For the National Institute of Cybersecurity, we take a comprehensive view on FIMI, Foreign Information Manipulation and Interference. The adversary is coordinated and so should be the defense. So, although it is not in our ministerial mandate, it is in the institute mandate because the National Institute of Cybersecurity also ...
And that is the core of the vision.
Of course, we have to sort our 20 national languages first, but it does carry the possibility of bridging across divides in a systemic way, and the peacemaking potential of the internet is paramount. On the other hand, of course, we also see that under the wrong incentives, it will also ...
and with the contributions of the participatory policymaking community, including the Twitter community notes, actually, and the language models fostering transcultural dialogues.
So, to me, the space that is digital embodies the promise that people who are very far away in terms of ideology, culture, ethnicity or whatever can be bridged by the space. And that’s the original promise of internet. It’s called the end-to-end principle,
Yes. Plurality, or collaborative diversity is a wordplay because “數位” in Mandarin means both digital and plural. Shu wei as in several, right? “數位部長”.
I’m writing a book on that. It will be posted on plurality.net.
And the DFI too. I think it really helped a lot in Taiwan.
Yes.
So, by participating as partners or democracies, we are full members but we don’t need to do this whole country/area/jurisdiction/regime dance. And this is quite fresh to me. And so far, we don’t have any problem directly pinging my counterparts under this state are part of this multistakeholder system of ...
It almost changed overnight with the Ukraine situation. It used to be that we had to sort… I was once in an Open Government Partnership meeting before the Ukraine situation and I was representing Taiwan as a civil society organization, Taiwan as a CSO. And there are many contortions like ...
It’s pretty easy now.
So, that’s pretty much it. The infrastructure level, the communication level, and the standard setting level.
The incubator will start later this year, and hopefully by next year we’ll have a GDPR compatibility. So, we need legal support there as well to recognize essentially Taiwan as part of the CBPR and GDPR system, so that the data can still flow freely with trust.
So, the EU sponsors a lot of privacy-enhancing technologies, verifiable credentials, decentralized identifiers, and so on, so that you can prove you’re a human or you’re 18 years old or whatever without revealing anything about yourself. And we do need to adopt that, especially that we’re going to have a ...
And for example, we’re also the competent authority for the Digital Signature Act. And so we do need, for example, to cross-recognize with the European, with the U.S. digital signature trust systems because that’s going to be the ongoing digital signature, and going to be the go-to solution to the ...
Sure. So, we mentioned the critical infrastructure. The private sector stepping in as essentially critical infrastructure providers. That is for the short term. In the rollout of ZTA, the Zero Trust Architecture, we cannot do it alone. We must work with the NIST and CMMCs of the world to make ...
So, the startups and SMEs and so on, that’s the economic affairs. But for us, we’re working on digital resilience for all. So, we have a significant amount of subsidies and so on that goes in the digital transformation of those local civil groups which is outside of MOEA’s purview, but ...
Yes. And I think that is also why we’re sorted into the Transportation Committee because transportation, critical infrastructure, national security and cybersecurity and so on are the purviews of that committee. We didn’t get sorted into the economy subcommittee because well, the Ministry of Economic Affairs is still there. This ...
You mean like, what would we do next if the PRC regime repeals its anti-secession law?
Yes. Because many of us came from NCC. Our vice minister 葉寧 came from NCC. And two of our departments did. So, we are very intentional in designing our mandates to not overlap that of NCC, in particular internet broadcasting regulation. So, any of the supervisory role belongs squarely in ...
It’s in the news. Yeah.
Like the recent ruling on CTiTV?
Last year, every time they interpellated NCC they invited me in because they think somehow I’m part of that. But this session not anymore, so we’re not confused with the NCC.
So, this time around I think because we’re in the Transportation Committee in the LY.
That is to say we’re non-partisan in our nature and we’re not interested in meddling with the election at all. We’re just interested in countering FIMI and not in helping any party win. And I made a point of attending none of the rallies. I never attended any party rallies ...
Yeah. We made it quite clear because we were founded last August, which is close to another election, the mayoral election. So, we made a point of… for example all the directors, generals and administrators can theoretically be appointed by me from someone outside of public service. But I made a point ...
All parties are supportive.
Oh yeah. Pan-parties.
I think it’s pretty good.
Yeah. So, in terms of full-time public service staff, it’s close to 600 people, but that doesn’t count the NICS, which is another few hundred people. So, all in all we have close to a thousand full-time staff.
In the scam world already. There’s very convincing voice cloning already. And video cloning there is… because video cloning currently is still quite compute intense, so I suspect that as the techniques go easier on the hardware, which is improving by the day, maybe by the next month or so, ...
So, the main difference is that what used to be broadcast-level disinformation that requires going viral and therefore detectable can be now done like spearphishing in a precision level. So, individualized interactive persuasion at a scale of viral videos. That is an emerging threat vector enabled by language models.
So, a lot of our work now, in addition to resilience of all, is just the cyber awareness of everyone that, basically, picture and it doesn’t happen, video and it doesn’t happen. Everything can be synthetic now. And we have pretty good reason to believe in my book here actually ...
So, in terms of FIMI, we have seen a lot in the scam front of the new use of voice cloning and also behavior cloning. So, for example, people would receive a phone call and they will answer it. And with just a few seconds of voice print, now AI ...
Right. So, in terms of FIMI, Foreign Information Manipulation and Interference, which is an EU term that is easier to say than mis/dis/mal-information, which is impossible to pronounce.
And of course, there are boundaries to this because some of the private sector doesn’t want the state to know the kind of ransomware attack they’re undergoing. But there are ways to basically use privacy-enhancing technologies to ensure that the metadata is still shared meaningfully and people still know the ...
And so, to this end, the National Institute of Cybersecurity is working very closely with all these threat intelligence-gathering stakeholders to establish the norm. So that the private sector computer emergency response team, which is entirely private sector, can interoperate with more defense or administration or critical infrastructure oriented, so ...
So, in the IT army of Ukraine, what we have found is that there were already private sector practitioners of cybersecurity that already participated in those drills regularly. And they already know what are the important targets to defend and so on. And in this, the public cloud providers play ...
The norms.
So, whether you’re TSMC or whether you’re the administration, you’re subject to the same coordinated attack. And that means that the industrial standards, such as the SEMI E187, by the semiconductor supply chain, they suffer actually from the same degree of attack or even more because of industrial espionage and ...
Yeah of course, and also a shared posture. The posture is zero trust architecture. Everyone in the private sector is facing state-sponsored attacks. It’s not like those state-sponsored attacks will see you’re a dot com, so will not attack you because of, I don’t know, the Tallinn Manual’s rules of ...
And so, if there is an escalation in the traditional military sense, we expect the system that we built, the keys, will be handed to the military people. But we, in the civilian world, plan for all hazards, all disasters.
Because the same actually happened to our submarine cables. I think a decade or so ago, an actual earthquake destroyed an actual submarine cable that disrupted, I think, in the southern Taiwan. And we do have earthquakes that can actually disrupt communication.
Which is why I keep saying earthquakes.
All hazards.
Right. Yeah, and running drills also. And the CODE defense exercise is public. We run once every two years, and we invite people around the world to be red teams, essentially, to simulate as close as possible to the actual scenario of a coordinated hybrid attack.
So, we need to also respond in a similarly coordinated way, because it doesn’t pay now to say, oh, this is disinformation, that is cyber, that is whatever propaganda, because they are all part of the same attack.
Once they successfully blocked temporarily the access to the major ministries, then they launched disinformation attacks, like the hate speech on the billboards outside the Taiwan Railway Station. It’s coupled with disinformation.