Exploited: The Cyber Truth,  a podcast by RunSafe Security. 

[Paul] (00:01)

Welcome back everybody to Exploited: The Cyber Truth. I am Paul Ducklin, joined as usual by Joe Saunders, CEO and founder of RunSafe Security. Hello Joe.

[Joseph M. Saunders] (00:20)

Hello, Paul. Great to be here today.

[Paul] (00:23)

So our topic is, can Taiwan survive a digital siege? For those who’ve never actually looked at a map of the South China Sea and that region, it’s kind of important to know that Taiwan is just about 20% bigger than Belgium, which is a modestly sized European country that’s quite densely populated, but has more than twice as many people.

And it is also home, of course, to TSMC, the Taiwan Semiconductor Manufacturing Company Limited, which is also used by other semiconductor giants who have their own factories, including Intel and TI in the US, and if I’m not wrong, STMicroelectronics and companies like NXP, used to be Philips in Europe. So it is of massive global importance.

[Joseph M. Saunders] (01:21)

Well, as you say, Taiwan’s economically a very important country, not only for its semiconductor industry, but for all of its electronics and everything that it produces. I think it’s a top 20 in terms of gross domestic product, top 20 country in terms of output per year. And it’s a small island nation, which just happens to be 30, 40 miles away from mainland China.

[Paul] (01:48)

Yes, which is one of the biggest countries in the world with the second biggest population. Talk about a little bit of a David and Goliath situation.

[Joseph M. Saunders] (01:57)

Bit of a contrast for sure. And it’s separated by the South China Sea. And so there’s all sorts of economic activity going through the shipping ports in the region. There’s the economic output of Taiwan itself. And its position is geographically strategic for not only US interests, but lots of countries’ interests.

[Paul] (02:18)

It certainly has global economic innovation at its core, doesn’t it? And yet it relies very heavily on imports to keep all that modern stuff ticking over. I believe they still need to use coal for about 40% of their electricity. They use methane for about 42% of it. Almost all of their LNG, that methane, is imported. I believe they have a supply chain that’s about two weeks long.

And that introduces massive challenges all of its own, doesn’t it?

[Joseph M. Saunders] (02:52)

It does introduce challenges in some kind of blockade, preventing liquefied natural gas coming into the island is one method to really put some pressure on Taiwan. And that certainly would have an effect for all the reasons you already mentioned around its importance to the global economy. Another angle is concern that at some point in the future, China will attack the island through military action of some sort, but it also needs to be considered.

The cyber risk the island has because of some of these important supply chain questions that you raise with that risk of energy supply. You can imagine that there needs to be strong infrastructure to ensure that when supplies arrive that they can be distributed. If you think about the energy risk, the semiconductor industry and the geo position of Taiwan, there’s a lot at risk here and a lot of reason to not only protect it from military action and blockades, but also from a cyber attack.

[Paul] (03:54)

Yes, I’m just looking in front of me at a list of some of the well-known companies for whom TSMC makes chips. Now I mentioned Intel and TI and NXP and companies like that because they are chip companies that have their own fabrication plants but that also rely on TSMC. But there are lots of so-called fabless companies these days. They basically take their design and say build me 17 trillion of these.

[Joseph M. Saunders] (04:25)

And to put that in perspective, mean, I think it’s 90% of the advanced semiconductor chips are in fact produced in Taiwan. And so there is this global ecosystem with massive companies. Certainly TSMC has looked for ways to expand its footprint, even a build out in Arizona. But there’s all sorts of logistical issues and expertise and local expertise when it’s managed in Taiwan that may or may not convey to a fab plant in Arizona, for example. So it’s yet to be seen if in fact it’s truly diversified its supply chain. So there’s a lot still to come on that story.

 

[Paul] (05:06)

So what would an attack on the actual digital side of an infrastructure like that look like? Obviously a very specific problem for Taiwan given its island nature and its size and its location. But in truth, a problem for almost any industry in any country of the world. How do know that an attack had even started?

[Joseph M. Saunders] (05:30)

It’s certainly a digital world. Again, you’ve spelled it out quite well, but I like to think that if everything was mechanical, you’d have to go around one by one to every traffic light or every pump and do something to it. But in a digital world that’s connected, access is so much more straightforward and so much more wide-scale that it can be disrupted quite easily if not for cyber prevention or cyber protection in general. The interesting thing about this is that in the US we like to say we have 16, 17 sectors that comprise critical infrastructure. Well, Taiwan has one that the US doesn’t have, and that is technology parks. And technology parks are these fabrication plants.

[Paul] (06:14)

The sector that drives and helps the 16 or 17 sectors in the US.

[Joseph M. Saunders] (06:20)

Yeah, so let’s call it a super sector, which is exactly why I brought it up. And so these technology parks in Taiwan need to be made safe. But there are other priorities in Taiwan as well.

[Paul] (06:32)

As he said, having all these digital switches that allow you to manipulate and to fix devices without having to go to each and every one is very much a blessing. But it can turn into a curse if that remote access goes wrong because it means an enemy who hasn’t even set foot on your territory can reach out from a laptop screen somewhere and do much the same thing if you aren’t careful. So how do you build that carefulness into the system? Where does the money come from? How much does it cost?

[Joseph M. Saunders] (07:06)

Critical infrastructure, there are some very high priority items that are essential for an island nation like Taiwan to stay connected. And some of the high priority areas in Taiwan include all of the industrial control systems in the energy grid, and then also telecommunications and certainly financial services. And if we think about all the cyber attacks that are happening, can you imagine an island without energy, communications, and an ability to make financial payments. It would be devastating. You can see why potential vulnerabilities in cyber could be such a massive risk to the country itself.

[Paul] (07:48)

My understanding is that Taiwan has recently increased its military defence budget. How much of that money should be going towards cyber resilience rather than, say, towards another aircraft carrier? Which, as we discussed when we talked to Sparky Braun a few episodes ago, in South Korea they’ve decided, you know what, you look at the history of the USS Nimitz and the USS Gerald Ford, you think, wow, those are really important vessels, but you know what?

We’re not going to do that anymore. We’re going to go for autonomous vessels. We’re going to go for the drone type approach. So we’re more vigorous, more resilient, more adaptable. So how does cyber resilience come out of a military budget, if that’s the place for it? And how do you make sure that the right amount of money does get spent?

[Joseph M. Saunders] (08:37)

Well, certainly Taiwan has its own Ministry of Digital Affairs and a Ministry of Defense. And as you know, as a part of a panel that included retired Admiral Chen, who’s a current legislator in the Taiwanese government, and he is actually responsible for the defense budget. And having spoken to him just last week, Paul, he had mentioned how he agrees that critical infrastructure and protecting critical infrastructure is an extension of national defense and national security, and that Taiwan does need to do more because of what’s called the gray zone tactics of attacking, say, from cyber means. 

It may not be a full blown kinetic attack, but it might be something that can be very disruptive. Admiral Chen is leading the charge on that budget, that budget increase. It went from just over 2% to now 3.2% this next year. And so certainly they’re going to spend a good portion of that on traditional military needs. could be training weapons programs. It could be other forms of technology. But a portion of that, as you say, will likely go towards cyber tools of different types. And that could be cyber offensive tools. It could be cyber defensive tools. It could be for open source threat intelligence tools. 

And I imagine that at least 300 million US dollars a year could go towards those kinds of software tools that could help Taiwan have an asymmetric shift in its cyber posture, especially if you consider what’s at stake given someone threatening Taiwan like China, who has probably the largest cyber army in the world and by some counts is 50 times bigger than even the US’s cyber army. What I think we’re looking at is Taiwan could benefit from having the right investment in technology that can have an asymmetric shift to make it very difficult for that massive cyber army to attack.

[Paul] (10:36)

Yes, I watched the video of that panel session of which you were a part. And you expect to hear an Admiral waxing lyrical about naval stuff. And in fact, he included in the things that Taiwan, or indeed any other country needs to defend against potential attacks, whether they’re in time of war or in peace, he mentioned, and I wrote them down here, the power grid, gadgets in general.

So that could include even things that people have around their homes that you rely upon to make society work, medical systems and more. So it’s very much thinking beyond the let’s build another aircraft carrier. We really are in a different era, aren’t we?

[Joseph M. Saunders] (11:20)

We are in a different era. And just to go back to a theme earlier, the connectivity of all those systems is high. The connectivity of the medical systems and the health care systems and the medical devices themselves, you would be surprised if you looked at how much of infrastructure is dependent on the telecommunications infrastructure and how much is dependent on the energy infrastructure. And so there are some key priority areas telecom and energy being very high priority.

[Paul] (11:51)

Yes, and they hunt in pairs, don’t they? Because the energy grid relies upon a strong telecommunications network in order to let all the parts of the grid know what they’re doing so it can be well balanced. And of course, the telecoms network relies on a regular and reliable supply of electricity to function at all.

[Joseph M. Saunders] (12:10)

And so those two in particular are vital for Taiwan to withstand any kind of cyber siege. So that’s actually part of where my recommendation is to really bolster telecom equipment and telecom networking, as well as aspects of the energy sector itself.

[Paul] (12:27)

So if you had, let’s say, $300 million to spend, you’ve said that a key focus would be on telecoms and the energy grid. As the Admiral himself said, there’s a lot more to it. There are the gadgets, there are the medical systems, there are all the other things. You mentioned traffic lights. So that’s where you’d spend it, but what would you spend it on? Of this applies whether you’re in Taiwan or whether you’re in a Pacific island that’s even less well connected a Vanuatu or something like that, or even if you’re in the continental United States of America.

[Joseph M. Saunders] (13:02)

Yeah, I think it applies everywhere. And for Taiwan specifically, my view is there’s a couple areas. There’s AI enabled open source threat intelligence that I think is necessary in part to make sure all the necessary threat intel is collected, but also to help ensure there is a sharing of information with partners and allies and the like.

[Paul] (13:25)

So by that you mean that you may use what you might even call old-fashioned techniques to collect information, but you have to get an edge in picking out the stuff that really matters.

[Joseph M. Saunders] (13:36)

Yeah, exactly right. You need that as early warning to help prioritize where you ought to be looking. So I think that’s one key aspect.

[Paul] (13:44)

What about software development in general, Benjo? We’ve got all these embedded devices, some of them have been around for 5, 10, 15, 20 years. We’re going to be building new ones, we’re going to be trying to fix the old ones. How do we avoid making some of the mistakes that we made in the past?

[Joseph M. Saunders] (14:02)

Yeah, exactly. And I think that’s where the second level of recommendation comes in. And that is to harden the software that goes on these devices that get deployed across critical infrastructure and working in the software development process, adding in security protections so that these systems are protected even when a patch trying to resolve a vulnerability at some point in the future isn’t available. These systems should still remain resilient. 

Memory based protection is essential and also gives a very significant asymmetric advantage because if you could add in hardening on these devices and make it so even if the attacker knew how to compromise a single device, you need to make it so they can’t build a reliable exploit that works across devices. So I think protecting the firmware, the software, the application layer, the operating system on these devices so that they cannot be exploited in the first place would go a long way to free up resources to be used in other areas as well.

 

[Paul] (15:05)

Now on systems like Windows and Mac OS and Linux, we sort of take some aspects of that for granted because of a thing called ASLR address space layout randomization, where when a program loads or actually more precisely on Windows, it’s actually only every time your computer reboots, the sort of debt gets reshuffled so that programs don’t load in exactly predictable areas of memory like they used to in the Windows XP days.

On Windows we have that protection, but it is a little bit limited because we still get plenty of attacks despite ASLR. And as I said on Windows, it’s not every time a program runs. It is only every time you reboot your system. But there’s even more problem with that on embedded devices, isn’t there? Because you’re not looking at a laptop with 16 gig of memory and a virtual memory system that lets you run massive programs and they work fine. You might be looking at a device that was designed to fit in something the size of a matchbox, to run on a 3 volt battery, and to last for 20 years that has 128 kilobytes of memory. So you have to work smarter as well as harder, don’t you?

[Joseph M. Saunders] (16:17)

That those pesky little boxes that are both rugged and able to survive in low power with low compute happen to just be very, very reliable. But as you say, they don’t have the luxury of being over constrained with extra software on them. And so you do need to find ways, much like ASLR, to disrupt the ability for the attacker to identify those areas that they could compromise. What we’ve tried to do at RunSafe, for example, unlike ASLR, can be defeated with not to get too technical here, but with a single information link, you can defeat ASLR.

[Paul] (16:54)

And that could be something as innocent as a log file entry that just happens to record a memory address because the programmer thought it might be useful. They gave away the keys to the castle.

[Joseph M. Saunders] (17:06)

The whole kit and caboodle – exactly right. And so I do think it’d be economically feasible for Taiwan to deploy across all its devices, all its systems, what I would call Load-time Function Randomization that couldn’t be easily defeated, even if there’s a single information leak and doesn’t require new hardware, new upgrades, does work in low power, highly constrained compute environments. And so that would be a significant portion of my recommendation should anybody ask. So I think the cyber offensive tools, software and device hardening to prevent exploitation, there are other areas further into the cybersphere that I think they can go from there as well.

[Paul] (17:51)

The obvious one that springs to mind because we sort of touched on the concept earlier when I spoke about the fact that Taiwan, I believe, generates close to half its electrical energy from methane and it has about a two week supply. So you should be hearing the words supply chain concerns in that statement. Now, it’s a different sort of thing in software, isn’t it? You’re not worried that somebody might cut you off from your software supply chain.

It’s almost the opposite these days, isn’t it? You’ve got this abundance of choice that means what if you pick something in your software supply chain that later gets poisoned either by accident or as we’re increasingly seeing by design possibly by attackers who aren’t individuals or money-based cyber criminals but are state-sponsored attackers who may spend months or in some cases even years worming their way, pun intended, into a position of trust in the open-source community so they can, figuratively at least, drop a bombshell on the world by sneaking something in that shouldn’t be there.

[Joseph M. Saunders] (19:05)

Yes, and for a country like Taiwan who does see critical infrastructure as an extension of national security, looking for ways to ensure there’s rigor behind the software supply chain security, I think the government itself could ask for everybody to provide a solid review of the software supply chain. And that would include generating the Software Bill Materials, analyzing the vulnerabilities, understanding the risk associated with potential zero days that could compromise systems in the future and really imposing that to ensure that everybody has a complete and transparent view of what the risk looks like. 

Let’s face it, when it’s a country that could potentially be under siege by an adversary looking to change the course of history, you can’t really afford to wait and find out if there’s going to be a compromise or an attack or some kind of disruption in service you need to be as prepared as possible. And I think one way to do that is to analyze the risk in the supply chain as much as defending the software and preventing exploitation.

[Paul] (20:12)

So in a situation like this, where the output of Taiwanese semiconductor factories is of critical importance to the economy of the US, what do you think the US should be doing when it comes to something like cyber coordination, intelligence sharing and software development technologies that make a secure digital infrastructure possible?

[Joseph M. Saunders] (20:38)

Yeah, I think US companies offer a huge advantage in many of the cyber technologies. And so I do think that there is a really strong potential partnership for Taiwan to engage US companies. If it’s going to increase its defense budget and buy some of that technology, I think that’s one way. I also know more specifically to your question, there is a defense cooperation security agency inside the Department of Defense.

And I believe that when it comes to cyber resilience, that organization could provide a transfer of capabilities and technology to other countries who want to ensure that their critical infrastructure remains protected. So through the Department of Defense’s DCSA, I think some of these countries can make requests to secure cyber technology and methods and training to ensure that a country like Taiwan is prepared for full on cyber attack.

[Paul] (21:38)

So mean it’s not just enough to say, let’s put aside $300 million to spend on this. You have to spend it in a way that will deliver measurable returns quickly. And that kind of quick return is particularly difficult in the embedded market, isn’t it? If you have a web app, hey, well, we’ll just update it tomorrow. Heck, let’s do it this afternoon. But you don’t have that luxury with the embedded market, whether it’s military equipment or things like pump rooms, power stations and telecommunications kit.

[Joseph M. Saunders] (22:17)

Yeah, I think given the nature of the threat and the size of the cyber army in China, Taiwan does need a form of asymmetric shift in its cyber defense. And when that comes to embedded systems and critical infrastructure itself, there are technologies and techniques to create a game-changing shift. And I think that’s part of what might be appropriate in this case, given the substantial risk that the cyber siege does represent to Taiwan.

[Paul] (22:46)

We’ve already talked about how to actually know what form the digital side of the threat is taking right now. And you’ve spoken about how you can increase your ability to know what bad actors are doing and how you can share that information. But what about exactly the same sort of threat to other places in the world? Either because they’re allies of Taiwan or simply because, hey, what worked once might work elsewhere.

Could this same approach be used against the US, the UK, or European countries, or any number of African and South American countries? Not to mention places like South Korea, Japan, the Philippines.

[Joseph M. Saunders] (23:29)

Yeah, and I think about places like San Diego and Norfolk, even places with large maritime presence and ports.

[Paul] (23:37)

For our overseas listeners, particularly for our British listeners, that’s Norfolk, Virginia, not Norfolk on the eastern coast of England.

[Joseph M. Saunders] (23:46)

Yes, Norfolk, Virginia and Southern Virginia. So yeah, San Diego, Norfolk, Houston, these are vitally important ports. It really does affect seaports around the world in the same way that it could affect ports in an island nation like Taiwan. And what’s funny is I often joke about wanting to take a trip across Eastern Europe. And I particularly want to stop in Poland and talk to folks about the cyber attacks they experience because it’s been well known and documented that Russia tests its cyber technology in Poland before it does campaigns around the world. 

You know, I’m sure there are plenty of areas where China is testing certain kinds of attacks and certainly meddling with infrastructure inside Taiwan as well. Your point is very well taken that Taiwan could be under siege for geopolitical reasons, for economic reasons, for competition reasons.

But I also think that the lessons there or lessons from other countries could be applied anywhere in the United States or any other country around the world.

[Paul] (24:55)

And we see that in miniature with ransomware cyber criminals, don’t we? They choose a company to attack because it happens to be at the top of their list. If they get in, next thing they want a million dollars in blackmail money. And after they’ve succeeded at place A, then they will attack place B and place C and place D as well. Because that gives them more power, it makes them more feared, and let’s face it, it makes them more money. So why would it be any different in the field of international influence industrial espionage and I don’t know what the right term is, power projection is that what you call

 

[Joseph M. Saunders] (25:32)

Call it horse projection and power projection.

[Paul] (25:35)

So there are a lot of things we can do Joe, but if you had one particular takeaway that you wanted to advise to policy makers and cyber security listeners, what should they be thinking about now? Where to start?

[Joseph M. Saunders] (25:51)

Well, I think from a strategic view of risk, I guess for places like Taiwan and really any other country, one of the most important things to realize is that cyber tactics are a part of modern warfare. And a part of modern warfare includes gray zone tactics that might poke people, but not invoke a full on attack.

[Paul] (26:16)

So grey zone is, that’s a term that sort of means you’re putting lots of pressure on the person but you haven’t done anything that somebody could point a finger at and say, that’s an act of war. So you’re swinging your fist but you’re stopping it just in front of the person’s nose.

[Joseph M. Saunders] (26:30)

Exactly.

Or you might do a couple body blows, but you don’t punch them in the face. The point is cyber is part of modern warfare and gray zone tactics are a part of modern warfare. And so with that said, I think the biggest takeaway is ensuring that you do protect critical infrastructure is one step and certainly protecting the software deployed across critical infrastructure is an essential step. And I say that because we don’t want some of these cyber attacks to go any further, we don’t want them to succeed because at some point down the road, those may be considered acts of war. And with that, we don’t want escalation when we could be preventing. 

So I think protecting software across critical infrastructure is an essential step. And when I look at what happened in Ukraine, I think there’s kind of a related topic. If you see where the kinetic attacks were, they were preceded by cyber attacks in the same area. There’s no doubt that cyber and kinetic warfare tactics are intertwined and part of the future of warfare. We have to be ready. We have to be resilient. We have to defend our infrastructure. And we need to maintain communications, energy, payment networks, and a well-functioning government in order to ensure that we have something to continue to fight for.

[Paul] (27:57)

And when it comes to topics like industrial espionage, I guess you have to remember that if someone is getting right in your face, if they are squeaking their fist and stopping it a centimeterfrom your nose, and you get away without getting thumped, you still have to be careful that while they’re doing that, they haven’t slipped their hand into your jacket and made off with your wallet and your mobile phone at the same time. Particularly when you’re a country like Taiwan and some of the stuff that be purloined relates to semiconductor secrets for all of the laundry list of global companies that I mentioned earlier. It all matters a lot and as you mentioned Joe all of the components are kind of interconnected. Your telecommunications grid won’t work without good electricity supply and vice versa.

[Joseph M. Saunders] (28:49)

Yeah. And all of these areas need defense in depth. And I think part of that is the cyber hardening. I think part of that is redundancy and other tactics to ensure that you have good infrastructure in place that’s resilient, but no doubt that the cyber seizure is real and that cyber protection is needed.

[Paul] (29:09)

And therefore cybersecurity very much is a value to be sought and cherished and not merely a cost to be itemized and minimized. Well Joe, that’s heady stuff I must admit. Thanks to everybody who tuned in and listened. Thanks especially to Joe for his very very pertinent and thoughtful insights. If you find this podcast insightful please don’t forget to subscribe so you know when each new episode drops. 

Please like and share us on social media as well, and don’t forget to share us with all of your team so they can benefit from Joe’s wisdom as well. Once again, thanks to everybody who tuned in and listened. That is a wrap for this episode of Exploited: The Cyber Truth. Remember, stay ahead of the threat. See you next time!