Taiwan's Cyber Resilience in the Semiconductor Supply Chain
How Taiwan is developing its cybersecurity by bolstering its critical industries
Overview
In an era characterized by rapid technological growth and geopolitical shifts, Taiwan emerges as a pivotal player in the global supply chain, demonstrating innovation and resilience. With the world grappling with the intricacies of interconnected economies and the digital realm, Taiwan's semiconductor sector plays a crucial role, driving essential industries and addressing cybersecurity threats with determination. In this context, the development of Taiwan's cybersecurity industry gains prominence, fueled by its integration into the supply chain sectors and the critical need to protect infrastructure.
This article sheds light on Taiwan's strategic journey towards enhancing its cyber resilience in recent years. At the heart of this story is the dynamic interplay between Taiwan's thriving semiconductor sector and its proactive cybersecurity measures. By dissecting the connections between these two areas, the analysis reveals the significant impact on Taiwan's cybersecurity environment, promoting growth and sophistication in its cyber defenses. This examination highlights key partnerships, innovative efforts, and challenges, aiming to illuminate Taiwan's holistic approach to cybersecurity and national security.
Analysis
Executive Government Action
Within the sphere of global supply chains, Taiwan finds itself at a decisive moment, contemplating the formation of cross-industry alliances to take the lead amid changing geopolitical dynamics. Recently, Lin Chia-lung, Taiwan’s Secretary-General to the President, shared his vision[1] of Taiwan's ambitious aspirations to pioneer new opportunities in various countries within the restructured global supply chain, advocating for a paradigm shift from "China plus one" to "Taiwan plus N": a strategic evolution in supply chain diversification in which businesses consider Taiwan and other countries in order to reduce dependency on China. He emphasized the importance of Taiwanese enterprises exploring international markets by leveraging the government's promotion of industrial innovation, including smart manufacturing, IoT, and precision health.
Lin further highlighted the government's Program for Promoting Six Core Strategic Industries and stressed the need for Taiwanese companies to embrace cross-industry innovation to become trustworthy partners in the supply chain. This strategic program, announced by President Tsai in 2020, elevates cybersecurity as a vital sector alongside information technology and renewable energy.[2]
Around the same time, Taiwan embarked on the Sixth Phase (2021-2024) of its National Cybersecurity Program, affirming the establishment of a secure cyber environment, comprehensive cybersecurity management, information sharing, talent cultivation, and international collaboration. This initiative dovetails with Taiwan's economic transformation and innovation initiatives, integrating emerging technologies like AI, IoT, and Big Data while ensuring strengthened cybersecurity measures, and aligns closely with the Program for Promoting Six Core Strategic Industries.

With a dedicated focus on enhancing protective technologies such as semiconductors and on establishing robust cybersecurity defense mechanisms, Taiwan aims to build a cybersecurity infrastructure that is resilient at its core.
Cyber Threats to the Supply Chain
While Taiwan's prominence in the global technology industry, particularly in semiconductor chip production, brings immense opportunities, it brings many cybersecurity challenges as well.
The 2023 confirmation of a supplier data breach at Taiwan Semiconductor Manufacturing Company (TSMC), following a ransom demand by the Russian-speaking cybercriminal group LockBit, calls attention to the persistent threats facing Taiwan's critical industries.[3]
Despite the minimal immediate impact on TSMC's operations, such cyberattacks display the broader risks posed to Taiwan's critical infrastructure and global supply chains. In particular, Taiwan's semiconductor companies have long been targets of state-sponsored cyber espionage attacks, further accentuating the need for greater cybersecurity measures.[4]
Collaborative Efforts for Standardization
Recognizing these risks, Taiwan authorities are championing initiatives like the U.S. Department of Defense (DOD) Cybersecurity Maturity Model Certification (CMMC) framework to protect businesses against advanced cyber threats.[5] This initiative not only creates export opportunities for U.S. cybersecurity firms but also prompts collaboration between Taiwanese organizations like the Ministry of Digital Affairs (MODA), Institute for National Defense and Security Research (INDSR), and Taiwan Defense Industry Development Association (TW-DIDA) to raise CMMC awareness and provide guidance. As DOD certification becomes mandatory for selling into its supply chains, Taiwan's close economic ties with the U.S. underscore the significance of CMMC compliance for ICT hardware vendors and other sectors.
Domestically, the latest partnership between GlobalPlatform and the Institute for Information Industry (III) also underscores Taiwan's dedication to fortifying its cybersecurity by integrating internationally accepted "security-first" protocols like SESIP into its technology supply chains.[6]
Additionally, SEMI, a Taiwan-based non-governmental organization focused on advancing growth within the global semiconductor industry, has collaborated with industry partners, including TSMC, to launch the world's first cybersecurity standard for fab (fabrication) equipment. Covering computer operating systems, networks, endpoint protection, and monitoring, SEMI E187 aims to strengthen the cybersecurity defenses of the Taiwan semiconductor ecosystem against cyberattacks.[7]
Alongside this standard, SEMI has introduced the Semiconductor Cybersecurity Risk Rating Service. This service uses third-party risk scoring and a risk posture assessment to enable SEMI Taiwan members to assess cybersecurity risks in real time and receive guidance for risk remediation by identifying and addressing security vulnerabilities among suppliers and facilitating cybersecurity decision-making across supply chains.[8]
SEMI Semiconductor Cybersecurity Risk Rating Service – 5 Features[9]
Quantitative Risk Scores and Peer Comparison: Helps enterprises assess various cybersecurity risks, score risk exposure levels, and compare their cybersecurity defenses with those of peers to better understand their strengths and vulnerabilities both internally and externally.
Self-Evaluation with General Questionnaire: Aids enterprises in conducting internal risk and vulnerability assessment. The general semiconductor industry questionnaire is tailor-made based on security-related experiences from across the Taiwan semiconductor industry.
Risk Enhancement Recommendations: The service offers mitigation measures for each identified risk and re-evaluations once the measures are implemented, giving enterprises an immediate view of their cybersecurity optimization results and investment benefits.
Continuous Risk Ratings: Continuous risk ratings help keep enterprises updated with changes in risk indices while helping them understand both cybersecurity management trends and how they can strengthen their cybersecurity.
Objective Risk Ratings: Objective risk rating scores for enterprises to share with business partners to help deepen mutual trust.
These collaborative efforts unite various participants from Taiwan's semiconductor supply chain, highlighting a proactive approach to enhancing cyber defenses and showing a strong commitment to elevating cybersecurity measures through the adoption of standardized solutions and certifications in response to growing targeted threats.
Private Sector Partnership
In 2021, CyCraft, a leading Taiwanese cybersecurity firm, discovered a supply chain attack linked to APT10, a China state-sponsored hacker group, that targeted Taiwan's financial and securities trading sector. The attack disrupted online trading, leading two securities traders to halt trading due to unusual purchases and resulting in financial losses and loss of customer trust. Manipulation of stock prices damaged financial transaction credibility, posing a significant threat to the financial sector.[10]

With this incident in mind, it’s important to note that Taiwan accounts for approximately 63% of the global semiconductor market share and over 80% of advanced 5nm chip production.[11] These figures emphasize the critical need to safeguard the industry with a more mature security posture.
One solution has been greater government and private sector partnership. For example, the partnership between CyCraft and semiconductor companies exemplifies Taiwan's proactive approach to strengthening supply chain security management. The firm successfully partnered with various stakeholders in the semiconductor industry, other cybersecurity firms, government agencies, and academia to advocate for the formation of the Semiconductor Supply Chain Cybersecurity Alliance (半導體供應鏈資安聯盟) during SEMICON Taiwan 2021, with the goal of achieving the following three key actions[12]:
Develop a robust framework for cybersecurity that incorporates lessons learned from the recent transition and embraces open collaboration.
Create a semiconductor industry-specific framework to assess the strength of cybersecurity across the supply chain and implement measures to better protect ecosystem networks.
Incorporate best practices from industries such as automotive and medical with the aim to modernize security protocols and facilitate greater collaborative information sharing through SEMI.
To prevent severe incidents like the attack on Taiwan’s financial industry and the 2018 TSMC WannaCry malware attack, private sector companies such as CyCraft, with its sophisticated threat detection and proactive incident management approaches, are crucial to cybersecurity resilience in Taiwan's semiconductor industry. As Taiwan is poised to play an increasingly prominent role in global semiconductor supply chain cybersecurity, it does so through active involvement in developing cybersecurity standards built on strong public-private sector collaboration, again aligning with the strategic goals outlined in its Six Core Industries Program and the Sixth Phase of its National Cybersecurity Program.
Impact
Through initiatives like the Semiconductor Supply Chain Cybersecurity Alliance and adherence to global standards and government programs, Taiwan safeguards its vital industry while strengthening its national security and economic stability. This dedication establishes Taiwan as a global model in protecting the semiconductor supply chain, showcasing the essential roles of collaborative public-private efforts and global partnerships in addressing cyber challenges. Such initiatives highlight lessons for the international community:
The critical need for a coordinated approach to cybersecurity
The effectiveness of sector-specific frameworks
The imperative for global collaboration in our interconnected world
Taiwan's deliberate and strategic actions in enhancing the cybersecurity of its semiconductor industry demonstrate a story of enduring resilience and continuous innovation, navigating through the challenges of modern-day cyber threats.
CyberSec Taiwan
FocusTaiwan. (2024). Taiwan mulls cross-industry alliances to lead new supply chains.
National Development Council. Program for Promoting Six Core Strategic Industries.
TechCrunch. (2023). TSMC confirms data breach after LockBit cyberattack on third-party supplier.
Greenberg, Andy. WIRED (2020). “Chinese Hackers Have Pillaged Taiwan's Semiconductor Industry”.
US International Trade Administration. Taiwan Cybersecurity.
GlobalPlatform. (2023). GlobalPlatform & III partner to advance Taiwan’s cybersecurity goals.
CyCraft. (2022). Strengthening the Supply Chain Security Management.