Despite Serious Cybersecurity Breaches, MODA Knows Only "Health Checks"

United Daily News, February 23, 2023

 

Political thinker John Locke (1632-1704) wrote in his Two Treatises of Government that government has no other end but the preservation of property.

 

Recently in Taiwan, personal information has been leaked from the databases of Lion Travel, China Airlines, and iRent and sold online. Now it has been rumored that the personal information of 900,000 Breeze Center customers has also been stolen. The only initiative undertaken by the Ministry of Digital Affairs (MODA) to protect personal information is to call for a health-check of all government and business databases in the future. In the case of the Breeze Center information leak, an anonymous hacker pointed out that “it was a serious leak where all customer transaction information was stolen” and sarcastically remarked that “deep sleepers can’t be awakened” in reference to the ineptness of the government’s response.

 

Minister of Digital Affairs Audrey Tang is regarded as a genius hacker by younger generations in Taiwan. She tries to advance information security by upgrading technology and integrating digital systems. But her extended tenure as a politician has left her with a myopic outlook on issues that require integration on a national level, such as legal authority and human resources. Under her long ministerial tenure, she has never called on the government to establish any ministerial institution with a higher authority and oversight.

 

Hackers are still distributing the personal information of China Airlines’ members on the dark web and so far more than 7,000 entries of personal information have been leaked. Now that Breeze Center has been hacked and the names of customers, invoices, orders, and payment records have been stolen, the only statement issued by Breeze Center is the familiar “damage control mechanisms were activated immediately and our internal information security team has completed software and system security updates.”

 

The European General Data Protection Regulation (GDPR), which has been in force for five years, imposes a personal data protection duty on all companies with a fine of up to €20 million or 4 percent of companies’ gross revenue for violations. While Taiwan’s government still has a long road ahead toward establishing an independent authority and amending personal data laws, the MODA with its NT$20 billion (about US$652 million) budget is incapable of doing anything except admonish the public on data protection and issue postmortem security health checks for businesses.

 

Two years ago, Adam Chien, former director of the Department of Cybersecurity of the Executive Yuan, wrote a paper in which he argued that the government should set up a “Digital Services and Information Security Headquarters of the Executive Yuan” or a “Digital Development and Information Security Committee,” which has the authority and responsibility to carry out inter-ministerial coordination, instead of the current MODA, which can only implement national digital industry policies but cannot directly direct or supervise the operation of the administrative system. He predicted that the MODA would have structural difficulties in promoting nationwide information security affairs and integrating with the national security system. A third-tier agency such as the “Digital Development and Information Security Committee” would be under the command of the second-tier ministries, thus lacking independence and authority in promoting information security. It is not in line with the government’s own ideal of “information security as national security.” Unfortunately, his proposal was not accepted and Chien’s retirement was approved last year.

 

Today, the fact that diverse agencies and ministries are responsible for personal data leakage, data security, law enforcement and disciplinary actions in Taiwan has led to the agencies and ministries shirking responsibility and pinning the blame on each other. No one dares to blow the whistle on data security problems. The MODA can only intervene in assisting businesses through corporate information security health-checking or through multinational joint prevention of cyber-attacks. The general public must fend for themselves in the event of a personal data breach.

 

A global trend in information security is to establish a “Zero Trust Architecture.” The biggest challenge of the MODA is to rebuild the “zero trust” that people currently have with the government.

 

From: https://udn.com/news/story/123309/6989337
