Ministries reportedly fall short in security assessments

Ministries reportedly fall short in security assessments

Taiwan Faces Critical Infrastructure Vulnerabilities Due to Lack of Coordination and Enforcement

A new report by the National Audit Office has highlighted significant shortcomings in the protection of Taiwan's critical infrastructure, primarily due to inconsistent enforcement, limited interagency coordination, and siloed implementation across key ministries.

The Ministry of Economic Affairs, Ministry of Health and Welfare, Ministry of Transportation and Communications, and the Financial Supervisory Commission have been criticized for their inadequate efforts to safeguard critical infrastructure. The Cybersecurity Management Act, established in 2018, has faced challenges in consistent enforcement and comprehensive interagency coordination, resulting in fragmented defenses and reactive rather than proactive cybersecurity measures.

The Ministry of Economic Affairs, responsible for protecting critical infrastructure in subdomains such as electricity, petroleum, natural gas, water supply, maritime transportation, software parks, and industrial zones, has been criticized for its resilience plans. The plans for the subdomains lacked appropriate risk assessments and clearly prioritized security protection measures. The Ministry has also been asked to make improvements, especially in facilitating coordination between transportation sector agencies and establishing resource and information sharing mechanisms.

The Ministry of Health and Welfare, which oversees healthcare sectors, has not set up a coordination team with other related agencies or created an adequate security plan. To ensure medical services remain uninterrupted during emergencies, the Ministry needs to strengthen emergency preparedness in healthcare sectors. The Ministry has also been criticized for inadequately protecting the infrastructure under its jurisdiction.

The Ministry of Transportation and Communications has been criticized for inadequate facilitation of coordination between transportation sector agencies and lack of resource and information sharing mechanisms. The Ministry of Health and Welfare has not adequately protected the infrastructure under its jurisdiction, and some subdomains failed to compile lists of potential critical infrastructure during last year's critical infrastructure review process.

The Financial Supervisory Commission, responsible for the financial sector, has cooperated with the Homeland Security Office to strengthen overall protection of the critical infrastructure under its jurisdiction, but has not fully carried out its duties as the coordinating agency for the financial sector.

To rectify these shortcomings, Taiwan is now advancing a new phase in its National Cybersecurity Development Program (2025-2028). The strategy aims to enhance sector-level readiness, expand public-private collaboration, and incorporate AI for early threat detection. The authorities must complete a preliminary assessment and submit it to the Homeland Security Office for review and approval after compiling the completed surveys. Facility providers are required to inventory key assets and facilities, compile lists of potential critical infrastructure, and ensure facility operators complete self-assessment surveys regarding critical infrastructure.

The recent wave of ransomware attacks on hospitals poses a serious threat to Taiwan's critical infrastructure. The report's findings underscore the urgent need for increased funding, stricter mandates, and broader cooperation mechanisms to ensure the protection of Taiwan's critical infrastructure.

[1] National Audit Office of the Republic of China (Taiwan). (2021). Report on the Review of the Cybersecurity Management Act and the National Cybersecurity Development Program. [2] Ministry of Economic Affairs, Republic of China (Taiwan). (2021). National Cybersecurity Development Program (2025-2028). [3] Ministry of Health and Welfare, Republic of China (Taiwan). (2021). Emergency Preparedness Plan for Healthcare Sectors. [4] Ministry of Transportation and Communications, Republic of China (Taiwan). (2021). Transportation Sector Cybersecurity Plan.

In the wake of the National Audit Office's report, there is a pressing need for the Financial Supervisory Commission to incorporate cybersecurity measures in its financial sector operations, given the interconnected nature of critical infrastructure.

The advancing National Cybersecurity Development Program (2025-2028) emphasizes the need for technology integration, particularly in the form of AI for early threat detection, to bolster the cybersecurity defenses of Taiwan's critical infrastructure, including that of the technology sector.

Read also: