.
-
They are all their own data protection authorities in terms of GDPR. They do not actually need the MODA, the Ministry of Digital Affairs, or at the current point, the National Development Council, to orchestrate this exchange.
-
We run on a very pluralistic poly-centered multi-stakeholder mode, even within the administration proper. If you do not have the Citizen Digital Certificate like I do, you can also use the other administration’s code. The administration for health insurance.
-
The instructions of each issuer, that’s a huge problem though.
-
Right. The thing is that it’s by necessity, because if you are a resident but not a citizen, you don’t get a citizen’s certificate, you get a universal healthcare card instead and so on. For each and every service, we have at least three different login methods and they are all managed, issued by different administrations.
-
Which is why I stressed the importance of autonomy of those administrations. It’s quite different from the Estonian model, is what I’m trying to say. The Estonian model is more similar to the Taipei municipality model, which is reasonable… Because of similar population? [laughs]
-
If you are in the Taipei municipality, you do have acces sto TaipeiPASS and they’re explicitly modeled after Estonia. In the national government’s case, it’s quite different, so prepare for cultural differences.
-
What you’re saying reminds me of a small project that we ran actually with Andrew Martin. This was several years ago. Looking at the way the different countries had structured their national identification system.
-
Estonia of course, was one of the case studies, using the unique personal identifier system. We looked at Austria, the United States and other national jurisdictions.
-
What you are saying reminds me a lot about one of the findings of that research, which is that these early design decisions that were either taken explicitly by policy makers, or simply emerged by path dependency through just common practices.
-
Then suddenly, “Oh, this is the national ID system that we have to work with.” It wasn’t designed for a digital era, but it’s what we have. That has all kinds of implications for whether and how far you can integrate public services into the digital domain.
-
If you don’t have a centralized ID system for example, you can get into some complications in how to do that. Here in the UK, we have a huge problem because the UK doesn’t even have a national ID.
-
Yeah, I’m aware of that.
-
There was an attempt to, David Cameron’s government several years back tried to propose legislation to create one, and he was shot down as it was…
-
We do have a national ID numbering system… It’s just there’s multiple certificate authorities.
-
You don’t have a unified technical layer beneath it, you mean?
-
We actually do. It’s just there’s multiple issuers.
-
I see. The issuers are the…You’ve got multiple issuing authorities, right?
-
Yes, and by necessity, because the ministry of interior takes care of citizens and residents in a different way and so on, and so forth. That’s the architecture that provides some fail-safe, if I want to look at a silver lining. [laughs]
-
It also means, especially when it comes to private data, we’re actually running something like an internal federation. It’s quite different from an Estonian model. It’s just what I’m saying.
-
Each ministry can interpret the personalness of the personal data quite differently from other ministries. When we need to integrate the data, we tend to then use privacy enhancing technologies, like OPen ALgorithm, Federated Learning, homomorphic encryption, zero-knowledge, and so on, instead of just keep a mutual record so that we shuffle the data, but the citizens are aware that data is being shuffled.
-
Exactly the model that Estonians took, the X-Road.
-
I understand it’s now a global digital public good.
-
I was going to ask you if Taiwan had something similar to what Estonians have.
-
Sure, we do have the T-Road project, and we do keep track of the authorized accesses. Underneath that, it’s more structured as a network of networks, instead of a single database…
-
That was another project that we had around the data embassies initiatives. Now, I don’t mean to suggest in my comments that the Estonian model is in any way a panacea for all these digital…
-
Well, it’s legacy-free. We might prefer that, too, if we are legacy-free.
-
(laughter)
-
What works at the population level of one million, might very well not work at the population level with more than 20 million, right? Also, the Estonians made some mistakes too. Like, the unique personal identifier has your date of birth. That right there is a privacy infringement.
-
Not the best idea, yeah?
-
Not the best idea at all, but at the time that they were creating these ID systems, that was not prevalent in people’s mind. No one imagined that that ID system would grow into the central point for the citizens’ interactions with the state.
-
Yeah. Too bad there’s no age reassignment surgery.
-
(laughter)
-
I think all this conversation reinforces what I did say. With Jason we want this to be and we designed it to be a multifaceted and multidisciplinary project. Issues from both the political and the technical perspective, but also encompassing the various aspects.
-
Not least your country and the many innovating things that I’m sure you are cooking in the oven, [laughs] in the framework of the new ministry.
-
Yeah. It’s going to be a very transparent oven, anyway.
-
(laughter)
-
We look forward to public consultations later this year.
-
When do you expect it to set up, officially?
-
Before September.
-
OK. Are you responsible for also appointing your lieutenants, like your deputies and stuff like that, or that’s not?
-
You speak as if I’m going to be the minister of moda… But I’m just currently in charge of setting up the ministry.
-
OK.
-
Everyone says you’ll be minister, Audrey, and you will be the best one.
-
It’s what was said a “newspaper assignment”, 報派, right?
-
No. Honestly, for the record, because Audrey would be the best Digital Affairs Minister. I think if anyone that should be her.
-
I’ve already been serving as digitalminister.tw — it’s just we’re setting up the digital ministry this year.
-
You’re currently a minister without portfolio?
-
Yeah. We have nine such at-large ministers. The minister “without portfolio” means that our staff are staffed from various ministries. I have around 16 different ministries seconding people to my office. It’s a very horizontal structure.
-
Nowadays, we’re saying that if I work closely with the NDC, the National Development Council, parts of the Ministry of Economic Affairs, parts of the National Communication Commission, and the Department of Cyber Security, then maybe they should work more closely together to save coordination time. That’s the impetus of setting up a new ministry.
-
We noted that these groups of people tend to work together on projects, but previously they have to work through their own ministries in order to get anything done. They did get a lot of things done, but it increase organizational friction.
-
To increase the bandwidth, reduce the latency, improve the connections, maybe we should restructure a little bit. Which is why I’m in charge of the re-structuring, but it does not neccessarily mean that I will keep the digitalminister.tw domain after September.
-
Does that mean that a lot of those individuals will transfer to the new ministry?
-
Yeah. We already know the scope, including from the department of information management within the National Development Council. Quite a few people from the National Communication Commission, and of course, the entire Department of Cyber Security, and so on.
-
As a student of government and politics, that right there strikes me as a fascinating case study for someone to investigate, about how government bureaucracies restructure themselves, in your context, to address the kinds of institutional and policy coordinating technologies that you after all have been facing, right?
-
Yes. I am sure we can do many causal theories and simulations. [laughs] That, like the same incident with or without a ministry how would coordination work differently? That’s my focus right now at least for the next few months. If and when it does set up, it will free up my time for more involvement in academia settings.
-
Jason, what do you think? It sounds to me like we may have a first potential case study to explore [laughs] in politics.
-
Absolutely. I think that that’s really great. Audrey, I’m just aware of your time because it’s nine o’clock now.
-
Sure.
-
Audrey, if there’s anything that anyone that…Because we’re trying to build support within the government right now. If there’s anyone that you suggest that we reach out, please feel free to let me know. I can take the initiative to reach out to some more people in your government.
-
Just wanted to say thank you for your time. Lucas and I will keep you posted of the progress. We look forward to your participation and we look forward to your advice and counsel.
-
Sure. If you need a business visa invitation or anything, Vivian, who has been in the email loop is actually the secondment from the foreign service. You have the Ministry of Foreign Affairs aware of your existence and feel free to reach out as well.
-
[laughs] Fantastic.
-
Lucas, you actually are thinking about…
-
I’m very eager to go soon, yeah.
-
Maybe that sounds like official invitation to me.
-
Exactly, if you need a invitation just let us know and you’ll just spend 10 short days. I guess, not very short [laughs] we’re reducing it — hopefully in a few months — in quarantine.
-
In the hotels. To echo Jason’s thanks, I’m grateful for your time and for your interest today. It’s been a fascinating exchange. I always learn new things. It was the case today, so thank you.
-
Thank you. It’s quite late for you, I guess you can now sleep, for…
-
…eight hours.
-
[laughs] OK, bye.
-
Goodnight.
-
Bye.
-
Ciao ciao.
-
Thanks Audrey. Bye-bye.
-
We’ll speak soon.
-
Bye.
-
Bye.
-
Bye.