Taiwan needs coordinated approach to create robust cybersecurity – Taiwan News Feedzy

 

TAIPEI (Taiwan News) — Fan Chun-I (???), director of National Sun Yat-sen University’s Information Security Research Center, believes that talent in information security has been put off by the less-than-satisfactory salaries in Taiwan’s higher education and discouraged from joining academia.

The country needs to revisit its institutions and think about how the government, industry, and academia can better coordinate to create a quantum-safe cryptography ecosystem as it builds itself into a cybersecurity powerhouse, he said.


Fan got into information security in 1991, when he took up his postgraduate studies. At the time, cryptography was popular, while he took a special interest in symmetric encryption. Over the last three decades, he initially pivoted his research to asymmetric encryption and then to post-quantum cryptography (PQC).


It has been a lonely journey, Fan said. It was not until recent years that cybersecurity gained more prominence, along with greater interest in the field and more diverse options. Some have decided to pursue internet security, hacking and countermeasures, and image security. Only a few have delved into cryptography, he said.


Fan joked that encryption used to be called a form of “art” before it was elevated to the status of “science” and an area of “engineering” after its theorization. Ensuring effective security in encryption involves repeated testing of theories. American computer scientist Shafrira Goldwasser, co-inventor of zero-knowledge proofs, applied cryptographic theory to practice and was awarded the 2012 Turing Award for her work in the field of cryptography. The research, though, requires rigorous analysis and verification, hence no easy task for graduate students, Fan noted.


Asked about how he would define “security,” Fan said views vary, so by demand, there is no common definition, similar to the debate concerning “health.”


All these years, Fan has been advocating “precision cybersecurity,” which entails demand, cost, efficacy, environmental impacts, legal issues, techniques, and affordable risk. Information security management is energy-consuming and has a carbon footprint, he stressed. Companies are advised to seek expertise in identifying the weak spots in their IT infrastructure, so as to find the best solutions and boost system safety. By doing so, firms can realize low-carbon info-security through reduced cost and concern for environmental sustainability.


Speaking of Taiwan’s overall academic environment and technology research, Fan pointed out “a considerable lack of cybersecurity faculty in tertiary education.” He acknowledged this view could be challenged by the fact that the Ministry of Education planned to hire 80 personnel in cybersecurity-related posts between 2021 and 2024, subsidizing each with an annual salary of up to NT$1.2 million (US$37,845) to nurture quality talent. Still, this does not solve the problem. There are simply not enough qualified experts for universities to recruit, he said.


This conundrum can be attributed to the dwindling numbers of doctorate holders in the field, according to Fan. Those studying overseas are not inclined to return due to better career prospects in foreign countries and unimpressive offers at Taiwan’s universities. Moreover, the industry is competing with academia for talent with higher pay. This boils down to the reality that Taiwan’s academic institutions fail to provide attractive salaries.


Meanwhile, low birth rates directly hit the talent supply, and those with graduate degrees in engineering can easily land decent jobs, so why would they strive to pursue higher studies? A drop in the workforce, a lack of incentives, and strict hiring standards at universities mean a supply-demand imbalance in the ICT industry as a whole.


Some universities have added information security-related degree programs and the government has placed an emphasis on this issue, helping shed light on the importance of quantum-safe cryptography. However, relevant teachers, talent, and guidelines are not in place. In this regard, National Sun Yat-sen University has made cybersecurity courses available for under- and post- graduate studies in addition to cooperation with industry, allowing for theory to be put into practice. Students may choose to seek advanced studies or work in the public or private sectors.


In terms of international academic influence, Fan said Taiwan has long taken a lopsided approach that prioritizes midstream and downstream research over upstream research, or the theory establishment phase, causing it to lag behind major organizations and institutions. He recalled that during his school years, he had participated in and published papers in Asiacrypt, an international conference for cryptography research that PhD students would die for a chance to attend. But things have changed and the event’s prominence has waned. Fortunately, the National Science and Technology Council’s attitude has changed too, seeking to rectify things by setting up the Taiwan Academic Cybersecurity Center (TACC), which is intent on increasing the country’s presence by publishing high-quality papers in top conferences and journals.


When it comes to academia-industry cooperation, Fan said the corporate world needs to be more open-minded and have candid exchanges with those working in academia. The mindset that industry passively waits for technology transfer from academia must end, he urged. Research leads to proofs of concept (PoC) and true, some would go further by testing the commercial feasibility of relevant concepts, or proofs of value (PoV), but that takes time, he said. The ideas of research and commercialization should not be mingled, Fan argued.


Fan suggested that academia and industry work together on the most advanced cryptographic technologies through trial and error. That is to say, researchers can bring up a vision or concept that has the potential to be realized so companies can prepare in advance. In hindsight, suggestions were made a few years ago to the private sector about the need to tackle post-quantum cryptography, but not many recognized its importance then and some thought it was too early to talk.


Taiwan has a lot to offer to attract foreign investment. As a semiconductor powerhouse, Taiwan is well-positioned to drive the development of the cybersecurity industry and create a native info-security ecosystem, Fan said. The drive can encompass security chips, the implementation of infrastructure for quantum-safe cryptography, and AI security. This presents a golden opportunity to propel Taiwan to the status of a relevant global player in information security, a title only the U.S. and Israel can now proudly claim, Fan noted.


Also, Taiwan must not squander its chance to leverage its high-value datasets, including its National Health Insurance database and the sizable data accumulated from its being a victim of numerous hacks-the third hardest hit country in the world, Fan said. So far, the asset remains largely untapped. According to a January report by Check Point, an Israeli tech company, Taiwanese organizations were hit by an average of 3,118 cyberattacks per week last year, up 10% from 2021. Such data merits further research, he noted. However, Fan said any attempt to use the data must not break laws or cause privacy concerns. Even if it is stored on public clouds in the form of ciphertext, the whole process must be secured.


Asked about his advice for quantum-safe technologies, Fan noted cryptanalysis appears a challenge for hackers and deserves more focus. Efforts need to be invested in the research and development of encryption techniques, applications, and tools. Meanwhile, the government can draw lessons from Japan, South Korea, Singapore, the U.S., and Europe when drafting guidelines for cybersecurity, which can be applied to public, private, or academic scenarios.


The expert also made a case for optimizing value-added cryptographic technologies in the post-quantum era, such as attribute-based encryption (ABE), identity-based encryption (IBE), and searchable encryption (SE). Much can be expected from the research in this area, which has yet to garner broad attention, he added.


Currently, the development of post-quantum cryptography solutions has been multipronged and the government should spearhead coordinating all the resources. From laying down the fundamental work to implementing the technology, the process requires talent and talent is all that matters. This “migration” would take five to ten years and Taiwan must keep up with global players although it is already falling behind. Putting together a “national team” for quantum-safe technologies is a good way to start, he said.


A small country with limited resources, Taiwan can take stock of its strengths and find traits that are as forward-looking and distinctive as they are with the potential to be developed into niche markets. An example could be incorporating quantum-safe technologies into infrastructure. Always keep in mind that Taiwan is a formidable chipmaker, and let’s not squander such prowess in the post-quantum era, Fan concluded.