The legal challenges of ubiquitous healthcare

Artificial Intelligence Governance - Taking Deep Fake as an Example 1.Introduction 　　With the increasing maturity of the use of neural networks, the application of artificial intelligence technologies is becoming more and more widely used. Among them, through the automated editor and convolutional neural network technology, the threshold of the technology of copying films is not very high. In November 2017, some films that superimpose the faces of social celebrities on pornographic film actors/actresses appeared in the American social networking platform, Reddit. These types of films analyze the faces of specific socialites through deep learning algorithms and superimpose their faces on the films, making them look as if the films were taken by the socialites themselves. This technology was released by developers in 2018 and was made into an app for public use. At present, such technology is generally referred to as "deep fake" internationally, and it is believed that it may contribute to the speedy invention and distribution of false information existing throughout the Internet nowadays, which has attracted the attention of legislators worldwide. As it uses fake images or films automatically generated by Deep-learning technology, it involves both dimensions of fake information prevention and artificial intelligence governance. The purpose of this paper is to observe the relevant policies, legal measures and related guidelines or principles of the international community in response to issues of deep fake and artificial intelligence governance, and to examine whether the current legal system in Taiwan can cope with the impact of deep fake so as to provide feasible recommendations. 2.Ethics Rules for Artificial Intelligence 　　In the governance of artificial intelligence, the European Union introduced the “Ethics Guidelines for Trustworthy AI” on April 8, 2019 to establish a framework for supervising artificial intelligence in order to make artificial intelligence trustable. 　　The guidelines first points out that Trustworthy AI requires three key characteristics: (1) it should be lawful: complying with all applicable laws and regulations; (2) it should be ethical: ensuring adherence to ethical principles and values; and (3) it should be robust: both from a technical and social perspective, to avoid AI from inadvertently causing harm. 　　Fundamental Rights are the basis of trustworthy AI. In order to comply with the above-mentioned basic human rights and to make AI reliable, their expert group believes that AI should abide by four ethical principles, including: (1) respect for human autonomy; (2) prevention of harm; (3) fairness; and (4) explicability. The four ethical principles are also transformed into the seven specific measures: “human agency and oversight”, “technical robustness and safety”, “privacy and data governance”, “transparency”, “diversity, non-discrimination and fairness”, “societal and environmental wellbeing impact evaluation” and “AI accountability”. To facilitate the true implementation of self-assessment for application developers, the Guidelines devise the Trustworthy AI Assessment List in Chapter 4 for the reference of the enterprise. 3.Counter measures Against the International false messages 　　In response to the prevention of false messages, the two parties in the United States also jointly proposed in 2018 the Malicious Deep Fake Prohibition Act of 2018 to amend the relevant provisions of fraud in the criminal law. This bill amends Chapter 47 of the United States Code by adding Section 1041 with regard to fraud in connection with audiovisual records. It treats the use of deep fake as a criminal offence and defines deep fake as “audiovisual record created or altered in a manner that the record would falsely appear to a reasonable observer to be an authentic record of the actual speech or conduct of an individual”. It shall be unlawful to, using any means or facility of interstate or foreign commerce, to create, with the intent to distribute, a deep fake with the intent that the distribution of the deep fake would facilitate criminal or tortious conduct; or distribute an audiovisual record with actual knowledge that the audiovisual record is a deep fake, and the intent that the distribution of the audiovisual record would facilitate criminal or tortious conduct. Any person who violates the above may be sentenced to imprisonment for more than 2 years but less than 10 years. However, the bill is currently put on hold without being further reviewed. 　　In addition, in order to properly cope with the danger of deep fake, on June 28, 2019, the two parties in the US Congress jointly proposed the bill - "To require the Secretary of Homeland Security to publish an annual report on the use of deep fake technology, and for other purposes”, which may be cited as the "Deepfakes Report Act of 2019". This bill requires the Department of Homeland Security to conduct research on deep fake and related issues, produce an annual report, and to request it to assess the direction of addition or revision of relevant laws and regulations. Moreover, the US senators from both parties also proposed on June 12, 2019 the bill- “Defending Each and Every Person from False Appearances by Keeping Exploitation Subject to Accountability Act of 2019”, which may be cited as “DEEP FAKES Accountability Act”. This Act is the same as the Act of 2018, both of which treat the use of deep fake as a fraudulent act by adding section 1041 to Chapter 47 of the United States Code. However, this Act does not directly define deep fake, but rather define such a type of technology as “advanced technological false personation record”, and require such records to comply with: (1) DIGITAL WATERMARK: Any advanced technological false personation record which contains a moving visual element shall contain an embedded digital watermark clearly identifying such record as containing altered audio or visual elements. (2) AUDIOVISUAL DISCLOSURE shall comply with the following principles: A. clearly articulated verbal statement that identifies the record as containing altered audio and visual elements, and a concise description of the extent of such alteration; and B. an unobscured written statement in clearly readable text appearing at the bottom of the image throughout the duration of the visual element that identifies the record as containing altered audio and visual elements, and a concise description of the extent of such alteration. (3) VISUAL DISCLOSURE shall comply with the following principles: Any advanced technological false personation records exclusively containing a visual element shall include an unobscured written statement in clearly readable text appearing at the bottom of the image throughout the duration of the visual element that identifies the record as containing altered visual elements, and a concise description of the extent of such alteration. (4) AUDIO DISCLOSURE shall comply with the following principles: Any advanced technological false personation records exclusively containing an audio element shall include, at the beginning of such record, a clearly articulated verbal statement that identifies the record as containing altered audio elements and a concise description of the extent of such alteration, and in the event such record exceeds two minutes in length, not less than 1 additional clearly articulated verbal statement and additional concise description at some interval during each two-minute period thereafter. 　　According to the bill, those who violate the above requirements shall be subject to legal responsibilities. In criminal liabilities, whoever knowingly violates the above requirements and (1) with the intent to humiliate or otherwise harass the person falsely exhibited, provided the advanced technological false personation record contains sexual content of a visual nature and appears to feature such person engaging in such sexual acts or in a state of nudity; (2) with the intent to cause violence or physical harm, incite armed or diplomatic conflict, or interfere in an official proceeding, including an election, provided the advanced technological false personation record did in fact pose a credible threat of instigating or advancing such; (3) in the course of criminal conduct related to fraud, including securities fraud and wire fraud, false personation, or identity theft; or (4) by a foreign power, or an agent thereof, with the intent of influencing a domestic public policy debate, interfering in a Federal, State, local, or territorial election, or engaging in other acts which such power may not lawfully undertake, may be sentenced to imprisonment for not more than 5 years. In civil liabilities, any person who violates the above requirements may be subject to a civil penalty of up to US$150,000 per record or alteration, as well as the compensation for the damage, if any. 　　In addition to the United States, the United Kingdom also launched the "Online Harms White Paper" in April 2019, which will establish a new "Online Safety" control structure to respond to false messages and underage pornographic videos, deep fake and online drug trafficking and so on. 　　The report points out that the new network security control framework will clarify the legal obligations of the Internet company to make the company assume more security responsibilities and avoid the harm caused by the content or actions generated by the service provided, and establish an independent regulatory agency supervising and implementing the relevant legal policies. The regulatory authority should provide relevant guidelines for compliance with the new obligations. If the company is unwilling to comply with the relevant guidelines, it must bear the burden of proof and prove that its alternative measures can achieve more effectively for the purpose of protecting the Internet users. In addition, the framework will also include elements of “Transparency, Trust, and Accountability”. The competent authority will be given the right to request an annual transparency report be submitted by the company, which the report should indicate the relevant harmful contents appeared on its platform, explain how it is handling with the problem, and publish the report on the website. Furthermore, the competent authority will have the right to request additional information from the Internet company, such as how its algorithm works. 　　In response to false messages, the report points out that current Internet companies have begun to conduct research on the prevention and control methods of fake news dissemination, including: (1) through the terms of service, users are not allowed to distort their identity on social software to spread false messages. (2) developing relevant tools to detect suspicious, false or junk accounts; (3) using automated artificial intelligence to delete or remove fake accounts; and (4) collaborating with independent fact verifying platforms. However, in the future, the government hopes that the guidelines and related policies proposed by the competent authorities must further include the following matters: (1) The company shall clarify its definition of false information in its terms of service, and state its expectations of users, and the possible penalties to users who violate the company policy; (2) The company should adopt the relevant countermeasures to deal with users with distorted identities who disseminate false messages; (3) The visibility of the disputed content currently under the fact-verifying inspection shall be reduced; (4) The fact-verifying service shall be used, especially during the election period, for fulfilling the obligation of fact verification; (5) Promote authoritative news sources; (6) Promote news circulation from different perspectives, rather than only reinforce the messages of people's existing views; (7) Users should be able to recognize that they are interacting with automated accounts and should ensure that the dissemination of automated accounts information is not abused; (8) Promote the transparency of political advertising to comply with the norms of the UK electoral law; (9) Companies should ensure that users may mark the content that they believe to be false news by themselves and let them know that the company is targeting false news for countermeasures to be taken; (10) The procedures for publishing information should be open and transparent so that the public can assess the effectiveness of the company’s response to false information, and further support the relevant research on online false message activities; (11) The relevant procedures and measures should be taken to continuously monitor and evaluate the effectiveness of the processing flow of fake messages. 　　From the above-mentioned relevant international legal policy observations, it can be found that international measures related to deep fake can be classified into the following items: (1) Establish an independent fact-verifying unit. (2) Improve the transparency of information sources. (3) Improve the oversight responsibility of the online platform for the messages appeared on such a platform. (4) Deep fake is to be treated as an independent criminal act and its criminal, civil and administrative responsibilities are to be clearly regulated. (5) On the technical level, relevant artificial intelligence tools are being developed to respond to this issue. For example, the American startup company, Deeptrace, has begun to conduct research and develop deep fake identification technology to identify the authenticity of the films.

To establish a trusted foundation for sports data compliance, the Sports Data Altruism Service releases the Sports Data Altruism Service Personal Data Assessment Legal Compliance Handbook 2024/05/15 I. Introduction The Sports Data Altruism Service aims to construct a blueprint for the development of sports and technology, to promote practical applications for sports scientific research results, to drive industry development, and to establish a sports data innovation ecosystem. This will be achieved through multi-ministerial/multi-agency value-added applications for sports data, multidisciplinary upgrading and transformation of sports technology, digital empowerment to establish a sports technology ecosystem, and public-private collaboration efforts. The Sports Data Altruism Service aims to build a legal compliance platform, and to reinforce the trust foundation for legally-compliant sports data operations, all while balancing privacy protection and public interest. In pursuit of these ends, the Sports Data Altruism Service draws upon international data governance practices and trends, as well as current industry practices. It aims to develop guidelines and regulations that consider the value of sports data applications and apply them to data legal compliance operations for sports venues. The Service is also intended to help operators in the sports field maintain personal data protections and reasonable use. Consequently, in August 2023, the Sports Data Altruism Service released the Sports Data Altruism Service Personal Data Assessment Legal Compliance Handbook. For entities seeking to become Sports Data Altruism Service data providers, the Handbook explains the related regulations and provides important things to watch out for. II. Structure of the Sports Data Altruism Service Personal Data Assessment Legal Compliance Handbook The Handbook is divided into three sections: A. Requirements for joining the Sports Data Altruism Service: Before starting with the Sports Data Altruism Service, users must read and agree to the service’s Privacy Policy, Terms of Service, Notification Regarding Personal Data Collection and Personal Data Provision Agreement, and other important platform information. The Privacy Policy explains how the platform collects, uses, and protects the information that users provide. If you wish to become a data provider or data user, the Terms of Service will explain what you need to comply with to do so. And if you decide to become a data provider or data user, you must register on this platform and must sign the "Notification and Letter of Consent for Collection, Processing, and Use of Personal Data" to state your agreement to provide your data to the platform. B. Personal data subject rights protection mechanism for sports venue operators (data providers): After becoming a Sports Data Altruism Service data provider, to lawfully obtain the personal sports data, the data provider must submit the Points of Note When Connecting to the Sports Data Altruism Service and Personal Sports Data Provision Agreement. This form, submitted in either paper or online format, must include a signature from the person whose personal sports data is to be used. When a data subject needs to correct their personal data or no longer wishes to provide their data to the Sports Data Altruism Service, the data provider must provide the Exercise of Data Subject Rights Application Form. After the data subject submits the application, the sports venue operator must verify whether the data has been processed to the extent that it cannot be used to identify a specific individual. In accordance with Article 4 of the Points of Note When Connecting to the "Notice of Connection to the Sports Data Altruism Service Platform and Consent Form for Provision of Personal Sports Data", data that can no longer identify specific data subjects is no longer considered personal data, and is not subject to exercising of data subject rights, nor is it subject to deletion of statistical or analytical results based on such data. If the data has not been anonymized, the operator must remove the data subject from the list uploaded to the platform and delete any unprocessed sports data. They must also retain records of the deletion and notify the data subject. Source: Sports Data Altruism Service Personal Data Assessment Legal Compliance Handbook Figure 1　Data Subject Rights Exercise Mechanism for Sports Venue Operators C. Data protection management process for sports venue operators (data providers): To assist sports venue operators in complying with personal data protection requirements, the Sports Data Altruism Service provides a personal data protection self-assessment tool. After an operator becomes a Sports Data Altruism Service data provider, they must assess their compliance with data protection laws by completing the Self-Assessment Form for Personal Data Protection in Collecting Public Sports Data by Sports Venue Operators (Data Providers). This helps operators understand the importance of personal data protection and establish a robust personal data protection management system, to achieve both data protection and reasonable usage. The Self-Assessment Form for Personal Data Protection in Collecting Public Sports Data by Sports Venue Operators (Data Providers) is designed in accordance with the regulations of the Personal Data Protection Act and its enforcement rules. It includes 20 assessments in 10 major categories. When filling out the self-assessment form, the operator must provide the name of the self-assessment venue, the name of the person filling out the form, and the date. The form has to be completed based on the personal characteristic data and sports data that is to be uploaded to the Sports Data Altruism Service. However, not every assessment is mandatory. The form requires considering the operator’s actual situation to review the current practices related to personal data protection and management, then conducting the self-assessment based on this. For more detailed information about the Sports Data Altruism Service Personal Data Assessment Legal Compliance Handbook, please visit the Sports Data Altruism Service website (https://www.data-sports.tw/#/SportData/Landing?redirect=%2FDashboard).

1. Organization Framework In the organization framework of critical infrastructure protection, there are mainly the public departments and the PPP organizations. The functions and task description of relevant organizations are as follows. (1) Department of Homeland Security After the September 11 attacks in America, the Homeland Security Act was passed in November 2002, and based on this act, 23 federal organizations, plans and offices were integrated to establish the Department of Homeland Security (DHS) to take responsibility for homeland security in America. The tasks include: (1) to analyze intelligence data collected from various departments such as the Central Intelligence Agency (CIA) and the Federal Bureau of Investigation (FBI) so that any threats to security can be discovered in time, (2) to protect and defend critical infrastructure, (3) to coordinate and lead America to prevent and respond to the attacks from nuclear weapons, biochemical weapons and other and (4) to coordinate the tasks of the federal government, including emergency and rescue. For the task regarding critical infrastructure and critical information infrastructure protection, the main units in charge are the Office of Infrastructure Protection (OIP) and the Office of Cybersecurity and Communications (CS&C) subordinate to National Protection and Programs Directorate (NPPD), Department of Homeland Security (DHS), to reduce the risk in both physical and cyber security to maintain national security1 (2) Congress Relevant units and committees are established both in the Senate and the House of Representatives to be responsible for protection and making policies pertinent to important critical infrastructure and critical information infrastructure. (3) Computer Crime and Intellectual Property Section In 1991, the Department of Justice (DOS) established the Computer Crime and Intellectual Property Section (CCIPS), a section of the Criminal Division, to be responsible for all crime combating computer and intellectual property. Computer crime is referred to cases which include electronic penetrations, data thefts, and cyber attacks to the important critical infrastructure. CCIPS also prevents, investigates, and prosecutes computer crimes by working with other government agencies, the private sector, academic institutions, and foreign counterparts. (4) Other Relevant PPP Organizations 2The Information Sharing and Analysis Center (ISAC) is responsible for the information security message sharing among the industries of each critical infrastructure to ensure the liaison and cooperation among industries. Finally, for the issue on critical information infrastructure, especially cyber crimes, both the National Cyber Security Alliance (NCSA) and the Cross Sector Cyber Security Working Group (CSCSWG) are designated to serve as crucial roles in governmental and non-governmental internet security prevention to be responsible for techniques and education. 2. Notification System (1)Computer Emergency Response Team Coordination Center The Computer Emergency Response Team Coordination Center (CERT/CC) run by Carnegie Mellon University is the oldest and most important early-warning organization for information security in the USA. With its experts studying internet vulnerabilities and risk assessment released regularly, it reminds people of the possible dangers which exist in the information age and the need to improve internet security. (2)US Computer Emergency Readiness Team The US Computer Emergency Readiness Team (US-CERT) was established in 2003. It is responsible for protecting the infrastructure of the internet in America and for coordinating and providing response support and defense against national cyber attacks. It interacts with federal agencies, industry, the research community, state government, and others to disseminate reasoned and actionable cyber security information to the public. (3)Federal Bureau of Investigation The Federal Bureau of Investigation (FBI), the first early warning center of critical infrastructure at the national level, is responsible for providing the information pertinent to legal execution presently and also taking responsibility for the investigation of cyber crime. (4)Information Sharing and Analysis Centers Currently, industry in America, including finance, telecommunications, energy, traffic, water resources, together established individual Information Sharing and Analysis Centers (ISACs) based on the policy made in PDD-63. The ISAC of the financial system established in October 1999 being the first established center. These ISACs further work together to form an ISAC Council to integrate the information from each of them and improve their interaction and information sharing. 3. Legal Norms In reference to the laws and regulations of critical infrastructure protection, America has aimed at critical infrastructure protection and computer crime to formulate the following regulations. (1) Federal Advisory Committee Act of 1972 According to the Federal Advisory Committee Act (FACA), the advisory committee can be established in every federal agency to provide the public, along with received open advice, with relevant objectives, and to prevent the public from being inappropriately influenced by the policies made by the government. However, to keep the private institutions which run the critical infrastructures from worrying the inappropriate leak of the sensitive information provided and consulted by them, Critical Infrastructure Partnership Advisory Council was established so that the Secretary of Homeland Security has the right to disregard the regulations of FACA and establish an independent advisory committee. (2) Computer Fraud and Abuse Act of 19863 The Computer Fraud and Abuse Act (CFAA) was enacted and implemented in 1986. It mainly regulates computer fraud and abuse. The Act states that it is against the law for anyone to access a protected computer without authorization. However, it also recognizes the fact that accessing a computer system of electronic and magnetic records does not mean a violation of the law. According to the CFAA, what is needed is one of the following requirements to be the wrongful conduct regulated in the Act: (1) whoever intentionally accesses a computer to obtain specific information inside the government or whoever has influenced the transmission function of the computer system; (2) whoever intentionally accesses a computer to obtain a protected database (including the information contained in a financial record of a financial institution or of a card issuer, or the information contained in a file of a consumer reporting agency on a consumer, or the information from any department of agency of the United States, or the conduct involving an interstate transaction); (3) whoever intentionally accesses any nonpublic computer of a department or agency of the United States, and causes damage. In addition, the Act also prohibits conduct such as transmitting malicious software, and defrauding traffic in any password or similar information. For any person who suffers damage or loss by reason of a violation of the law, he/she may maintain a civil action to obtain compensatory damages and injunctive relief or other equitable relief. However, the Computer Abuse Amendment Act (1994) expands the above Act, planning to include the conduct of transmitting viruses and malicious program into the norms whose regulatory measures were adopted by the USA Patriot Act enacted in October 20014 (3) Homeland Security Act of 20025 The Homeland Security Act provides the legal basis for the establishment of the Department of Homeland Security and integrates relevant federal agencies into it. The Act also puts information analysis and measures of critical infrastructure protection into the norm. And, the norm in which private institutions are encouraged to voluntarily share with DHS the information security message of important critical infrastructure is regulated in the Critical Infrastructure Information Act: Procedures for Handling Critical Infrastructure Information. According to the Act, the DHS should have the obligation to keep the information provided by private institutions confidential, and this information is exempted from disclosure by the Freedom of Information Act. (4) Freedom of Information Act Many critical infrastructures in America are regulated by governmental laws, yet they are run by private institutions. Therefore, they should obey the law and provide the government with the operation report and the sensitive information related with critical infrastructure. However, knowing that people can file a request at will to review relevant data from the government agencies based on the Freedom of Information Act (FOIA), then the security of national critical infrastructure may be exposed to the danger of being attacked. Therefore, the critical infrastructure, especially the information regarding the safety system, early warning, and interdependent units, are all exempted by the Freedom of Information Act. (5) Terrorism Risk Insurance Act of 20026 After the 911 Incident, Congress in America passed the Terrorism Risk Insurance Act to establish the mechanism to underwrite terrorism risk insurance, in which insurance companies are required to provide terrorism attack risk insurance and the federal government will also cover part of loss for severe attacks. 1.http://www.dhs.gov/xabout/structure/editorial_0794. shtm (last accessed at 21. 07. 2009). 2.http://www.thei3p.org/ (last accessed at 21. 07. 2009). 3.http://www.panix.com/~eck/computer-fraud-act. html (last accessed at 21. 07. 2009). 4.Mark G. Milone, Hacktivism：Securing the National Infrastructure, 58 Bus. Law, 389-390, 2002. 5.http://www.dhs.gov/xlibrary/assets/hr_5005_enr.pdf (last accessed at 21. 07. 2009). 6.http://www.ustreas.gov/offices/domestic-finance/financial-institution/terrorism-insurance/pdf/hr3210.pdf (last accessed at 21. 07. 2009).

The Research on Cybersecurity Risks in 5G network: Perspectives on Global strategy I. The characteristics of 5G and cybersecurity threats 　　Compared to 4G, 5G adopts several new designs on the network architecture, such as software-defined networking (SDN), a baseband unit (BBU), logical disjunction, network function virtualization (NFV), and multi-access edge computing (MEC), to provide users with high-speed, low-latency and other quality services, as well as flexibility and expansibility to accommodate more emerging applications. 　　According to the three key usage scenarios (see Figure 1) defined by the International Telecommunication Union (ITU), enhanced mobile broadband access (eMBB) provides high-volume mobile broadband services such as AR/VR or ultra-high-definition video. Massive machine type communication (mMTC) provides large-scale IoT services. Ultra-reliability and low latency communication (uRLLC) can be used for services that require low-latency and high-reliability connections, including unmanned driving and industrial automation. 　　However, with 5G’s open, flexible and extensible design, as well as its coexistence with other 4G and 3G systems in the early stage of commercial operation, the cybersecurity threats facing 5G networks are more severe and diverse than the past mobile phone generations. At present, the known 5G cybersecurity threats mainly come from network functional components and connection interfaces among components, including the terminal device, access network, air interface, cloud virtualization, multi-access edge computing rental, core network, back-end/backbone network, roaming and external services, and so on. Source: ITU Figure　1Three key 5G scenarios by the ITU II. Cybersecurity strategy development in major countries 　　5G is not only one of the critical infrastructures, but also an important foundation for pursuing a digital nation, digital economy, the industrial 4.0, and for promoting industrial transformation for upgrading. However, different scenarios require different cybersecurity protection levels, which poses great challenges to both mobile network operators and service providers. 　　Therefore, the construction of favorable environment for 5G development, the promotion of relevant applications and the development of innovative services and so on, have become the priority of governance in the countries around the world. 1. European Union (EU) 　　Then European Commission President Jean-Claude Juncker noted in 2017 that “Cyber-attacks can be more dangerous to the stability of democracies and economies than guns and tanks…Cyber-attacks know no borders and no one is immune,” indicating the EU's high priority in the cybersecurity field. 　　The "Digital Single Market," an important EU policy, lays the foundation for digital economy based on "cybersecurity, trust and privacy." In response to the loss of billions of euros a year in cyber attacks, the EU has taken a series of measures to safeguard and advance the development of the Digital Single Market. For the purposes of this strategy, the European Commission in 2018 came up with the policy of Resilience, Deterrence and Defence: Building strong cybersecurity for the EU,[1]with the aim of improving the level of cyber security, cyber resilience and trust in the EU, and in June 2019 passed the Cybersecurity Act [2] with two highlights described as follows: (1) Strengthen the authority of the European Union Agency for Network and Information Security (ENISA)(see Figure 2), increase the allocation of human and financial resources to ENISA, as well as the preparation for the work items related to the cybersecurity industry, and reinforce cyber security support for EU member states. (2) Establish the EU cybersecurity certification framework. [3] 　　In the European Union, where different cybersecurity certification schemes already exist, the absence of a common certification regime would increase the risk of fragmentation of the single market. For this reason, a set of technical requirements, standards and procedures are provided under this framework to assess whether information/communication products, services and processes are in compliance with security requirements. 　　The certification program includes product and service categories, information/communication security requirements (e.g. reference standards or technical specifications), types of assessment (e.g. self-assessment or third-party assessment), levels of security, and so on. All member states agree that certification not only facilitate cross-border business transactions, but also enable consumers to better understand the security of products and services. Source: Compiled from the ENISA websit Figure　2 ENISA organization and authority strengthening 2. the United States (U.S.) 　　In consideration of cyber security affairs in the country, the US Department of Homeland Security (DHS) in May 2018 unveiled the "Cybersecurity Strategy,"[4] which focused on the objectives and priorities of the U.S. government in future cybersecurity protection, identifying and managing national cybersecurity risks with the overall risk management approach, and addressing security threats to the country, critical infrastructures and private enterprises, as well as preventing cybercrimes. 　　Then the White House in September 2018 released the National Cyber Strategy of the United States of America, [5] based on the Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure [6] issued in May 2017, stating the strategy and position of the United States against the threat of cyber- attacks. The strategic goal aimed to, by safeguarding cybersecurity, protect the American people, the homeland, and the American way of life, to build a secure digital economic environment, to promote American prosperity, and strengthen cooperation with partners to deter malicious cyber attackers, so as to maintain peace and security, and continue to expand U.S. influence. 　　The department in July 2019 published the Digital Modernization Strategy [7] to announce its national defense strategy in the digital environment, including the use of cybersecurity, AI, cloud computing, blockchain and other technologies in information security protection to create a more secure, coordinated and efficient platform and improve the security of intelligence transmission and processing. 3. Canada 　　Public Safety Canada in June 2018 released the National Cyber Security Strategy, [8] with the vision of a sustainable, robust cybersecurity environment, innovation and prosperity. Through international cooperation and a domestic public-private partnership, the department has been working on three goals: 1. cyber security and resilience (to reduce cybercrime and ensure Internet privacy; 2. Internet innovation (to create a friendly environment for the development of cybersecurity startups); 3. government leadership and cooperation (to transfer government-owned cybersecurity knowledge to the private sector and set up a cybersecurity governance framework). 　　The Canadian government also attaches great importance to critical infrastructure. In May 2018, the National Cross Sector Forum 2018-2020 Action Plan for Critical Infrastructure [9] was unveiled to facilitate information sharing between public and private partners through sharing and protecting intelligence, and implementing a full risk management approach. Moreover, Public Safety Canada in April 2019 issued a report called Enhancing Canada’s Critical Infrastructure Resilience to Insider Risk, which provided guidelines and suggestions for action on internal risks in critical infrastructure organizations.[10] 4. Singapore 　　The government of Singapore in 2018 promulgated the Cybersecurity Act, [11] which aimed to fulfill the vision of a Smart Nation by enacting and putting into effect cybersecurity regulations to achieve the goal of a resilient infrastructure and a more secure cyberspace, and to strengthen the protection of critical information infrastructure against cyber-attacks. The Cyber Security Agency of Singapore (CSA) was given the authority to prevent and respond to cybersecurity threats, and to set up a system for sharing security information, as well as a light-touch licensing system for cybersecurity service providers.[12] 　　The Government of Singapore has appointed a Commissioner of Cybersecurity responsible for promoting domestic cybersecurity policy. To safeguard Singaporeans from cybersecurity threats, [13] the government particularly laid down cybersecurity threat or incident response provisions in Chapter 4 of the Cybersecurity Act to empower the Commissioner of Cybersecurity to investigate cybersecurity threats and incidents, such as requiring the parties to the incidents to present statements in person or in writing, producing documents or provide information and so on.[14] 5. Australia 　　The Australian government in 2016 proposed a four-year "Australia's Cyber Security Strategy,"[15] which was expected to invest more than 230 million Australian dollars to strengthen Australia's cyber security capability and complete the following five aspects: national cyber partnership, strong cyber defenses, global responsibility and influence, growth and innovation, and a cyber smart nation. 　　As for the global responsibility and influence, the Australian government in 2017 announced the "Australia's International Cyber Engagement Strategy."[16] which aims to strengthen digital trade, to improve cybersecurity and to response to cybercrime through international cooperation; encourage innovative cybersecurity solutions; provide security advice and best practices, such as Essential Eight strategies[17] to mitigate cyber-attacks; establish the Pacific Cyber Security Operational Network (PaCSON) [18] with neighboring countries to develop regional cybersecurity capabilities; and advance the development of Australia's cybersecurity industry, nurture startups and attract foreign investment. III. Cybersecurity strategy to promote 5G in Taiwan 　　Since President Tsai Ing-wen took office in 2016, she declared that cybersecurity is directly linked to national security. In 2017, the Department of Cyber Security (DCS) under the Executive Yuan issued "National Cybersecurity Development Plan (2017-2020)," and in 2018 the "Cybersecurity Industry Development Action Plan (2018-2025)," in order to enhance the independence of Taiwan's cybersecurity industry, consolidate the nation’s cybersecurity defense line, improve its innovative thinking of cyber security, and further promote it to the international market. 　　To develop a favorable environment to promote 5G, the Executive Yuan on May 10, 2019 approved the “Taiwan 5G Action Plan (2019-2022),” [19] with a total investment about NT$20.466 billion over a four-year period. The plan aims to build a 5G application and industrial innovation environment, and reshape Taiwan's mobile communication industry ecosystem, with its content planned around five themes, including "promoting 5G vertical application field demonstration", "building 5G innovation and application development environment," "completing 5G technology core and cybersecurity protection capabilities," "planning to release 5G frequency spectrums in line with overall interests" and "adjusting laws and regulations to create favorable environment for 5G development," and to promote industrial upgrading and transformation, as well as create the next wave of economic prosperity in Taiwan. 　　Secure, robust and reliable 5G systems are sufficient and requisite conditions for building an innovation ecosystem in digital countries. The third theme of the "Taiwan 5G Action Plan" is to "complete 5G technology core and cybersecurity protection capabilities," which is intended to advance the integration of applied science and technology by establishing advantageous core technologies, set up a 5G technology and test platform, and increase the market competitiveness of 5G industry, while drafting the overall national policies on 5G cybersecurity, building the cybersecurity protection mechanism of 5G homemade products, strengthening 5G critical infrastructure and operational cybersecurity protection capabilities, and promoting domestic suppliers to enter the international 5G reliable supply chain. 　　In terms of strengthening 5G critical infrastructure and operational cybersecurity protection capacities, the NCC has planned a four-year (2019-2022) "5G Network Cybersecurity Protection and Related Regulations Preparation Plan." In coordination with a 5G license issue in 2020, the agency in 2019 added/amended the 5G cybersecurity provisions of the Regulations for Administration of Mobile Broadband Businesses, making it mandatory for the winning bidder of the 5G frequency spectrum to incorporate the cybersecurity protection concept into the system design for system construction. 　　Upon commercial operation of 5G, the NCC will audit from time to time the implementation of the cybersecurity maintenance plan by telecom operators, so as to ensure and reinforce the cybersecurity protection system of Taiwan's 5G telecom network, and create an opportunity for the development of 5G homemade products with cybersecurity protection capability. In addition, the NCC will also face up to the fact that 5G technology standards continue to evolve, and the operators have different construction schedules and heterogeneous mobile networks coexist. Therefore, relevant regulations will continue to be completed from 2020 to 2022, and examples will be verified through cybersecurity function testing laboratories to ensure that cybersecurity protection functions of 5G networks keep pace with the times. IV. Conclusion and Suggestion 　　As for emerging technologies, countries around the world are actively evaluating and constructing 5G systems and services. Taiwan boasts excellent industrial advantages in terms of semiconductors, ICT software and hardware, and high-quality talents, and thus makes a foundation for developing 5G. Furthermore, going with the importance of cybersecurity, it is necessary to pay more attention to planning and developing 5G cybersecurity technology. 　　It is clear that the development of cybersecurity is both a challenge and an opportunity for Taiwan. In order to implement the national policy objectives of "cybersecurity is national security" as well as "innovative economic development programs for a digital nation," and to response to the scientific and technological progress, and the demand for cybersecurity, key development direction is proposed to expedite the establishment of 5G cybersecurity protection. Reference: [1]Resilience, Deterrence and Defence: Building strong cybersecurity in Europe, European Commission, https://ec.europa.eu/digital-single-market/en/news/resilience-deterrence-and-defence-building-strong-cybersecurity-europe [2]The draft Regulation of The European Parliament And of The Council on ENISA, the "EU Cybersecurity Agency", and repealing Regulation(EU)526/2013, and on Information and Communication Technology cybersecurity certification(''Cybersecurity Act'') was published in September 2017 to expand the rights and obligations of ENISA, which would make ENISA the EU's cybersecurity and information competent authority and the authority for critical infrastructure (information) facilities after the passage of the Act. Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) (Text with EEA relevance), https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2019.151.01.0015.01.ENG&toc=OJ:L:2019:151:TOC [3]The EU cybersecurity certification framework, European Commission, https://ec.europa.eu/digital-single-market/en/eu-cybersecurity-certification-framework [4]Cybersecurity Strategy(2018), DHS, https://www.dhs.gov/sites/default/files/publications/DHS-Cybersecurity-Strategy_1.pdf [5]National Cyber Strategy of the United States of America(2018), The White House, https://www.whitehouse.gov/wp-content/uploads/2018/09/National-Cyber-Strategy.pdf [6]THE WHITE HOUSE, Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, The White House, https://www.whitehouse.gov/presidential-actions/presidential-executive-order-strengthening-cybersecurity-federal-networks-critical-infrastructure/ [7]DoD Digital Modernization Strategy, DoD, https://media.defense.gov/2019/Jul/12/2002156622/-1/-1/1/DOD-DIGITAL-MODERNIZATION-STRATEGY-2019.PDF [8]National Cybersecurity Strategy, Public Safety Canada, https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/ntnl-cbr-scrt-strtg/index-en.aspx [9]National Cross Sector Forum 2018-2020 Action Plan for Critical Infrastructure, Public Safety Canada, Public Safety Canada, https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/pln-crtcl-nfrstrctr-2018-20/index-en.aspx#a02 The action plan is a three-year program under Canada's2010 National Strategy for Critical Infrastructure (National Strategy) starting in 2010 for all phases. [10]Enhancing Canada’s Critical Infrastructure Resilience to Insider Risk, Public Safety Canada, Public Safety Canada, https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/nhncng-crtcl-nfrstrctr/index-en.aspx [11]Cybersecurity Act 2018, Singapore Statutes Online, https://sso.agc.gov.sg/Acts-Supp/9-2018/ [12]Cybersecurity Act, CSA, https://www.csa.gov.sg/legislation/cybersecurity-act [13]Id. [14]Cybersecurity Act Explanatory Statement, https://www.csa.gov.sg/~/media/csa/cybersecurity_bill/cybersecurity%20act%20-%20explanatory%20statement.pdf [15]Australia’s Cybersecurity Strategy, https://cybersecuritystrategy.homeaffairs.gov.au/ What is the Government doing in cybersecurity, Ministers for the Department of Industry, Innovation and Science, https://www.industry.gov.au/data-and-publications/australias-tech-future/cyber-security/what-is-the-government-doing-in-cyber-security [16]Australia’s International Cyber Engagement Strategy, Department of Foreign Affairs and Trade,https://www.dfat.gov.au/sites/default/files/DFAT%20AICES_AccPDF.pdf [17]Essential Eight Explained, ACSC, https://www.cyber.gov.au/publications/essential-eight-explained [18]Pacific Cybersecurity Operational Network(PaCSON), https://dfat.gov.au/international-relations/themes/cyber-affairs/cyber-cooperation-program/Pages/pacific-cyber-security-operational-network-pacson.aspx Or Strengthening cybersecurity across the Pacific, ACSC, https://www.cyber.gov.au/news/pacific-islands PaCSON is comprised of 15 members, including Australia, Fiji, Marshall Islands, New Zealand, Papua New Guinea, Samoa, and Solomon Islands. [19]Taiwan 5G Action Plan, Executive Yuan,https://www.ey.gov.tw/Page/5A8A0CB5B41DA11E/087b4ed8-8c79-49f2-90c3-6fb22d740488