Written by Philip Hsu.
In late 2016, the Taiwanese technology magazine iThome ran a series of articles extolling the virtues of Israel’s cyber security industry and suggesting lessons for developing a homegrown cyber industry that could be applied to Taiwan. In particular, the articles honed in on the importance of the Israeli Defense Force’s Unit 8200 signal intelligence unit as a cyber vanguard, a start-up incubator nurturing new generations of cyber companies and hackers in addition to fulfilling its role as an elite military unit.
This sentiment proved prescient, as just half a year later the Tsai Ing-wen government inaugurated Taiwan’s “Cyber Fourth Service,” with President Tsai herself “bestowing a mission” on the new cyber corps to become a “vanguard” of the government’s cybersecurity efforts and drive domestic cyber research, academic, and industry activity. The commonalities between Israel and Taiwan’s cyber polices don’t end there: Both governments have opted to develop “clusters” of cybersecurity companies in their own way, Israel through developing the Beersheba cybersecurity industrial cluster, and Taiwan in consolidating its support of its cyber sector through its new Cybersecurity Management Law and both military and non-military spending.
Some comparisons between Israel and Taiwan suggest commonalities that may provide synergies between the two nations’ cybersecurity policies. Both are geographically small, lack natural resources, and face extensive cyber threats from hostile neighbours. Both have policies of mandatory conscription, which supply a constant source of talent in Unit 8200’s case. Both have impressive, internationally-facing technology sectors and substantial human capital in the technology space. Why wouldn’t Taiwan be able to mimic Israeli’s model?
A combination of structural and cultural differences between Taiwan and Israel might undermine the applicability of the Israeli model to Taiwan. Take the issue of conscription alone. Israel’s mandatory conscription is three years for men and two years for women, with an option of continuing one’s tour for years longer. This provides Israel cyber units ample time to train conscripts in the art and science of cyber and for service members to develop the social connections that they will later bring with them into the cyber workforce. Taiwan’s mandatory military service has been shortened to just four months as the nation moves towards an uncertain process of ending conscription, not to mention that joining the Taiwanese military isn’t seen to be as much of a national duty or offering a promising career as it is in Israel.
This perception will stymie talent development in Taiwan’s new all-volunteer military, even if the Cyber Forth Service is seen as an elite force. But even Taiwan’s military culture may not foster a spirit of cyber entrepreneurship seen in the Israeli example. As Israel’s former Ambassador to the United Nations Ron Prosor put it in explaining the success of Israel’s cyber industry, “when a brigadier general in the Israeli army can speak to a lieutenant as if they were the same rank,” a culture of entrepreneurship and innovation can thrive outside the military when these soldiers leave the service. I am no expert on Taiwanese military culture, but I don’t think they’re there yet – few military services are.
If there are problems with entrepreneurial culture and communication within the military, it seems unlikely that the government will be able to attract the best and brightest of Taiwan’s extensive hacker community. Any government or military job in most countries will face tough competition in the market from the private sector in terms of salaries offered, but even barring that, asking hackers to conform to regimented military or even government life might not be the best approach.
This challenge is made more pronounced by the backdrop with which Taiwan’s hacker community developed. It was largely grassroots, underground movement at first, with independent hackers or members of groups such as chroot later coalescing to host the Hacks in Taiwan Conference (HITCON), an annual “carnival” for Taiwan’s hacker community along the lines of cybersecurity conferences Black Hat and Defcon. Many hackers conducted their craft outside of their formal line of work, and for good reason: When Taiwanese white hat hackers disclosed vulnerabilities to the related companies, the first impulse of these companies was often to file suit against the hackers, instead of rewarding them with bug bounties or hiring them.
Today, Taiwan’s hacker community appears to have entered the mainstream, with no less than President Tsai herself proclaiming that the power of Taiwan’s white hat hackers should be “unleashed” and serving as the keynote speaker at HITCON 2016. For what seems like the first time, Taiwan’s government is lavishing resources and attention on the nation’s human hacker capital. Given structural and cultural differences between Taiwan and Israel, this energize-the-grassroots approach is a better fit for Taiwan than the heavily top-down Israeli model. That being said, since both the Taiwanese and Israeli markets are too small to develop substantial companies with, the Israeli model also proves the importance of the government facilitating the international go-to-market strategy for cyber firms that Taiwan should emulate. In this regard Taiwan has opted to support its homegrown cyber industry through defence projects, banking on firms becoming globally competitive from those engagements – another energize-the-grassroots approach.
There is one further important difference between Taiwan and Israel, and that is the nature of the political divide within Taiwan. The conscription controversy is just one example of how Taiwan’s government often struggles to develop critical national defence policies, of which cyber security categorically falls under. With public spending on cyber as a component of national defence increasing and private spending on cyber security soaring, both the public and private sector can agree that cyber security matters. An energize-the-grassroots approach, though it still might make the grassroots wary of the motives and intentions of the government doing the energizing, may be a way of getting past the political gridlock in Taiwan and serving as an alternative to top-down governance and initiatives characteristic of the Israeli model. On an issue as important to Taiwan’s security as cyber security, Taiwan’s white hat hackers may well hold the key to bridging a paralyzing political divide.
Philip Hsu is a Technology Consultant at FTI Consulting and a graduate of Columbia University’s School of International and Public Affairs. He tweets @philipwhsu. Image credit: CC by Cheryl Pellerin/U.S. Department of Defense
To build an all-round defence against cyber attacks requires a systematic and comprehensive approach only a well-supported and well-organised institution can deliver. In Israel this institution is provided by the army.
Grassroots initiatives focus on issues that are close to the heart of leading participants. Their selection is quite arbitrary and never comprehensive. Such, it is unlikely that they “hold the key to bridging a paralysing political divide”. Grassroots initiatives are an unsuitable substitute for weak leadership.
The people of Israel are driven by the unbending will to defend their country. Do the people of Taiwan have that kind of will? Developing a cyber security industry is a secondary issue in this context.