Introduction to Critical Infrastructure Protection

The security facet of cyberspace along with a world filled with CPU-controlled household and everyday items can be examined from various angles. The concept of security also varies in accordance with different stages of national conditions and industrial development in different nations. As far as our nation is concerned, the definition of security industry is "an industry offering protection for human bodies, important infrastructure, information, financial system, as well as offering equipment to defend the security of national lands and the service"1 as initially defined by "Security Industry Program Office." Judging from the illustration of the definition, the security industry should be inter-disciplinary and integrative, which covers almost all walks of life and fields, such as high-tech industrial security management, traffic & transportation security management, fire control and prevention against natural calamities, disaster relief, information security management, security management in defense of national borders, and prevention of epidemics.

After the staged mission, "e-Taiwan program", was accomplished in 2007, our government hoped to construct a good surrounding by creating a comfortable life from a user’s point-of-view. This was hoped to be achieved by using "the development of a high-quality internet society" as a main source by using innovative services, internet convergence, perceptive environment, security, trust, and human machine linkage. At the Economic Development Vision for 2015: First-Stage Three-Year Sprint Program (2007~2009) formulated by the Executive Yuan, wireless broadband, CPU computer-controlled items all have become part of our every day lives, and healthcare, along with the green industry are listed as the next emerging industries; whereby the development of relevant critical technologies is hoped to be promoted to create higher industrial values and commercial opportunities. However, from a digitally-controlled-life viewpoint, the issue concerned by all walks of life is no longer confined to the convenience and security of personal life but gradually turns to protection of security of a critical infrastructure (CI) run by using information technology. For instance, finance management, stock market, communication network, harbors and airports, high speed rail, R&D of important technology, science parks, water purification facilities, water supply facilities, power, and energy facilities. 2Because security involves resources related with people's most fundamental living needs and is the most elementary economic activity of the society, it is regarded as an important core objective to promote the modern social security system. Therefore, critical infrastructure protection requires more dependence on information and communication technology to maintain the stability of finance and communication, as well as the security of facilities related with supply and economy of all sorts of livelihoods in order to ensure regular operation.

With the influence of information and communication technology on the application of critical infrastructure on the increase, the society has increasingly deepened its dependence on the security of our cyber world. The concept and connotation of information security also keep extending with it toward the aforementioned critical infrastructure protection planning, making critical information infrastructure protection (CIIP) and critical infrastructure protection (CIP) more inseparable in concept3 , and becomes an important goal of policy implementation to achieve the vision of a digital lifestyle which is secure for every nation. In recent years, considerable resources have been invested to complete an environment whereby a legal system of “smart lifestyle” is developed. However, what has been done for infrastructure protection continues to appear as not being comprehensive enough. This includes vague definitions, scattered regulations and policies, different protection measures taken by different authorities in charge, obvious differences in relevant risk management measures and in the magnitude of management planning of information security and so on. These problems all influence the formation of national policies and are the obstacles to the promotion of relevant industrial development. In view of this, the 2008/2009 International CIIP Handbook will be used as the cornerstone of research in this project. After the discussion on how critical infrastructure protection is done in America, Germany and Japan, the contents of norms of regulations and policies regarding critical infrastructure protection in our nation will be explored to make an in-depth analysis on the advantages and disadvantages of relevant norms. It is hoped to find out what is missing or omitted in the regulations and policies of our nation and to make relevant amendments. Suggestions will also be proposed so that the construction of a safe environment whereby the digital age of our nation can be expanded to assist the “smart lifestyle” to be developed further.


1.See http://tsii.org.tw/modules/tinyd0/index.php?id=14 (last visited May 24, 2009)
2.For "2008 International Conference on Homeland Security and Application of Technology in Taiwan ~ Critical Infrastructure Protection~", please visit http://www.tier.org.tw/cooperation/20081210.asp (last visit date: 05/17/2009).
3.For critical infrastructure protection, every nation has not only proceeded planning for physical facilities but put even more emphasis on protection jobs of critical information & communication infrastructure maintained via the information & communication technology. In the usage of relevant technical terms, the term "critical infrastructure" has also gradually been used to include the term "critical information & communication infrastructure". Elgin M. Brunner, Manuel Suter, Andreas Wenger, Victor Mauer, Myriam Dunn Cavelty, International CIIP Handbook 2008/2009, Center for Security Studies, ETH Zurich, 2008. 09, p. 37.

※Introduction to Critical Infrastructure Protection,STLI, https://stli.iii.org.tw/en/article-detail.aspx?no=105&tp=2&i=169&d=6127 (Date:2021/06/15)
Quote this paper
You may be interested
Norms of Critical Infrastructure Protection in Japan

The approaches to promote critical infrastructure protection in Japan The approaches to promote critical infrastructure protection in Japan are illustrated below: 1. Coverage of Critical Information Infrastructure In the "Action Plan on Information Security Measures for Critical Infrastructure" promulgated by the Information Security Policy Council (ISPC) in 2005, critical infrastructure is defined as: Critical infrastructure which offers the highly irreplaceable service in a commercial way is necessary for people's normal lives and economic activities, and if the service is discontinued or the supply is deficient or not available, it will seriously influence people's lives and economic activities. Based on the definition of the action plan, the critical infrastructure contains: telecommunication systems, administration services of the government, finance, civil aviation, railway, logistics, power, gas, water, and medical services 2. Promoted Relevant Policies of The Past The issues regarding the CIIP are gradually being developed with the norm of information social security policy in Japan. Adopting the Action Plan of the Basic Guidelines Toward the Promotion of an Advanced Information and Telecommunications Society of 1998 proposed by the Japanese government in 1998 as a basis. The Japanese government keeps presenting polices of improvement for the relevant issues in order to acquire the stable development of telematics and telecommunications. Several years later, the Ministry of Economy, Trade, and Industry (METI) announced the Comprehensive Strategy on Information Security in 2003. The formulation of the strategy not only emphasizes the possible telematics-related risks and protection against threats that may be encountered in the information society, but it also enhances the level of information security to the level of national security and presents a comprehensive information security improvement program. Furthermore, the submission of the strategy has identified government’s responsibility in the development of information security Therefore, a division which is solely responsible for information security was established in the Cabinet Secretariat and is devoted to the development of it. In 2005, the Ministry of Economy, Trade, and Industry (METI) amended the Comprehensive Strategy on Information Security and announced the First National Strategy on Information Security based on the creation of a policy of a long-term information security task in Japan which is also the foundation for the policy of guidelines and action security concerning critical information infrastructure. This is in addition to being the most important basis for the policy of information security development. The strategy is different from the Comprehensive Strategy on Information Security in connotation. In the range of information security protection, it not only maintains information security from the perspective of the government; for instance, to divide the rights and duties on information security protection practices between the central government and the local government, and to strengthen the capacity of the government to solve emergencies such as cyber attacks, but it also tries to employ the public-private partnership on the CIIP issue to construct an extensive information security protection and to develop a Capability for Engineering of Protection, Technical Operation, Analysis and Response (CEPTOAR): one similar to the ISAC of America, to strengthen the information sharing and analysis of information security of all industry involved. According to the strategy, the METI established the Information Security Policy Council (ISPC) and the National Information Security Center (NISC) under the subordination of the Cabinet Secretariat in order to reach a goal of dependable society of information security.1 Finally, the information security policies more directly related with the CIIP are the Action Plan on Information Security Measures for Critical Infrastructure and the Standards for Information Security Measures for the Central Government Computer Systems, both of which regulate CI-related threats, information security standards, public-private partnership information sharing system, and the levels of information security standards between different governments and critical infrastructures, respectively. 3. Oraganization Framework Generally speaking, the Cabinet Secretariat is the main division of the CIIP and the information security for the Japanese government, while the ISPC and the NISC established under the Cabinet Secretariat in 2005 are the core organizations for the development of the CIIP policy. In addition, the National Policy Agency (NPA) and the Ministry of Internal Affairs and Communications (MIC) also played an important role in assisting the Cabinet Secretariat with critical infrastructure protection. The part of public-private partnership is covered by the CEPTOAR which takes the responsibility for information sharing and analysis of information security between the government and private organizations. 4. Notification System For critical infrastructure protection, Japan has set up a warning and notification system in addition to the emphasis on fundamental information security protection. With the concept of public-private partnership, various messages related with information security are analyzed and shared in order to prevent information security incidents from occurring. The network of notification system in Japan mainly consists of several organizations as listed below. (1) National Incident Response Team The National Incident Response Team (NIRT) which is the information security office under the Cabinet Secretariat in the organization framework belongs to the Computer Emergency Response Team (CERT)2 and is first in line in the government to handle internet emergencies. According to the Action Plan for Ensuring e-Government's IT Security, the NIRT which consists of 17 experts from the government and the private organizations is responsible to (1) accurately understand and analyze emergencies, (2) develop technical strategies to solve and rehabilitate emergencies to prevent incidents from reoccurrence, (3) provide other governmental organizations the assistance to solve the information security issue, (4) collect and analyze information or intelligence so that effective solutions and strategies may be provided when an incident happens, (5) provide the governmental organization with professional knowledge and information, and (6) enhance and improve all knowledge pertinent to information security. (2) Computer Emergency Response Team Coordination Center The Japan Computer Emergency Response Team Coordination Center (JPCERT/cc) is the first Computer Security Incident Response Team (CSIRT) established in Japan. It consists of internet service suppliers, security products/service suppliers, governmental agencies, and associations of industry & commerce. The JPCERT/CC is also a member of the Asia Pacific Computer Emergency Response Team (APCERT) and a member of the Forum of Incident Response and Security Teams (FIRST). It coordinates and integrates prevention measures pertinent to information security and is consistent with other CSIRTs. (3) Telecom Information Sharing and Analysis Center In Japan, besides the mechanism responsible to notify the government, which functions as a bridge for communication between it and all those outside of it, the mechanism of information sharing and notification is also established among industries to provide each with a channel for information exchange and consultation. In 2001, Japan established the Telecom Information Sharing and Analysis Center Japan (Telecom-ISAC Japan). In addition to real-time inspection for computer intrusion incidents and conducting information collection and analysis, the Telecom-ISAC Japan proposes to e-government many suggestions related with the Transact-SQL issue as well. The reasons for launching the Telecom-ISAC are to instantaneously detect a computer intrusion incident, and to instantaneously gather and analyze its information, and then exchange this with other telecom carriers and offer them relevant countermeasures for precaution; so that in can reach the goal of ensuring telecom security since it is an important infrastructure concerning social economy. (4) Cyber Force The reasons for launching the Cyber Force are to maintain the security to use the internet by regularly "patrolling" it, searching for evidence of internet crime, and to notify the critical infrastructure operators about any unusual internet use so as to prevent the occurrence of cyber terror attacks. The Cyber Force also assists operators to solve and diminish the damage and influences when an incident occurs. (5) Portal Site of National Police Agency The National Police Agency owns the portal site "@police". It exists to prevent large-scale cyber emergencies and to provide gathered information concerning information security to government. In addition to providing the techniques related with the safe use of computer networks, @police is also dedicated to educating internet users about the concept of information security and to increase security awareness. (6) Ministry of Economy, Trade and Industry Since 1990, the Ministry of Economy, Trade and Industry (METI) has cooperated with the JPCERT/CC and the Information Technology Promotion Agency (IPA) to provide reports on virus, intrusion, and the damage caused by them, to remind the public to pay attention. 5. Legal Norms The laws regarding critical infrastructure protection in Japan are illustrated as follows: (1) Unauthorized Computer Access Law of 1999 The Unauthorized Computer Access Law includes various conducts such as cyber intrusion, and data thefts, into the norms of criminal punishment to deter cyber crimes from spreading in order to ensure the safety of the critical information infrastructure. (2) Act on Electronic Signatures and Certification Business of 2000 With the formulation of the Act on Electronic Signatures and Certification Business, the smooth promotion of the electronic signature system is ensured and the circulation and process of electronic communication can be fostered further. (3) Basic Law on Formation of an Advanced Information and Telecommunication Network Society of 2001 Through the formulation of the Basic Law on Formation of an Advanced Information and Telecommunication Network Society, the legal basis to execute an information technology policy is enhanced, and the direction and job content for the government to execute this policy is explicitly stated. 1.http://www.nisc.go.jp/eng/pdf/national_strategy_001_eng.pdf(last accessed date: 2009/07/20). 2.http://www.nisc.go.jp/en/sisaku/h1310action.html(last accessed date: 2009/07/20).

The Coverage and Policies of Critical Infrastructure Protection in U.S.

Regarding the issue of critical infrastructure protection, the emphasis in the past was put on strategic facilities related to the national economy and social security merely based on the concept of national defense and security1. However, since 911 tragedy in New York, terrorist attacks in Madrid in 2004 and several other martial impacts in London in 2005, critical infrastructure protection has become an important issue in the security policy for every nation. With the broad definition, not only confined to national strategies against immediate dangers or to execution of criminal prevention procedure, the concept of "critical infrastructure" should also include facilities that are able to invalidate or incapacitate the progress of information & communication technology. In other words, it is elevated to strengthen measures of security prevention instead. Accordingly, countries around the world have gradually cultivated a notion that critical infrastructure protection is different from prevention against natural calamities and from disaster relief, and includes critical information infrastructure (CII) maintained so that should be implemented by means of information & communication technology into the norm. In what follows, the International CIIP Handbook 2008/2009 is used as a research basis. The Subjects, including the coverage of CIIP, relevant policies promoted in America, are explored in order to provide our nation with some references to strengthen the security development of digital age. 1. Coverage of Important Critical Information Infrastructures Critical infrastructure is mainly defined in "Uniting and Strengthening our country by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001, as known as Patriot Act of the U.S., in section 1016(e)2 . The term ‘critical infrastructure’ refers to "systems and assets, whether physical or virtual, so vital to our country that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters." In December 2003, the Department of Homeland Security (DHS) promulgated Homeland Security Presidential Directive 7 (HSPD-7)3 to identify 17 Critical Infrastructures and key resources (CI/KR) ,and bleuprinted the responsibility as well as the role for each of CI/KR in the protection task. In this directive, DHS also emphasized that the coverage of CI/KR would depend on the real situations to add or delete sectors to ensure the comprehensiveness of critical infrastructure. In March 2008, DHS added Critical Manufacturing which becomes the 18th critical infrastructure correspondent with 17 other critical infrastructures. The critical infrastructures identified by DHS are: information technology, communications, chemical, commercial facilities, dams, nuclear reactors, materials and waste, government facilities, transportation systems, emergency services, postal and shipping, agriculture and food, healthcare and public health, water, energy (including natural gas, petroleum, and electricity), banking and finance, national monuments and icons, defense industrial Base, and critical manufacturing. 2. Relevant Policies Previously Promoted With Critical Infrastructure Working Group (CIWG) as a basis, the President's Commission on Critical Infrastructure Protection (PCCIP) directly subordinate to the President was established in 1996. It consists of relevant governmental organizations and representatives from private sectors. It is responsible for promoting and drawing up national policies indicating an important critical infrastructure, including natural disasters, negligence and lapses caused by humans, hacker invasion, industrial espionage, criminal organizations, terror campaign, and information & communication war and so on. Although PCCIP no longer exists and its functions were also redefined by HDSP-7, the success of improving cooperation and communication between public and private sectors was viewed as a significant step in the subsequent issues on information security of critical infrastructure of public and private sectors in America. In May 1998, Bill Clinton, the former President of the U.S., amended PCCIP and announced Presidential Decision Directive 62, 63 (PDD-62, PDD-63). Based on these directives, relevant teams were established within the federal government to develop and push the critical infrastructure plans to protect the operations of the government, assist communications between the government and the private sectors, and further develop the plans to secure national critical infrastructure. In addition, concrete policies and plans regarding information security of critical infrastructure would contain the Defence of America's Cyberspace -- National Plan for Information Systems Protection given by President Clinton in January, 2000 based on the issue of critical infrastructure security on the Internet which strengthens the sharing mechanism of internet information security messages between the government and private organizations. After 911, President Bush issued Executive Order 13228 (EO 13228) and Executive Order 13231 to set up organizations to deal with matters regarding critical infrastructure protection. According to EO 13228, the Office of Homeland Security and the Homeland Security Council were established. The duty of the former is mainly assist the U.S. President to integrate all kinds of enforcements related to the protection of the nation and critical infrastructure so as to avoid terrorist attacks, while the latter provides the President with advice on protection of homeland security and assists to solve relevant problems. According to EO 13228, the President's Critical Infrastructure Protection Board directly subordinate to the President was established to be responsible for offering advice on polices regarding information security protection of critical infrastructure and on cooperation plans. In addition, National Infrastructure Advisory Council (NIAC), which consists of owners and managers of national critical infrastructure, was also set up to help promote the cooperation between public and private sectors. Ever since the aforementioned executive order, critical infrastructure protection has been more concrete and specific in definition; for instance, to define critical infrastructure and its coverage through HSPD-7, the National Strategy for Homeland Security issued in 2002, the polices regarding the National Strategy to Secure Cyberspace and the National Strategy for Physical Protection of Critical Infrastructure and Key Assets addressed by the White House in 2003; all of this are based on the National Strategy for Homeland Security. Moreover, the density of critical infrastructure protection which contains virtual internet information security was enhanced for the protection of physical equipment and the protection from destruction caused by humans. Finally, judging from the National Infrastructure Protection Plan (NIPP), Sector-Specific Plans (SPP) supplementing NIPP and offering a detailed list of risk management framework, along with National Strategy for Information-Sharing, the public-private partnership (PPP) and the establishment of information sharing mechanism are highly estimated to ensure that the network of information security protection of critical infrastructure can be delicately interwoven together because plenty of important critical infrastructures in the U.S. still depend on the maintenance and operation of private sectors. 1.Cf. Luiijf, Eric A. M. , Helen H. Burger, and Marieke H. A. Klaver, “Critical Infrastructure Protection in the Netherlands:A Quick-scan”. In:Gattiker, Urs E. , Pia Pedersen, amd Karsten Petersen (eds. ) . EICAR Conference Best Paper Proceedings 2003, http://cip.gmu.edu/archive/2_NetherlandsCIdefpaper_2003.pdf (last accessed at 20. 07. 2009) 2.For each chapter of relevant legal cases, please visit http://academic.udayton.edu/health/syllabi/Bioterrorism/5DiseaseReport/USAPatriotAct.htm. The text regarding the definition of critical infrastructure is cited as "Critical Infrastructure Defined- In this section, the term “critical infrastructure” means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matter. " 1.Cf. Luiijf, Eric A. M. , Helen H. Burger, and Marieke H. A. Klaver, “Critical Infrastructure Protection in the Netherlands:A Quick-scan”. In:Gattiker, Urs E. , Pia Pedersen, amd Karsten Petersen (eds. ) . EICAR Conference Best Paper Proceedings 2003, http://cip.gmu.edu/archive/2_NetherlandsCIdefpaper_2003.pdf (last accessed at 20. 07. 2009) 2.For each chapter of relevant legal cases, please visit http://academic.udayton.edu/health/syllabi/Bioterrorism/5DiseaseReport/USAPatriotAct.htm. The text regarding the definition of critical infrastructure is cited as "Critical Infrastructure Defined- In this section, the term “critical infrastructure” means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matter. " 3.Introduction of Consumer Protection in Taiwan , Republic of China , Consumer Protection Commission (CPC), Executive Yuan.http://www.fas.org/irp/offdocs/nspd/hspd-7.html ( Last visit 2008/6/27 )

Implementing Information Security to Protect Individuals' Privacy

The development of new technology is bound to have both positive and negative effects. However, when a new technology is first introduced, it is common for insufficient attention to be paid to its negative aspects, either because there has not been time to accumulate sufficient experience in using it or because users are blinded by the potential benefits. It is only later, when the technology begins to be abused, that people wake up to the potential dangers. The evolution of computers and the Internet is a classic example of this phenomenon. While the rapid development of information technology has helped to stimulate the flow of information in every corner of society, cyberspace has also become the setting for a wide range of criminal activities. In many cases, countries' existing legal and regulatory frameworks have proved inadequate to cope with the threat posed by the various forms of unauthorized access. A variety of forms of cyber-crime have developed, including denial-of-service attacks, unauthorized accessing of databases, phishing, identity theft and online fraud or intimidation. Cyber-crime may involve making unauthorized use of individuals' personal information, stealing companies' confidential business information or selling state secrets; these new types of crime thus affect every level of society. The effects can be catastrophic, hence the growing importance is now being attached to information security, including both the establishment of effective management mechanisms to prevent cyber-crime from occurring in the first place and the development of the capabilities needed to detect such crime when it occurs. Recognizing the need to plug the gaps in the existing legal and regulatory framework in the face of cyber-crime, countries all over the world are working on the formulation of new legislation, and Taiwan is no exception. The following sections will discuss the key developments in the laws and regulations governing information security in Taiwan in recent years. I. The Convention on Cyber-crime and Chapter 36 of Taiwan’s Criminal Code (offences relating to the abuse of computers) Today, governments throughout the world are formulating measures to combat criminal activity that makes use of the Internet (cyber-crime). In many cases these measures are based on the Convention on Cyber-crime announced by the European Commission on November 23, 2001, and which came into effect on July 1, 2004. This convention is the first international agreement to be established specifically to combat cyber-crime. Its contents include discussion of the various types of cyber-crime, regulations governing the obtaining of electronic evidence, provisions for mutual assistance between nations in judicial matters with respect to cyber-crime and measures to encourage multilateral collaboration. The European Commission asked all signatory nations to revise their own national laws so that they conform to the provisions of the Convention, with the aim of establishing a unified international framework for combating cyber-crime. Responding to the international trend towards the enactment of legislation to fight cyber-crime and to eliminate any loopholes in Taiwanese law that might result in Taiwan becoming a haven for cyber-criminals, on June 25, 2003 the Taiwanese government added a new chapter, Chapter 36 (Offences Relating to the abuse of Computers) to Taiwan's Criminal Code. It contains six articles covering four types of crime: unauthorized access (Article 358), the unauthorized acquisition, deletion or titleeration of electromagnetic records (Article 359), unauthorized use of or interference with a computer system (Article 360) and creating computer programs specifically for the perpetration of a crime (Article 362). Article 361 specifies that more severe punishment should be imposed in the case of violations carried out against the computers or other equipment of a public service organization, and Article 363 states that the provisions of Articles 358–360 shall apply only after prosecution is instituted upon complaint. These new articles provide a clear legal basis for the punishment of common types of cyber-crime such as unauthorized access by hackers, the spreading of computer viruses and the use of Trojan horse programs. In formulating these articles, reference was made to the categorization of cyber-crimes used in the Convention on Cyber-crime and to the suggestions for revision of national laws put forward there. Article 36 is thus in broad conformity with current international practice in this regard and can be expected to achieve significant results in terms of combating cyber-crime. II. The authority of law enforcement to get evidence and ISPs liability In its discussion of the securing of electromagnetic records by law enforcement agencies, the Convention on Cyber-crime notes that such securing of records falls into two broad categories: immediate access and non-immediate access. Immediate access includes the monitoring of communications by law enforcement agencies, non-immediate access relates mainly to the data retention obligations imposed on Internet Service Providers (ISPs). As regards the regulatory framework for the monitoring of communications, Communications Protection and Surveillance Act came into effect in Taiwan on July 16, 1999. According to its provisions, monitoring of communications may only be implemented when it is deemed necessary to protect national security or to maintain social order. Warrants for such surveillance may only be issued if the content of the communications is related to a threat to national security or to the maintenance of social order. Furthermore, the crime in question must be a serious one. In principle, the period for which surveillance is implemented should not exceed 30 days. These restrictions reflect the government’s determination to ensure that citizens' right to privacy is protected. While the Internet is an environment conducive to the maintenance of anonymity, electromagnetic records are easy to erase. Effective investigation of cyber-crime requires automatic recording of communications by the equipment used to transmit the messages, that is to say, it requires the retention of historic data. As regards the extent to which companies are required to collaborate with law enforcement agencies and the conditions applying to the making available of electromagnetic records, these issues relate to the public's right to privacy, and the law in this area needs to be very clear and precise. For the most part, data retention obligations are laid down in Taiwan’s Telecommunications Act. In Taiwan ISPs are classed as "Type II Telecommunications Operators". Article 27 of the Administrative Regulations on Type II Telecommunications Businesses stipulates that Type II telecommunications operators may be required to confirm the existence of, and provide the contents of, customers' communications for the purpose of investigation or collection of evidence upon request in accordance with the requirements of the law. ISPs are required to retain, for a period of between 1 and 6 months, data relating to the account number of subscribers, the times and dates of communications, the times at which subscribers logged on and off, free e-mail accounts, the IP addresses used when applying for Web space and the time and date when such applications were made, the IP address used to make postings on message boards and newsgroups, the time and date when such postings were made and subscribers' e-mail communications records. If a Type II telecommunications operator violates these provisions, he may be fined between NT$200,000 and NT$1 million and be required to remedy the situation within a specified time limit in accordance with Paragraph 2 of Article 64 of the Telecommunications Law. If he fails to remedy the situation within the specified time limit, his license may be revoked. III. The Legal Framework for Personal Data Protection titlehough, as outlined above, some revisions have already been made to the legal framework governing information security, there are still many areas which need to be reviewed. One of the most important is the protection of personal information. Following the explosive growth of the Internet, customer-related information is being processed by computers on a large scale in many different industries. With so many companies collaborating with other firms or adopting new marketing methods, the value and importance of personal information is being reassessed. The dramatic increase in the number of online scams in Taiwan in recent years has made the protection of privacy a focus of attention. The existing Computer-processed Personal Data Protection Law, drawn up to target specific industries, does not really provide adequate protection. A new Personal Data Protection Act, drawn up with reference to the European Union’s Directive (95/46/EC) on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of Such Data and the personal information protection legislation adopted in the USA and Japan, has already been submitted to the Legislative Yuan for deliberation. The key differences between this new Act and the existing Computer-processed Personal Data Protection Law are as follows. Protection is no longer industry-specific, it now applies to both natural and juristic persons and to both public and private agencies. The scope of protection has been expanded to include hard copies of documents containing personal information, and five new types of "sensitive information" – information relating to criminal records, medical examinations, medical records, sexual history and genetic information – have been added. Special restrictions apply to the collection and processing of these types of data. The Personal Data Protection Act also imposes stricter requirements on public and private agencies with regard to the protection of individuals' personal data. For example, agencies must formulate personal data protection plans and measures for dealing with personal data once those data are no longer needed for business purposes. If an agency discovers that an individual's personal data have been stolen, leaked, titleered or violated in any way, they are required to notify by telephone or letter the agency responsible for notifying the individual concerned as soon as possible. If these provisions are violated, the agency's responsible person will be liable for administrative punishment. The new Act also gives regulatory authorities greater powers to undertaking auditing in this area, makes provision for class action suits and increases the amount of compensation to be paid to victims. It is expected that these mechanisms will help boost awareness of the importance of information security in all sectors, thereby helping to ensure better protection for the public's personal information. IV. Management of Unsolicited Commercial E-Mail The widespread utilization of e-mail has created a brand new marketing channel, so that e-mail can fairly be described as one of the most important "killer applications" to which the Internet has given rise. Today, spamming is causing serious problems for both e-mail users and ISPs. E-mail users are concerned about their privacy being violated and about having their e-mail box stuffed full of junk e-mail. Spamming also ties up bandwidth which could be used for other purposes, and Distributed Denial of Service Attacks (DDOS) can make it difficult for ISPs to provide normal service to their customers. Governments throughout the world have begun to consider whether anti-spamming legislation may be necessary. In Taiwan draft legislation of this type has already been submitted to the Legislative Yuan. Taiwan's Anti-SPAM Act was drawn up with reference to the USA's CAN-SPAM Act of 2003, Japan's Law on Regulation of Transmission of Specified Electronic Mail, Australia's SPAM Act and the UK's Privacy and Electronic Communications (EC Directive) Regulations 2003. The draft SPAM Act contains 13 articles, with an emphasis on self-regulation, technology filtering and provision for seeking compensation through civil action. The Act provides for the use of an "opt-out" mechanism to regulate the behavior of e-mail senders, with the following obligations to be imposed on them. (1) The sender must specify in the "Subject" field of the e-mail whether it is a "business communication" or "advertising" to facilitate filtering by ISPs and to make clear to the recipient what type it is. (2) The sender must provide accurate information, including header, information on the sender's identity and the sender's e-mail address. (3) E-mails may not be sent if the sender knows or could be expected to know that the intended recipient has already expressed a wish not to receive e-mail from this source. E-mails may also not be sent if the sender knows or could be expected to know that the information in the "Subject" field is inaccurate or misleading. If the sender continues to send e-mails after the recipient has expressed a clear wish not to receive any more from the sender or if the sender falsifies the "Subject" or header information, then the sender may be required to pay compensation to the recipient at a rate of NT$500–2,000 per person per e-mail. With regard to the widespread practice whereby companies or advertising agencies commission third parties to send junk e-mail on their behalf, in cases where the commissioning party knows or could be expected to know that e-mail is being sent in violation of the above regulations, the commissioning party shall be held jointly liable with the party sending the e-mail. Through the implementation of this new law, the government hopes to establish a first-class Internet environment in Taiwan, putting an end to the current situation whereby large numbers of businesses are engaged in spamming. V. Conclusions Security is the biggest single factor affecting the implementation of e-government initiatives, e-business application adoption and Internet user confidence. Most people associate information security only with the purchasing of security hardware or software and the setting up of firewalls. While these products can indeed help to make the online environment more secure, Internet users should not allow themselves to be lulled into thinking that buying these products will in and of itself be sufficient to ensure security. "Security" is a fluid concept. Over time, the level of security that even a high-end product can provide will deteriorate; the fact that your system is secure now does not guarantee that it will remain secure in the future. Evidence that this is true is provided by the damage that is constantly being caused by viruses, by the need to constantly update security products and by the shift in emphasis away from virus prevention and firewalls towards preventing "backdoor" attacks and towards proactive intrusion detection. Furthermore, the information security risks that companies and organizations have to deal with are not limited to external threats; poor internal management may result in employees selling or leaking customer data or other company data, which can cause serious damage to the organization. Examination of information security theory and practice in Taiwan and overseas suggests that the establishment of effective information security measures embraces four main areas: the detection of cyber-crime, development of new information security technologies and formulation of standards, education and management of computer users and regulatory and policy issues. The most important of these is the education and management of computer users. Detection of cyber-crime is the next most important, while development of new technologies and standard setting and the regulatory and policy aspects play a supporting role. To create a genuinely secure online environment, attention must be paid to all of these. Today governments throughout the world are formulating new legislation to plug the gaps in the regulatory framework governing the online environment. Given the need to let the market mechanism operate freely and to refrain from measures that might retard industrial development, government interference in the Internet, with the exception of crime prevention activity, has generally been viewed as a last resort. Currently the government in Taiwan is still focusing mainly on self-regulation by Internet service providers and other types of business enterprise, and the government's role is still largely confined to formulating standards and assisting with the development of new security products. The area on which both the government and the private sector will need to concentrate in the future is educating and ensuring effective management of computer users.

The Research on Cybersecurity Risks in 5G network: Perspectives on Global strategy

The Research on Cybersecurity Risks in 5G network: Perspectives on Global strategy I. The characteristics of 5G and cybersecurity threats   Compared to 4G, 5G adopts several new designs on the network architecture, such as software-defined networking (SDN), a baseband unit (BBU), logical disjunction, network function virtualization (NFV), and multi-access edge computing (MEC), to provide users with high-speed, low-latency and other quality services, as well as flexibility and expansibility to accommodate more emerging applications.   According to the three key usage scenarios (see Figure 1) defined by the International Telecommunication Union (ITU), enhanced mobile broadband access (eMBB) provides high-volume mobile broadband services such as AR/VR or ultra-high-definition video. Massive machine type communication (mMTC) provides large-scale IoT services. Ultra-reliability and low latency communication (uRLLC) can be used for services that require low-latency and high-reliability connections, including unmanned driving and industrial automation.   However, with 5G’s open, flexible and extensible design, as well as its coexistence with other 4G and 3G systems in the early stage of commercial operation, the cybersecurity threats facing 5G networks are more severe and diverse than the past mobile phone generations. At present, the known 5G cybersecurity threats mainly come from network functional components and connection interfaces among components, including the terminal device, access network, air interface, cloud virtualization, multi-access edge computing rental, core network, back-end/backbone network, roaming and external services, and so on. Source: ITU Figure 1Three key 5G scenarios by the ITU II. Cybersecurity strategy development in major countries   5G is not only one of the critical infrastructures, but also an important foundation for pursuing a digital nation, digital economy, the industrial 4.0, and for promoting industrial transformation for upgrading. However, different scenarios require different cybersecurity protection levels, which poses great challenges to both mobile network operators and service providers.   Therefore, the construction of favorable environment for 5G development, the promotion of relevant applications and the development of innovative services and so on, have become the priority of governance in the countries around the world. 1. European Union (EU)   Then European Commission President Jean-Claude Juncker noted in 2017 that “Cyber-attacks can be more dangerous to the stability of democracies and economies than guns and tanks…Cyber-attacks know no borders and no one is immune,” indicating the EU's high priority in the cybersecurity field.   The "Digital Single Market," an important EU policy, lays the foundation for digital economy based on "cybersecurity, trust and privacy." In response to the loss of billions of euros a year in cyber attacks, the EU has taken a series of measures to safeguard and advance the development of the Digital Single Market. For the purposes of this strategy, the European Commission in 2018 came up with the policy of Resilience, Deterrence and Defence: Building strong cybersecurity for the EU,[1]with the aim of improving the level of cyber security, cyber resilience and trust in the EU, and in June 2019 passed the Cybersecurity Act [2] with two highlights described as follows: (1) Strengthen the authority of the European Union Agency for Network and Information Security (ENISA)(see Figure 2), increase the allocation of human and financial resources to ENISA, as well as the preparation for the work items related to the cybersecurity industry, and reinforce cyber security support for EU member states. (2) Establish the EU cybersecurity certification framework. [3]   In the European Union, where different cybersecurity certification schemes already exist, the absence of a common certification regime would increase the risk of fragmentation of the single market. For this reason, a set of technical requirements, standards and procedures are provided under this framework to assess whether information/communication products, services and processes are in compliance with security requirements.   The certification program includes product and service categories, information/communication security requirements (e.g. reference standards or technical specifications), types of assessment (e.g. self-assessment or third-party assessment), levels of security, and so on. All member states agree that certification not only facilitate cross-border business transactions, but also enable consumers to better understand the security of products and services. Source: Compiled from the ENISA websit Figure 2 ENISA organization and authority strengthening 2. the United States (U.S.)   In consideration of cyber security affairs in the country, the US Department of Homeland Security (DHS) in May 2018 unveiled the "Cybersecurity Strategy,"[4] which focused on the objectives and priorities of the U.S. government in future cybersecurity protection, identifying and managing national cybersecurity risks with the overall risk management approach, and addressing security threats to the country, critical infrastructures and private enterprises, as well as preventing cybercrimes.   Then the White House in September 2018 released the National Cyber Strategy of the United States of America, [5] based on the Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure [6] issued in May 2017, stating the strategy and position of the United States against the threat of cyber- attacks. The strategic goal aimed to, by safeguarding cybersecurity, protect the American people, the homeland, and the American way of life, to build a secure digital economic environment, to promote American prosperity, and strengthen cooperation with partners to deter malicious cyber attackers, so as to maintain peace and security, and continue to expand U.S. influence.   The department in July 2019 published the Digital Modernization Strategy [7] to announce its national defense strategy in the digital environment, including the use of cybersecurity, AI, cloud computing, blockchain and other technologies in information security protection to create a more secure, coordinated and efficient platform and improve the security of intelligence transmission and processing. 3. Canada   Public Safety Canada in June 2018 released the National Cyber Security Strategy, [8] with the vision of a sustainable, robust cybersecurity environment, innovation and prosperity. Through international cooperation and a domestic public-private partnership, the department has been working on three goals: 1. cyber security and resilience (to reduce cybercrime and ensure Internet privacy; 2. Internet innovation (to create a friendly environment for the development of cybersecurity startups); 3. government leadership and cooperation (to transfer government-owned cybersecurity knowledge to the private sector and set up a cybersecurity governance framework).   The Canadian government also attaches great importance to critical infrastructure. In May 2018, the National Cross Sector Forum 2018-2020 Action Plan for Critical Infrastructure [9] was unveiled to facilitate information sharing between public and private partners through sharing and protecting intelligence, and implementing a full risk management approach. Moreover, Public Safety Canada in April 2019 issued a report called Enhancing Canada’s Critical Infrastructure Resilience to Insider Risk, which provided guidelines and suggestions for action on internal risks in critical infrastructure organizations.[10] 4. Singapore   The government of Singapore in 2018 promulgated the Cybersecurity Act, [11] which aimed to fulfill the vision of a Smart Nation by enacting and putting into effect cybersecurity regulations to achieve the goal of a resilient infrastructure and a more secure cyberspace, and to strengthen the protection of critical information infrastructure against cyber-attacks. The Cyber Security Agency of Singapore (CSA) was given the authority to prevent and respond to cybersecurity threats, and to set up a system for sharing security information, as well as a light-touch licensing system for cybersecurity service providers.[12]   The Government of Singapore has appointed a Commissioner of Cybersecurity responsible for promoting domestic cybersecurity policy. To safeguard Singaporeans from cybersecurity threats, [13] the government particularly laid down cybersecurity threat or incident response provisions in Chapter 4 of the Cybersecurity Act to empower the Commissioner of Cybersecurity to investigate cybersecurity threats and incidents, such as requiring the parties to the incidents to present statements in person or in writing, producing documents or provide information and so on.[14] 5. Australia   The Australian government in 2016 proposed a four-year "Australia's Cyber Security Strategy,"[15] which was expected to invest more than 230 million Australian dollars to strengthen Australia's cyber security capability and complete the following five aspects: national cyber partnership, strong cyber defenses, global responsibility and influence, growth and innovation, and a cyber smart nation.   As for the global responsibility and influence, the Australian government in 2017 announced the "Australia's International Cyber Engagement Strategy."[16] which aims to strengthen digital trade, to improve cybersecurity and to response to cybercrime through international cooperation; encourage innovative cybersecurity solutions; provide security advice and best practices, such as Essential Eight strategies[17] to mitigate cyber-attacks; establish the Pacific Cyber Security Operational Network (PaCSON) [18] with neighboring countries to develop regional cybersecurity capabilities; and advance the development of Australia's cybersecurity industry, nurture startups and attract foreign investment. III. Cybersecurity strategy to promote 5G in Taiwan   Since President Tsai Ing-wen took office in 2016, she declared that cybersecurity is directly linked to national security. In 2017, the Department of Cyber Security (DCS) under the Executive Yuan issued "National Cybersecurity Development Plan (2017-2020)," and in 2018 the "Cybersecurity Industry Development Action Plan (2018-2025)," in order to enhance the independence of Taiwan's cybersecurity industry, consolidate the nation’s cybersecurity defense line, improve its innovative thinking of cyber security, and further promote it to the international market.   To develop a favorable environment to promote 5G, the Executive Yuan on May 10, 2019 approved the “Taiwan 5G Action Plan (2019-2022),” [19] with a total investment about NT$20.466 billion over a four-year period. The plan aims to build a 5G application and industrial innovation environment, and reshape Taiwan's mobile communication industry ecosystem, with its content planned around five themes, including "promoting 5G vertical application field demonstration", "building 5G innovation and application development environment," "completing 5G technology core and cybersecurity protection capabilities," "planning to release 5G frequency spectrums in line with overall interests" and "adjusting laws and regulations to create favorable environment for 5G development," and to promote industrial upgrading and transformation, as well as create the next wave of economic prosperity in Taiwan.   Secure, robust and reliable 5G systems are sufficient and requisite conditions for building an innovation ecosystem in digital countries. The third theme of the "Taiwan 5G Action Plan" is to "complete 5G technology core and cybersecurity protection capabilities," which is intended to advance the integration of applied science and technology by establishing advantageous core technologies, set up a 5G technology and test platform, and increase the market competitiveness of 5G industry, while drafting the overall national policies on 5G cybersecurity, building the cybersecurity protection mechanism of 5G homemade products, strengthening 5G critical infrastructure and operational cybersecurity protection capabilities, and promoting domestic suppliers to enter the international 5G reliable supply chain.   In terms of strengthening 5G critical infrastructure and operational cybersecurity protection capacities, the NCC has planned a four-year (2019-2022) "5G Network Cybersecurity Protection and Related Regulations Preparation Plan." In coordination with a 5G license issue in 2020, the agency in 2019 added/amended the 5G cybersecurity provisions of the Regulations for Administration of Mobile Broadband Businesses, making it mandatory for the winning bidder of the 5G frequency spectrum to incorporate the cybersecurity protection concept into the system design for system construction.   Upon commercial operation of 5G, the NCC will audit from time to time the implementation of the cybersecurity maintenance plan by telecom operators, so as to ensure and reinforce the cybersecurity protection system of Taiwan's 5G telecom network, and create an opportunity for the development of 5G homemade products with cybersecurity protection capability. In addition, the NCC will also face up to the fact that 5G technology standards continue to evolve, and the operators have different construction schedules and heterogeneous mobile networks coexist. Therefore, relevant regulations will continue to be completed from 2020 to 2022, and examples will be verified through cybersecurity function testing laboratories to ensure that cybersecurity protection functions of 5G networks keep pace with the times. IV. Conclusion and Suggestion   As for emerging technologies, countries around the world are actively evaluating and constructing 5G systems and services. Taiwan boasts excellent industrial advantages in terms of semiconductors, ICT software and hardware, and high-quality talents, and thus makes a foundation for developing 5G. Furthermore, going with the importance of cybersecurity, it is necessary to pay more attention to planning and developing 5G cybersecurity technology.   It is clear that the development of cybersecurity is both a challenge and an opportunity for Taiwan. In order to implement the national policy objectives of "cybersecurity is national security" as well as "innovative economic development programs for a digital nation," and to response to the scientific and technological progress, and the demand for cybersecurity, key development direction is proposed to expedite the establishment of 5G cybersecurity protection. Reference: [1]Resilience, Deterrence and Defence: Building strong cybersecurity in Europe, European Commission, https://ec.europa.eu/digital-single-market/en/news/resilience-deterrence-and-defence-building-strong-cybersecurity-europe [2]The draft Regulation of The European Parliament And of The Council on ENISA, the "EU Cybersecurity Agency", and repealing Regulation(EU)526/2013, and on Information and Communication Technology cybersecurity certification(''Cybersecurity Act'') was published in September 2017 to expand the rights and obligations of ENISA, which would make ENISA the EU's cybersecurity and information competent authority and the authority for critical infrastructure (information) facilities after the passage of the Act. Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) (Text with EEA relevance), https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2019.151.01.0015.01.ENG&toc=OJ:L:2019:151:TOC [3]The EU cybersecurity certification framework, European Commission, https://ec.europa.eu/digital-single-market/en/eu-cybersecurity-certification-framework [4]Cybersecurity Strategy(2018), DHS, https://www.dhs.gov/sites/default/files/publications/DHS-Cybersecurity-Strategy_1.pdf [5]National Cyber Strategy of the United States of America(2018), The White House, https://www.whitehouse.gov/wp-content/uploads/2018/09/National-Cyber-Strategy.pdf [6]THE WHITE HOUSE, Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, The White House, https://www.whitehouse.gov/presidential-actions/presidential-executive-order-strengthening-cybersecurity-federal-networks-critical-infrastructure/ [7]DoD Digital Modernization Strategy, DoD, https://media.defense.gov/2019/Jul/12/2002156622/-1/-1/1/DOD-DIGITAL-MODERNIZATION-STRATEGY-2019.PDF [8]National Cybersecurity Strategy, Public Safety Canada, https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/ntnl-cbr-scrt-strtg/index-en.aspx [9]National Cross Sector Forum 2018-2020 Action Plan for Critical Infrastructure, Public Safety Canada, Public Safety Canada, https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/pln-crtcl-nfrstrctr-2018-20/index-en.aspx#a02 The action plan is a three-year program under Canada's2010 National Strategy for Critical Infrastructure (National Strategy) starting in 2010 for all phases. [10]Enhancing Canada’s Critical Infrastructure Resilience to Insider Risk, Public Safety Canada, Public Safety Canada, https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/nhncng-crtcl-nfrstrctr/index-en.aspx [11]Cybersecurity Act 2018, Singapore Statutes Online, https://sso.agc.gov.sg/Acts-Supp/9-2018/ [12]Cybersecurity Act, CSA, https://www.csa.gov.sg/legislation/cybersecurity-act [13]Id. [14]Cybersecurity Act Explanatory Statement, https://www.csa.gov.sg/~/media/csa/cybersecurity_bill/cybersecurity%20act%20-%20explanatory%20statement.pdf [15]Australia’s Cybersecurity Strategy, https://cybersecuritystrategy.homeaffairs.gov.au/ What is the Government doing in cybersecurity, Ministers for the Department of Industry, Innovation and Science, https://www.industry.gov.au/data-and-publications/australias-tech-future/cyber-security/what-is-the-government-doing-in-cyber-security [16]Australia’s International Cyber Engagement Strategy, Department of Foreign Affairs and Trade,https://www.dfat.gov.au/sites/default/files/DFAT%20AICES_AccPDF.pdf [17]Essential Eight Explained, ACSC, https://www.cyber.gov.au/publications/essential-eight-explained [18]Pacific Cybersecurity Operational Network(PaCSON), https://dfat.gov.au/international-relations/themes/cyber-affairs/cyber-cooperation-program/Pages/pacific-cyber-security-operational-network-pacson.aspx Or Strengthening cybersecurity across the Pacific, ACSC, https://www.cyber.gov.au/news/pacific-islands PaCSON is comprised of 15 members, including Australia, Fiji, Marshall Islands, New Zealand, Papua New Guinea, Samoa, and Solomon Islands. [19]Taiwan 5G Action Plan, Executive Yuan,https://www.ey.gov.tw/Page/5A8A0CB5B41DA11E/087b4ed8-8c79-49f2-90c3-6fb22d740488

TOP